1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22/*
23 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
25 * Copyright 2019 Joyent, Inc.
26 * Copyright (c) 2014, 2016 by Delphix. All rights reserved.
27 */
28
29/* This file contains all TCP input processing functions. */
30
31#include <sys/types.h>
32#include <sys/stream.h>
33#include <sys/strsun.h>
34#include <sys/strsubr.h>
35#include <sys/stropts.h>
36#include <sys/strlog.h>
37#define	_SUN_TPI_VERSION 2
38#include <sys/tihdr.h>
39#include <sys/suntpi.h>
40#include <sys/xti_inet.h>
41#include <sys/squeue_impl.h>
42#include <sys/squeue.h>
43#include <sys/tsol/tnet.h>
44
45#include <inet/common.h>
46#include <inet/ip.h>
47#include <inet/tcp.h>
48#include <inet/tcp_impl.h>
49#include <inet/tcp_cluster.h>
50#include <inet/proto_set.h>
51#include <inet/ipsec_impl.h>
52
53/*
54 * RFC7323-recommended phrasing of TSTAMP option, for easier parsing
55 */
56
57#ifdef _BIG_ENDIAN
58#define	TCPOPT_NOP_NOP_TSTAMP ((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) | \
59	(TCPOPT_TSTAMP << 8) | 10)
60#else
61#define	TCPOPT_NOP_NOP_TSTAMP ((10 << 24) | (TCPOPT_TSTAMP << 16) | \
62	(TCPOPT_NOP << 8) | TCPOPT_NOP)
63#endif
64
65/*
66 *  PAWS needs a timer for 24 days.  This is the number of ticks in 24 days
67 */
68#define	PAWS_TIMEOUT	((clock_t)(24*24*60*60*hz))
69
70/*
71 * Since tcp_listener is not cleared atomically with tcp_detached
72 * being cleared we need this extra bit to tell a detached connection
73 * apart from one that is in the process of being accepted.
74 */
75#define	TCP_IS_DETACHED_NONEAGER(tcp)	\
76	(TCP_IS_DETACHED(tcp) &&	\
77	    (!(tcp)->tcp_hard_binding))
78
79/*
80 * Steps to do when a tcp_t moves to TIME-WAIT state.
81 *
82 * This connection is done, we don't need to account for it.  Decrement
83 * the listener connection counter if needed.
84 *
85 * Decrement the connection counter of the stack.  Note that this counter
86 * is per CPU.  So the total number of connections in a stack is the sum of all
87 * of them.  Since there is no lock for handling all of them exclusively, the
88 * resulting sum is only an approximation.
89 *
90 * Unconditionally clear the exclusive binding bit so this TIME-WAIT
91 * connection won't interfere with new ones.
92 *
93 * Start the TIME-WAIT timer.  If upper layer has not closed the connection,
94 * the timer is handled within the context of this tcp_t.  When the timer
95 * fires, tcp_clean_death() is called.  If upper layer closes the connection
96 * during this period, tcp_time_wait_append() will be called to add this
97 * tcp_t to the global TIME-WAIT list.  Note that this means that the
98 * actual wait time in TIME-WAIT state will be longer than the
99 * tcps_time_wait_interval since the period before upper layer closes the
100 * connection is not accounted for when tcp_time_wait_append() is called.
101 *
102 * If upper layer has closed the connection, call tcp_time_wait_append()
103 * directly.
104 *
105 */
106#define	SET_TIME_WAIT(tcps, tcp, connp)				\
107{								\
108	(tcp)->tcp_state = TCPS_TIME_WAIT;			\
109	if ((tcp)->tcp_listen_cnt != NULL)			\
110		TCP_DECR_LISTEN_CNT(tcp);			\
111	atomic_dec_64(						\
112	    (uint64_t *)&(tcps)->tcps_sc[CPU->cpu_seqid]->tcp_sc_conn_cnt); \
113	(connp)->conn_exclbind = 0;				\
114	if (!TCP_IS_DETACHED(tcp)) {				\
115		TCP_TIMER_RESTART(tcp, (tcps)->tcps_time_wait_interval); \
116	} else {						\
117		tcp_time_wait_append(tcp);			\
118		TCP_DBGSTAT(tcps, tcp_rput_time_wait);		\
119	}							\
120}
121
122/*
123 * If tcp_drop_ack_unsent_cnt is greater than 0, when TCP receives more
124 * than tcp_drop_ack_unsent_cnt number of ACKs which acknowledge unsent
125 * data, TCP will not respond with an ACK.  RFC 793 requires that
126 * TCP responds with an ACK for such a bogus ACK.  By not following
127 * the RFC, we prevent TCP from getting into an ACK storm if somehow
128 * an attacker successfully spoofs an acceptable segment to our
129 * peer; or when our peer is "confused."
130 */
131static uint32_t tcp_drop_ack_unsent_cnt = 10;
132
133/*
134 * To protect TCP against attacker using a small window and requesting
135 * large amount of data (DoS attack by conuming memory), TCP checks the
136 * window advertised in the last ACK of the 3-way handshake.  TCP uses
137 * the tcp_mss (the size of one packet) value for comparion.  The window
138 * should be larger than tcp_mss.  But while a sane TCP should advertise
139 * a receive window larger than or equal to 4*MSS to avoid stop and go
140 * tarrfic, not all TCP stacks do that.  This is especially true when
141 * tcp_mss is a big value.
142 *
143 * To work around this issue, an additional fixed value for comparison
144 * is also used.  If the advertised window is smaller than both tcp_mss
145 * and tcp_init_wnd_chk, the ACK is considered as invalid.  So for large
146 * tcp_mss value (say, 8K), a window larger than tcp_init_wnd_chk but
147 * smaller than 8K is considered to be OK.
148 */
149static uint32_t tcp_init_wnd_chk = 4096;
150
151/* Process ICMP source quench message or not. */
152static boolean_t tcp_icmp_source_quench = B_FALSE;
153
154static boolean_t tcp_outbound_squeue_switch = B_FALSE;
155
156static mblk_t	*tcp_conn_create_v4(conn_t *, conn_t *, mblk_t *,
157		    ip_recv_attr_t *);
158static mblk_t	*tcp_conn_create_v6(conn_t *, conn_t *, mblk_t *,
159		    ip_recv_attr_t *);
160static boolean_t	tcp_drop_q0(tcp_t *);
161static void	tcp_icmp_error_ipv6(tcp_t *, mblk_t *, ip_recv_attr_t *);
162static mblk_t	*tcp_input_add_ancillary(tcp_t *, mblk_t *, ip_pkt_t *,
163		    ip_recv_attr_t *);
164static void	tcp_input_listener(void *, mblk_t *, void *, ip_recv_attr_t *);
165static void	tcp_process_options(tcp_t *, tcpha_t *);
166static mblk_t	*tcp_reass(tcp_t *, mblk_t *, uint32_t);
167static void	tcp_reass_elim_overlap(tcp_t *, mblk_t *);
168static void	tcp_rsrv_input(void *, mblk_t *, void *, ip_recv_attr_t *);
169static void	tcp_set_rto(tcp_t *, hrtime_t);
170static void	tcp_setcred_data(mblk_t *, ip_recv_attr_t *);
171
172/*
173 * CC wrapper hook functions
174 */
175static void
176cc_ack_received(tcp_t *tcp, uint32_t seg_ack, int32_t bytes_acked,
177    uint16_t type)
178{
179	uint32_t old_cwnd = tcp->tcp_cwnd;
180
181	tcp->tcp_ccv.bytes_this_ack = bytes_acked;
182	if (tcp->tcp_cwnd <= tcp->tcp_swnd)
183		tcp->tcp_ccv.flags |= CCF_CWND_LIMITED;
184	else
185		tcp->tcp_ccv.flags &= ~CCF_CWND_LIMITED;
186
187	if (type == CC_ACK) {
188		if (tcp->tcp_cwnd > tcp->tcp_cwnd_ssthresh) {
189			if (tcp->tcp_ccv.flags & CCF_RTO)
190				tcp->tcp_ccv.flags &= ~CCF_RTO;
191
192			tcp->tcp_ccv.t_bytes_acked +=
193			    min(tcp->tcp_ccv.bytes_this_ack,
194			    tcp->tcp_tcps->tcps_abc_l_var * tcp->tcp_mss);
195			if (tcp->tcp_ccv.t_bytes_acked >= tcp->tcp_cwnd) {
196				tcp->tcp_ccv.t_bytes_acked -= tcp->tcp_cwnd;
197				tcp->tcp_ccv.flags |= CCF_ABC_SENTAWND;
198			}
199		} else {
200			tcp->tcp_ccv.flags &= ~CCF_ABC_SENTAWND;
201			tcp->tcp_ccv.t_bytes_acked = 0;
202		}
203	}
204
205	if (CC_ALGO(tcp)->ack_received != NULL) {
206		/*
207		 * The FreeBSD code where this originated had a comment "Find
208		 * a way to live without this" in several places where curack
209		 * got set.  If they eventually dump curack from the cc
210		 * variables, we'll need to adapt our code.
211		 */
212		tcp->tcp_ccv.curack = seg_ack;
213		CC_ALGO(tcp)->ack_received(&tcp->tcp_ccv, type);
214	}
215
216	DTRACE_PROBE3(cwnd__cc__ack__received, tcp_t *, tcp, uint32_t, old_cwnd,
217	    uint32_t, tcp->tcp_cwnd);
218}
219
220void
221cc_cong_signal(tcp_t *tcp, uint32_t seg_ack, uint32_t type)
222{
223	uint32_t old_cwnd = tcp->tcp_cwnd;
224	uint32_t old_cwnd_ssthresh = tcp->tcp_cwnd_ssthresh;
225	switch (type) {
226	case CC_NDUPACK:
227		if (!IN_FASTRECOVERY(tcp->tcp_ccv.flags)) {
228			tcp->tcp_rexmit_max = tcp->tcp_snxt;
229			if (tcp->tcp_ecn_ok) {
230				tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
231				tcp->tcp_cwr = B_TRUE;
232				tcp->tcp_ecn_cwr_sent = B_FALSE;
233			}
234		}
235		break;
236	case CC_ECN:
237		if (!IN_CONGRECOVERY(tcp->tcp_ccv.flags)) {
238			tcp->tcp_rexmit_max = tcp->tcp_snxt;
239			if (tcp->tcp_ecn_ok) {
240				tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
241				tcp->tcp_cwr = B_TRUE;
242				tcp->tcp_ecn_cwr_sent = B_FALSE;
243			}
244		}
245		break;
246	case CC_RTO:
247		tcp->tcp_ccv.flags |= CCF_RTO;
248		tcp->tcp_dupack_cnt = 0;
249		tcp->tcp_ccv.t_bytes_acked = 0;
250		/*
251		 * Give up on fast recovery and congestion recovery if we were
252		 * attempting either.
253		 */
254		EXIT_RECOVERY(tcp->tcp_ccv.flags);
255		if (CC_ALGO(tcp)->cong_signal == NULL) {
256			/*
257			 * RFC5681 Section 3.1
258			 * ssthresh = max (FlightSize / 2, 2*SMSS) eq (4)
259			 */
260			tcp->tcp_cwnd_ssthresh = max(
261			    (tcp->tcp_snxt - tcp->tcp_suna) / 2 / tcp->tcp_mss,
262			    2) * tcp->tcp_mss;
263			tcp->tcp_cwnd = tcp->tcp_mss;
264		}
265
266		if (tcp->tcp_ecn_ok) {
267			tcp->tcp_cwr = B_TRUE;
268			tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
269			tcp->tcp_ecn_cwr_sent = B_FALSE;
270		}
271		break;
272	}
273
274	if (CC_ALGO(tcp)->cong_signal != NULL) {
275		tcp->tcp_ccv.curack = seg_ack;
276		CC_ALGO(tcp)->cong_signal(&tcp->tcp_ccv, type);
277	}
278
279	DTRACE_PROBE6(cwnd__cc__cong__signal, tcp_t *, tcp, uint32_t, old_cwnd,
280	    uint32_t, tcp->tcp_cwnd, uint32_t, old_cwnd_ssthresh,
281	    uint32_t, tcp->tcp_cwnd_ssthresh, uint32_t, type);
282}
283
284static void
285cc_post_recovery(tcp_t *tcp, uint32_t seg_ack)
286{
287	uint32_t old_cwnd = tcp->tcp_cwnd;
288
289	if (CC_ALGO(tcp)->post_recovery != NULL) {
290		tcp->tcp_ccv.curack = seg_ack;
291		CC_ALGO(tcp)->post_recovery(&tcp->tcp_ccv);
292	}
293	tcp->tcp_ccv.t_bytes_acked = 0;
294
295	DTRACE_PROBE3(cwnd__cc__post__recovery, tcp_t *, tcp,
296	    uint32_t, old_cwnd, uint32_t, tcp->tcp_cwnd);
297}
298
299/*
300 * Set the MSS associated with a particular tcp based on its current value,
301 * and a new one passed in. Observe minimums and maximums, and reset other
302 * state variables that we want to view as multiples of MSS.
303 *
304 * The value of MSS could be either increased or descreased.
305 */
306void
307tcp_mss_set(tcp_t *tcp, uint32_t mss)
308{
309	uint32_t	mss_max;
310	tcp_stack_t	*tcps = tcp->tcp_tcps;
311	conn_t		*connp = tcp->tcp_connp;
312
313	if (connp->conn_ipversion == IPV4_VERSION)
314		mss_max = tcps->tcps_mss_max_ipv4;
315	else
316		mss_max = tcps->tcps_mss_max_ipv6;
317
318	if (mss < tcps->tcps_mss_min)
319		mss = tcps->tcps_mss_min;
320	if (mss > mss_max)
321		mss = mss_max;
322	/*
323	 * Unless naglim has been set by our client to
324	 * a non-mss value, force naglim to track mss.
325	 * This can help to aggregate small writes.
326	 */
327	if (mss < tcp->tcp_naglim || tcp->tcp_mss == tcp->tcp_naglim)
328		tcp->tcp_naglim = mss;
329	/*
330	 * TCP should be able to buffer at least 4 MSS data for obvious
331	 * performance reason.
332	 */
333	if ((mss << 2) > connp->conn_sndbuf)
334		connp->conn_sndbuf = mss << 2;
335
336	/*
337	 * Set the send lowater to at least twice of MSS.
338	 */
339	if ((mss << 1) > connp->conn_sndlowat)
340		connp->conn_sndlowat = mss << 1;
341
342	/*
343	 * Update tcp_cwnd according to the new value of MSS. Keep the
344	 * previous ratio to preserve the transmit rate.
345	 */
346	tcp->tcp_cwnd = (tcp->tcp_cwnd / tcp->tcp_mss) * mss;
347	tcp->tcp_cwnd_cnt = 0;
348
349	tcp->tcp_mss = mss;
350	(void) tcp_maxpsz_set(tcp, B_TRUE);
351}
352
353/*
354 * Extract option values from a tcp header.  We put any found values into the
355 * tcpopt struct and return a bitmask saying which options were found.
356 */
357int
358tcp_parse_options(tcpha_t *tcpha, tcp_opt_t *tcpopt)
359{
360	uchar_t		*endp;
361	int		len;
362	uint32_t	mss;
363	uchar_t		*up = (uchar_t *)tcpha;
364	int		found = 0;
365	int32_t		sack_len;
366	tcp_seq		sack_begin, sack_end;
367	tcp_t		*tcp;
368
369	endp = up + TCP_HDR_LENGTH(tcpha);
370	up += TCP_MIN_HEADER_LENGTH;
371	/*
372	 * If timestamp option is aligned as recommended in RFC 7323 Appendix
373	 * A, and is the only option, return quickly.
