xref: /linux/net/ipv6/ndisc.c (revision 2174181019e4273e583a0f0a9795e9db38984784)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *	Neighbour Discovery for IPv6
4  *	Linux INET6 implementation
5  *
6  *	Authors:
7  *	Pedro Roque		<roque@di.fc.ul.pt>
8  *	Mike Shaver		<shaver@ingenia.com>
9  */
10 
11 /*
12  *	Changes:
13  *
14  *	Alexey I. Froloff		:	RFC6106 (DNSSL) support
15  *	Pierre Ynard			:	export userland ND options
16  *						through netlink (RDNSS support)
17  *	Lars Fenneberg			:	fixed MTU setting on receipt
18  *						of an RA.
19  *	Janos Farkas			:	kmalloc failure checks
20  *	Alexey Kuznetsov		:	state machine reworked
21  *						and moved to net/core.
22  *	Pekka Savola			:	RFC2461 validation
23  *	YOSHIFUJI Hideaki @USAGI	:	Verify ND options properly
24  */
25 
26 #define pr_fmt(fmt) "ICMPv6: " fmt
27 
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/types.h>
31 #include <linux/socket.h>
32 #include <linux/sockios.h>
33 #include <linux/sched.h>
34 #include <linux/net.h>
35 #include <linux/in6.h>
36 #include <linux/route.h>
37 #include <linux/init.h>
38 #include <linux/rcupdate.h>
39 #include <linux/slab.h>
40 #ifdef CONFIG_SYSCTL
41 #include <linux/sysctl.h>
42 #endif
43 
44 #include <linux/if_addr.h>
45 #include <linux/if_ether.h>
46 #include <linux/if_arp.h>
47 #include <linux/ipv6.h>
48 #include <linux/icmpv6.h>
49 #include <linux/jhash.h>
50 
51 #include <net/sock.h>
52 #include <net/snmp.h>
53 
54 #include <net/ipv6.h>
55 #include <net/protocol.h>
56 #include <net/ndisc.h>
57 #include <net/ip6_route.h>
58 #include <net/addrconf.h>
59 #include <net/icmp.h>
60 
61 #include <net/netlink.h>
62 #include <linux/rtnetlink.h>
63 
64 #include <net/flow.h>
65 #include <net/ip6_checksum.h>
66 #include <net/inet_common.h>
67 #include <linux/proc_fs.h>
68 
69 #include <linux/netfilter.h>
70 #include <linux/netfilter_ipv6.h>
71 
72 static u32 ndisc_hash(const void *pkey,
73 		      const struct net_device *dev,
74 		      __u32 *hash_rnd);
75 static bool ndisc_key_eq(const struct neighbour *neigh, const void *pkey);
76 static bool ndisc_allow_add(const struct net_device *dev,
77 			    struct netlink_ext_ack *extack);
78 static int ndisc_constructor(struct neighbour *neigh);
79 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb);
80 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb);
81 static int pndisc_constructor(struct pneigh_entry *n);
82 static void pndisc_destructor(struct pneigh_entry *n);
83 static void pndisc_redo(struct sk_buff *skb);
84 static int ndisc_is_multicast(const void *pkey);
85 
86 static const struct neigh_ops ndisc_generic_ops = {
87 	.family =		AF_INET6,
88 	.solicit =		ndisc_solicit,
89 	.error_report =		ndisc_error_report,
90 	.output =		neigh_resolve_output,
91 	.connected_output =	neigh_connected_output,
92 };
93 
94 static const struct neigh_ops ndisc_hh_ops = {
95 	.family =		AF_INET6,
96 	.solicit =		ndisc_solicit,
97 	.error_report =		ndisc_error_report,
98 	.output =		neigh_resolve_output,
99 	.connected_output =	neigh_resolve_output,
100 };
101 
102 
103 static const struct neigh_ops ndisc_direct_ops = {
104 	.family =		AF_INET6,
105 	.output =		neigh_direct_output,
106 	.connected_output =	neigh_direct_output,
107 };
108 
109 struct neigh_table nd_tbl = {
110 	.family =	AF_INET6,
111 	.key_len =	sizeof(struct in6_addr),
112 	.protocol =	cpu_to_be16(ETH_P_IPV6),
113 	.hash =		ndisc_hash,
114 	.key_eq =	ndisc_key_eq,
115 	.constructor =	ndisc_constructor,
116 	.pconstructor =	pndisc_constructor,
117 	.pdestructor =	pndisc_destructor,
118 	.proxy_redo =	pndisc_redo,
119 	.is_multicast =	ndisc_is_multicast,
120 	.allow_add  =   ndisc_allow_add,
121 	.id =		"ndisc_cache",
122 	.parms = {
123 		.tbl			= &nd_tbl,
124 		.reachable_time		= ND_REACHABLE_TIME,
125 		.data = {
126 			[NEIGH_VAR_MCAST_PROBES] = 3,
127 			[NEIGH_VAR_UCAST_PROBES] = 3,
128 			[NEIGH_VAR_RETRANS_TIME] = ND_RETRANS_TIMER,
129 			[NEIGH_VAR_BASE_REACHABLE_TIME] = ND_REACHABLE_TIME,
130 			[NEIGH_VAR_DELAY_PROBE_TIME] = 5 * HZ,
131 			[NEIGH_VAR_INTERVAL_PROBE_TIME_MS] = 5 * HZ,
132 			[NEIGH_VAR_GC_STALETIME] = 60 * HZ,
133 			[NEIGH_VAR_QUEUE_LEN_BYTES] = SK_WMEM_MAX,
134 			[NEIGH_VAR_PROXY_QLEN] = 64,
135 			[NEIGH_VAR_ANYCAST_DELAY] = 1 * HZ,
136 			[NEIGH_VAR_PROXY_DELAY] = (8 * HZ) / 10,
137 		},
138 	},
139 	.gc_interval =	  30 * HZ,
140 	.gc_thresh1 =	 128,
141 	.gc_thresh2 =	 512,
142 	.gc_thresh3 =	1024,
143 };
144 EXPORT_SYMBOL_GPL(nd_tbl);
145 
146 void __ndisc_fill_addr_option(struct sk_buff *skb, int type, const void *data,
147 			      int data_len, int pad)
148 {
149 	int space = __ndisc_opt_addr_space(data_len, pad);
150 	u8 *opt = skb_put(skb, space);
151 
152 	opt[0] = type;
153 	opt[1] = space>>3;
154 
155 	memset(opt + 2, 0, pad);
156 	opt   += pad;
157 	space -= pad;
158 
159 	memcpy(opt+2, data, data_len);
160 	data_len += 2;
161 	opt += data_len;
162 	space -= data_len;
163 	if (space > 0)
164 		memset(opt, 0, space);
165 }
166 EXPORT_SYMBOL_GPL(__ndisc_fill_addr_option);
167 
168 static inline void ndisc_fill_addr_option(struct sk_buff *skb, int type,
169 					  const void *data, u8 icmp6_type)
170 {
171 	__ndisc_fill_addr_option(skb, type, data, skb->dev->addr_len,
172 				 ndisc_addr_option_pad(skb->dev->type));
173 	ndisc_ops_fill_addr_option(skb->dev, skb, icmp6_type);
174 }
175 
176 static inline void ndisc_fill_redirect_addr_option(struct sk_buff *skb,
177 						   void *ha,
178 						   const u8 *ops_data)
179 {
180 	ndisc_fill_addr_option(skb, ND_OPT_TARGET_LL_ADDR, ha, NDISC_REDIRECT);
181 	ndisc_ops_fill_redirect_addr_option(skb->dev, skb, ops_data);
182 }
183 
184 static struct nd_opt_hdr *ndisc_next_option(struct nd_opt_hdr *cur,
185 					    struct nd_opt_hdr *end)
186 {
187 	int type;
188 	if (!cur || !end || cur >= end)
189 		return NULL;
190 	type = cur->nd_opt_type;
191 	do {
192 		cur = ((void *)cur) + (cur->nd_opt_len << 3);
193 	} while (cur < end && cur->nd_opt_type != type);
194 	return cur <= end && cur->nd_opt_type == type ? cur : NULL;
195 }
196 
197 static inline int ndisc_is_useropt(const struct net_device *dev,
198 				   struct nd_opt_hdr *opt)
199 {
200 	return opt->nd_opt_type == ND_OPT_PREFIX_INFO ||
201 		opt->nd_opt_type == ND_OPT_RDNSS ||
202 		opt->nd_opt_type == ND_OPT_DNSSL ||
203 		opt->nd_opt_type == ND_OPT_CAPTIVE_PORTAL ||
204 		opt->nd_opt_type == ND_OPT_PREF64 ||
205 		ndisc_ops_is_useropt(dev, opt->nd_opt_type);
206 }
207 
208 static struct nd_opt_hdr *ndisc_next_useropt(const struct net_device *dev,
209 					     struct nd_opt_hdr *cur,
210 					     struct nd_opt_hdr *end)
211 {
212 	if (!cur || !end || cur >= end)
213 		return NULL;
214 	do {
215 		cur = ((void *)cur) + (cur->nd_opt_len << 3);
216 	} while (cur < end && !ndisc_is_useropt(dev, cur));
217 	return cur <= end && ndisc_is_useropt(dev, cur) ? cur : NULL;
218 }
219 
220 struct ndisc_options *ndisc_parse_options(const struct net_device *dev,
221 					  u8 *opt, int opt_len,
222 					  struct ndisc_options *ndopts)
223 {
224 	struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)opt;
225 
226 	if (!nd_opt || opt_len < 0 || !ndopts)
227 		return NULL;
228 	memset(ndopts, 0, sizeof(*ndopts));
229 	while (opt_len) {
230 		int l;
231 		if (opt_len < sizeof(struct nd_opt_hdr))
232 			return NULL;
233 		l = nd_opt->nd_opt_len << 3;
234 		if (opt_len < l || l == 0)
235 			return NULL;
236 		if (ndisc_ops_parse_options(dev, nd_opt, ndopts))
237 			goto next_opt;
238 		switch (nd_opt->nd_opt_type) {
239 		case ND_OPT_SOURCE_LL_ADDR:
240 		case ND_OPT_TARGET_LL_ADDR:
241 		case ND_OPT_MTU:
242 		case ND_OPT_NONCE:
243 		case ND_OPT_REDIRECT_HDR:
244 			if (ndopts->nd_opt_array[nd_opt->nd_opt_type]) {
245 				ND_PRINTK(2, warn,
246 					  "%s: duplicated ND6 option found: type=%d\n",
247 					  __func__, nd_opt->nd_opt_type);
248 			} else {
249 				ndopts->nd_opt_array[nd_opt->nd_opt_type] = nd_opt;
250 			}
251 			break;
252 		case ND_OPT_PREFIX_INFO:
253 			ndopts->nd_opts_pi_end = nd_opt;
254 			if (!ndopts->nd_opt_array[nd_opt->nd_opt_type])
255 				ndopts->nd_opt_array[nd_opt->nd_opt_type] = nd_opt;
256 			break;
257 #ifdef CONFIG_IPV6_ROUTE_INFO
258 		case ND_OPT_ROUTE_INFO:
259 			ndopts->nd_opts_ri_end = nd_opt;
260 			if (!ndopts->nd_opts_ri)
261 				ndopts->nd_opts_ri = nd_opt;
262 			break;
263 #endif
264 		default:
265 			if (ndisc_is_useropt(dev, nd_opt)) {
266 				ndopts->nd_useropts_end = nd_opt;
267 				if (!ndopts->nd_useropts)
268 					ndopts->nd_useropts = nd_opt;
269 			} else {
270 				/*
271 				 * Unknown options must be silently ignored,
272 				 * to accommodate future extension to the
273 				 * protocol.