374	 */
375	if (TCP_HDR_LENGTH(tcpha) == (uint32_t)TCP_MIN_HEADER_LENGTH +
376	    TCPOPT_REAL_TS_LEN &&
377	    OK_32PTR(up) &&
378	    *(uint32_t *)up == TCPOPT_NOP_NOP_TSTAMP) {
379		tcpopt->tcp_opt_ts_val = ABE32_TO_U32((up+4));
380		tcpopt->tcp_opt_ts_ecr = ABE32_TO_U32((up+8));
381
382		return (TCP_OPT_TSTAMP_PRESENT);
383	}
384	while (up < endp) {
385		len = endp - up;
386		switch (*up) {
387		case TCPOPT_EOL:
388			break;
389
390		case TCPOPT_NOP:
391			up++;
392			continue;
393
394		case TCPOPT_MAXSEG:
395			if (len < TCPOPT_MAXSEG_LEN ||
396			    up[1] != TCPOPT_MAXSEG_LEN)
397				break;
398
399			mss = BE16_TO_U16(up+2);
400			/* Caller must handle tcp_mss_min and tcp_mss_max_* */
401			tcpopt->tcp_opt_mss = mss;
402			found |= TCP_OPT_MSS_PRESENT;
403
404			up += TCPOPT_MAXSEG_LEN;
405			continue;
406
407		case TCPOPT_WSCALE:
408			if (len < TCPOPT_WS_LEN || up[1] != TCPOPT_WS_LEN)
409				break;
410
411			if (up[2] > TCP_MAX_WINSHIFT)
412				tcpopt->tcp_opt_wscale = TCP_MAX_WINSHIFT;
413			else
414				tcpopt->tcp_opt_wscale = up[2];
415			found |= TCP_OPT_WSCALE_PRESENT;
416
417			up += TCPOPT_WS_LEN;
418			continue;
419
420		case TCPOPT_SACK_PERMITTED:
421			if (len < TCPOPT_SACK_OK_LEN ||
422			    up[1] != TCPOPT_SACK_OK_LEN)
423				break;
424			found |= TCP_OPT_SACK_OK_PRESENT;
425			up += TCPOPT_SACK_OK_LEN;
426			continue;
427
428		case TCPOPT_SACK:
429			if (len <= 2 || up[1] <= 2 || len < up[1])
430				break;
431
432			/* If TCP is not interested in SACK blks... */
433			if ((tcp = tcpopt->tcp) == NULL) {
434				up += up[1];
435				continue;
436			}
437			sack_len = up[1] - TCPOPT_HEADER_LEN;
438			up += TCPOPT_HEADER_LEN;
439
440			/*
441			 * If the list is empty, allocate one and assume
442			 * nothing is sack'ed.
443			 */
444			if (tcp->tcp_notsack_list == NULL) {
445				tcp_notsack_update(&(tcp->tcp_notsack_list),
446				    tcp->tcp_suna, tcp->tcp_snxt,
447				    &(tcp->tcp_num_notsack_blk),
448				    &(tcp->tcp_cnt_notsack_list));
449
450				/*
451				 * Make sure tcp_notsack_list is not NULL.
452				 * This happens when kmem_alloc(KM_NOSLEEP)
453				 * returns NULL.
454				 */
455				if (tcp->tcp_notsack_list == NULL) {
456					up += sack_len;
457					continue;
458				}
459				tcp->tcp_fack = tcp->tcp_suna;
460			}
461
462			while (sack_len > 0) {
463				if (up + 8 > endp) {
464					up = endp;
465					break;
466				}
467				sack_begin = BE32_TO_U32(up);
468				up += 4;
469				sack_end = BE32_TO_U32(up);
470				up += 4;
471				sack_len -= 8;
472				/*
473				 * Bounds checking.  Make sure the SACK
474				 * info is within tcp_suna and tcp_snxt.
475				 * If this SACK blk is out of bound, ignore
476				 * it but continue to parse the following
477				 * blks.
478				 */
479				if (SEQ_LEQ(sack_end, sack_begin) ||
480				    SEQ_LT(sack_begin, tcp->tcp_suna) ||
481				    SEQ_GT(sack_end, tcp->tcp_snxt)) {
482					continue;
483				}
484				tcp_notsack_insert(&(tcp->tcp_notsack_list),
485				    sack_begin, sack_end,
486				    &(tcp->tcp_num_notsack_blk),
487				    &(tcp->tcp_cnt_notsack_list));
488				if (SEQ_GT(sack_end, tcp->tcp_fack)) {
489					tcp->tcp_fack = sack_end;
490				}
491			}
492			found |= TCP_OPT_SACK_PRESENT;
493			continue;
494
495		case TCPOPT_TSTAMP:
496			if (len < TCPOPT_TSTAMP_LEN ||
497			    up[1] != TCPOPT_TSTAMP_LEN)
498				break;
499
500			tcpopt->tcp_opt_ts_val = BE32_TO_U32(up+2);
501			tcpopt->tcp_opt_ts_ecr = BE32_TO_U32(up+6);
502
503			found |= TCP_OPT_TSTAMP_PRESENT;
504
505			up += TCPOPT_TSTAMP_LEN;
506			continue;
507
508		default:
509			if (len <= 1 || len < (int)up[1] || up[1] == 0)
510				break;
511			up += up[1];
512			continue;
513		}
514		break;
515	}
516	return (found);
517}
518
519/*
520 * Process all TCP option in SYN segment.  Note that this function should
521 * be called after tcp_set_destination() is called so that the necessary info
522 * from IRE is already set in the tcp structure.
523 *
524 * This function sets up the correct tcp_mss value according to the
525 * MSS option value and our header size.  It also sets up the window scale
526 * and timestamp values, and initialize SACK info blocks.  But it does not
527 * change receive window size after setting the tcp_mss value.  The caller
528 * should do the appropriate change.
529 */
530static void
531tcp_process_options(tcp_t *tcp, tcpha_t *tcpha)
532{
533	int options;
534	tcp_opt_t tcpopt;
535	uint32_t mss_max;
536	char *tmp_tcph;
537	tcp_stack_t	*tcps = tcp->tcp_tcps;
538	conn_t		*connp = tcp->tcp_connp;
539
540	tcpopt.tcp = NULL;
541	options = tcp_parse_options(tcpha, &tcpopt);
542
543	/*
544	 * Process MSS option.  Note that MSS option value does not account
545	 * for IP or TCP options.  This means that it is equal to MTU - minimum
546	 * IP+TCP header size, which is 40 bytes for IPv4 and 60 bytes for
547	 * IPv6.
548	 */
549	if (!(options & TCP_OPT_MSS_PRESENT)) {
550		if (connp->conn_ipversion == IPV4_VERSION)
551			tcpopt.tcp_opt_mss = tcps->tcps_mss_def_ipv4;
552		else
553			tcpopt.tcp_opt_mss = tcps->tcps_mss_def_ipv6;
554	} else {
555		if (connp->conn_ipversion == IPV4_VERSION)
556			mss_max = tcps->tcps_mss_max_ipv4;
557		else
558			mss_max = tcps->tcps_mss_max_ipv6;
559		if (tcpopt.tcp_opt_mss < tcps->tcps_mss_min)
560			tcpopt.tcp_opt_mss = tcps->tcps_mss_min;
561		else if (tcpopt.tcp_opt_mss > mss_max)
562			tcpopt.tcp_opt_mss = mss_max;
563	}
564
565	/* Process Window Scale option. */
566	if (options & TCP_OPT_WSCALE_PRESENT) {
567		tcp->tcp_snd_ws = tcpopt.tcp_opt_wscale;
568		tcp->tcp_snd_ws_ok = B_TRUE;
569	} else {
570		tcp->tcp_snd_ws = B_FALSE;
571		tcp->tcp_snd_ws_ok = B_FALSE;
572		tcp->tcp_rcv_ws = B_FALSE;
573	}
574
575	/* Process Timestamp option. */
576	if ((options & TCP_OPT_TSTAMP_PRESENT) &&
577	    (tcp->tcp_snd_ts_ok || TCP_IS_DETACHED(tcp))) {
578		tmp_tcph = (char *)tcp->tcp_tcpha;
579
580		tcp->tcp_snd_ts_ok = B_TRUE;
581		tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
582		tcp->tcp_last_rcv_lbolt = ddi_get_lbolt64();
583		ASSERT(OK_32PTR(tmp_tcph));
584		ASSERT(connp->conn_ht_ulp_len == TCP_MIN_HEADER_LENGTH);
585
586		/* Fill in our template header with basic timestamp option. */
587		tmp_tcph += connp->conn_ht_ulp_len;
588		tmp_tcph[0] = TCPOPT_NOP;
589		tmp_tcph[1] = TCPOPT_NOP;
590		tmp_tcph[2] = TCPOPT_TSTAMP;
591		tmp_tcph[3] = TCPOPT_TSTAMP_LEN;
592		connp->conn_ht_iphc_len += TCPOPT_REAL_TS_LEN;
593		connp->conn_ht_ulp_len += TCPOPT_REAL_TS_LEN;
594		tcp->tcp_tcpha->tha_offset_and_reserved += (3 << 4);
595	} else {
596		tcp->tcp_snd_ts_ok = B_FALSE;
597	}
598
599	/*
600	 * Process SACK options.  If SACK is enabled for this connection,
601	 * then allocate the SACK info structure.  Note the following ways
602	 * when tcp_snd_sack_ok is set to true.
603	 *
604	 * For active connection: in tcp_set_destination() called in
605	 * tcp_connect().
606	 *
607	 * For passive connection: in tcp_set_destination() called in
608	 * tcp_input_listener().
609	 *
610	 * That's the reason why the extra TCP_IS_DETACHED() check is there.
611	 * That check makes sure that if we did not send a SACK OK option,
612	 * we will not enable SACK for this connection even though the other
613	 * side sends us SACK OK option.  For active connection, the SACK
614	 * info structure has already been allocated.  So we need to free
615	 * it if SACK is disabled.
616	 */
617	if ((options & TCP_OPT_SACK_OK_PRESENT) &&
618	    (tcp->tcp_snd_sack_ok ||
619	    (tcps->tcps_sack_permitted != 0 && TCP_IS_DETACHED(tcp)))) {
620		ASSERT(tcp->tcp_num_sack_blk == 0);
621		ASSERT(tcp->tcp_notsack_list == NULL);
622
623		tcp->tcp_snd_sack_ok = B_TRUE;
624		if (tcp->tcp_snd_ts_ok) {
625			tcp->tcp_max_sack_blk = 3;
626		} else {
627			tcp->tcp_max_sack_blk = 4;
628		}
629	} else if (tcp->tcp_snd_sack_ok) {
630		/*
631		 * Resetting tcp_snd_sack_ok to B_FALSE so that
632		 * no SACK info will be used for this
633		 * connection.  This assumes that SACK usage
634		 * permission is negotiated.  This may need
635		 * to be changed once this is clarified.
636		 */
637		ASSERT(tcp->tcp_num_sack_blk == 0);
638		ASSERT(tcp->tcp_notsack_list == NULL);
639		tcp->tcp_snd_sack_ok = B_FALSE;
640	}
641
642	/*
643	 * Now we know the exact TCP/IP header length, subtract
644	 * that from tcp_mss to get our side's MSS.
645	 */
646	tcp->tcp_mss -= connp->conn_ht_iphc_len;
647
648	/*
649	 * Here we assume that the other side's header size will be equal to
650	 * our header size.  We calculate the real MSS accordingly.  Need to
651	 * take into additional stuffs IPsec puts in.
652	 *
653	 * Real MSS = Opt.MSS - (our TCP/IP header - min TCP/IP header)
654	 */
655	tcpopt.tcp_opt_mss -= connp->conn_ht_iphc_len +
656	    tcp->tcp_ipsec_overhead -
657	    ((connp->conn_ipversion == IPV4_VERSION ?
658	    IP_SIMPLE_HDR_LENGTH : IPV6_HDR_LEN) + TCP_MIN_HEADER_LENGTH);
659
660	/*
661	 * Set MSS to the smaller one of both ends of the connection.
662	 * We should not have called tcp_mss_set() before, but our
663	 * side of the MSS should have been set to a proper value
664	 * by tcp_set_destination().  tcp_mss_set() will also set up the
665	 * STREAM head parameters properly.
666	 *
667	 * If we have a larger-than-16-bit window but the other side
668	 * didn't want to do window scale, tcp_rwnd_set() will take
669	 * care of that.
670	 */
671	tcp_mss_set(tcp, MIN(tcpopt.tcp_opt_mss, tcp->tcp_mss));
672
673	/*
674	 * Initialize tcp_cwnd value. After tcp_mss_set(), tcp_mss has been
675	 * updated properly.
676	 */
677	TCP_SET_INIT_CWND(tcp, tcp->tcp_mss, tcps->tcps_slow_start_initial);
678
679	if (tcp->tcp_cc_algo->conn_init != NULL)
680		tcp->tcp_cc_algo->conn_init(&tcp->tcp_ccv);
681}
682
683/*
684 * Add a new piece to the tcp reassembly queue.  If the gap at the beginning
685 * is filled, return as much as we can.  The message passed in may be
686 * multi-part, chained using b_cont.  "start" is the starting sequence
687 * number for this piece.
688 */
689static mblk_t *
690tcp_reass(tcp_t *tcp, mblk_t *mp, uint32_t start)
691{
692	uint32_t	end, bytes;
693	mblk_t		*mp1;
694	mblk_t		*mp2;
695	mblk_t		*next_mp;
696	uint32_t	u1;
697	tcp_stack_t	*tcps = tcp->tcp_tcps;
698
699
700	/* Walk through all the new pieces. */
701	do {
702		ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
703		    (uintptr_t)INT_MAX);
704		end = start + (int)(mp->b_wptr - mp->b_rptr);
705		next_mp = mp->b_cont;
706		if (start == end) {
707			/* Empty.  Blast it. */
708			freeb(mp);
709			continue;
710		}
711		bytes = end - start;
712		mp->b_cont = NULL;
713		TCP_REASS_SET_SEQ(mp, start);
714		TCP_REASS_SET_END(mp, end);
715		mp1 = tcp->tcp_reass_tail;
716		if (mp1 == NULL || SEQ_GEQ(start, TCP_REASS_END(mp1))) {
717			if (mp1 != NULL) {
718				/*
719				 * New stuff is beyond the tail; link it on the
720				 * end.
721				 */
722				mp1->b_cont = mp;
723			} else {
724				tcp->tcp_reass_head = mp;
725			}
726			tcp->tcp_reass_tail = mp;
727			TCPS_BUMP_MIB(tcps, tcpInDataUnorderSegs);
728			TCPS_UPDATE_MIB(tcps, tcpInDataUnorderBytes, bytes);
729			tcp->tcp_cs.tcp_in_data_unorder_segs++;
730			tcp->tcp_cs.tcp_in_data_unorder_bytes += bytes;
731			continue;
732		}
733		mp1 = tcp->tcp_reass_head;
734		u1 = TCP_REASS_SEQ(mp1);
735		/* New stuff at the front? */
736		if (SEQ_LT(start, u1)) {
737			/* Yes... Check for overlap. */
738			mp->b_cont = mp1;
739			tcp->tcp_reass_head = mp;
740			tcp_reass_elim_overlap(tcp, mp);
741			continue;
742		}
743		/*
744		 * The new piece fits somewhere between the head and tail.
745		 * We find our slot, where mp1 precedes us and mp2 trails.
746		 */
747		for (; (mp2 = mp1->b_cont) != NULL; mp1 = mp2) {
748			u1 = TCP_REASS_SEQ(mp2);
749			if (SEQ_LEQ(start, u1))
750				break;
751		}
752		/* Link ourselves in */
753		mp->b_cont = mp2;
754		mp1->b_cont = mp;
755
756		/* Trim overlap with following mblk(s) first */
757		tcp_reass_elim_overlap(tcp, mp);
758
759		/* Trim overlap with preceding mblk */
760		tcp_reass_elim_overlap(tcp, mp1);
761
762	} while (start = end, mp = next_mp);
763	mp1 = tcp->tcp_reass_head;
764	/* Anything ready to go? */
765	if (TCP_REASS_SEQ(mp1) != tcp->tcp_rnxt)
766		return (NULL);
767	/* Eat what we can off the queue */
768	for (;;) {
769		mp = mp1->b_cont;
770		end = TCP_REASS_END(mp1);
771		TCP_REASS_SET_SEQ(mp1, 0);
772		TCP_REASS_SET_END(mp1, 0);
773		if (!mp) {
774			tcp->tcp_reass_tail = NULL;
775			break;
776		}
777		if (end != TCP_REASS_SEQ(mp)) {
778			mp1->b_cont = NULL;
779			break;
780		}
781		mp1 = mp;
782	}
783	mp1 = tcp->tcp_reass_head;
784	tcp->tcp_reass_head = mp;
785	return (mp1);
786}
787
788/* Eliminate any overlap that mp may have over later mblks */
789static void
790tcp_reass_elim_overlap(tcp_t *tcp, mblk_t *mp)
791{
792	uint32_t	end;
793	mblk_t		*mp1;
794	uint32_t	u1;
795	tcp_stack_t	*tcps = tcp->tcp_tcps;
796
797	end = TCP_REASS_END(mp);
798	while ((mp1 = mp->b_cont) != NULL) {
799		u1 = TCP_REASS_SEQ(mp1);
800		if (!SEQ_GT(end, u1))
801			break;
802		if (!SEQ_GEQ(end, TCP_REASS_END(mp1))) {
803			mp->b_wptr -= end - u1;
804			TCP_REASS_SET_END(mp, u1);
805			TCPS_BUMP_MIB(tcps, tcpInDataPartDupSegs);
806			TCPS_UPDATE_MIB(tcps, tcpInDataPartDupBytes,
807			    end - u1);
808			break;
809		}
810		mp->b_cont = mp1->b_cont;
811		TCP_REASS_SET_SEQ(mp1, 0);
812		TCP_REASS_SET_END(mp1, 0);
813		freeb(mp1);
814		TCPS_BUMP_MIB(tcps, tcpInDataDupSegs);
815		TCPS_UPDATE_MIB(tcps, tcpInDataDupBytes, end - u1);
816	}
817	if (!mp1)
818		tcp->tcp_reass_tail = mp;
819}
820
821/*
822 * This function does PAWS protection check, per RFC 7323 section 5. Requires
823 * that timestamp options are already processed into tcpoptp. Returns B_TRUE if
824 * the segment passes the PAWS test, else returns B_FALSE.
825 */
826boolean_t
827tcp_paws_check(tcp_t *tcp, const tcp_opt_t *tcpoptp)
828{
829	if (TSTMP_LT(tcpoptp->tcp_opt_ts_val,
830	    tcp->tcp_ts_recent)) {
831		if (LBOLT_FASTPATH64 <
832		    (tcp->tcp_last_rcv_lbolt + PAWS_TIMEOUT)) {
833			/* This segment is not acceptable. */
834			return (B_FALSE);
835		} else {
836			/*
837			 * Connection has been idle for
838			 * too long.  Reset the timestamp
839			 */
840			tcp->tcp_ts_recent =
841			    tcpoptp->tcp_opt_ts_val;
842		}
843	}
844	return (B_TRUE);
845}
846
847/*
848 * Defense for the SYN attack -
849 * 1. When q0 is full, drop from the tail (tcp_eager_prev_drop_q0) the oldest
850 *    one from the list of droppable eagers. This list is a subset of q0.
851 *    see comments before the definition of MAKE_DROPPABLE().
852 * 2. Don't drop a SYN request before its first timeout. This gives every
853 *    request at least til the first timeout to complete its 3-way handshake.
854 * 3. Maintain tcp_syn_rcvd_timeout as an accurate count of how many
855 *    requests currently on the queue that has timed out. This will be used
856 *    as an indicator of whether an attack is under way, so that appropriate
857 *    actions can be taken. (It's incremented in tcp_timer() and decremented
858 *    either when eager goes into ESTABLISHED, or gets freed up.)
859 * 4. The current threshold is - # of timeout > q0len/4 => SYN alert on
860 *    # of timeout drops back to <= q0len/32 => SYN alert off
861 */
862static boolean_t
863tcp_drop_q0(tcp_t *tcp)
864{
865	tcp_t	*eager;
866	mblk_t	*mp;
867	tcp_stack_t	*tcps = tcp->tcp_tcps;
868
869	ASSERT(MUTEX_HELD(&tcp->tcp_eager_lock));
870	ASSERT(tcp->tcp_eager_next_q0 != tcp->tcp_eager_prev_q0);
871
872	/* Pick oldest eager from the list of droppable eagers */
873	eager = tcp->tcp_eager_prev_drop_q0;
874
875	/* If list is empty. return B_FALSE */
876	if (eager == tcp) {
877		return (B_FALSE);
878	}
879
880	/* If allocated, the mp will be freed in tcp_clean_death_wrapper() */
881	if ((mp = allocb(0, BPRI_HI)) == NULL)
882		return (B_FALSE);
883
884	/*
885	 * Take this eager out from the list of droppable eagers since we are
886	 * going to drop it.
887	 */
888	MAKE_UNDROPPABLE(eager);
889
890	if (tcp->tcp_connp->conn_debug) {
891		(void) strlog(TCP_MOD_ID, 0, 3, SL_TRACE,
892		    "tcp_drop_q0: listen half-open queue (max=%d) overflow"
893		    " (%d pending) on %s, drop one", tcps->tcps_conn_req_max_q0,
894		    tcp->tcp_conn_req_cnt_q0,
895		    tcp_display(tcp, NULL, DISP_PORT_ONLY));
896	}
897
898	TCPS_BUMP_MIB(tcps, tcpHalfOpenDrop);
899
900	/* Put a reference on the conn as we are enqueueing it in the sqeue */
901	CONN_INC_REF(eager->tcp_connp);
902
903	SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp,
904	    tcp_clean_death_wrapper, eager->tcp_connp, NULL,
905	    SQ_FILL, SQTAG_TCP_DROP_Q0);
906
907	return (B_TRUE);
908}
909
910/*
911 * Handle a SYN on an AF_INET6 socket; can be either IPv4 or IPv6
912 */
913static mblk_t *
914tcp_conn_create_v6(conn_t *lconnp, conn_t *connp, mblk_t *mp,
915    ip_recv_attr_t *ira)
916{
917	tcp_t		*ltcp = lconnp->conn_tcp;
918	tcp_t		*tcp = connp->conn_tcp;
919	mblk_t		*tpi_mp;
920	ipha_t		*ipha;
921	ip6_t		*ip6h;
922	sin6_t		sin6;
923	uint_t		ifindex = ira->ira_ruifindex;
924	tcp_stack_t	*tcps = tcp->tcp_tcps;
925
926	if (ira->ira_flags & IRAF_IS_IPV4) {
927		ipha = (ipha_t *)mp->b_rptr;
928
929		connp->conn_ipversion = IPV4_VERSION;
930		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &connp->conn_laddr_v6);
931		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &connp->conn_faddr_v6);
932		connp->conn_saddr_v6 = connp->conn_laddr_v6;
933
934		sin6 = sin6_null;
935		sin6.sin6_addr = connp->conn_faddr_v6;
936		sin6.sin6_port = connp->conn_fport;
937		sin6.sin6_family = AF_INET6;
938		sin6.__sin6_src_id = ip_srcid_find_addr(&connp->conn_laddr_v6,
939		    IPCL_ZONEID(lconnp), tcps->tcps_netstack);
940
941		if (connp->conn_recv_ancillary.crb_recvdstaddr) {
942			sin6_t	sin6d;
943
944			sin6d = sin6_null;
945			sin6d.sin6_addr = connp->conn_laddr_v6;
946			sin6d.sin6_port = connp->conn_lport;
947			sin6d.sin6_family = AF_INET;
948			tpi_mp = mi_tpi_extconn_ind(NULL,
949			    (char *)&sin6d, sizeof (sin6_t),
950			    (char *)&tcp,
951			    (t_scalar_t)sizeof (intptr_t),
952			    (char *)&sin6d, sizeof (sin6_t),
953			    (t_scalar_t)ltcp->tcp_conn_req_seqnum);
954		} else {
955			tpi_mp = mi_tpi_conn_ind(NULL,
956			    (char *)&sin6, sizeof (sin6_t),
957			    (char *)&tcp, (t_scalar_t)sizeof (intptr_t),
958			    (t_scalar_t)ltcp->tcp_conn_req_seqnum);
959		}
960	} else {
961		ip6h = (ip6_t *)mp->b_rptr;
962
963		connp->conn_ipversion = IPV6_VERSION;
964		connp->conn_laddr_v6 = ip6h->ip6_dst;
965		connp->conn_faddr_v6 = ip6h->ip6_src;
966		connp->conn_saddr_v6 = connp->conn_laddr_v6;
967
968		sin6 = sin6_null;
969		sin6.sin6_addr = connp->conn_faddr_v6;
970		sin6.sin6_port = connp->conn_fport;
971		sin6.sin6_family = AF_INET6;
972		sin6.sin6_flowinfo = ip6h->ip6_vcf & ~IPV6_VERS_AND_FLOW_MASK;
973		sin6.__sin6_src_id = ip_srcid_find_addr(&connp->conn_laddr_v6,
974		    IPCL_ZONEID(lconnp), tcps->tcps_netstack);
975
976		if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src)) {
977			/* Pass up the scope_id of remote addr */
978			sin6.sin6_scope_id = ifindex;
979		} else {
980			sin6.sin6_scope_id = 0;
981		}
982		if (connp->conn_recv_ancillary.crb_recvdstaddr) {
983			sin6_t	sin6d;
984
985			sin6d = sin6_null;
986			sin6.sin6_addr = connp->conn_laddr_v6;
987			sin6d.sin6_port = connp->conn_lport;
988			sin6d.sin6_family = AF_INET6;
989			if (IN6_IS_ADDR_LINKSCOPE(&connp->conn_laddr_v6))
990				sin6d.sin6_scope_id = ifindex;
991
992			tpi_mp = mi_tpi_extconn_ind(NULL,
993			    (char *)&sin6d, sizeof (sin6_t),
994			    (char *)&tcp, (t_scalar_t)sizeof (intptr_t),
995			    (char *)&sin6d, sizeof (sin6_t),
996			    (t_scalar_t)ltcp->tcp_conn_req_seqnum);
997		} else {
998			tpi_mp = mi_tpi_conn_ind(NULL,
999			    (char *)&sin6, sizeof (sin6_t),
1000			    (char *)&tcp, (t_scalar_t)sizeof (intptr_t),
1001			    (t_scalar_t)ltcp->tcp_conn_req_seqnum);
1002		}
1003	}
1004
1005	tcp->tcp_mss = tcps->tcps_mss_def_ipv6;
1006	return (tpi_mp);
1007}
1008
1009/* Handle a SYN on an AF_INET socket */
1010static mblk_t *
1011tcp_conn_create_v4(conn_t *lconnp, conn_t *connp, mblk_t *mp,
1012    ip_recv_attr_t *ira)
1013{
1014	tcp_t		*ltcp = lconnp->conn_tcp;
1015	tcp_t		*tcp = connp->conn_tcp;
1016	sin_t		sin;
1017	mblk_t		*tpi_mp = NULL;
1018	tcp_stack_t	*tcps = tcp->tcp_tcps;
1019	ipha_t		*ipha;
1020
1021	ASSERT(ira->ira_flags & IRAF_IS_IPV4);
1022	ipha = (ipha_t *)mp->b_rptr;
1023
1024	connp->conn_ipversion = IPV4_VERSION;
1025	IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &connp->conn_laddr_v6);
1026	IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &connp->conn_faddr_v6);
1027	connp->conn_saddr_v6 = connp->conn_laddr_v6;
1028
1029	sin = sin_null;
1030	sin.sin_addr.s_addr = connp->conn_faddr_v4;
1031	sin.sin_port = connp->conn_fport;
1032	sin.sin_family = AF_INET;
1033	if (lconnp->conn_recv_ancillary.crb_recvdstaddr) {
1034		sin_t	sind;
1035
1036		sind = sin_null;
1037		sind.sin_addr.s_addr = connp->conn_laddr_v4;
1038		sind.sin_port = connp->conn_lport;
1039		sind.sin_family = AF_INET;
1040		tpi_mp = mi_tpi_extconn_ind(NULL,
1041		    (char *)&sind, sizeof (sin_t), (char *)&tcp,
1042		    (t_scalar_t)sizeof (intptr_t), (char *)&sind,
1043		    sizeof (sin_t), (t_scalar_t)ltcp->tcp_conn_req_seqnum);
1044	} else {
1045		tpi_mp = mi_tpi_conn_ind(NULL,
1046		    (char *)&sin, sizeof (sin_t),
1047		    (char *)&tcp, (t_scalar_t)sizeof (intptr_t),
1048		    (t_scalar_t)ltcp->tcp_conn_req_seqnum);
1049	}
1050
1051	tcp->tcp_mss = tcps->tcps_mss_def_ipv4;
1052	return (tpi_mp);
1053}
1054
1055/*
1056 * Called via squeue to get on to eager's perimeter. It sends a
1057 * TH_RST if eager is in the fanout table. The listener wants the
1058 * eager to disappear either by means of tcp_eager_blowoff() or
1059 * tcp_eager_cleanup() being called. tcp_eager_kill() can also be
1060 * called (via squeue) if the eager cannot be inserted in the
1061 * fanout table in tcp_input_listener().
1062 */
1063/* ARGSUSED */
1064void
1065tcp_eager_kill(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
1066{
1067	conn_t	*econnp = (conn_t *)arg;
1068	tcp_t	*eager = econnp->conn_tcp;
1069	tcp_t	*listener = eager->tcp_listener;
1070
1071	/*
1072	 * We could be called because listener is closing. Since
1073	 * the eager was using listener's queue's, we avoid
1074	 * using the listeners queues from now on.
1075	 */
1076	ASSERT(eager->tcp_detached);
1077	econnp->conn_rq = NULL;
1078	econnp->conn_wq = NULL;
1079
1080	/*
1081	 * An eager's conn_fanout will be NULL if it's a duplicate
1082	 * for an existing 4-tuples in the conn fanout table.
1083	 * We don't want to send an RST out in such case.
1084	 */
1085	if (econnp->conn_fanout != NULL && eager->tcp_state > TCPS_LISTEN) {
1086		tcp_xmit_ctl("tcp_eager_kill, can't wait",
1087		    eager, eager->tcp_snxt, 0, TH_RST);
1088	}
1089
1090	/* We are here because listener wants this eager gone */
1091	if (listener != NULL) {
1092		mutex_enter(&listener->tcp_eager_lock);
1093		tcp_eager_unlink(eager);
1094		if (eager->tcp_tconnind_started) {
1095			/*
1096			 * The eager has sent a conn_ind up to the
1097			 * listener but listener decides to close
1098			 * instead. We need to drop the extra ref
1099			 * placed on eager in tcp_input_data() before
1100			 * sending the conn_ind to listener.
1101			 */
1102			CONN_DEC_REF(econnp);
1103		}
1104		mutex_exit(&listener->tcp_eager_lock);
1105		CONN_DEC_REF(listener->tcp_connp);
1106	}
1107
1108	if (eager->tcp_state != TCPS_CLOSED)
1109		tcp_close_detached(eager);
1110}
1111
1112/*
1113 * Reset any eager connection hanging off this listener marked
1114 * with 'seqnum' and then reclaim it's resources.
1115 */
1116boolean_t
1117tcp_eager_blowoff(tcp_t	*listener, t_scalar_t seqnum)
1118{
1119	tcp_t	*eager;
1120	mblk_t	*mp;
1121
1122	eager = listener;
1123	mutex_enter(&listener->tcp_eager_lock);
1124	do {
1125		eager = eager->tcp_eager_next_q;
1126		if (eager == NULL) {
1127			mutex_exit(&listener->tcp_eager_lock);
1128			return (B_FALSE);
1129		}
1130	} while (eager->tcp_conn_req_seqnum != seqnum);
1131
1132	if (eager->tcp_closemp_used) {
1133		mutex_exit(&listener->tcp_eager_lock);
1134		return (B_TRUE);
1135	}
1136	eager->tcp_closemp_used = B_TRUE;
1137	TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
1138	CONN_INC_REF(eager->tcp_connp);
1139	mutex_exit(&listener->tcp_eager_lock);
1140	mp = &eager->tcp_closemp;
1141	SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp, tcp_eager_kill,
1142	    eager->tcp_connp, NULL, SQ_FILL, SQTAG_TCP_EAGER_BLOWOFF);
1143	return (B_TRUE);
1144}
1145
1146/*
1147 * Reset any eager connection hanging off this listener
1148 * and then reclaim it's resources.