274 				 */
275 				ND_PRINTK(2, notice,
276 					  "%s: ignored unsupported option; type=%d, len=%d\n",
277 					  __func__,
278 					  nd_opt->nd_opt_type,
279 					  nd_opt->nd_opt_len);
280 			}
281 		}
282 next_opt:
283 		opt_len -= l;
284 		nd_opt = ((void *)nd_opt) + l;
285 	}
286 	return ndopts;
287 }
288 
289 int ndisc_mc_map(const struct in6_addr *addr, char *buf, struct net_device *dev, int dir)
290 {
291 	switch (dev->type) {
292 	case ARPHRD_ETHER:
293 	case ARPHRD_IEEE802:	/* Not sure. Check it later. --ANK */
294 	case ARPHRD_FDDI:
295 		ipv6_eth_mc_map(addr, buf);
296 		return 0;
297 	case ARPHRD_ARCNET:
298 		ipv6_arcnet_mc_map(addr, buf);
299 		return 0;
300 	case ARPHRD_INFINIBAND:
301 		ipv6_ib_mc_map(addr, dev->broadcast, buf);
302 		return 0;
303 	case ARPHRD_IPGRE:
304 		return ipv6_ipgre_mc_map(addr, dev->broadcast, buf);
305 	default:
306 		if (dir) {
307 			memcpy(buf, dev->broadcast, dev->addr_len);
308 			return 0;
309 		}
310 	}
311 	return -EINVAL;
312 }
313 EXPORT_SYMBOL(ndisc_mc_map);
314 
315 static u32 ndisc_hash(const void *pkey,
316 		      const struct net_device *dev,
317 		      __u32 *hash_rnd)
318 {
319 	return ndisc_hashfn(pkey, dev, hash_rnd);
320 }
321 
322 static bool ndisc_key_eq(const struct neighbour *n, const void *pkey)
323 {
324 	return neigh_key_eq128(n, pkey);
325 }
326 
327 static int ndisc_constructor(struct neighbour *neigh)
328 {
329 	struct in6_addr *addr = (struct in6_addr *)&neigh->primary_key;
330 	struct net_device *dev = neigh->dev;
331 	struct inet6_dev *in6_dev;
332 	struct neigh_parms *parms;
333 	bool is_multicast = ipv6_addr_is_multicast(addr);
334 
335 	in6_dev = in6_dev_get(dev);
336 	if (!in6_dev) {
337 		return -EINVAL;
338 	}
339 
340 	parms = in6_dev->nd_parms;
341 	__neigh_parms_put(neigh->parms);
342 	neigh->parms = neigh_parms_clone(parms);
343 
344 	neigh->type = is_multicast ? RTN_MULTICAST : RTN_UNICAST;
345 	if (!dev->header_ops) {
346 		neigh->nud_state = NUD_NOARP;
347 		neigh->ops = &ndisc_direct_ops;
348 		neigh->output = neigh_direct_output;
349 	} else {
350 		if (is_multicast) {
351 			neigh->nud_state = NUD_NOARP;
352 			ndisc_mc_map(addr, neigh->ha, dev, 1);
353 		} else if (dev->flags&(IFF_NOARP|IFF_LOOPBACK)) {
354 			neigh->nud_state = NUD_NOARP;
355 			memcpy(neigh->ha, dev->dev_addr, dev->addr_len);
356 			if (dev->flags&IFF_LOOPBACK)
357 				neigh->type = RTN_LOCAL;
358 		} else if (dev->flags&IFF_POINTOPOINT) {
359 			neigh->nud_state = NUD_NOARP;
360 			memcpy(neigh->ha, dev->broadcast, dev->addr_len);
361 		}
362 		if (dev->header_ops->cache)
363 			neigh->ops = &ndisc_hh_ops;
364 		else
365 			neigh->ops = &ndisc_generic_ops;
366 		if (neigh->nud_state&NUD_VALID)
367 			neigh->output = neigh->ops->connected_output;
368 		else
369 			neigh->output = neigh->ops->output;
370 	}
371 	in6_dev_put(in6_dev);
372 	return 0;
373 }
374 
375 static int pndisc_constructor(struct pneigh_entry *n)
376 {
377 	struct in6_addr *addr = (struct in6_addr *)&n->key;
378 	struct in6_addr maddr;
379 	struct net_device *dev = n->dev;
380 
381 	if (!dev || !__in6_dev_get(dev))
382 		return -EINVAL;
383 	addrconf_addr_solict_mult(addr, &maddr);
384 	ipv6_dev_mc_inc(dev, &maddr);
385 	return 0;
386 }
387 
388 static void pndisc_destructor(struct pneigh_entry *n)
389 {
390 	struct in6_addr *addr = (struct in6_addr *)&n->key;
391 	struct in6_addr maddr;
392 	struct net_device *dev = n->dev;
393 
394 	if (!dev || !__in6_dev_get(dev))
395 		return;
396 	addrconf_addr_solict_mult(addr, &maddr);
397 	ipv6_dev_mc_dec(dev, &maddr);
398 }
399 
400 /* called with rtnl held */
401 static bool ndisc_allow_add(const struct net_device *dev,
402 			    struct netlink_ext_ack *extack)
403 {
404 	struct inet6_dev *idev = __in6_dev_get(dev);
405 
406 	if (!idev || idev->cnf.disable_ipv6) {
407 		NL_SET_ERR_MSG(extack, "IPv6 is disabled on this device");
408 		return false;
409 	}
410 
411 	return true;
412 }
413 
414 static struct sk_buff *ndisc_alloc_skb(struct net_device *dev,
415 				       int len)
416 {
417 	int hlen = LL_RESERVED_SPACE(dev);
418 	int tlen = dev->needed_tailroom;
419 	struct sock *sk = dev_net(dev)->ipv6.ndisc_sk;
420 	struct sk_buff *skb;
421 
422 	skb = alloc_skb(hlen + sizeof(struct ipv6hdr) + len + tlen, GFP_ATOMIC);
423 	if (!skb) {
424 		ND_PRINTK(0, err, "ndisc: %s failed to allocate an skb\n",
425 			  __func__);
426 		return NULL;
427 	}
428 
429 	skb->protocol = htons(ETH_P_IPV6);
430 	skb->dev = dev;
431 
432 	skb_reserve(skb, hlen + sizeof(struct ipv6hdr));
433 	skb_reset_transport_header(skb);
434 
435 	/* Manually assign socket ownership as we avoid calling
436 	 * sock_alloc_send_pskb() to bypass wmem buffer limits
437 	 */
438 	skb_set_owner_w(skb, sk);
439 
440 	return skb;
441 }
442 
443 static void ip6_nd_hdr(struct sk_buff *skb,
444 		       const struct in6_addr *saddr,
445 		       const struct in6_addr *daddr,
446 		       int hop_limit, int len)
447 {
448 	struct ipv6hdr *hdr;
449 	struct inet6_dev *idev;
450 	unsigned tclass;
451 
452 	rcu_read_lock();
453 	idev = __in6_dev_get(skb->dev);
454 	tclass = idev ? idev->cnf.ndisc_tclass : 0;
455 	rcu_read_unlock();
456 
457 	skb_push(skb, sizeof(*hdr));
458 	skb_reset_network_header(skb);
459 	hdr = ipv6_hdr(skb);
460 
461 	ip6_flow_hdr(hdr, tclass, 0);
462 
463 	hdr->payload_len = htons(len);
464 	hdr->nexthdr = IPPROTO_ICMPV6;
465 	hdr->hop_limit = hop_limit;
466 
467 	hdr->saddr = *saddr;
468 	hdr->daddr = *daddr;
469 }
470 
471 void ndisc_send_skb(struct sk_buff *skb, const struct in6_addr *daddr,
472 		    const struct in6_addr *saddr)
473 {
474 	struct dst_entry *dst = skb_dst(skb);
475 	struct net *net = dev_net(skb->dev);
476 	struct sock *sk = net->ipv6.ndisc_sk;
477 	struct inet6_dev *idev;
478 	int err;
479 	struct icmp6hdr *icmp6h = icmp6_hdr(skb);
480 	u8 type;
481 
482 	type = icmp6h->icmp6_type;
483 
484 	if (!dst) {
485 		struct flowi6 fl6;
486 		int oif = skb->dev->ifindex;
487 
488 		icmpv6_flow_init(sk, &fl6, type, saddr, daddr, oif);
489 		dst = icmp6_dst_alloc(skb->dev, &fl6);
490 		if (IS_ERR(dst)) {
491 			kfree_skb(skb);
492 			return;
493 		}
494 
495 		skb_dst_set(skb, dst);
496 	}
497 
498 	icmp6h->icmp6_cksum = csum_ipv6_magic(saddr, daddr, skb->len,
499 					      IPPROTO_ICMPV6,
500 					      csum_partial(icmp6h,
501 							   skb->len, 0));
502 
503 	ip6_nd_hdr(skb, saddr, daddr, inet6_sk(sk)->hop_limit, skb->len);
504 
505 	rcu_read_lock();
506 	idev = __in6_dev_get(dst->dev);
507 	IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
508 
509 	err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
510 		      net, sk, skb, NULL, dst->dev,
511 		      dst_output);
512 	if (!err) {
513 		ICMP6MSGOUT_INC_STATS(net, idev, type);
514 		ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
515 	}
516 
517 	rcu_read_unlock();
518 }
519 EXPORT_SYMBOL(ndisc_send_skb);
520 
521 void ndisc_send_na(struct net_device *dev, const struct in6_addr *daddr,
522 		   const struct in6_addr *solicited_addr,
523 		   bool router, bool solicited, bool override, bool inc_opt)
524 {
525 	struct sk_buff *skb;
526 	struct in6_addr tmpaddr;
527 	struct inet6_ifaddr *ifp;
528 	const struct in6_addr *src_addr;
529 	struct nd_msg *msg;
530 	int optlen = 0;
531 
532 	/* for anycast or proxy, solicited_addr != src_addr */
533 	ifp = ipv6_get_ifaddr(dev_net(dev), solicited_addr, dev, 1);
534 	if (ifp) {
535 		src_addr = solicited_addr;
536 		if (ifp->flags & IFA_F_OPTIMISTIC)
537 			override = false;
538 		inc_opt |= ifp->idev->cnf.force_tllao;
539 		in6_ifa_put(ifp);
540 	} else {
541 		if (ipv6_dev_get_saddr(dev_net(dev), dev, daddr,
542 				       inet6_sk(dev_net(dev)->ipv6.ndisc_sk)->srcprefs,
543 				       &tmpaddr))
544 			return;