1149 */
1150void
1151tcp_eager_cleanup(tcp_t *listener, boolean_t q0_only)
1152{
1153	tcp_t	*eager;
1154	mblk_t	*mp;
1155	tcp_stack_t	*tcps = listener->tcp_tcps;
1156
1157	ASSERT(MUTEX_HELD(&listener->tcp_eager_lock));
1158
1159	if (!q0_only) {
1160		/* First cleanup q */
1161		TCP_STAT(tcps, tcp_eager_blowoff_q);
1162		eager = listener->tcp_eager_next_q;
1163		while (eager != NULL) {
1164			if (!eager->tcp_closemp_used) {
1165				eager->tcp_closemp_used = B_TRUE;
1166				TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
1167				CONN_INC_REF(eager->tcp_connp);
1168				mp = &eager->tcp_closemp;
1169				SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp,
1170				    tcp_eager_kill, eager->tcp_connp, NULL,
1171				    SQ_FILL, SQTAG_TCP_EAGER_CLEANUP);
1172			}
1173			eager = eager->tcp_eager_next_q;
1174		}
1175	}
1176	/* Then cleanup q0 */
1177	TCP_STAT(tcps, tcp_eager_blowoff_q0);
1178	eager = listener->tcp_eager_next_q0;
1179	while (eager != listener) {
1180		if (!eager->tcp_closemp_used) {
1181			eager->tcp_closemp_used = B_TRUE;
1182			TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
1183			CONN_INC_REF(eager->tcp_connp);
1184			mp = &eager->tcp_closemp;
1185			SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp,
1186			    tcp_eager_kill, eager->tcp_connp, NULL, SQ_FILL,
1187			    SQTAG_TCP_EAGER_CLEANUP_Q0);
1188		}
1189		eager = eager->tcp_eager_next_q0;
1190	}
1191}
1192
1193/*
1194 * If we are an eager connection hanging off a listener that hasn't
1195 * formally accepted the connection yet, get off its list and blow off
1196 * any data that we have accumulated.
1197 */
1198void
1199tcp_eager_unlink(tcp_t *tcp)
1200{
1201	tcp_t	*listener = tcp->tcp_listener;
1202
1203	ASSERT(listener != NULL);
1204	ASSERT(MUTEX_HELD(&listener->tcp_eager_lock));
1205	if (tcp->tcp_eager_next_q0 != NULL) {
1206		ASSERT(tcp->tcp_eager_prev_q0 != NULL);
1207
1208		/* Remove the eager tcp from q0 */
1209		tcp->tcp_eager_next_q0->tcp_eager_prev_q0 =
1210		    tcp->tcp_eager_prev_q0;
1211		tcp->tcp_eager_prev_q0->tcp_eager_next_q0 =
1212		    tcp->tcp_eager_next_q0;
1213		ASSERT(listener->tcp_conn_req_cnt_q0 > 0);
1214		listener->tcp_conn_req_cnt_q0--;
1215
1216		tcp->tcp_eager_next_q0 = NULL;
1217		tcp->tcp_eager_prev_q0 = NULL;
1218
1219		/*
1220		 * Take the eager out, if it is in the list of droppable
1221		 * eagers.
1222		 */
1223		MAKE_UNDROPPABLE(tcp);
1224
1225		if (tcp->tcp_syn_rcvd_timeout != 0) {
1226			/* we have timed out before */
1227			ASSERT(listener->tcp_syn_rcvd_timeout > 0);
1228			listener->tcp_syn_rcvd_timeout--;
1229		}
1230	} else {
1231		tcp_t   **tcpp = &listener->tcp_eager_next_q;
1232		tcp_t	*prev = NULL;
1233
1234		for (; tcpp[0]; tcpp = &tcpp[0]->tcp_eager_next_q) {
1235			if (tcpp[0] == tcp) {
1236				if (listener->tcp_eager_last_q == tcp) {
1237					/*
1238					 * If we are unlinking the last
1239					 * element on the list, adjust
1240					 * tail pointer. Set tail pointer
1241					 * to nil when list is empty.
1242					 */
1243					ASSERT(tcp->tcp_eager_next_q == NULL);
1244					if (listener->tcp_eager_last_q ==
1245					    listener->tcp_eager_next_q) {
1246						listener->tcp_eager_last_q =
1247						    NULL;
1248					} else {
1249						/*
1250						 * We won't get here if there
1251						 * is only one eager in the
1252						 * list.
1253						 */
1254						ASSERT(prev != NULL);
1255						listener->tcp_eager_last_q =
1256						    prev;
1257					}
1258				}
1259				tcpp[0] = tcp->tcp_eager_next_q;
1260				tcp->tcp_eager_next_q = NULL;
1261				tcp->tcp_eager_last_q = NULL;
1262				ASSERT(listener->tcp_conn_req_cnt_q > 0);
1263				listener->tcp_conn_req_cnt_q--;
1264				break;
1265			}
1266			prev = tcpp[0];
1267		}
1268	}
1269	tcp->tcp_listener = NULL;
1270}
1271
1272/* BEGIN CSTYLED */
1273/*
1274 *
1275 * The sockfs ACCEPT path:
1276 * =======================
1277 *
1278 * The eager is now established in its own perimeter as soon as SYN is
1279 * received in tcp_input_listener(). When sockfs receives conn_ind, it
1280 * completes the accept processing on the acceptor STREAM. The sending
1281 * of conn_ind part is common for both sockfs listener and a TLI/XTI
1282 * listener but a TLI/XTI listener completes the accept processing
1283 * on the listener perimeter.
1284 *
1285 * Common control flow for 3 way handshake:
1286 * ----------------------------------------
1287 *
1288 * incoming SYN (listener perimeter)	-> tcp_input_listener()
1289 *
1290 * incoming SYN-ACK-ACK (eager perim)	-> tcp_input_data()
1291 * send T_CONN_IND (listener perim)	-> tcp_send_conn_ind()
1292 *
1293 * Sockfs ACCEPT Path:
1294 * -------------------
1295 *
1296 * open acceptor stream (tcp_open allocates tcp_tli_accept()
1297 * as STREAM entry point)
1298 *
1299 * soaccept() sends T_CONN_RES on the acceptor STREAM to tcp_tli_accept()
1300 *
1301 * tcp_tli_accept() extracts the eager and makes the q->q_ptr <-> eager
1302 * association (we are not behind eager's squeue but sockfs is protecting us
1303 * and no one knows about this stream yet. The STREAMS entry point q->q_info
1304 * is changed to point at tcp_wput().
1305 *
1306 * tcp_accept_common() sends any deferred eagers via tcp_send_pending() to
1307 * listener (done on listener's perimeter).
1308 *
1309 * tcp_tli_accept() calls tcp_accept_finish() on eagers perimeter to finish
1310 * accept.
1311 *
1312 * TLI/XTI client ACCEPT path:
1313 * ---------------------------
1314 *
1315 * soaccept() sends T_CONN_RES on the listener STREAM.
1316 *
1317 * tcp_tli_accept() -> tcp_accept_swap() complete the processing and send
1318 * a M_SETOPS mblk to eager perimeter to finish accept (tcp_accept_finish()).
1319 *
1320 * Locks:
1321 * ======
1322 *
1323 * listener->tcp_eager_lock protects the listeners->tcp_eager_next_q0 and
1324 * and listeners->tcp_eager_next_q.
1325 *
1326 * Referencing:
1327 * ============
1328 *
1329 * 1) We start out in tcp_input_listener by eager placing a ref on
1330 * listener and listener adding eager to listeners->tcp_eager_next_q0.
1331 *
1332 * 2) When a SYN-ACK-ACK arrives, we send the conn_ind to listener. Before
1333 * doing so we place a ref on the eager. This ref is finally dropped at the
1334 * end of tcp_accept_finish() while unwinding from the squeue, i.e. the
1335 * reference is dropped by the squeue framework.
1336 *
1337 * 3) The ref on listener placed in 1 above is dropped in tcp_accept_finish
1338 *
1339 * The reference must be released by the same entity that added the reference
1340 * In the above scheme, the eager is the entity that adds and releases the
1341 * references. Note that tcp_accept_finish executes in the squeue of the eager
1342 * (albeit after it is attached to the acceptor stream). Though 1. executes
1343 * in the listener's squeue, the eager is nascent at this point and the
1344 * reference can be considered to have been added on behalf of the eager.
1345 *
1346 * Eager getting a Reset or listener closing:
1347 * ==========================================
1348 *
1349 * Once the listener and eager are linked, the listener never does the unlink.
1350 * If the listener needs to close, tcp_eager_cleanup() is called which queues
1351 * a message on all eager perimeter. The eager then does the unlink, clears
1352 * any pointers to the listener's queue and drops the reference to the
1353 * listener. The listener waits in tcp_close outside the squeue until its
1354 * refcount has dropped to 1. This ensures that the listener has waited for
1355 * all eagers to clear their association with the listener.
1356 *
1357 * Similarly, if eager decides to go away, it can unlink itself and close.
1358 * When the T_CONN_RES comes down, we check if eager has closed. Note that
1359 * the reference to eager is still valid because of the extra ref we put
1360 * in tcp_send_conn_ind.
1361 *
1362 * Listener can always locate the eager under the protection
1363 * of the listener->tcp_eager_lock, and then do a refhold
1364 * on the eager during the accept processing.
1365 *
1366 * The acceptor stream accesses the eager in the accept processing
1367 * based on the ref placed on eager before sending T_conn_ind.
1368 * The only entity that can negate this refhold is a listener close
1369 * which is mutually exclusive with an active acceptor stream.
1370 *
1371 * Eager's reference on the listener
1372 * ===================================
1373 *
1374 * If the accept happens (even on a closed eager) the eager drops its
1375 * reference on the listener at the start of tcp_accept_finish. If the
1376 * eager is killed due to an incoming RST before the T_conn_ind is sent up,
1377 * the reference is dropped in tcp_closei_local. If the listener closes,
1378 * the reference is dropped in tcp_eager_kill. In all cases the reference
1379 * is dropped while executing in the eager's context (squeue).
1380 */
1381/* END CSTYLED */
1382
1383/* Process the SYN packet, mp, directed at the listener 'tcp' */
1384
1385/*
1386 * THIS FUNCTION IS DIRECTLY CALLED BY IP VIA SQUEUE FOR SYN.
1387 * tcp_input_data will not see any packets for listeners since the listener
1388 * has conn_recv set to tcp_input_listener.
1389 */
1390/* ARGSUSED */
1391static void
1392tcp_input_listener(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
1393{
1394	tcpha_t		*tcpha;
1395	uint32_t	seg_seq;
1396	tcp_t		*eager;
1397	int		err;
1398	conn_t		*econnp = NULL;
1399	squeue_t	*new_sqp;
1400	mblk_t		*mp1;
1401	uint_t		ip_hdr_len;
1402	conn_t		*lconnp = (conn_t *)arg;
1403	tcp_t		*listener = lconnp->conn_tcp;
1404	tcp_stack_t	*tcps = listener->tcp_tcps;
1405	ip_stack_t	*ipst = tcps->tcps_netstack->netstack_ip;
1406	uint_t		flags;
1407	mblk_t		*tpi_mp;
1408	uint_t		ifindex = ira->ira_ruifindex;
1409	boolean_t	tlc_set = B_FALSE;
1410
1411	ip_hdr_len = ira->ira_ip_hdr_length;
1412	tcpha = (tcpha_t *)&mp->b_rptr[ip_hdr_len];
1413	flags = (unsigned int)tcpha->tha_flags & 0xFF;
1414
1415	DTRACE_TCP5(receive, mblk_t *, NULL, ip_xmit_attr_t *, lconnp->conn_ixa,
1416	    __dtrace_tcp_void_ip_t *, mp->b_rptr, tcp_t *, listener,
1417	    __dtrace_tcp_tcph_t *, tcpha);
1418
1419	if (!(flags & TH_SYN)) {
1420		if ((flags & TH_RST) || (flags & TH_URG)) {
1421			freemsg(mp);
1422			return;
1423		}
1424		if (flags & TH_ACK) {
1425			/* Note this executes in listener's squeue */
1426			tcp_xmit_listeners_reset(mp, ira, ipst, lconnp);
1427			return;
1428		}
1429
1430		freemsg(mp);
1431		return;
1432	}
1433
1434	if (listener->tcp_state != TCPS_LISTEN)
1435		goto error2;
1436
1437	ASSERT(IPCL_IS_BOUND(lconnp));
1438
1439	mutex_enter(&listener->tcp_eager_lock);
1440
1441	/*
1442	 * The system is under memory pressure, so we need to do our part
1443	 * to relieve the pressure.  So we only accept new request if there
1444	 * is nothing waiting to be accepted or waiting to complete the 3-way
1445	 * handshake.  This means that busy listener will not get too many
1446	 * new requests which they cannot handle in time while non-busy
1447	 * listener is still functioning properly.
1448	 */
1449	if (tcps->tcps_reclaim && (listener->tcp_conn_req_cnt_q > 0 ||
1450	    listener->tcp_conn_req_cnt_q0 > 0)) {
1451		mutex_exit(&listener->tcp_eager_lock);
1452		TCP_STAT(tcps, tcp_listen_mem_drop);
1453		goto error2;
1454	}
1455
1456	if (listener->tcp_conn_req_cnt_q >= listener->tcp_conn_req_max) {
1457		mutex_exit(&listener->tcp_eager_lock);
1458		TCP_STAT(tcps, tcp_listendrop);
1459		TCPS_BUMP_MIB(tcps, tcpListenDrop);
1460		if (lconnp->conn_debug) {
1461			(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE|SL_ERROR,
1462			    "tcp_input_listener: listen backlog (max=%d) "
1463			    "overflow (%d pending) on %s",
1464			    listener->tcp_conn_req_max,
1465			    listener->tcp_conn_req_cnt_q,
1466			    tcp_display(listener, NULL, DISP_PORT_ONLY));
1467		}
1468		goto error2;
1469	}
1470
1471	if (listener->tcp_conn_req_cnt_q0 >=
1472	    listener->tcp_conn_req_max + tcps->tcps_conn_req_max_q0) {
1473		/*
1474		 * Q0 is full. Drop a pending half-open req from the queue
1475		 * to make room for the new SYN req. Also mark the time we
1476		 * drop a SYN.
1477		 *
1478		 * A more aggressive defense against SYN attack will
1479		 * be to set the "tcp_syn_defense" flag now.
1480		 */
1481		TCP_STAT(tcps, tcp_listendropq0);
1482		listener->tcp_last_rcv_lbolt = ddi_get_lbolt64();
1483		if (!tcp_drop_q0(listener)) {
1484			mutex_exit(&listener->tcp_eager_lock);
1485			TCPS_BUMP_MIB(tcps, tcpListenDropQ0);
1486			if (lconnp->conn_debug) {
1487				(void) strlog(TCP_MOD_ID, 0, 3, SL_TRACE,
1488				    "tcp_input_listener: listen half-open "
1489				    "queue (max=%d) full (%d pending) on %s",
1490				    tcps->tcps_conn_req_max_q0,
1491				    listener->tcp_conn_req_cnt_q0,
1492				    tcp_display(listener, NULL,
1493				    DISP_PORT_ONLY));
1494			}
1495			goto error2;
1496		}
1497	}
1498
1499	/*
1500	 * Enforce the limit set on the number of connections per listener.
1501	 * Note that tlc_cnt starts with 1.  So need to add 1 to tlc_max
1502	 * for comparison.
1503	 */
1504	if (listener->tcp_listen_cnt != NULL) {
1505		tcp_listen_cnt_t *tlc = listener->tcp_listen_cnt;
1506		int64_t now;
1507
1508		if (atomic_inc_32_nv(&tlc->tlc_cnt) > tlc->tlc_max + 1) {
1509			mutex_exit(&listener->tcp_eager_lock);
1510			now = ddi_get_lbolt64();
1511			atomic_dec_32(&tlc->tlc_cnt);
1512			TCP_STAT(tcps, tcp_listen_cnt_drop);
1513			tlc->tlc_drop++;
1514			if (now - tlc->tlc_report_time >
1515			    MSEC_TO_TICK(TCP_TLC_REPORT_INTERVAL)) {
1516				zcmn_err(lconnp->conn_zoneid, CE_WARN,
1517				    "Listener (port %d) connection max (%u) "
1518				    "reached: %u attempts dropped total\n",
1519				    ntohs(listener->tcp_connp->conn_lport),
1520				    tlc->tlc_max, tlc->tlc_drop);
1521				tlc->tlc_report_time = now;
1522			}
1523			goto error2;
1524		}
1525		tlc_set = B_TRUE;
1526	}
1527
1528	mutex_exit(&listener->tcp_eager_lock);
1529
1530	/*
1531	 * IP sets ira_sqp to either the senders conn_sqp (for loopback)
1532	 * or based on the ring (for packets from GLD). Otherwise it is
1533	 * set based on lbolt i.e., a somewhat random number.
1534	 */
1535	ASSERT(ira->ira_sqp != NULL);
1536	new_sqp = ira->ira_sqp;
1537
1538	econnp = tcp_get_conn(arg2, tcps);
1539	if (econnp == NULL)
1540		goto error2;
1541
1542	ASSERT(econnp->conn_netstack == lconnp->conn_netstack);
1543	econnp->conn_sqp = new_sqp;
1544	econnp->conn_initial_sqp = new_sqp;
1545	econnp->conn_ixa->ixa_sqp = new_sqp;
1546
1547	econnp->conn_fport = tcpha->tha_lport;
1548	econnp->conn_lport = tcpha->tha_fport;
1549
1550	err = conn_inherit_parent(lconnp, econnp);
1551	if (err != 0)
1552		goto error3;
1553
1554	/* We already know the laddr of the new connection is ours */
1555	econnp->conn_ixa->ixa_src_generation = ipst->ips_src_generation;
1556
1557	ASSERT(OK_32PTR(mp->b_rptr));
1558	ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION ||
1559	    IPH_HDR_VERSION(mp->b_rptr) == IPV6_VERSION);
1560
1561	if (lconnp->conn_family == AF_INET) {
1562		ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
1563		tpi_mp = tcp_conn_create_v4(lconnp, econnp, mp, ira);
1564	} else {
1565		tpi_mp = tcp_conn_create_v6(lconnp, econnp, mp, ira);
1566	}
1567
1568	if (tpi_mp == NULL)
1569		goto error3;
1570
1571	eager = econnp->conn_tcp;
1572	eager->tcp_detached = B_TRUE;
1573	SOCK_CONNID_INIT(eager->tcp_connid);
1574
1575	/*
1576	 * Initialize the eager's tcp_t and inherit some parameters from
1577	 * the listener.
1578	 */
1579	tcp_init_values(eager, listener);
1580
1581	ASSERT((econnp->conn_ixa->ixa_flags &
1582	    (IXAF_SET_ULP_CKSUM | IXAF_VERIFY_SOURCE |
1583	    IXAF_VERIFY_PMTU | IXAF_VERIFY_LSO)) ==
1584	    (IXAF_SET_ULP_CKSUM | IXAF_VERIFY_SOURCE |
1585	    IXAF_VERIFY_PMTU | IXAF_VERIFY_LSO));
1586
1587	if (!tcps->tcps_dev_flow_ctl)
1588		econnp->conn_ixa->ixa_flags |= IXAF_NO_DEV_FLOW_CTL;
1589
1590	/* Prepare for diffing against previous packets */
1591	eager->tcp_recvifindex = 0;
1592	eager->tcp_recvhops = 0xffffffffU;
1593
1594	if (!(ira->ira_flags & IRAF_IS_IPV4) && econnp->conn_bound_if == 0) {
1595		if (IN6_IS_ADDR_LINKSCOPE(&econnp->conn_faddr_v6) ||
1596		    IN6_IS_ADDR_LINKSCOPE(&econnp->conn_laddr_v6)) {
1597			econnp->conn_incoming_ifindex = ifindex;
1598			econnp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
1599			econnp->conn_ixa->ixa_scopeid = ifindex;
1600		}
1601	}
1602
1603	if ((ira->ira_flags & (IRAF_IS_IPV4|IRAF_IPV4_OPTIONS)) ==
1604	    (IRAF_IS_IPV4|IRAF_IPV4_OPTIONS) &&
1605	    tcps->tcps_rev_src_routes) {
1606		ipha_t *ipha = (ipha_t *)mp->b_rptr;
1607		ip_pkt_t *ipp = &econnp->conn_xmit_ipp;
1608
1609		/* Source routing option copyover (reverse it) */
1610		err = ip_find_hdr_v4(ipha, ipp, B_TRUE);
1611		if (err != 0) {
1612			freemsg(tpi_mp);
1613			goto error3;
1614		}
1615		ip_pkt_source_route_reverse_v4(ipp);
1616	}
1617
1618	ASSERT(eager->tcp_conn.tcp_eager_conn_ind == NULL);
1619	ASSERT(!eager->tcp_tconnind_started);
1620	/*
1621	 * If the SYN came with a credential, it's a loopback packet or a
1622	 * labeled packet; attach the credential to the TPI message.
1623	 */
1624	if (ira->ira_cred != NULL)
1625		mblk_setcred(tpi_mp, ira->ira_cred, ira->ira_cpid);
1626
1627	eager->tcp_conn.tcp_eager_conn_ind = tpi_mp;
1628	ASSERT(eager->tcp_ordrel_mp == NULL);
1629
1630	/* Inherit the listener's non-STREAMS flag */
1631	if (IPCL_IS_NONSTR(lconnp)) {
1632		econnp->conn_flags |= IPCL_NONSTR;
1633		/* All non-STREAMS tcp_ts are sockets */
1634		eager->tcp_issocket = B_TRUE;
1635	} else {
1636		/*
1637		 * Pre-allocate the T_ordrel_ind mblk for TPI socket so that
1638		 * at close time, we will always have that to send up.
1639		 * Otherwise, we need to do special handling in case the
1640		 * allocation fails at that time.
1641		 */
1642		if ((eager->tcp_ordrel_mp = mi_tpi_ordrel_ind()) == NULL)
1643			goto error3;
1644	}
1645	/*
1646	 * Now that the IP addresses and ports are setup in econnp we
1647	 * can do the IPsec policy work.
1648	 */
1649	if (ira->ira_flags & IRAF_IPSEC_SECURE) {
1650		if (lconnp->conn_policy != NULL) {
1651			/*
1652			 * Inherit the policy from the listener; use
1653			 * actions from ira
1654			 */
1655			if (!ip_ipsec_policy_inherit(econnp, lconnp, ira)) {
1656				CONN_DEC_REF(econnp);
1657				freemsg(mp);
1658				goto error3;
1659			}
1660		}
1661	}
1662
1663	/*
1664	 * tcp_set_destination() may set tcp_rwnd according to the route
1665	 * metrics. If it does not, the eager's receive window will be set
1666	 * to the listener's receive window later in this function.
1667	 */
1668	eager->tcp_rwnd = 0;
1669
1670	if (is_system_labeled()) {
1671		ip_xmit_attr_t *ixa = econnp->conn_ixa;
1672
1673		ASSERT(ira->ira_tsl != NULL);
1674		/* Discard any old label */
1675		if (ixa->ixa_free_flags & IXA_FREE_TSL) {
1676			ASSERT(ixa->ixa_tsl != NULL);
1677			label_rele(ixa->ixa_tsl);
1678			ixa->ixa_free_flags &= ~IXA_FREE_TSL;
1679			ixa->ixa_tsl = NULL;
1680		}
1681		if ((lconnp->conn_mlp_type != mlptSingle ||
1682		    lconnp->conn_mac_mode != CONN_MAC_DEFAULT) &&
1683		    ira->ira_tsl != NULL) {
1684			/*
1685			 * If this is an MLP connection or a MAC-Exempt
1686			 * connection with an unlabeled node, packets are to be
1687			 * exchanged using the security label of the received
1688			 * SYN packet instead of the server application's label.
1689			 * tsol_check_dest called from ip_set_destination
1690			 * might later update TSF_UNLABELED by replacing
1691			 * ixa_tsl with a new label.
1692			 */
1693			label_hold(ira->ira_tsl);
1694			ip_xmit_attr_replace_tsl(ixa, ira->ira_tsl);
1695			DTRACE_PROBE2(mlp_syn_accept, conn_t *,
1696			    econnp, ts_label_t *, ixa->ixa_tsl)
1697		} else {
1698			ixa->ixa_tsl = crgetlabel(econnp->conn_cred);
1699			DTRACE_PROBE2(syn_accept, conn_t *,
1700			    econnp, ts_label_t *, ixa->ixa_tsl)
1701		}
1702		/*
1703		 * conn_connect() called from tcp_set_destination will verify
1704		 * the destination is allowed to receive packets at the
1705		 * security label of the SYN-ACK we are generating. As part of
1706		 * that, tsol_check_dest() may create a new effective label for
1707		 * this connection.
1708		 * Finally conn_connect() will call conn_update_label.
1709		 * All that remains for TCP to do is to call
1710		 * conn_build_hdr_template which is done as part of
1711		 * tcp_set_destination.
1712		 */
1713	}
1714
1715	/*
1716	 * Since we will clear tcp_listener before we clear tcp_detached
1717	 * in the accept code we need tcp_hard_binding aka tcp_accept_inprogress
1718	 * so we can tell a TCP_IS_DETACHED_NONEAGER apart.
1719	 */
1720	eager->tcp_hard_binding = B_TRUE;
1721
1722	tcp_bind_hash_insert(&tcps->tcps_bind_fanout[
1723	    TCP_BIND_HASH(econnp->conn_lport)], eager, 0);
1724
1725	CL_INET_CONNECT(econnp, B_FALSE, err);
1726	if (err != 0) {
1727		tcp_bind_hash_remove(eager);
1728		goto error3;
1729	}
1730
1731	SOCK_CONNID_BUMP(eager->tcp_connid);
1732
1733	/*
1734	 * Adapt our mss, ttl, ... based on the remote address.
1735	 */
1736
1737	if (tcp_set_destination(eager) != 0) {
1738		TCPS_BUMP_MIB(tcps, tcpAttemptFails);
1739		/* Undo the bind_hash_insert */
1740		tcp_bind_hash_remove(eager);
1741		goto error3;
1742	}
1743
1744	/* Process all TCP options. */
1745	tcp_process_options(eager, tcpha);
1746
1747	/* Is the other end ECN capable? */
1748	if (tcps->tcps_ecn_permitted >= 1 &&
1749	    (tcpha->tha_flags & (TH_ECE|TH_CWR)) == (TH_ECE|TH_CWR)) {
1750		eager->tcp_ecn_ok = B_TRUE;
1751	}
1752
1753	/*
1754	 * The listener's conn_rcvbuf should be the default window size or a
1755	 * window size changed via SO_RCVBUF option. First round up the
1756	 * eager's tcp_rwnd to the nearest MSS. Then find out the window
1757	 * scale option value if needed. Call tcp_rwnd_set() to finish the
1758	 * setting.
1759	 *
1760	 * Note if there is a rpipe metric associated with the remote host,
1761	 * we should not inherit receive window size from listener.
1762	 */
1763	eager->tcp_rwnd = MSS_ROUNDUP(
1764	    (eager->tcp_rwnd == 0 ? econnp->conn_rcvbuf :
1765	    eager->tcp_rwnd), eager->tcp_mss);
1766	if (eager->tcp_snd_ws_ok)
1767		tcp_set_ws_value(eager);
1768	/*
1769	 * Note that this is the only place tcp_rwnd_set() is called for
1770	 * accepting a connection.  We need to call it here instead of
1771	 * after the 3-way handshake because we need to tell the other
1772	 * side our rwnd in the SYN-ACK segment.
1773	 */
1774	(void) tcp_rwnd_set(eager, eager->tcp_rwnd);
1775
1776	ASSERT(eager->tcp_connp->conn_rcvbuf != 0 &&
1777	    eager->tcp_connp->conn_rcvbuf == eager->tcp_rwnd);
1778
1779	ASSERT(econnp->conn_rcvbuf != 0 &&
1780	    econnp->conn_rcvbuf == eager->tcp_rwnd);
1781
1782	/* Put a ref on the listener for the eager. */
1783	CONN_INC_REF(lconnp);
1784	mutex_enter(&listener->tcp_eager_lock);
1785	listener->tcp_eager_next_q0->tcp_eager_prev_q0 = eager;
1786	eager->tcp_eager_next_q0 = listener->tcp_eager_next_q0;
1787	listener->tcp_eager_next_q0 = eager;
1788	eager->tcp_eager_prev_q0 = listener;
1789
1790	/* Set tcp_listener before adding it to tcp_conn_fanout */
1791	eager->tcp_listener = listener;
1792	eager->tcp_saved_listener = listener;
1793
1794	/*
1795	 * Set tcp_listen_cnt so that when the connection is done, the counter
1796	 * is decremented.
1797	 */
1798	eager->tcp_listen_cnt = listener->tcp_listen_cnt;
1799
1800	/*
1801	 * Tag this detached tcp vector for later retrieval
1802	 * by our listener client in tcp_accept().
1803	 */
1804	eager->tcp_conn_req_seqnum = listener->tcp_conn_req_seqnum;
1805	listener->tcp_conn_req_cnt_q0++;
1806	if (++listener->tcp_conn_req_seqnum == -1) {
1807		/*
1808		 * -1 is "special" and defined in TPI as something
1809		 * that should never be used in T_CONN_IND
1810		 */
1811		++listener->tcp_conn_req_seqnum;
1812	}
1813	mutex_exit(&listener->tcp_eager_lock);
1814
1815	if (listener->tcp_syn_defense) {
1816		/* Don't drop the SYN that comes from a good IP source */
1817		ipaddr_t *addr_cache;
1818
1819		addr_cache = (ipaddr_t *)(listener->tcp_ip_addr_cache);
1820		if (addr_cache != NULL && econnp->conn_faddr_v4 ==
1821		    addr_cache[IP_ADDR_CACHE_HASH(econnp->conn_faddr_v4)]) {
1822			eager->tcp_dontdrop = B_TRUE;
1823		}
1824	}
1825
1826	/*
1827	 * We need to insert the eager in its own perimeter but as soon
1828	 * as we do that, we expose the eager to the classifier and
1829	 * should not touch any field outside the eager's perimeter.
1830	 * So do all the work necessary before inserting the eager
1831	 * in its own perimeter. Be optimistic that conn_connect()
1832	 * will succeed but undo everything if it fails.