545 		src_addr = &tmpaddr;
546 	}
547 
548 	if (!dev->addr_len)
549 		inc_opt = false;
550 	if (inc_opt)
551 		optlen += ndisc_opt_addr_space(dev,
552 					       NDISC_NEIGHBOUR_ADVERTISEMENT);
553 
554 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
555 	if (!skb)
556 		return;
557 
558 	msg = skb_put(skb, sizeof(*msg));
559 	*msg = (struct nd_msg) {
560 		.icmph = {
561 			.icmp6_type = NDISC_NEIGHBOUR_ADVERTISEMENT,
562 			.icmp6_router = router,
563 			.icmp6_solicited = solicited,
564 			.icmp6_override = override,
565 		},
566 		.target = *solicited_addr,
567 	};
568 
569 	if (inc_opt)
570 		ndisc_fill_addr_option(skb, ND_OPT_TARGET_LL_ADDR,
571 				       dev->dev_addr,
572 				       NDISC_NEIGHBOUR_ADVERTISEMENT);
573 
574 	ndisc_send_skb(skb, daddr, src_addr);
575 }
576 
577 static void ndisc_send_unsol_na(struct net_device *dev)
578 {
579 	struct inet6_dev *idev;
580 	struct inet6_ifaddr *ifa;
581 
582 	idev = in6_dev_get(dev);
583 	if (!idev)
584 		return;
585 
586 	read_lock_bh(&idev->lock);
587 	list_for_each_entry(ifa, &idev->addr_list, if_list) {
588 		/* skip tentative addresses until dad completes */
589 		if (ifa->flags & IFA_F_TENTATIVE &&
590 		    !(ifa->flags & IFA_F_OPTIMISTIC))
591 			continue;
592 
593 		ndisc_send_na(dev, &in6addr_linklocal_allnodes, &ifa->addr,
594 			      /*router=*/ !!idev->cnf.forwarding,
595 			      /*solicited=*/ false, /*override=*/ true,
596 			      /*inc_opt=*/ true);
597 	}
598 	read_unlock_bh(&idev->lock);
599 
600 	in6_dev_put(idev);
601 }
602 
603 struct sk_buff *ndisc_ns_create(struct net_device *dev, const struct in6_addr *solicit,
604 				const struct in6_addr *saddr, u64 nonce)
605 {
606 	int inc_opt = dev->addr_len;
607 	struct sk_buff *skb;
608 	struct nd_msg *msg;
609 	int optlen = 0;
610 
611 	if (!saddr)
612 		return NULL;
613 
614 	if (ipv6_addr_any(saddr))
615 		inc_opt = false;
616 	if (inc_opt)
617 		optlen += ndisc_opt_addr_space(dev,
618 					       NDISC_NEIGHBOUR_SOLICITATION);
619 	if (nonce != 0)
620 		optlen += 8;
621 
622 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
623 	if (!skb)
624 		return NULL;
625 
626 	msg = skb_put(skb, sizeof(*msg));
627 	*msg = (struct nd_msg) {
628 		.icmph = {
629 			.icmp6_type = NDISC_NEIGHBOUR_SOLICITATION,
630 		},
631 		.target = *solicit,
632 	};
633 
634 	if (inc_opt)
635 		ndisc_fill_addr_option(skb, ND_OPT_SOURCE_LL_ADDR,
636 				       dev->dev_addr,
637 				       NDISC_NEIGHBOUR_SOLICITATION);
638 	if (nonce != 0) {
639 		u8 *opt = skb_put(skb, 8);
640 
641 		opt[0] = ND_OPT_NONCE;
642 		opt[1] = 8 >> 3;
643 		memcpy(opt + 2, &nonce, 6);
644 	}
645 
646 	return skb;
647 }
648 EXPORT_SYMBOL(ndisc_ns_create);
649 
650 void ndisc_send_ns(struct net_device *dev, const struct in6_addr *solicit,
651 		   const struct in6_addr *daddr, const struct in6_addr *saddr,
652 		   u64 nonce)
653 {
654 	struct in6_addr addr_buf;
655 	struct sk_buff *skb;
656 
657 	if (!saddr) {
658 		if (ipv6_get_lladdr(dev, &addr_buf,
659 				    (IFA_F_TENTATIVE | IFA_F_OPTIMISTIC)))
660 			return;
661 		saddr = &addr_buf;
662 	}
663 
664 	skb = ndisc_ns_create(dev, solicit, saddr, nonce);
665 
666 	if (skb)
667 		ndisc_send_skb(skb, daddr, saddr);
668 }
669 
670 void ndisc_send_rs(struct net_device *dev, const struct in6_addr *saddr,
671 		   const struct in6_addr *daddr)
672 {
673 	struct sk_buff *skb;
674 	struct rs_msg *msg;
675 	int send_sllao = dev->addr_len;
676 	int optlen = 0;
677 
678 #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
679 	/*
680 	 * According to section 2.2 of RFC 4429, we must not
681 	 * send router solicitations with a sllao from
682 	 * optimistic addresses, but we may send the solicitation
683 	 * if we don't include the sllao.  So here we check
684 	 * if our address is optimistic, and if so, we
685 	 * suppress the inclusion of the sllao.
686 	 */
687 	if (send_sllao) {
688 		struct inet6_ifaddr *ifp = ipv6_get_ifaddr(dev_net(dev), saddr,
689 							   dev, 1);
690 		if (ifp) {
691 			if (ifp->flags & IFA_F_OPTIMISTIC)  {
692 				send_sllao = 0;
693 			}
694 			in6_ifa_put(ifp);
695 		} else {
696 			send_sllao = 0;
697 		}
698 	}
699 #endif
700 	if (send_sllao)
701 		optlen += ndisc_opt_addr_space(dev, NDISC_ROUTER_SOLICITATION);
702 
703 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
704 	if (!skb)
705 		return;
706 
707 	msg = skb_put(skb, sizeof(*msg));
708 	*msg = (struct rs_msg) {
709 		.icmph = {
710 			.icmp6_type = NDISC_ROUTER_SOLICITATION,
711 		},
712 	};
713 
714 	if (send_sllao)
715 		ndisc_fill_addr_option(skb, ND_OPT_SOURCE_LL_ADDR,
716 				       dev->dev_addr,
717 				       NDISC_ROUTER_SOLICITATION);
718 
719 	ndisc_send_skb(skb, daddr, saddr);
720 }
721 
722 
723 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb)
724 {
725 	/*
726 	 *	"The sender MUST return an ICMP
727 	 *	 destination unreachable"
728 	 */
729 	dst_link_failure(skb);
730 	kfree_skb(skb);
731 }
732 
733 /* Called with locked neigh: either read or both */
734 
735 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb)
736 {
737 	struct in6_addr *saddr = NULL;
738 	struct in6_addr mcaddr;
739 	struct net_device *dev = neigh->dev;
740 	struct in6_addr *target = (struct in6_addr *)&neigh->primary_key;
741 	int probes = atomic_read(&neigh->probes);
742 
743 	if (skb && ipv6_chk_addr_and_flags(dev_net(dev), &ipv6_hdr(skb)->saddr,
744 					   dev, false, 1,
745 					   IFA_F_TENTATIVE|IFA_F_OPTIMISTIC))
746 		saddr = &ipv6_hdr(skb)->saddr;
747 	probes -= NEIGH_VAR(neigh->parms, UCAST_PROBES);
748 	if (probes < 0) {
749 		if (!(READ_ONCE(neigh->nud_state) & NUD_VALID)) {
750 			ND_PRINTK(1, dbg,
751 				  "%s: trying to ucast probe in NUD_INVALID: %pI6\n",
752 				  __func__, target);
753 		}
754 		ndisc_send_ns(dev, target, target, saddr, 0);
755 	} else if ((probes -= NEIGH_VAR(neigh->parms, APP_PROBES)) < 0) {
756 		neigh_app_ns(neigh);
757 	} else {
758 		addrconf_addr_solict_mult(target, &mcaddr);
759 		ndisc_send_ns(dev, target, &mcaddr, saddr, 0);
760 	}
761 }
762 
763 static int pndisc_is_router(const void *pkey,
764 			    struct net_device *dev)
765 {
766 	struct pneigh_entry *n;
767 	int ret = -1;
768 
769 	read_lock_bh(&nd_tbl.lock);
770 	n = __pneigh_lookup(&nd_tbl, dev_net(dev), pkey, dev);
771 	if (n)
772 		ret = !!(n->flags & NTF_ROUTER);
773 	read_unlock_bh(&nd_tbl.lock);
774 
775 	return ret;
776 }
777 
778 void ndisc_update(const struct net_device *dev, struct neighbour *neigh,
779 		  const u8 *lladdr, u8 new, u32 flags, u8 icmp6_type,
780 		  struct ndisc_options *ndopts)
781 {
782 	neigh_update(neigh, lladdr, new, flags, 0);
783 	/* report ndisc ops about neighbour update */
784 	ndisc_ops_update(dev, neigh, flags, icmp6_type, ndopts);
785 }
786 
787 static enum skb_drop_reason ndisc_recv_ns(struct sk_buff *skb)
788 {
789 	struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
790 	const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
791 	const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
792 	u8 *lladdr = NULL;
793 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
794 				    offsetof(struct nd_msg, opt));
795 	struct ndisc_options ndopts;
796 	struct net_device *dev = skb->dev;
797 	struct inet6_ifaddr *ifp;
798 	struct inet6_dev *idev = NULL;
799 	struct neighbour *neigh;
800 	int dad = ipv6_addr_any(saddr);
801 	int is_router = -1;
802 	SKB_DR(reason);
803 	u64 nonce = 0;
804 	bool inc;
805 
806 	if (skb->len < sizeof(struct nd_msg))
807 		return SKB_DROP_REASON_PKT_TOO_SMALL;
808 
809 	if (ipv6_addr_is_multicast(&msg->target)) {
810 		ND_PRINTK(2, warn, "NS: multicast target address\n");
811 		return reason;
812 	}
813 
814 	/*
815 	 * RFC2461 7.1.1:
816 	 * DAD has to be destined for solicited node multicast address.