1833	 */
1834	seg_seq = ntohl(tcpha->tha_seq);
1835	eager->tcp_irs = seg_seq;
1836	eager->tcp_rack = seg_seq;
1837	eager->tcp_rnxt = seg_seq + 1;
1838	eager->tcp_tcpha->tha_ack = htonl(eager->tcp_rnxt);
1839	TCPS_BUMP_MIB(tcps, tcpPassiveOpens);
1840	eager->tcp_state = TCPS_SYN_RCVD;
1841	DTRACE_TCP6(state__change, void, NULL, ip_xmit_attr_t *,
1842	    econnp->conn_ixa, void, NULL, tcp_t *, eager, void, NULL,
1843	    int32_t, TCPS_LISTEN);
1844
1845	mp1 = tcp_xmit_mp(eager, eager->tcp_xmit_head, eager->tcp_mss,
1846	    NULL, NULL, eager->tcp_iss, B_FALSE, NULL, B_FALSE);
1847	if (mp1 == NULL) {
1848		/*
1849		 * Increment the ref count as we are going to
1850		 * enqueueing an mp in squeue
1851		 */
1852		CONN_INC_REF(econnp);
1853		goto error;
1854	}
1855
1856	/*
1857	 * We need to start the rto timer. In normal case, we start
1858	 * the timer after sending the packet on the wire (or at
1859	 * least believing that packet was sent by waiting for
1860	 * conn_ip_output() to return). Since this is the first packet
1861	 * being sent on the wire for the eager, our initial tcp_rto
1862	 * is at least tcp_rexmit_interval_min which is a fairly
1863	 * large value to allow the algorithm to adjust slowly to large
1864	 * fluctuations of RTT during first few transmissions.
1865	 *
1866	 * Starting the timer first and then sending the packet in this
1867	 * case shouldn't make much difference since tcp_rexmit_interval_min
1868	 * is of the order of several 100ms and starting the timer
1869	 * first and then sending the packet will result in difference
1870	 * of few micro seconds.
1871	 *
1872	 * Without this optimization, we are forced to hold the fanout
1873	 * lock across the ipcl_bind_insert() and sending the packet
1874	 * so that we don't race against an incoming packet (maybe RST)
1875	 * for this eager.
1876	 *
1877	 * It is necessary to acquire an extra reference on the eager
1878	 * at this point and hold it until after tcp_send_data() to
1879	 * ensure against an eager close race.
1880	 */
1881
1882	CONN_INC_REF(econnp);
1883
1884	TCP_TIMER_RESTART(eager, eager->tcp_rto);
1885
1886	/*
1887	 * Insert the eager in its own perimeter now. We are ready to deal
1888	 * with any packets on eager.
1889	 */
1890	if (ipcl_conn_insert(econnp) != 0)
1891		goto error;
1892
1893	ASSERT(econnp->conn_ixa->ixa_notify_cookie == econnp->conn_tcp);
1894	freemsg(mp);
1895	/*
1896	 * Send the SYN-ACK. Use the right squeue so that conn_ixa is
1897	 * only used by one thread at a time.
1898	 */
1899	if (econnp->conn_sqp == lconnp->conn_sqp) {
1900		DTRACE_TCP5(send, mblk_t *, NULL, ip_xmit_attr_t *,
1901		    econnp->conn_ixa, __dtrace_tcp_void_ip_t *, mp1->b_rptr,
1902		    tcp_t *, eager, __dtrace_tcp_tcph_t *,
1903		    &mp1->b_rptr[econnp->conn_ixa->ixa_ip_hdr_length]);
1904		(void) conn_ip_output(mp1, econnp->conn_ixa);
1905		CONN_DEC_REF(econnp);
1906	} else {
1907		SQUEUE_ENTER_ONE(econnp->conn_sqp, mp1, tcp_send_synack,
1908		    econnp, NULL, SQ_PROCESS, SQTAG_TCP_SEND_SYNACK);
1909	}
1910	return;
1911error:
1912	freemsg(mp1);
1913	eager->tcp_closemp_used = B_TRUE;
1914	TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
1915	mp1 = &eager->tcp_closemp;
1916	SQUEUE_ENTER_ONE(econnp->conn_sqp, mp1, tcp_eager_kill,
1917	    econnp, NULL, SQ_FILL, SQTAG_TCP_CONN_REQ_2);
1918
1919	/*
1920	 * If a connection already exists, send the mp to that connections so
1921	 * that it can be appropriately dealt with.
1922	 */
1923	ipst = tcps->tcps_netstack->netstack_ip;
1924
1925	if ((econnp = ipcl_classify(mp, ira, ipst)) != NULL) {
1926		if (!IPCL_IS_CONNECTED(econnp)) {
1927			/*
1928			 * Something bad happened. ipcl_conn_insert()
1929			 * failed because a connection already existed
1930			 * in connected hash but we can't find it
1931			 * anymore (someone blew it away). Just
1932			 * free this message and hopefully remote
1933			 * will retransmit at which time the SYN can be
1934			 * treated as a new connection or dealth with
1935			 * a TH_RST if a connection already exists.
1936			 */
1937			CONN_DEC_REF(econnp);
1938			freemsg(mp);
1939		} else {
1940			SQUEUE_ENTER_ONE(econnp->conn_sqp, mp, tcp_input_data,
1941			    econnp, ira, SQ_FILL, SQTAG_TCP_CONN_REQ_1);
1942		}
1943	} else {
1944		/* Nobody wants this packet */
1945		freemsg(mp);
1946	}
1947	return;
1948error3:
1949	CONN_DEC_REF(econnp);
1950error2:
1951	freemsg(mp);
1952	if (tlc_set)
1953		atomic_dec_32(&listener->tcp_listen_cnt->tlc_cnt);
1954}
1955
1956/*
1957 * In an ideal case of vertical partition in NUMA architecture, its
1958 * beneficial to have the listener and all the incoming connections
1959 * tied to the same squeue. The other constraint is that incoming
1960 * connections should be tied to the squeue attached to interrupted
1961 * CPU for obvious locality reason so this leaves the listener to
1962 * be tied to the same squeue. Our only problem is that when listener
1963 * is binding, the CPU that will get interrupted by the NIC whose
1964 * IP address the listener is binding to is not even known. So
1965 * the code below allows us to change that binding at the time the
1966 * CPU is interrupted by virtue of incoming connection's squeue.
1967 *
1968 * This is usefull only in case of a listener bound to a specific IP
1969 * address. For other kind of listeners, they get bound the
1970 * very first time and there is no attempt to rebind them.
1971 */
1972void
1973tcp_input_listener_unbound(void *arg, mblk_t *mp, void *arg2,
1974    ip_recv_attr_t *ira)
1975{
1976	conn_t		*connp = (conn_t *)arg;
1977	squeue_t	*sqp = (squeue_t *)arg2;
1978	squeue_t	*new_sqp;
1979	uint32_t	conn_flags;
1980
1981	/*
1982	 * IP sets ira_sqp to either the senders conn_sqp (for loopback)
1983	 * or based on the ring (for packets from GLD). Otherwise it is
1984	 * set based on lbolt i.e., a somewhat random number.
1985	 */
1986	ASSERT(ira->ira_sqp != NULL);
1987	new_sqp = ira->ira_sqp;
1988
1989	if (connp->conn_fanout == NULL)
1990		goto done;
1991
1992	if (!(connp->conn_flags & IPCL_FULLY_BOUND)) {
1993		mutex_enter(&connp->conn_fanout->connf_lock);
1994		mutex_enter(&connp->conn_lock);
1995		/*
1996		 * No one from read or write side can access us now
1997		 * except for already queued packets on this squeue.
1998		 * But since we haven't changed the squeue yet, they
1999		 * can't execute. If they are processed after we have
2000		 * changed the squeue, they are sent back to the
2001		 * correct squeue down below.
2002		 * But a listner close can race with processing of
2003		 * incoming SYN. If incoming SYN processing changes
2004		 * the squeue then the listener close which is waiting
2005		 * to enter the squeue would operate on the wrong
2006		 * squeue. Hence we don't change the squeue here unless
2007		 * the refcount is exactly the minimum refcount. The
2008		 * minimum refcount of 4 is counted as - 1 each for
2009		 * TCP and IP, 1 for being in the classifier hash, and
2010		 * 1 for the mblk being processed.
2011		 */
2012
2013		if (connp->conn_ref != 4 ||
2014		    connp->conn_tcp->tcp_state != TCPS_LISTEN) {
2015			mutex_exit(&connp->conn_lock);
2016			mutex_exit(&connp->conn_fanout->connf_lock);
2017			goto done;
2018		}
2019		if (connp->conn_sqp != new_sqp) {
2020			while (connp->conn_sqp != new_sqp)
2021				(void) atomic_cas_ptr(&connp->conn_sqp, sqp,
2022				    new_sqp);
2023			/* No special MT issues for outbound ixa_sqp hint */
2024			connp->conn_ixa->ixa_sqp = new_sqp;
2025		}
2026
2027		do {
2028			conn_flags = connp->conn_flags;
2029			conn_flags |= IPCL_FULLY_BOUND;
2030			(void) atomic_cas_32(&connp->conn_flags,
2031			    connp->conn_flags, conn_flags);
2032		} while (!(connp->conn_flags & IPCL_FULLY_BOUND));
2033
2034		mutex_exit(&connp->conn_fanout->connf_lock);
2035		mutex_exit(&connp->conn_lock);
2036
2037		/*
2038		 * Assume we have picked a good squeue for the listener. Make
2039		 * subsequent SYNs not try to change the squeue.
2040		 */
2041		connp->conn_recv = tcp_input_listener;
2042	}
2043
2044done:
2045	if (connp->conn_sqp != sqp) {
2046		CONN_INC_REF(connp);
2047		SQUEUE_ENTER_ONE(connp->conn_sqp, mp, connp->conn_recv, connp,
2048		    ira, SQ_FILL, SQTAG_TCP_CONN_REQ_UNBOUND);
2049	} else {
2050		tcp_input_listener(connp, mp, sqp, ira);
2051	}
2052}
2053
2054/*
2055 * Send up all messages queued on tcp_rcv_list.
2056 */
2057uint_t
2058tcp_rcv_drain(tcp_t *tcp)
2059{
2060	mblk_t *mp;
2061	uint_t ret = 0;
2062#ifdef DEBUG
2063	uint_t cnt = 0;
2064#endif
2065	queue_t	*q = tcp->tcp_connp->conn_rq;
2066
2067	/* Can't drain on an eager connection */
2068	if (tcp->tcp_listener != NULL)
2069		return (ret);
2070
2071	/* Can't be a non-STREAMS connection */
2072	ASSERT(!IPCL_IS_NONSTR(tcp->tcp_connp));
2073
2074	/* No need for the push timer now. */
2075	if (tcp->tcp_push_tid != 0) {
2076		(void) TCP_TIMER_CANCEL(tcp, tcp->tcp_push_tid);
2077		tcp->tcp_push_tid = 0;
2078	}
2079
2080	/*
2081	 * Handle two cases here: we are currently fused or we were
2082	 * previously fused and have some urgent data to be delivered
2083	 * upstream.  The latter happens because we either ran out of
2084	 * memory or were detached and therefore sending the SIGURG was
2085	 * deferred until this point.  In either case we pass control
2086	 * over to tcp_fuse_rcv_drain() since it may need to complete
2087	 * some work.
2088	 */
2089	if ((tcp->tcp_fused || tcp->tcp_fused_sigurg)) {
2090		if (tcp_fuse_rcv_drain(q, tcp, tcp->tcp_fused ? NULL :
2091		    &tcp->tcp_fused_sigurg_mp))
2092			return (ret);
2093	}
2094
2095	while ((mp = tcp->tcp_rcv_list) != NULL) {
2096		tcp->tcp_rcv_list = mp->b_next;
2097		mp->b_next = NULL;
2098#ifdef DEBUG
2099		cnt += msgdsize(mp);
2100#endif
2101		putnext(q, mp);
2102	}
2103#ifdef DEBUG
2104	ASSERT(cnt == tcp->tcp_rcv_cnt);
2105#endif
2106	tcp->tcp_rcv_last_head = NULL;
2107	tcp->tcp_rcv_last_tail = NULL;
2108	tcp->tcp_rcv_cnt = 0;
2109
2110	if (canputnext(q))
2111		return (tcp_rwnd_reopen(tcp));
2112
2113	return (ret);
2114}
2115
2116/*
2117 * Queue data on tcp_rcv_list which is a b_next chain.
2118 * tcp_rcv_last_head/tail is the last element of this chain.
2119 * Each element of the chain is a b_cont chain.
2120 *
2121 * M_DATA messages are added to the current element.
2122 * Other messages are added as new (b_next) elements.
2123 */
2124void
2125tcp_rcv_enqueue(tcp_t *tcp, mblk_t *mp, uint_t seg_len, cred_t *cr)
2126{
2127	ASSERT(seg_len == msgdsize(mp));
2128	ASSERT(tcp->tcp_rcv_list == NULL || tcp->tcp_rcv_last_head != NULL);
2129
2130	if (is_system_labeled()) {
2131		ASSERT(cr != NULL || msg_getcred(mp, NULL) != NULL);
2132		/*
2133		 * Provide for protocols above TCP such as RPC. NOPID leaves
2134		 * db_cpid unchanged.
2135		 * The cred could have already been set.
2136		 */
2137		if (cr != NULL)
2138			mblk_setcred(mp, cr, NOPID);
2139	}
2140
2141	if (tcp->tcp_rcv_list == NULL) {
2142		ASSERT(tcp->tcp_rcv_last_head == NULL);
2143		tcp->tcp_rcv_list = mp;
2144		tcp->tcp_rcv_last_head = mp;
2145	} else if (DB_TYPE(mp) == DB_TYPE(tcp->tcp_rcv_last_head)) {
2146		tcp->tcp_rcv_last_tail->b_cont = mp;
2147	} else {
2148		tcp->tcp_rcv_last_head->b_next = mp;
2149		tcp->tcp_rcv_last_head = mp;
2150	}
2151
2152	while (mp->b_cont)
2153		mp = mp->b_cont;
2154
2155	tcp->tcp_rcv_last_tail = mp;
2156	tcp->tcp_rcv_cnt += seg_len;
2157	tcp->tcp_rwnd -= seg_len;
2158}
2159
2160/* Generate an ACK-only (no data) segment for a TCP endpoint */
2161mblk_t *
2162tcp_ack_mp(tcp_t *tcp)
2163{
2164	uint32_t	seq_no;
2165	tcp_stack_t	*tcps = tcp->tcp_tcps;
2166	conn_t		*connp = tcp->tcp_connp;
2167
2168	/*
2169	 * There are a few cases to be considered while setting the sequence no.
2170	 * Essentially, we can come here while processing an unacceptable pkt
2171	 * in the TCPS_SYN_RCVD state, in which case we set the sequence number
2172	 * to snxt (per RFC 793), note the swnd wouldn't have been set yet.
2173	 * If we are here for a zero window probe, stick with suna. In all
2174	 * other cases, we check if suna + swnd encompasses snxt and set
2175	 * the sequence number to snxt, if so. If snxt falls outside the
2176	 * window (the receiver probably shrunk its window), we will go with
2177	 * suna + swnd, otherwise the sequence no will be unacceptable to the
2178	 * receiver.
2179	 */
2180	if (tcp->tcp_zero_win_probe) {
2181		seq_no = tcp->tcp_suna;
2182	} else if (tcp->tcp_state == TCPS_SYN_RCVD) {
2183		ASSERT(tcp->tcp_swnd == 0);
2184		seq_no = tcp->tcp_snxt;
2185	} else {
2186		seq_no = SEQ_GT(tcp->tcp_snxt,
2187		    (tcp->tcp_suna + tcp->tcp_swnd)) ?
2188		    (tcp->tcp_suna + tcp->tcp_swnd) : tcp->tcp_snxt;
2189	}
2190
2191	if (tcp->tcp_valid_bits) {
2192		/*
2193		 * For the complex case where we have to send some
2194		 * controls (FIN or SYN), let tcp_xmit_mp do it.