817 	 */
818 	if (dad && !ipv6_addr_is_solict_mult(daddr)) {
819 		ND_PRINTK(2, warn, "NS: bad DAD packet (wrong destination)\n");
820 		return reason;
821 	}
822 
823 	if (!ndisc_parse_options(dev, msg->opt, ndoptlen, &ndopts))
824 		return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
825 
826 	if (ndopts.nd_opts_src_lladdr) {
827 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr, dev);
828 		if (!lladdr) {
829 			ND_PRINTK(2, warn,
830 				  "NS: invalid link-layer address length\n");
831 			return reason;
832 		}
833 
834 		/* RFC2461 7.1.1:
835 		 *	If the IP source address is the unspecified address,
836 		 *	there MUST NOT be source link-layer address option
837 		 *	in the message.
838 		 */
839 		if (dad) {
840 			ND_PRINTK(2, warn,
841 				  "NS: bad DAD packet (link-layer address option)\n");
842 			return reason;
843 		}
844 	}
845 	if (ndopts.nd_opts_nonce && ndopts.nd_opts_nonce->nd_opt_len == 1)
846 		memcpy(&nonce, (u8 *)(ndopts.nd_opts_nonce + 1), 6);
847 
848 	inc = ipv6_addr_is_multicast(daddr);
849 
850 	ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
851 	if (ifp) {
852 have_ifp:
853 		if (ifp->flags & (IFA_F_TENTATIVE|IFA_F_OPTIMISTIC)) {
854 			if (dad) {
855 				if (nonce != 0 && ifp->dad_nonce == nonce) {
856 					u8 *np = (u8 *)&nonce;
857 					/* Matching nonce if looped back */
858 					ND_PRINTK(2, notice,
859 						  "%s: IPv6 DAD loopback for address %pI6c nonce %pM ignored\n",
860 						  ifp->idev->dev->name,
861 						  &ifp->addr, np);
862 					goto out;
863 				}
864 				/*
865 				 * We are colliding with another node
866 				 * who is doing DAD
867 				 * so fail our DAD process
868 				 */
869 				addrconf_dad_failure(skb, ifp);
870 				return reason;
871 			} else {
872 				/*
873 				 * This is not a dad solicitation.
874 				 * If we are an optimistic node,
875 				 * we should respond.
876 				 * Otherwise, we should ignore it.
877 				 */
878 				if (!(ifp->flags & IFA_F_OPTIMISTIC))
879 					goto out;
880 			}
881 		}
882 
883 		idev = ifp->idev;
884 	} else {
885 		struct net *net = dev_net(dev);
886 
887 		/* perhaps an address on the master device */
888 		if (netif_is_l3_slave(dev)) {
889 			struct net_device *mdev;
890 
891 			mdev = netdev_master_upper_dev_get_rcu(dev);
892 			if (mdev) {
893 				ifp = ipv6_get_ifaddr(net, &msg->target, mdev, 1);
894 				if (ifp)
895 					goto have_ifp;
896 			}
897 		}
898 
899 		idev = in6_dev_get(dev);
900 		if (!idev) {
901 			/* XXX: count this drop? */
902 			return reason;
903 		}
904 
905 		if (ipv6_chk_acast_addr(net, dev, &msg->target) ||
906 		    (idev->cnf.forwarding &&
907 		     (net->ipv6.devconf_all->proxy_ndp || idev->cnf.proxy_ndp) &&
908 		     (is_router = pndisc_is_router(&msg->target, dev)) >= 0)) {
909 			if (!(NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED) &&
910 			    skb->pkt_type != PACKET_HOST &&
911 			    inc &&
912 			    NEIGH_VAR(idev->nd_parms, PROXY_DELAY) != 0) {
913 				/*
914 				 * for anycast or proxy,
915 				 * sender should delay its response
916 				 * by a random time between 0 and
917 				 * MAX_ANYCAST_DELAY_TIME seconds.
918 				 * (RFC2461) -- yoshfuji
919 				 */
920 				struct sk_buff *n = skb_clone(skb, GFP_ATOMIC);
921 				if (n)
922 					pneigh_enqueue(&nd_tbl, idev->nd_parms, n);
923 				goto out;
924 			}
925 		} else {
926 			SKB_DR_SET(reason, IPV6_NDISC_NS_OTHERHOST);
927 			goto out;
928 		}
929 	}
930 
931 	if (is_router < 0)
932 		is_router = idev->cnf.forwarding;
933 
934 	if (dad) {
935 		ndisc_send_na(dev, &in6addr_linklocal_allnodes, &msg->target,
936 			      !!is_router, false, (ifp != NULL), true);
937 		goto out;
938 	}
939 
940 	if (inc)
941 		NEIGH_CACHE_STAT_INC(&nd_tbl, rcv_probes_mcast);
942 	else
943 		NEIGH_CACHE_STAT_INC(&nd_tbl, rcv_probes_ucast);
944 
945 	/*
946 	 *	update / create cache entry
947 	 *	for the source address
948 	 */
949 	neigh = __neigh_lookup(&nd_tbl, saddr, dev,
950 			       !inc || lladdr || !dev->addr_len);
951 	if (neigh)
952 		ndisc_update(dev, neigh, lladdr, NUD_STALE,
953 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
954 			     NEIGH_UPDATE_F_OVERRIDE,
955 			     NDISC_NEIGHBOUR_SOLICITATION, &ndopts);
956 	if (neigh || !dev->header_ops) {
957 		ndisc_send_na(dev, saddr, &msg->target, !!is_router,
958 			      true, (ifp != NULL && inc), inc);
959 		if (neigh)
960 			neigh_release(neigh);
961 		reason = SKB_CONSUMED;
962 	}
963 
964 out:
965 	if (ifp)
966 		in6_ifa_put(ifp);
967 	else
968 		in6_dev_put(idev);
969 	return reason;
970 }
971 
972 static int accept_untracked_na(struct net_device *dev, struct in6_addr *saddr)
973 {
974 	struct inet6_dev *idev = __in6_dev_get(dev);
975 
976 	switch (idev->cnf.accept_untracked_na) {
977 	case 0: /* Don't accept untracked na (absent in neighbor cache) */
978 		return 0;
979 	case 1: /* Create new entries from na if currently untracked */
980 		return 1;
981 	case 2: /* Create new entries from untracked na only if saddr is in the
982 		 * same subnet as an address configured on the interface that
983 		 * received the na
984 		 */
985 		return !!ipv6_chk_prefix(saddr, dev);
986 	default:
987 		return 0;
988 	}
989 }
990 
991 static enum skb_drop_reason ndisc_recv_na(struct sk_buff *skb)
992 {
993 	struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
994 	struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
995 	const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
996 	u8 *lladdr = NULL;
997 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
998 				    offsetof(struct nd_msg, opt));
999 	struct ndisc_options ndopts;
1000 	struct net_device *dev = skb->dev;
1001 	struct inet6_dev *idev = __in6_dev_get(dev);
1002 	struct inet6_ifaddr *ifp;
1003 	struct neighbour *neigh;
1004 	SKB_DR(reason);
1005 	u8 new_state;
1006 
1007 	if (skb->len < sizeof(struct nd_msg))
1008 		return SKB_DROP_REASON_PKT_TOO_SMALL;
1009 
1010 	if (ipv6_addr_is_multicast(&msg->target)) {
1011 		ND_PRINTK(2, warn, "NA: target address is multicast\n");
1012 		return reason;
1013 	}
1014 
1015 	if (ipv6_addr_is_multicast(daddr) &&
1016 	    msg->icmph.icmp6_solicited) {
1017 		ND_PRINTK(2, warn, "NA: solicited NA is multicasted\n");
1018 		return reason;
1019 	}
1020 
1021 	/* For some 802.11 wireless deployments (and possibly other networks),
1022 	 * there will be a NA proxy and unsolicitd packets are attacks
1023 	 * and thus should not be accepted.
1024 	 * drop_unsolicited_na takes precedence over accept_untracked_na
1025 	 */
1026 	if (!msg->icmph.icmp6_solicited && idev &&
1027 	    idev->cnf.drop_unsolicited_na)
1028 		return reason;
1029 
1030 	if (!ndisc_parse_options(dev, msg->opt, ndoptlen, &ndopts))
1031 		return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
1032 
1033 	if (ndopts.nd_opts_tgt_lladdr) {
1034 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_tgt_lladdr, dev);
1035 		if (!lladdr) {
1036 			ND_PRINTK(2, warn,
1037 				  "NA: invalid link-layer address length\n");
1038 			return reason;
1039 		}
1040 	}
1041 	ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
1042 	if (ifp) {
1043 		if (skb->pkt_type != PACKET_LOOPBACK
1044 		    && (ifp->flags & IFA_F_TENTATIVE)) {
1045 				addrconf_dad_failure(skb, ifp);
1046 				return reason;
1047 		}
1048 		/* What should we make now? The advertisement
1049 		   is invalid, but ndisc specs say nothing
1050 		   about it. It could be misconfiguration, or
1051 		   an smart proxy agent tries to help us :-)
1052 
1053 		   We should not print the error if NA has been
1054 		   received from loopback - it is just our own
1055 		   unsolicited advertisement.
1056 		 */
1057 		if (skb->pkt_type != PACKET_LOOPBACK)
1058 			ND_PRINTK(1, warn,
1059 				  "NA: %pM advertised our address %pI6c on %s!\n",
1060 				  eth_hdr(skb)->h_source, &ifp->addr, ifp->idev->dev->name);
1061 		in6_ifa_put(ifp);
1062 		return reason;
1063 	}
1064 
1065 	neigh = neigh_lookup(&nd_tbl, &msg->target, dev);
1066 
1067 	/* RFC 9131 updates original Neighbour Discovery RFC 4861.
1068 	 * NAs with Target LL Address option without a corresponding
1069 	 * entry in the neighbour cache can now create a STALE neighbour
1070 	 * cache entry on routers.
1071 	 *
1072 	 *   entry accept  fwding  solicited        behaviour
1073 	 * ------- ------  ------  ---------    ----------------------
1074 	 * present      X       X         0     Set state to STALE
1075 	 * present      X       X         1     Set state to REACHABLE
1076 	 *  absent      0       X         X     Do nothing
1077 	 *  absent      1       0         X     Do nothing
1078 	 *  absent      1       1         X     Add a new STALE entry
1079 	 *
1080 	 * Note that we don't do a (daddr == all-routers-mcast) check.
1081 	 */
1082 	new_state = msg->icmph.icmp6_solicited ? NUD_REACHABLE : NUD_STALE;
1083 	if (!neigh && lladdr && idev && idev->cnf.forwarding) {
1084 		if (accept_untracked_na(dev, saddr)) {
1085 			neigh = neigh_create(&nd_tbl, &msg->target, dev);
1086 			new_state = NUD_STALE;
1087 		}
1088 	}
1089 
1090 	if (neigh && !IS_ERR(neigh)) {
1091 		u8 old_flags = neigh->flags;
1092 		struct net *net = dev_net(dev);
1093 
1094 		if (READ_ONCE(neigh->nud_state) & NUD_FAILED)
1095 			goto out;
1096 
1097 		/*
1098 		 * Don't update the neighbor cache entry on a proxy NA from
1099 		 * ourselves because either the proxied node is off link or it
1100 		 * has already sent a NA to us.
1101 		 */
1102 		if (lladdr && !memcmp(lladdr, dev->dev_addr, dev->addr_len) &&
1103 		    net->ipv6.devconf_all->forwarding && net->ipv6.devconf_all->proxy_ndp &&
1104 		    pneigh_lookup(&nd_tbl, net, &msg->target, dev, 0)) {
1105 			/* XXX: idev->cnf.proxy_ndp */
1106 			goto out;
1107 		}
1108 
1109 		ndisc_update(dev, neigh, lladdr,
1110 			     new_state,
1111 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1112 			     (msg->icmph.icmp6_override ? NEIGH_UPDATE_F_OVERRIDE : 0)|
1113 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
1114 			     (msg->icmph.icmp6_router ? NEIGH_UPDATE_F_ISROUTER : 0),
1115 			     NDISC_NEIGHBOUR_ADVERTISEMENT, &ndopts);
1116 
1117 		if ((old_flags & ~neigh->flags) & NTF_ROUTER) {
1118 			/*
1119 			 * Change: router to host
1120 			 */
1121 			rt6_clean_tohost(dev_net(dev),  saddr);
1122 		}
1123 		reason = SKB_CONSUMED;
1124 out:
1125 		neigh_release(neigh);
1126 	}
1127 	return reason;
1128 }
1129 
1130 static enum skb_drop_reason ndisc_recv_rs(struct sk_buff *skb)
1131 {
1132 	struct rs_msg *rs_msg = (struct rs_msg *)skb_transport_header(skb);
1133 	unsigned long ndoptlen = skb->len - sizeof(*rs_msg);
1134 	struct neighbour *neigh;
1135 	struct inet6_dev *idev;
1136 	const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
1137 	struct ndisc_options ndopts;
1138 	u8 *lladdr = NULL;
1139 	SKB_DR(reason);
1140 
1141 	if (skb->len < sizeof(*rs_msg))
1142 		return SKB_DROP_REASON_PKT_TOO_SMALL;
1143 
1144 	idev = __in6_dev_get(skb->dev);
1145 	if (!idev) {
1146 		ND_PRINTK(1, err, "RS: can't find in6 device\n");
1147 		return reason;
1148 	}
1149 
1150 	/* Don't accept RS if we're not in router mode */
1151 	if (!idev->cnf.forwarding)
1152 		goto out;
1153 
1154 	/*
1155 	 * Don't update NCE if src = ::;
1156 	 * this implies that the source node has no ip address assigned yet.
1157 	 */
1158 	if (ipv6_addr_any(saddr))
1159 		goto out;
1160 
1161 	/* Parse ND options */
1162 	if (!ndisc_parse_options(skb->dev, rs_msg->opt, ndoptlen, &ndopts))
1163 		return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
1164 
1165 	if (ndopts.nd_opts_src_lladdr) {
1166 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
1167 					     skb->dev);
1168 		if (!lladdr)
1169 			goto out;
1170 	}
1171 
1172 	neigh = __neigh_lookup(&nd_tbl, saddr, skb->dev, 1);
1173 	if (neigh) {
1174 		ndisc_update(skb->dev, neigh, lladdr, NUD_STALE,
1175 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1176 			     NEIGH_UPDATE_F_OVERRIDE|
1177 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER,
1178 			     NDISC_ROUTER_SOLICITATION, &ndopts);
1179 		neigh_release(neigh);
1180 		reason = SKB_CONSUMED;
1181 	}
1182 out:
1183 	return reason;
1184 }
1185 
1186 static void ndisc_ra_useropt(struct sk_buff *ra, struct nd_opt_hdr *opt)
1187 {
1188 	struct icmp6hdr *icmp6h = (struct icmp6hdr *)skb_transport_header(ra);
1189 	struct sk_buff *skb;
1190 	struct nlmsghdr *nlh;
1191 	struct nduseroptmsg *ndmsg;
1192 	struct net *net = dev_net(ra->dev);
1193 	int err;
1194 	int base_size = NLMSG_ALIGN(sizeof(struct nduseroptmsg)
1195 				    + (opt->nd_opt_len << 3));
1196 	size_t msg_size = base_size + nla_total_size(sizeof(struct in6_addr));
1197 
1198 	skb = nlmsg_new(msg_size, GFP_ATOMIC);
1199 	if (!skb) {
1200 		err = -ENOBUFS;
1201 		goto errout;
1202 	}
1203 
1204 	nlh = nlmsg_put(skb, 0, 0, RTM_NEWNDUSEROPT, base_size, 0);
1205 	if (!nlh) {
1206 		goto nla_put_failure;
1207 	}
1208 
1209 	ndmsg = nlmsg_data(nlh);
1210 	ndmsg->nduseropt_family = AF_INET6;
1211 	ndmsg->nduseropt_ifindex = ra->dev->ifindex;
1212 	ndmsg->nduseropt_icmp_type = icmp6h->icmp6_type;
1213 	ndmsg->nduseropt_icmp_code = icmp6h->icmp6_code;
1214 	ndmsg->nduseropt_opts_len = opt->nd_opt_len << 3;
1215 
1216 	memcpy(ndmsg + 1, opt, opt->nd_opt_len << 3);
1217 
1218 	if (nla_put_in6_addr(skb, NDUSEROPT_SRCADDR, &ipv6_hdr(ra)->saddr))
1219 		goto nla_put_failure;
1220 	nlmsg_end(skb, nlh);
1221 
1222 	rtnl_notify(skb, net, 0, RTNLGRP_ND_USEROPT, NULL, GFP_ATOMIC);
1223 	return;
1224 
1225 nla_put_failure:
1226 	nlmsg_free(skb);
1227 	err = -EMSGSIZE;
1228 errout:
1229 	rtnl_set_sk_err(net, RTNLGRP_ND_USEROPT, err);
1230 }
1231 
1232 static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb)
1233 {
1234 	struct ra_msg *ra_msg = (struct ra_msg *)skb_transport_header(skb);
1235 	bool send_ifinfo_notify = false;
1236 	struct neighbour *neigh = NULL;
1237 	struct ndisc_options ndopts;
1238 	struct fib6_info *rt = NULL;
1239 	struct inet6_dev *in6_dev;
1240 	u32 defrtr_usr_metric;
1241 	unsigned int pref = 0;
1242 	__u32 old_if_flags;
1243 	struct net *net;
1244 	SKB_DR(reason);
1245 	int lifetime;
1246 	int optlen;
1247 
1248 	__u8 *opt = (__u8 *)(ra_msg + 1);
1249 
1250 	optlen = (skb_tail_pointer(skb) - skb_transport_header(skb)) -
1251 		sizeof(struct ra_msg);
1252 
1253 	ND_PRINTK(2, info,
1254 		  "RA: %s, dev: %s\n",
1255 		  __func__, skb->dev->name);
1256 	if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
1257 		ND_PRINTK(2, warn, "RA: source address is not link-local\n");
1258 		return reason;
1259 	}
1260 	if (optlen < 0)
1261 		return SKB_DROP_REASON_PKT_TOO_SMALL;
1262 
1263 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1264 	if (skb->ndisc_nodetype == NDISC_NODETYPE_HOST) {
1265 		ND_PRINTK(2, warn, "RA: from host or unauthorized router\n");
1266 		return reason;
1267 	}
1268 #endif
1269 
1270 	/*
1271 	 *	set the RA_RECV flag in the interface
1272 	 */
1273 
1274 	in6_dev = __in6_dev_get(skb->dev);
1275 	if (!in6_dev) {
1276 		ND_PRINTK(0, err, "RA: can't find inet6 device for %s\n",
1277 			  skb->dev->name);
1278 		return reason;
1279 	}
1280 
1281 	if (!ndisc_parse_options(skb->dev, opt, optlen, &ndopts))
1282 		return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
1283 
1284 	if (!ipv6_accept_ra(in6_dev)) {
1285 		ND_PRINTK(2, info,
1286 			  "RA: %s, did not accept ra for dev: %s\n",
1287 			  __func__, skb->dev->name);
1288 		goto skip_linkparms;
1289 	}
1290 
1291 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1292 	/* skip link-specific parameters from interior routers */
1293 	if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT) {
1294 		ND_PRINTK(2, info,
1295 			  "RA: %s, nodetype is NODEFAULT, dev: %s\n",
1296 			  __func__, skb->dev->name);
1297 		goto skip_linkparms;
1298 	}
1299 #endif
1300 
1301 	if (in6_dev->if_flags & IF_RS_SENT) {
1302 		/*
1303 		 *	flag that an RA was received after an RS was sent
1304 		 *	out on this interface.