2195		 */
2196		return (tcp_xmit_mp(tcp, NULL, 0, NULL, NULL, seq_no, B_FALSE,
2197		    NULL, B_FALSE));
2198	} else {
2199		/* Generate a simple ACK */
2200		int	data_length;
2201		uchar_t	*rptr;
2202		tcpha_t	*tcpha;
2203		mblk_t	*mp1;
2204		int32_t	total_hdr_len;
2205		int32_t	tcp_hdr_len;
2206		int32_t	num_sack_blk = 0;
2207		int32_t sack_opt_len;
2208		ip_xmit_attr_t *ixa = connp->conn_ixa;
2209
2210		/*
2211		 * Allocate space for TCP + IP headers
2212		 * and link-level header
2213		 */
2214		if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
2215			num_sack_blk = MIN(tcp->tcp_max_sack_blk,
2216			    tcp->tcp_num_sack_blk);
2217			sack_opt_len = num_sack_blk * sizeof (sack_blk_t) +
2218			    TCPOPT_NOP_LEN * 2 + TCPOPT_HEADER_LEN;
2219			total_hdr_len = connp->conn_ht_iphc_len + sack_opt_len;
2220			tcp_hdr_len = connp->conn_ht_ulp_len + sack_opt_len;
2221		} else {
2222			total_hdr_len = connp->conn_ht_iphc_len;
2223			tcp_hdr_len = connp->conn_ht_ulp_len;
2224		}
2225		mp1 = allocb(total_hdr_len + tcps->tcps_wroff_xtra, BPRI_MED);
2226		if (!mp1)
2227			return (NULL);
2228
2229		/* Update the latest receive window size in TCP header. */
2230		tcp->tcp_tcpha->tha_win =
2231		    htons(tcp->tcp_rwnd >> tcp->tcp_rcv_ws);
2232		/* copy in prototype TCP + IP header */
2233		rptr = mp1->b_rptr + tcps->tcps_wroff_xtra;
2234		mp1->b_rptr = rptr;
2235		mp1->b_wptr = rptr + total_hdr_len;
2236		bcopy(connp->conn_ht_iphc, rptr, connp->conn_ht_iphc_len);
2237
2238		tcpha = (tcpha_t *)&rptr[ixa->ixa_ip_hdr_length];
2239
2240		/* Set the TCP sequence number. */
2241		tcpha->tha_seq = htonl(seq_no);
2242
2243		/* Set up the TCP flag field. */
2244		tcpha->tha_flags = (uchar_t)TH_ACK;
2245		if (tcp->tcp_ecn_echo_on)
2246			tcpha->tha_flags |= TH_ECE;
2247
2248		tcp->tcp_rack = tcp->tcp_rnxt;
2249		tcp->tcp_rack_cnt = 0;
2250
2251		/* fill in timestamp option if in use */
2252		if (tcp->tcp_snd_ts_ok) {
2253			uint32_t llbolt = (uint32_t)LBOLT_FASTPATH;
2254
2255			U32_TO_BE32(llbolt,
2256			    (char *)tcpha + TCP_MIN_HEADER_LENGTH+4);
2257			U32_TO_BE32(tcp->tcp_ts_recent,
2258			    (char *)tcpha + TCP_MIN_HEADER_LENGTH+8);
2259		}
2260
2261		/* Fill in SACK options */
2262		if (num_sack_blk > 0) {
2263			uchar_t *wptr = (uchar_t *)tcpha +
2264			    connp->conn_ht_ulp_len;
2265			sack_blk_t *tmp;
2266			int32_t	i;
2267
2268			wptr[0] = TCPOPT_NOP;
2269			wptr[1] = TCPOPT_NOP;
2270			wptr[2] = TCPOPT_SACK;
2271			wptr[3] = TCPOPT_HEADER_LEN + num_sack_blk *
2272			    sizeof (sack_blk_t);
2273			wptr += TCPOPT_REAL_SACK_LEN;
2274
2275			tmp = tcp->tcp_sack_list;
2276			for (i = 0; i < num_sack_blk; i++) {
2277				U32_TO_BE32(tmp[i].begin, wptr);
2278				wptr += sizeof (tcp_seq);
2279				U32_TO_BE32(tmp[i].end, wptr);
2280				wptr += sizeof (tcp_seq);
2281			}
2282			tcpha->tha_offset_and_reserved +=
2283			    ((num_sack_blk * 2 + 1) << 4);
2284		}
2285
2286		ixa->ixa_pktlen = total_hdr_len;
2287
2288		if (ixa->ixa_flags & IXAF_IS_IPV4) {
2289			((ipha_t *)rptr)->ipha_length = htons(total_hdr_len);
2290		} else {
2291			ip6_t *ip6 = (ip6_t *)rptr;
2292
2293			ip6->ip6_plen = htons(total_hdr_len - IPV6_HDR_LEN);
2294		}
2295
2296		/*
2297		 * Prime pump for checksum calculation in IP.  Include the
2298		 * adjustment for a source route if any.
2299		 */
2300		data_length = tcp_hdr_len + connp->conn_sum;
2301		data_length = (data_length >> 16) + (data_length & 0xFFFF);
2302		tcpha->tha_sum = htons(data_length);
2303
2304		if (tcp->tcp_ip_forward_progress) {
2305			tcp->tcp_ip_forward_progress = B_FALSE;
2306			connp->conn_ixa->ixa_flags |= IXAF_REACH_CONF;
2307		} else {
2308			connp->conn_ixa->ixa_flags &= ~IXAF_REACH_CONF;
2309		}
2310		return (mp1);
2311	}
2312}
2313
2314/*
2315 * Dummy socket upcalls for if/when the conn_t gets detached from a
2316 * direct-callback sonode via a user-driven close().  Easy to catch with
2317 * DTrace FBT, and should be mostly harmless.
2318 */
2319
2320/* ARGSUSED */
2321static sock_upper_handle_t
2322tcp_dummy_newconn(sock_upper_handle_t x, sock_lower_handle_t y,
2323    sock_downcalls_t *z, cred_t *cr, pid_t pid, sock_upcalls_t **ignored)
2324{
2325	ASSERT(0);	/* Panic in debug, otherwise ignore. */
2326	return (NULL);
2327}
2328
2329/* ARGSUSED */
2330static void
2331tcp_dummy_connected(sock_upper_handle_t x, sock_connid_t y, cred_t *cr,
2332    pid_t pid)
2333{
2334	ASSERT(x == NULL);
2335	/* Normally we'd crhold(cr) and attach it to socket state. */
2336	/* LINTED */
2337}
2338
2339/* ARGSUSED */
2340static int
2341tcp_dummy_disconnected(sock_upper_handle_t x, sock_connid_t y, int blah)
2342{
2343	ASSERT(0);	/* Panic in debug, otherwise ignore. */
2344	return (-1);
2345}
2346
2347/* ARGSUSED */
2348static void
2349tcp_dummy_opctl(sock_upper_handle_t x, sock_opctl_action_t y, uintptr_t blah)
2350{
2351	ASSERT(x == NULL);
2352	/* We really want this one to be a harmless NOP for now. */
2353	/* LINTED */
2354}
2355
2356/* ARGSUSED */
2357static ssize_t
2358tcp_dummy_recv(sock_upper_handle_t x, mblk_t *mp, size_t len, int flags,
2359    int *error, boolean_t *push)
2360{
2361	ASSERT(x == NULL);
2362
2363	/*
2364	 * Consume the message, set ESHUTDOWN, and return an error.
2365	 * Nobody's home!
2366	 */
2367	freemsg(mp);
2368	*error = ESHUTDOWN;
2369	return (-1);
2370}
2371
2372/* ARGSUSED */
2373static void
2374tcp_dummy_set_proto_props(sock_upper_handle_t x, struct sock_proto_props *y)
2375{
2376	ASSERT(0);	/* Panic in debug, otherwise ignore. */
2377}
2378
2379/* ARGSUSED */
2380static void
2381tcp_dummy_txq_full(sock_upper_handle_t x, boolean_t y)
2382{
2383	ASSERT(0);	/* Panic in debug, otherwise ignore. */
2384}
2385
2386/* ARGSUSED */
2387static void
2388tcp_dummy_signal_oob(sock_upper_handle_t x, ssize_t len)
2389{
2390	ASSERT(x == NULL);
2391	/* Otherwise, this would signal socket state about OOB data. */
2392}
2393
2394/* ARGSUSED */
2395static void
2396tcp_dummy_set_error(sock_upper_handle_t x, int err)
2397{
2398	ASSERT(0);	/* Panic in debug, otherwise ignore. */
2399}
2400
2401/* ARGSUSED */
2402static void
2403tcp_dummy_onearg(sock_upper_handle_t x)
2404{
2405	ASSERT(0);	/* Panic in debug, otherwise ignore. */
2406}
2407
2408static sock_upcalls_t tcp_dummy_upcalls = {
2409	tcp_dummy_newconn,
2410	tcp_dummy_connected,
2411	tcp_dummy_disconnected,
2412	tcp_dummy_opctl,
2413	tcp_dummy_recv,
2414	tcp_dummy_set_proto_props,
2415	tcp_dummy_txq_full,
2416	tcp_dummy_signal_oob,
2417	tcp_dummy_onearg,
2418	tcp_dummy_set_error,
2419	tcp_dummy_onearg
2420};
2421
2422/*
2423 * Handle M_DATA messages from IP. Its called directly from IP via
2424 * squeue for received IP packets.
2425 *
2426 * The first argument is always the connp/tcp to which the mp belongs.
2427 * There are no exceptions to this rule. The caller has already put
2428 * a reference on this connp/tcp and once tcp_input_data() returns,
2429 * the squeue will do the refrele.
2430 *
2431 * The TH_SYN for the listener directly go to tcp_input_listener via
2432 * squeue. ICMP errors go directly to tcp_icmp_input().
2433 *
2434 * sqp: NULL = recursive, sqp != NULL means called from squeue
2435 */
2436void
2437tcp_input_data(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
2438{
2439	int32_t		bytes_acked;
2440	int32_t		gap;
2441	mblk_t		*mp1;
2442	uint_t		flags;
2443	uint32_t	new_swnd = 0;
2444	uchar_t		*iphdr;
2445	uchar_t		*rptr;
2446	int32_t		rgap;
2447	uint32_t	seg_ack;
2448	int		seg_len;
2449	uint_t		ip_hdr_len;
2450	uint32_t	seg_seq;
2451	tcpha_t		*tcpha;
2452	int		urp;
2453	tcp_opt_t	tcpopt;
2454	ip_pkt_t	ipp;
2455	boolean_t	ofo_seg = B_FALSE; /* Out of order segment */
2456	uint32_t	cwnd;
2457	int		mss;
2458	conn_t		*connp = (conn_t *)arg;
2459	squeue_t	*sqp = (squeue_t *)arg2;
2460	tcp_t		*tcp = connp->conn_tcp;
2461	tcp_stack_t	*tcps = tcp->tcp_tcps;
2462	sock_upcalls_t	*sockupcalls;
2463
2464	/*
2465	 * RST from fused tcp loopback peer should trigger an unfuse.
2466	 */
2467	if (tcp->tcp_fused) {
2468		TCP_STAT(tcps, tcp_fusion_aborted);
2469		tcp_unfuse(tcp);
2470	}
2471
2472	mss = 0;
2473	iphdr = mp->b_rptr;
2474	rptr = mp->b_rptr;
2475	ASSERT(OK_32PTR(rptr));
2476
2477	ip_hdr_len = ira->ira_ip_hdr_length;
2478	if (connp->conn_recv_ancillary.crb_all != 0) {
2479		/*
2480		 * Record packet information in the ip_pkt_t
2481		 */
2482		ipp.ipp_fields = 0;
2483		if (ira->ira_flags & IRAF_IS_IPV4) {
2484			(void) ip_find_hdr_v4((ipha_t *)rptr, &ipp,
2485			    B_FALSE);
2486		} else {
2487			uint8_t nexthdrp;
2488
2489			/*
2490			 * IPv6 packets can only be received by applications
2491			 * that are prepared to receive IPv6 addresses.
2492			 * The IP fanout must ensure this.
2493			 */
2494			ASSERT(connp->conn_family == AF_INET6);
2495
2496			(void) ip_find_hdr_v6(mp, (ip6_t *)rptr, B_TRUE, &ipp,
2497			    &nexthdrp);
2498			ASSERT(nexthdrp == IPPROTO_TCP);
2499
2500			/* Could have caused a pullup? */
2501			iphdr = mp->b_rptr;
2502			rptr = mp->b_rptr;
2503		}
2504	}
2505	ASSERT(DB_TYPE(mp) == M_DATA);
2506	ASSERT(mp->b_next == NULL);
2507
2508	tcpha = (tcpha_t *)&rptr[ip_hdr_len];
2509	seg_seq = ntohl(tcpha->tha_seq);
2510	seg_ack = ntohl(tcpha->tha_ack);
2511	ASSERT((uintptr_t)(mp->b_wptr - rptr) <= (uintptr_t)INT_MAX);
2512	seg_len = (int)(mp->b_wptr - rptr) -
2513	    (ip_hdr_len + TCP_HDR_LENGTH(tcpha));
2514	if ((mp1 = mp->b_cont) != NULL && mp1->b_datap->db_type == M_DATA) {
2515		do {
2516			ASSERT((uintptr_t)(mp1->b_wptr - mp1->b_rptr) <=
2517			    (uintptr_t)INT_MAX);
2518			seg_len += (int)(mp1->b_wptr - mp1->b_rptr);
2519		} while ((mp1 = mp1->b_cont) != NULL &&
2520		    mp1->b_datap->db_type == M_DATA);
2521	}
2522
2523	DTRACE_TCP5(receive, mblk_t *, NULL, ip_xmit_attr_t *, connp->conn_ixa,
2524	    __dtrace_tcp_void_ip_t *, iphdr, tcp_t *, tcp,
2525	    __dtrace_tcp_tcph_t *, tcpha);
2526
2527	if (tcp->tcp_state == TCPS_TIME_WAIT) {
2528		tcp_time_wait_processing(tcp, mp, seg_seq, seg_ack,
2529		    seg_len, tcpha, ira);
2530		return;
2531	}
2532
2533	if (sqp != NULL) {
2534		/*
2535		 * This is the correct place to update tcp_last_recv_time. Note
2536		 * that it is also updated for tcp structure that belongs to
2537		 * global and listener queues which do not really need updating.
2538		 * But that should not cause any harm.  And it is updated for
2539		 * all kinds of incoming segments, not only for data segments.
2540		 */
2541		tcp->tcp_last_recv_time = LBOLT_FASTPATH;
2542	}
2543
2544	flags = (unsigned int)tcpha->tha_flags & 0xFF;
2545
2546	TCPS_BUMP_MIB(tcps, tcpHCInSegs);
2547	DTRACE_PROBE2(tcp__trace__recv, mblk_t *, mp, tcp_t *, tcp);
2548
2549	if ((flags & TH_URG) && sqp != NULL) {
2550		/*
2551		 * TCP can't handle urgent pointers that arrive before
2552		 * the connection has been accept()ed since it can't
2553		 * buffer OOB data.  Discard segment if this happens.
2554		 *
2555		 * We can't just rely on a non-null tcp_listener to indicate
2556		 * that the accept() has completed since unlinking of the
2557		 * eager and completion of the accept are not atomic.
2558		 * tcp_detached, when it is not set (B_FALSE) indicates
2559		 * that the accept() has completed.
2560		 *
2561		 * Nor can it reassemble urgent pointers, so discard
2562		 * if it's not the next segment expected.
2563		 *
2564		 * Otherwise, collapse chain into one mblk (discard if
2565		 * that fails).  This makes sure the headers, retransmitted
2566		 * data, and new data all are in the same mblk.
2567		 */
2568		ASSERT(mp != NULL);
2569		if (tcp->tcp_detached || !pullupmsg(mp, -1)) {
2570			freemsg(mp);
2571			return;
2572		}
2573		/* Update pointers into message */
2574		iphdr = rptr = mp->b_rptr;
2575		tcpha = (tcpha_t *)&rptr[ip_hdr_len];
2576		if (SEQ_GT(seg_seq, tcp->tcp_rnxt)) {
2577			/*
2578			 * Since we can't handle any data with this urgent
2579			 * pointer that is out of sequence, we expunge
2580			 * the data.  This allows us to still register
2581			 * the urgent mark and generate the M_PCSIG,
2582			 * which we can do.