1305 		 */
1306 		in6_dev->if_flags |= IF_RA_RCVD;
1307 	}
1308 
1309 	/*
1310 	 * Remember the managed/otherconf flags from most recently
1311 	 * received RA message (RFC 2462) -- yoshfuji
1312 	 */
1313 	old_if_flags = in6_dev->if_flags;
1314 	in6_dev->if_flags = (in6_dev->if_flags & ~(IF_RA_MANAGED |
1315 				IF_RA_OTHERCONF)) |
1316 				(ra_msg->icmph.icmp6_addrconf_managed ?
1317 					IF_RA_MANAGED : 0) |
1318 				(ra_msg->icmph.icmp6_addrconf_other ?
1319 					IF_RA_OTHERCONF : 0);
1320 
1321 	if (old_if_flags != in6_dev->if_flags)
1322 		send_ifinfo_notify = true;
1323 
1324 	if (!in6_dev->cnf.accept_ra_defrtr) {
1325 		ND_PRINTK(2, info,
1326 			  "RA: %s, defrtr is false for dev: %s\n",
1327 			  __func__, skb->dev->name);
1328 		goto skip_defrtr;
1329 	}
1330 
1331 	/* Do not accept RA with source-addr found on local machine unless
1332 	 * accept_ra_from_local is set to true.
1333 	 */
1334 	net = dev_net(in6_dev->dev);
1335 	if (!in6_dev->cnf.accept_ra_from_local &&
1336 	    ipv6_chk_addr(net, &ipv6_hdr(skb)->saddr, in6_dev->dev, 0)) {
1337 		ND_PRINTK(2, info,
1338 			  "RA from local address detected on dev: %s: default router ignored\n",
1339 			  skb->dev->name);
1340 		goto skip_defrtr;
1341 	}
1342 
1343 	lifetime = ntohs(ra_msg->icmph.icmp6_rt_lifetime);
1344 
1345 #ifdef CONFIG_IPV6_ROUTER_PREF
1346 	pref = ra_msg->icmph.icmp6_router_pref;
1347 	/* 10b is handled as if it were 00b (medium) */
1348 	if (pref == ICMPV6_ROUTER_PREF_INVALID ||
1349 	    !in6_dev->cnf.accept_ra_rtr_pref)
1350 		pref = ICMPV6_ROUTER_PREF_MEDIUM;
1351 #endif
1352 	/* routes added from RAs do not use nexthop objects */
1353 	rt = rt6_get_dflt_router(net, &ipv6_hdr(skb)->saddr, skb->dev);
1354 	if (rt) {
1355 		neigh = ip6_neigh_lookup(&rt->fib6_nh->fib_nh_gw6,
1356 					 rt->fib6_nh->fib_nh_dev, NULL,
1357 					  &ipv6_hdr(skb)->saddr);
1358 		if (!neigh) {
1359 			ND_PRINTK(0, err,
1360 				  "RA: %s got default router without neighbour\n",
1361 				  __func__);
1362 			fib6_info_release(rt);
1363 			return reason;
1364 		}
1365 	}
1366 	/* Set default route metric as specified by user */
1367 	defrtr_usr_metric = in6_dev->cnf.ra_defrtr_metric;
1368 	/* delete the route if lifetime is 0 or if metric needs change */
1369 	if (rt && (lifetime == 0 || rt->fib6_metric != defrtr_usr_metric)) {
1370 		ip6_del_rt(net, rt, false);
1371 		rt = NULL;
1372 	}
1373 
1374 	ND_PRINTK(3, info, "RA: rt: %p  lifetime: %d, metric: %d, for dev: %s\n",
1375 		  rt, lifetime, defrtr_usr_metric, skb->dev->name);
1376 	if (!rt && lifetime) {
1377 		ND_PRINTK(3, info, "RA: adding default router\n");
1378 
1379 		if (neigh)
1380 			neigh_release(neigh);
1381 
1382 		rt = rt6_add_dflt_router(net, &ipv6_hdr(skb)->saddr,
1383 					 skb->dev, pref, defrtr_usr_metric);
1384 		if (!rt) {
1385 			ND_PRINTK(0, err,
1386 				  "RA: %s failed to add default route\n",
1387 				  __func__);
1388 			return reason;
1389 		}
1390 
1391 		neigh = ip6_neigh_lookup(&rt->fib6_nh->fib_nh_gw6,
1392 					 rt->fib6_nh->fib_nh_dev, NULL,
1393 					  &ipv6_hdr(skb)->saddr);
1394 		if (!neigh) {
1395 			ND_PRINTK(0, err,
1396 				  "RA: %s got default router without neighbour\n",
1397 				  __func__);
1398 			fib6_info_release(rt);
1399 			return reason;
1400 		}
1401 		neigh->flags |= NTF_ROUTER;
1402 	} else if (rt && IPV6_EXTRACT_PREF(rt->fib6_flags) != pref) {
1403 		struct nl_info nlinfo = {
1404 			.nl_net = net,
1405 		};
1406 		rt->fib6_flags = (rt->fib6_flags & ~RTF_PREF_MASK) | RTF_PREF(pref);
1407 		inet6_rt_notify(RTM_NEWROUTE, rt, &nlinfo, NLM_F_REPLACE);
1408 	}
1409 
1410 	if (rt)
1411 		fib6_set_expires(rt, jiffies + (HZ * lifetime));
1412 	if (in6_dev->cnf.accept_ra_min_hop_limit < 256 &&
1413 	    ra_msg->icmph.icmp6_hop_limit) {
1414 		if (in6_dev->cnf.accept_ra_min_hop_limit <= ra_msg->icmph.icmp6_hop_limit) {
1415 			in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
1416 			fib6_metric_set(rt, RTAX_HOPLIMIT,
1417 					ra_msg->icmph.icmp6_hop_limit);
1418 		} else {
1419 			ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than minimum\n");
1420 		}
1421 	}
1422 
1423 skip_defrtr:
1424 
1425 	/*
1426 	 *	Update Reachable Time and Retrans Timer
1427 	 */
1428 
1429 	if (in6_dev->nd_parms) {
1430 		unsigned long rtime = ntohl(ra_msg->retrans_timer);
1431 
1432 		if (rtime && rtime/1000 < MAX_SCHEDULE_TIMEOUT/HZ) {
1433 			rtime = (rtime*HZ)/1000;
1434 			if (rtime < HZ/100)
1435 				rtime = HZ/100;
1436 			NEIGH_VAR_SET(in6_dev->nd_parms, RETRANS_TIME, rtime);
1437 			in6_dev->tstamp = jiffies;
1438 			send_ifinfo_notify = true;
1439 		}
1440 
1441 		rtime = ntohl(ra_msg->reachable_time);
1442 		if (rtime && rtime/1000 < MAX_SCHEDULE_TIMEOUT/(3*HZ)) {
1443 			rtime = (rtime*HZ)/1000;
1444 
1445 			if (rtime < HZ/10)
1446 				rtime = HZ/10;
1447 
1448 			if (rtime != NEIGH_VAR(in6_dev->nd_parms, BASE_REACHABLE_TIME)) {
1449 				NEIGH_VAR_SET(in6_dev->nd_parms,
1450 					      BASE_REACHABLE_TIME, rtime);
1451 				NEIGH_VAR_SET(in6_dev->nd_parms,
1452 					      GC_STALETIME, 3 * rtime);
1453 				in6_dev->nd_parms->reachable_time = neigh_rand_reach_time(rtime);
1454 				in6_dev->tstamp = jiffies;
1455 				send_ifinfo_notify = true;
1456 			}
1457 		}
1458 	}
1459 
1460 skip_linkparms:
1461 
1462 	/*
1463 	 *	Process options.
1464 	 */
1465 
1466 	if (!neigh)
1467 		neigh = __neigh_lookup(&nd_tbl, &ipv6_hdr(skb)->saddr,
1468 				       skb->dev, 1);
1469 	if (neigh) {
1470 		u8 *lladdr = NULL;
1471 		if (ndopts.nd_opts_src_lladdr) {
1472 			lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
1473 						     skb->dev);
1474 			if (!lladdr) {
1475 				ND_PRINTK(2, warn,
1476 					  "RA: invalid link-layer address length\n");
1477 				goto out;
1478 			}
1479 		}
1480 		ndisc_update(skb->dev, neigh, lladdr, NUD_STALE,
1481 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1482 			     NEIGH_UPDATE_F_OVERRIDE|
1483 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
1484 			     NEIGH_UPDATE_F_ISROUTER,
1485 			     NDISC_ROUTER_ADVERTISEMENT, &ndopts);
1486 		reason = SKB_CONSUMED;
1487 	}
1488 
1489 	if (!ipv6_accept_ra(in6_dev)) {
1490 		ND_PRINTK(2, info,
1491 			  "RA: %s, accept_ra is false for dev: %s\n",
1492 			  __func__, skb->dev->name);
1493 		goto out;
1494 	}
1495 
1496 #ifdef CONFIG_IPV6_ROUTE_INFO
1497 	if (!in6_dev->cnf.accept_ra_from_local &&
1498 	    ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
1499 			  in6_dev->dev, 0)) {
1500 		ND_PRINTK(2, info,
1501 			  "RA from local address detected on dev: %s: router info ignored.\n",
1502 			  skb->dev->name);
1503 		goto skip_routeinfo;
1504 	}
1505 
1506 	if (in6_dev->cnf.accept_ra_rtr_pref && ndopts.nd_opts_ri) {
1507 		struct nd_opt_hdr *p;
1508 		for (p = ndopts.nd_opts_ri;
1509 		     p;
1510 		     p = ndisc_next_option(p, ndopts.nd_opts_ri_end)) {
1511 			struct route_info *ri = (struct route_info *)p;
1512 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1513 			if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT &&
1514 			    ri->prefix_len == 0)
1515 				continue;
1516 #endif
1517 			if (ri->prefix_len == 0 &&
1518 			    !in6_dev->cnf.accept_ra_defrtr)
1519 				continue;
1520 			if (ri->prefix_len < in6_dev->cnf.accept_ra_rt_info_min_plen)
1521 				continue;
1522 			if (ri->prefix_len > in6_dev->cnf.accept_ra_rt_info_max_plen)
1523 				continue;
1524 			rt6_route_rcv(skb->dev, (u8 *)p, (p->nd_opt_len) << 3,
1525 				      &ipv6_hdr(skb)->saddr);
1526 		}
1527 	}
1528 
1529 skip_routeinfo:
1530 #endif
1531 
1532 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1533 	/* skip link-specific ndopts from interior routers */
1534 	if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT) {
1535 		ND_PRINTK(2, info,
1536 			  "RA: %s, nodetype is NODEFAULT (interior routes), dev: %s\n",
1537 			  __func__, skb->dev->name);
1538 		goto out;
1539 	}
1540 #endif
1541 
1542 	if (in6_dev->cnf.accept_ra_pinfo && ndopts.nd_opts_pi) {
1543 		struct nd_opt_hdr *p;
1544 		for (p = ndopts.nd_opts_pi;
1545 		     p;
1546 		     p = ndisc_next_option(p, ndopts.nd_opts_pi_end)) {
1547 			addrconf_prefix_rcv(skb->dev, (u8 *)p,
1548 					    (p->nd_opt_len) << 3,
1549 					    ndopts.nd_opts_src_lladdr != NULL);
1550 		}
1551 	}
1552 
1553 	if (ndopts.nd_opts_mtu && in6_dev->cnf.accept_ra_mtu) {
1554 		__be32 n;
1555 		u32 mtu;
1556 
1557 		memcpy(&n, ((u8 *)(ndopts.nd_opts_mtu+1))+2, sizeof(mtu));
1558 		mtu = ntohl(n);
1559 
1560 		if (in6_dev->ra_mtu != mtu) {
1561 			in6_dev->ra_mtu = mtu;
1562 			send_ifinfo_notify = true;
1563 		}
1564 
1565 		if (mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) {
1566 			ND_PRINTK(2, warn, "RA: invalid mtu: %d\n", mtu);
1567 		} else if (in6_dev->cnf.mtu6 != mtu) {
1568 			in6_dev->cnf.mtu6 = mtu;
1569 			fib6_metric_set(rt, RTAX_MTU, mtu);
1570 			rt6_mtu_change(skb->dev, mtu);
1571 		}
1572 	}
1573 
1574 	if (ndopts.nd_useropts) {
1575 		struct nd_opt_hdr *p;
1576 		for (p = ndopts.nd_useropts;
1577 		     p;
1578 		     p = ndisc_next_useropt(skb->dev, p,
1579 					    ndopts.nd_useropts_end)) {
1580 			ndisc_ra_useropt(skb, p);
1581 		}
1582 	}
1583 
1584 	if (ndopts.nd_opts_tgt_lladdr || ndopts.nd_opts_rh) {
1585 		ND_PRINTK(2, warn, "RA: invalid RA options\n");
1586 	}
1587 out:
1588 	/* Send a notify if RA changed managed/otherconf flags or
1589 	 * timer settings or ra_mtu value
1590 	 */
1591 	if (send_ifinfo_notify)
1592 		inet6_ifinfo_notify(RTM_NEWLINK, in6_dev);
1593 
1594 	fib6_info_release(rt);
1595 	if (neigh)
1596 		neigh_release(neigh);
1597 	return reason;
1598 }
1599 
1600 static enum skb_drop_reason ndisc_redirect_rcv(struct sk_buff *skb)
1601 {
1602 	struct rd_msg *msg = (struct rd_msg *)skb_transport_header(skb);
1603 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
1604 				    offsetof(struct rd_msg, opt));
1605 	struct ndisc_options ndopts;
1606 	SKB_DR(reason);
1607 	u8 *hdr;
1608 
1609 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1610 	switch (skb->ndisc_nodetype) {
1611 	case NDISC_NODETYPE_HOST:
1612 	case NDISC_NODETYPE_NODEFAULT:
1613 		ND_PRINTK(2, warn,
1614 			  "Redirect: from host or unauthorized router\n");
1615 		return reason;
1616 	}
1617 #endif
1618 
1619 	if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
1620 		ND_PRINTK(2, warn,
1621 			  "Redirect: source address is not link-local\n");
1622 		return reason;
1623 	}
1624 
1625 	if (!ndisc_parse_options(skb->dev, msg->opt, ndoptlen, &ndopts))
1626 		return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
1627 
1628 	if (!ndopts.nd_opts_rh) {
1629 		ip6_redirect_no_header(skb, dev_net(skb->dev),
1630 					skb->dev->ifindex);
1631 		return reason;
1632 	}
1633 
1634 	hdr = (u8 *)ndopts.nd_opts_rh;
1635 	hdr += 8;
1636 	if (!pskb_pull(skb, hdr - skb_transport_header(skb)))
1637 		return SKB_DROP_REASON_PKT_TOO_SMALL;
1638 
1639 	return icmpv6_notify(skb, NDISC_REDIRECT, 0, 0);
1640 }
1641 
1642 static void ndisc_fill_redirect_hdr_option(struct sk_buff *skb,
1643 					   struct sk_buff *orig_skb,
1644 					   int rd_len)
1645 {
1646 	u8 *opt = skb_put(skb, rd_len);
1647 
1648 	memset(opt, 0, 8);
1649 	*(opt++) = ND_OPT_REDIRECT_HDR;
1650 	*(opt++) = (rd_len >> 3);
1651 	opt += 6;
1652 
1653 	skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt,
1654 		      rd_len - 8);
1655 }
1656 
1657 void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
1658 {
1659 	struct net_device *dev = skb->dev;
1660 	struct net *net = dev_net(dev);
1661 	struct sock *sk = net->ipv6.ndisc_sk;
1662 	int optlen = 0;
1663 	struct inet_peer *peer;
1664 	struct sk_buff *buff;
1665 	struct rd_msg *msg;
1666 	struct in6_addr saddr_buf;
1667 	struct rt6_info *rt;
1668 	struct dst_entry *dst;
1669 	struct flowi6 fl6;
1670 	int rd_len;
1671 	u8 ha_buf[MAX_ADDR_LEN], *ha = NULL,
1672 	   ops_data_buf[NDISC_OPS_REDIRECT_DATA_SPACE], *ops_data = NULL;
1673 	bool ret;
1674 
1675 	if (netif_is_l3_master(skb->dev)) {
1676 		dev = __dev_get_by_index(dev_net(skb->dev), IPCB(skb)->iif);
1677 		if (!dev)
1678 			return;
1679 	}
1680 
1681 	if (ipv6_get_lladdr(dev, &saddr_buf, IFA_F_TENTATIVE)) {
1682 		ND_PRINTK(2, warn, "Redirect: no link-local address on %s\n",
1683 			  dev->name);
1684 		return;
1685 	}
1686 
1687 	if (!ipv6_addr_equal(&ipv6_hdr(skb)->daddr, target) &&
1688 	    ipv6_addr_type(target) != (IPV6_ADDR_UNICAST|IPV6_ADDR_LINKLOCAL)) {
1689 		ND_PRINTK(2, warn,
1690 			  "Redirect: target address is not link-local unicast\n");
1691 		return;
1692 	}
1693 
1694 	icmpv6_flow_init(sk, &fl6, NDISC_REDIRECT,
1695 			 &saddr_buf, &ipv6_hdr(skb)->saddr, dev->ifindex);
1696 
1697 	dst = ip6_route_output(net, NULL, &fl6);
1698 	if (dst->error) {
1699 		dst_release(dst);
1700 		return;
1701 	}
1702 	dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
1703 	if (IS_ERR(dst))
1704 		return;
1705 
1706 	rt = (struct rt6_info *) dst;
1707 
1708 	if (rt->rt6i_flags & RTF_GATEWAY) {
1709 		ND_PRINTK(2, warn,
1710 			  "Redirect: destination is not a neighbour\n");
1711 		goto release;
1712 	}
1713 	peer = inet_getpeer_v6(net->ipv6.peers, &ipv6_hdr(skb)->saddr, 1);
1714 	ret = inet_peer_xrlim_allow(peer, 1*HZ);
1715 	if (peer)
1716 		inet_putpeer(peer);
1717 	if (!ret)
1718 		goto release;
1719 
1720 	if (dev->addr_len) {
1721 		struct neighbour *neigh = dst_neigh_lookup(skb_dst(skb), target);
1722 		if (!neigh) {
1723 			ND_PRINTK(2, warn,
1724 				  "Redirect: no neigh for target address\n");
1725 			goto release;
1726 		}
1727 
1728 		read_lock_bh(&neigh->lock);
1729 		if (neigh->nud_state & NUD_VALID) {
1730 			memcpy(ha_buf, neigh->ha, dev->addr_len);
1731 			read_unlock_bh(&neigh->lock);
1732 			ha = ha_buf;
1733 			optlen += ndisc_redirect_opt_addr_space(dev, neigh,
1734 								ops_data_buf,
1735 								&ops_data);
1736 		} else
1737 			read_unlock_bh(&neigh->lock);
1738 
1739 		neigh_release(neigh);
1740 	}
1741 
1742 	rd_len = min_t(unsigned int,
1743 		       IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(*msg) - optlen,
1744 		       skb->len + 8);
1745 	rd_len &= ~0x7;
1746 	optlen += rd_len;
1747 
1748 	buff = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
1749 	if (!buff)
1750 		goto release;
1751 
1752 	msg = skb_put(buff, sizeof(*msg));
1753 	*msg = (struct rd_msg) {
1754 		.icmph = {
1755 			.icmp6_type = NDISC_REDIRECT,
1756 		},
1757 		.target = *target,
1758 		.dest = ipv6_hdr(skb)->daddr,
1759 	};
1760 
1761 	/*
1762 	 *	include target_address option
1763 	 */
1764 
1765 	if (ha)
1766 		ndisc_fill_redirect_addr_option(buff, ha, ops_data);
1767 
1768 	/*
1769 	 *	build redirect option and copy skb over to the new packet.
1770 	 */
1771 
1772 	if (rd_len)
1773 		ndisc_fill_redirect_hdr_option(buff, skb, rd_len);
1774 
1775 	skb_dst_set(buff, dst);
1776 	ndisc_send_skb(buff, &ipv6_hdr(skb)->saddr, &saddr_buf);
1777 	return;
1778 
1779 release:
1780 	dst_release(dst);
1781 }
1782 
1783 static void pndisc_redo(struct sk_buff *skb)
1784 {
1785 	enum skb_drop_reason reason = ndisc_recv_ns(skb);
1786 
1787 	kfree_skb_reason(skb, reason);
1788 }
1789 
1790 static int ndisc_is_multicast(const void *pkey)
1791 {
1792 	return ipv6_addr_is_multicast((struct in6_addr *)pkey);
1793 }
1794 
1795 static bool ndisc_suppress_frag_ndisc(struct sk_buff *skb)
1796 {
1797 	struct inet6_dev *idev = __in6_dev_get(skb->dev);
1798 
1799 	if (!idev)
1800 		return true;
1801 	if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED &&
1802 	    idev->cnf.suppress_frag_ndisc) {
1803 		net_warn_ratelimited("Received fragmented ndisc packet. Carefully consider disabling suppress_frag_ndisc.\n");
1804 		return true;
1805 	}
1806 	return false;
1807 }
1808 
1809 enum skb_drop_reason ndisc_rcv(struct sk_buff *skb)
1810 {
1811 	struct nd_msg *msg;
1812 	SKB_DR(reason);
1813 
1814 	if (ndisc_suppress_frag_ndisc(skb))
1815 		return SKB_DROP_REASON_IPV6_NDISC_FRAG;
1816 
1817 	if (skb_linearize(skb))
1818 		return SKB_DROP_REASON_NOMEM;
1819 
1820 	msg = (struct nd_msg *)skb_transport_header(skb);
1821 
1822 	__skb_push(skb, skb->data - skb_transport_header(skb));
1823 
1824 	if (ipv6_hdr(skb)->hop_limit != 255) {
1825 		ND_PRINTK(2, warn, "NDISC: invalid hop-limit: %d\n",
1826 			  ipv6_hdr(skb)->hop_limit);
1827 		return SKB_DROP_REASON_IPV6_NDISC_HOP_LIMIT;
1828 	}
1829 
1830 	if (msg->icmph.icmp6_code != 0) {
1831 		ND_PRINTK(2, warn, "NDISC: invalid ICMPv6 code: %d\n",
1832 			  msg->icmph.icmp6_code);
1833 		return SKB_DROP_REASON_IPV6_NDISC_BAD_CODE;
1834 	}
1835 
1836 	switch (msg->icmph.icmp6_type) {
1837 	case NDISC_NEIGHBOUR_SOLICITATION:
1838 		memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
1839 		reason = ndisc_recv_ns(skb);
1840 		break;
1841 
1842 	case NDISC_NEIGHBOUR_ADVERTISEMENT:
1843 		reason = ndisc_recv_na(skb);
1844 		break;
1845 
1846 	case NDISC_ROUTER_SOLICITATION:
1847 		reason = ndisc_recv_rs(skb);
1848 		break;
1849 
1850 	case NDISC_ROUTER_ADVERTISEMENT:
1851 		reason = ndisc_router_discovery(skb);
1852 		break;
1853 
1854 	case NDISC_REDIRECT:
1855 		reason = ndisc_redirect_rcv(skb);
1856 		break;
1857 	}
1858 
1859 	return reason;
1860 }
1861 
1862 static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
1863 {
1864 	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
1865 	struct netdev_notifier_change_info *change_info;
1866 	struct net *net = dev_net(dev);
1867 	struct inet6_dev *idev;
1868 	bool evict_nocarrier;
1869 
1870 	switch (event) {
1871 	case NETDEV_CHANGEADDR:
1872 		neigh_changeaddr(&nd_tbl, dev);
1873 		fib6_run_gc(0, net, false);
1874 		fallthrough;
1875 	case NETDEV_UP:
1876 		idev = in6_dev_get(dev);
1877 		if (!idev)
1878 			break;
1879 		if (idev->cnf.ndisc_notify ||
1880 		    net->ipv6.devconf_all->ndisc_notify)
1881 			ndisc_send_unsol_na(dev);
1882 		in6_dev_put(idev);
1883 		break;
1884 	case NETDEV_CHANGE:
1885 		idev = in6_dev_get(dev);
1886 		if (!idev)
1887 			evict_nocarrier = true;
1888 		else {
1889 			evict_nocarrier = idev->cnf.ndisc_evict_nocarrier &&
1890 					  net->ipv6.devconf_all->ndisc_evict_nocarrier;
1891 			in6_dev_put(idev);
1892 		}
1893 
1894 		change_info = ptr;
1895 		if (change_info->flags_changed & IFF_NOARP)
1896 			neigh_changeaddr(&nd_tbl, dev);
1897 		if (evict_nocarrier && !netif_carrier_ok(dev))
1898 			neigh_carrier_down(&nd_tbl, dev);
1899 		break;
1900 	case NETDEV_DOWN:
1901 		neigh_ifdown(&nd_tbl, dev);
1902 		fib6_run_gc(0, net, false);
1903 		break;
1904 	case NETDEV_NOTIFY_PEERS:
1905 		ndisc_send_unsol_na(dev);
1906 		break;
1907 	default:
1908 		break;
1909 	}
1910 
1911 	return NOTIFY_DONE;
1912 }
1913 
1914 static struct notifier_block ndisc_netdev_notifier = {
1915 	.notifier_call = ndisc_netdev_event,
1916 	.priority = ADDRCONF_NOTIFY_PRIORITY - 5,
1917 };
1918 
1919 #ifdef CONFIG_SYSCTL
1920 static void ndisc_warn_deprecated_sysctl(struct ctl_table *ctl,
1921 					 const char *func, const char *dev_name)
1922 {
1923 	static char warncomm[TASK_COMM_LEN];
1924 	static int warned;
1925 	if (strcmp(warncomm, current->comm) && warned < 5) {
1926 		strcpy(warncomm, current->comm);
1927 		pr_warn("process `%s' is using deprecated sysctl (%s) net.ipv6.neigh.%s.%s - use net.ipv6.neigh.%s.%s_ms instead\n",
1928 			warncomm, func,
1929 			dev_name, ctl->procname,
1930 			dev_name, ctl->procname);
1931 		warned++;
1932 	}
1933 }
1934 
1935 int ndisc_ifinfo_sysctl_change(struct ctl_table *ctl, int write, void *buffer,
1936 		size_t *lenp, loff_t *ppos)
1937 {
1938 	struct net_device *dev = ctl->extra1;
1939 	struct inet6_dev *idev;
1940 	int ret;
1941 
1942 	if ((strcmp(ctl->procname, "retrans_time") == 0) ||
1943 	    (strcmp(ctl->procname, "base_reachable_time") == 0))
1944 		ndisc_warn_deprecated_sysctl(ctl, "syscall", dev ? dev->name : "default");
1945 
1946 	if (strcmp(ctl->procname, "retrans_time") == 0)
1947 		ret = neigh_proc_dointvec(ctl, write, buffer, lenp, ppos);
1948 
1949 	else if (strcmp(ctl->procname, "base_reachable_time") == 0)
1950 		ret = neigh_proc_dointvec_jiffies(ctl, write,
1951 						  buffer, lenp, ppos);
1952 
1953 	else if ((strcmp(ctl->procname, "retrans_time_ms") == 0) ||
1954 		 (strcmp(ctl->procname, "base_reachable_time_ms") == 0))
1955 		ret = neigh_proc_dointvec_ms_jiffies(ctl, write,
1956 						     buffer, lenp, ppos);
1957 	else
1958 		ret = -1;
1959 
1960 	if (write && ret == 0 && dev && (idev = in6_dev_get(dev)) != NULL) {
1961 		if (ctl->data == &NEIGH_VAR(idev->nd_parms, BASE_REACHABLE_TIME))
1962 			idev->nd_parms->reachable_time =
1963 					neigh_rand_reach_time(NEIGH_VAR(idev->nd_parms, BASE_REACHABLE_TIME));
1964 		idev->tstamp = jiffies;
1965 		inet6_ifinfo_notify(RTM_NEWLINK, idev);
1966 		in6_dev_put(idev);
1967 	}
1968 	return ret;
1969 }
1970 
1971 
1972 #endif
1973 
1974 static int __net_init ndisc_net_init(struct net *net)
1975 {
1976 	struct ipv6_pinfo *np;
1977 	struct sock *sk;
1978 	int err;
1979 
1980 	err = inet_ctl_sock_create(&sk, PF_INET6,
1981 				   SOCK_RAW, IPPROTO_ICMPV6, net);
1982 	if (err < 0) {
1983 		ND_PRINTK(0, err,
1984 			  "NDISC: Failed to initialize the control socket (err %d)\n",
1985 			  err);
1986 		return err;
1987 	}
1988 
1989 	net->ipv6.ndisc_sk = sk;
1990 
1991 	np = inet6_sk(sk);
1992 	np->hop_limit = 255;
1993 	/* Do not loopback ndisc messages */
1994 	np->mc_loop = 0;
1995 
1996 	return 0;
1997 }
1998 
1999 static void __net_exit ndisc_net_exit(struct net *net)
2000 {
2001 	inet_ctl_sock_destroy(net->ipv6.ndisc_sk);
2002 }
2003 
2004 static struct pernet_operations ndisc_net_ops = {
2005 	.init = ndisc_net_init,
2006 	.exit = ndisc_net_exit,
2007 };
2008 
2009 int __init ndisc_init(void)
2010 {
2011 	int err;
2012 
2013 	err = register_pernet_subsys(&ndisc_net_ops);
2014 	if (err)
2015 		return err;
2016 	/*
2017 	 * Initialize the neighbour table
2018 	 */
2019 	neigh_table_init(NEIGH_ND_TABLE, &nd_tbl);
2020 
2021 #ifdef CONFIG_SYSCTL
2022 	err = neigh_sysctl_register(NULL, &nd_tbl.parms,
2023 				    ndisc_ifinfo_sysctl_change);
2024 	if (err)
2025 		goto out_unregister_pernet;
2026 out:
2027 #endif
2028 	return err;
2029 
2030 #ifdef CONFIG_SYSCTL
2031 out_unregister_pernet:
2032 	unregister_pernet_subsys(&ndisc_net_ops);
2033 	goto out;
2034 #endif
2035 }
2036 
2037 int __init ndisc_late_init(void)
2038 {
2039 	return register_netdevice_notifier(&ndisc_netdev_notifier);
2040 }
2041 
2042 void ndisc_late_cleanup(void)
2043 {
2044 	unregister_netdevice_notifier(&ndisc_netdev_notifier);
2045 }
2046 
2047 void ndisc_cleanup(void)
2048 {
2049 #ifdef CONFIG_SYSCTL
2050 	neigh_sysctl_unregister(&nd_tbl.parms);
2051 #endif
2052 	neigh_table_clear(NEIGH_ND_TABLE, &nd_tbl);
2053 	unregister_pernet_subsys(&ndisc_net_ops);
2054 }
2055