2583			 */
2584			mp->b_wptr = (uchar_t *)tcpha + TCP_HDR_LENGTH(tcpha);
2585			seg_len = 0;
2586		}
2587	}
2588
2589	sockupcalls = connp->conn_upcalls;
2590	/* A conn_t may have belonged to a now-closed socket.  Be careful. */
2591	if (sockupcalls == NULL)
2592		sockupcalls = &tcp_dummy_upcalls;
2593
2594	switch (tcp->tcp_state) {
2595	case TCPS_SYN_SENT:
2596		if (connp->conn_final_sqp == NULL &&
2597		    tcp_outbound_squeue_switch && sqp != NULL) {
2598			ASSERT(connp->conn_initial_sqp == connp->conn_sqp);
2599			connp->conn_final_sqp = sqp;
2600			if (connp->conn_final_sqp != connp->conn_sqp) {
2601				DTRACE_PROBE1(conn__final__sqp__switch,
2602				    conn_t *, connp);
2603				CONN_INC_REF(connp);
2604				SQUEUE_SWITCH(connp, connp->conn_final_sqp);
2605				SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
2606				    tcp_input_data, connp, ira, ip_squeue_flag,
2607				    SQTAG_CONNECT_FINISH);
2608				return;
2609			}
2610			DTRACE_PROBE1(conn__final__sqp__same, conn_t *, connp);
2611		}
2612		if (flags & TH_ACK) {
2613			/*
2614			 * Note that our stack cannot send data before a
2615			 * connection is established, therefore the
2616			 * following check is valid.  Otherwise, it has
2617			 * to be changed.
2618			 */
2619			if (SEQ_LEQ(seg_ack, tcp->tcp_iss) ||
2620			    SEQ_GT(seg_ack, tcp->tcp_snxt)) {
2621				freemsg(mp);
2622				if (flags & TH_RST)
2623					return;
2624				tcp_xmit_ctl("TCPS_SYN_SENT-Bad_seq",
2625				    tcp, seg_ack, 0, TH_RST);
2626				return;
2627			}
2628			ASSERT(tcp->tcp_suna + 1 == seg_ack);
2629		}
2630		if (flags & TH_RST) {
2631			if (flags & TH_ACK) {
2632				DTRACE_TCP5(connect__refused, mblk_t *, NULL,
2633				    ip_xmit_attr_t *, connp->conn_ixa,
2634				    void_ip_t *, iphdr, tcp_t *, tcp,
2635				    tcph_t *, tcpha);
2636				(void) tcp_clean_death(tcp, ECONNREFUSED);
2637			}
2638			freemsg(mp);
2639			return;
2640		}
2641		if (!(flags & TH_SYN)) {
2642			freemsg(mp);
2643			return;
2644		}
2645
2646		/* Process all TCP options. */
2647		tcp_process_options(tcp, tcpha);
2648		/*
2649		 * The following changes our rwnd to be a multiple of the
2650		 * MIN(peer MSS, our MSS) for performance reason.
2651		 */
2652		(void) tcp_rwnd_set(tcp, MSS_ROUNDUP(connp->conn_rcvbuf,
2653		    tcp->tcp_mss));
2654
2655		/* Is the other end ECN capable? */
2656		if (tcp->tcp_ecn_ok) {
2657			if ((flags & (TH_ECE|TH_CWR)) != TH_ECE) {
2658				tcp->tcp_ecn_ok = B_FALSE;
2659			}
2660		}
2661		/*
2662		 * Clear ECN flags because it may interfere with later
2663		 * processing.
2664		 */
2665		flags &= ~(TH_ECE|TH_CWR);
2666
2667		tcp->tcp_irs = seg_seq;
2668		tcp->tcp_rack = seg_seq;
2669		tcp->tcp_rnxt = seg_seq + 1;
2670		tcp->tcp_tcpha->tha_ack = htonl(tcp->tcp_rnxt);
2671		if (!TCP_IS_DETACHED(tcp)) {
2672			/* Allocate room for SACK options if needed. */
2673			connp->conn_wroff = connp->conn_ht_iphc_len;
2674			if (tcp->tcp_snd_sack_ok)
2675				connp->conn_wroff += TCPOPT_MAX_SACK_LEN;
2676			if (!tcp->tcp_loopback)
2677				connp->conn_wroff += tcps->tcps_wroff_xtra;
2678
2679			(void) proto_set_tx_wroff(connp->conn_rq, connp,
2680			    connp->conn_wroff);
2681		}
2682		if (flags & TH_ACK) {
2683			/*
2684			 * If we can't get the confirmation upstream, pretend
2685			 * we didn't even see this one.
2686			 *
2687			 * XXX: how can we pretend we didn't see it if we
2688			 * have updated rnxt et. al.
2689			 *
2690			 * For loopback we defer sending up the T_CONN_CON
2691			 * until after some checks below.
2692			 */
2693			mp1 = NULL;
2694			/*
2695			 * tcp_sendmsg() checks tcp_state without entering
2696			 * the squeue so tcp_state should be updated before
2697			 * sending up connection confirmation.  Probe the
2698			 * state change below when we are sure the connection
2699			 * confirmation has been sent.
2700			 */
2701			tcp->tcp_state = TCPS_ESTABLISHED;
2702			if (!tcp_conn_con(tcp, iphdr, mp,
2703			    tcp->tcp_loopback ? &mp1 : NULL, ira)) {
2704				tcp->tcp_state = TCPS_SYN_SENT;
2705				freemsg(mp);
2706				return;
2707			}
2708			TCPS_CONN_INC(tcps);
2709			/* SYN was acked - making progress */
2710			tcp->tcp_ip_forward_progress = B_TRUE;
2711
2712			/* One for the SYN */
2713			tcp->tcp_suna = tcp->tcp_iss + 1;
2714			tcp->tcp_valid_bits &= ~TCP_ISS_VALID;
2715
2716			/*
2717			 * If SYN was retransmitted, need to reset all
2718			 * retransmission info.  This is because this
2719			 * segment will be treated as a dup ACK.
2720			 */
2721			if (tcp->tcp_rexmit) {
2722				tcp->tcp_rexmit = B_FALSE;
2723				tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
2724				tcp->tcp_rexmit_max = tcp->tcp_snxt;
2725				tcp->tcp_ms_we_have_waited = 0;
2726
2727				/*
2728				 * Set tcp_cwnd back to 1 MSS, per
2729				 * recommendation from
2730				 * draft-floyd-incr-init-win-01.txt,
2731				 * Increasing TCP's Initial Window.
2732				 */
2733				DTRACE_PROBE3(cwnd__retransmitted__syn,
2734				    tcp_t *, tcp, uint32_t, tcp->tcp_cwnd,
2735				    uint32_t, tcp->tcp_mss);
2736				tcp->tcp_cwnd = tcp->tcp_mss;
2737			}
2738
2739			tcp->tcp_swl1 = seg_seq;
2740			tcp->tcp_swl2 = seg_ack;
2741
2742			new_swnd = ntohs(tcpha->tha_win);
2743			tcp->tcp_swnd = new_swnd;
2744			if (new_swnd > tcp->tcp_max_swnd)
2745				tcp->tcp_max_swnd = new_swnd;
2746
2747			/*
2748			 * Always send the three-way handshake ack immediately
2749			 * in order to make the connection complete as soon as
2750			 * possible on the accepting host.
2751			 */
2752			flags |= TH_ACK_NEEDED;
2753
2754			/*
2755			 * Trace connect-established here.
2756			 */
2757			DTRACE_TCP5(connect__established, mblk_t *, NULL,
2758			    ip_xmit_attr_t *, tcp->tcp_connp->conn_ixa,
2759			    void_ip_t *, iphdr, tcp_t *, tcp, tcph_t *, tcpha);
2760
2761			/* Trace change from SYN_SENT -> ESTABLISHED here */
2762			DTRACE_TCP6(state__change, void, NULL, ip_xmit_attr_t *,
2763			    connp->conn_ixa, void, NULL, tcp_t *, tcp,
2764			    void, NULL, int32_t, TCPS_SYN_SENT);
2765
2766			/*
2767			 * Special case for loopback.  At this point we have
2768			 * received SYN-ACK from the remote endpoint.  In
2769			 * order to ensure that both endpoints reach the
2770			 * fused state prior to any data exchange, the final
2771			 * ACK needs to be sent before we indicate T_CONN_CON
2772			 * to the module upstream.
2773			 */
2774			if (tcp->tcp_loopback) {
2775				mblk_t *ack_mp;
2776
2777				ASSERT(!tcp->tcp_unfusable);
2778				ASSERT(mp1 != NULL);
2779				/*
2780				 * For loopback, we always get a pure SYN-ACK
2781				 * and only need to send back the final ACK
2782				 * with no data (this is because the other
2783				 * tcp is ours and we don't do T/TCP).  This
2784				 * final ACK triggers the passive side to
2785				 * perform fusion in ESTABLISHED state.
2786				 */
2787				if ((ack_mp = tcp_ack_mp(tcp)) != NULL) {
2788					if (tcp->tcp_ack_tid != 0) {
2789						(void) TCP_TIMER_CANCEL(tcp,
2790						    tcp->tcp_ack_tid);
2791						tcp->tcp_ack_tid = 0;
2792					}
2793					tcp_send_data(tcp, ack_mp);
2794					TCPS_BUMP_MIB(tcps, tcpHCOutSegs);
2795					TCPS_BUMP_MIB(tcps, tcpOutAck);
2796
2797					if (!IPCL_IS_NONSTR(connp)) {
2798						/* Send up T_CONN_CON */
2799						if (ira->ira_cred != NULL) {
2800							mblk_setcred(mp1,
2801							    ira->ira_cred,
2802							    ira->ira_cpid);
2803						}
2804						putnext(connp->conn_rq, mp1);
2805					} else {
2806						(*sockupcalls->su_connected)
2807						    (connp->conn_upper_handle,
2808						    tcp->tcp_connid,
2809						    ira->ira_cred,
2810						    ira->ira_cpid);
2811						freemsg(mp1);
2812					}
2813
2814					freemsg(mp);
2815					return;
2816				}
2817				/*
2818				 * Forget fusion; we need to handle more
2819				 * complex cases below.  Send the deferred
2820				 * T_CONN_CON message upstream and proceed
2821				 * as usual.  Mark this tcp as not capable
2822				 * of fusion.
2823				 */
2824				TCP_STAT(tcps, tcp_fusion_unfusable);
2825				tcp->tcp_unfusable = B_TRUE;
2826				if (!IPCL_IS_NONSTR(connp)) {
2827					if (ira->ira_cred != NULL) {
2828						mblk_setcred(mp1, ira->ira_cred,
2829						    ira->ira_cpid);
2830					}
2831					putnext(connp->conn_rq, mp1);
2832				} else {
2833					(*sockupcalls->su_connected)
2834					    (connp->conn_upper_handle,
2835					    tcp->tcp_connid, ira->ira_cred,
2836					    ira->ira_cpid);
2837					freemsg(mp1);
2838				}
2839			}
2840
2841			/*
2842			 * Check to see if there is data to be sent.  If
2843			 * yes, set the transmit flag.  Then check to see
2844			 * if received data processing needs to be done.
2845			 * If not, go straight to xmit_check.  This short
2846			 * cut is OK as we don't support T/TCP.
2847			 */
2848			if (tcp->tcp_unsent)
2849				flags |= TH_XMIT_NEEDED;
2850
2851			if (seg_len == 0 && !(flags & TH_URG)) {
2852				freemsg(mp);
2853				goto xmit_check;
2854			}
2855
2856			flags &= ~TH_SYN;
2857			seg_seq++;
2858			break;
2859		}
2860		tcp->tcp_state = TCPS_SYN_RCVD;
2861		DTRACE_TCP6(state__change, void, NULL, ip_xmit_attr_t *,
2862		    connp->conn_ixa, void_ip_t *, NULL, tcp_t *, tcp,
2863		    tcph_t *, NULL, int32_t, TCPS_SYN_SENT);
2864		mp1 = tcp_xmit_mp(tcp, tcp->tcp_xmit_head, tcp->tcp_mss,
2865		    NULL, NULL, tcp->tcp_iss, B_FALSE, NULL, B_FALSE);
2866		if (mp1 != NULL) {
2867			tcp_send_data(tcp, mp1);
2868			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
2869		}
2870		freemsg(mp);
2871		return;
2872	case TCPS_SYN_RCVD:
2873		if (flags & TH_ACK) {
2874			uint32_t pinit_wnd;
2875
2876			/*
2877			 * In this state, a SYN|ACK packet is either bogus
2878			 * because the other side must be ACKing our SYN which
2879			 * indicates it has seen the ACK for their SYN and
2880			 * shouldn't retransmit it or we're crossing SYNs
2881			 * on active open.
2882			 */
2883			if ((flags & TH_SYN) && !tcp->tcp_active_open) {
2884				freemsg(mp);
2885				tcp_xmit_ctl("TCPS_SYN_RCVD-bad_syn",
2886				    tcp, seg_ack, 0, TH_RST);
2887				return;
2888			}
2889			/*
2890			 * NOTE: RFC 793 pg. 72 says this should be
2891			 * tcp->tcp_suna <= seg_ack <= tcp->tcp_snxt
2892			 * but that would mean we have an ack that ignored
2893			 * our SYN.
2894			 */
2895			if (SEQ_LEQ(seg_ack, tcp->tcp_suna) ||
2896			    SEQ_GT(seg_ack, tcp->tcp_snxt)) {
2897				freemsg(mp);
2898				tcp_xmit_ctl("TCPS_SYN_RCVD-bad_ack",
2899				    tcp, seg_ack, 0, TH_RST);
2900				return;
2901			}
2902			/*
2903			 * No sane TCP stack will send such a small window
2904			 * without receiving any data.  Just drop this invalid
2905			 * ACK.  We also shorten the abort timeout in case
2906			 * this is an attack.
2907			 */
2908			pinit_wnd = ntohs(tcpha->tha_win) << tcp->tcp_snd_ws;
2909			if (pinit_wnd < tcp->tcp_mss &&
2910			    pinit_wnd < tcp_init_wnd_chk) {
2911				freemsg(mp);
2912				TCP_STAT(tcps, tcp_zwin_ack_syn);
2913				tcp->tcp_second_ctimer_threshold =
2914				    tcp_early_abort * SECONDS;
2915				return;
2916			}
2917		}
2918		break;
2919	case TCPS_LISTEN:
2920		/*
2921		 * Only a TLI listener can come through this path when a
2922		 * acceptor is going back to be a listener and a packet
2923		 * for the acceptor hits the classifier. For a socket
2924		 * listener, this can never happen because a listener
2925		 * can never accept connection on itself and hence a
2926		 * socket acceptor can not go back to being a listener.
2927		 */
2928		ASSERT(!TCP_IS_SOCKET(tcp));
2929		/*FALLTHRU*/
2930	case TCPS_CLOSED:
2931	case TCPS_BOUND: {
2932		conn_t	*new_connp;
2933		ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
2934
2935		/*
2936		 * Don't accept any input on a closed tcp as this TCP logically
2937		 * does not exist on the system. Don't proceed further with
2938		 * this TCP. For instance, this packet could trigger another
2939		 * close of this tcp which would be disastrous for tcp_refcnt.
2940		 * tcp_close_detached / tcp_clean_death / tcp_closei_local must
2941		 * be called at most once on a TCP. In this case we need to
2942		 * refeed the packet into the classifier and figure out where
2943		 * the packet should go.
2944		 */
2945		new_connp = ipcl_classify(mp, ira, ipst);
2946		if (new_connp != NULL) {
2947			/* Drops ref on new_connp */
2948			tcp_reinput(new_connp, mp, ira, ipst);
2949			return;
2950		}
2951		/* We failed to classify. For now just drop the packet */
2952		freemsg(mp);
2953		return;
2954	}
2955	case TCPS_IDLE:
2956		/*
2957		 * Handle the case where the tcp_clean_death() has happened
2958		 * on a connection (application hasn't closed yet) but a packet
2959		 * was already queued on squeue before tcp_clean_death()
2960		 * was processed. Calling tcp_clean_death() twice on same
2961		 * connection can result in weird behaviour.
2962		 */
2963		freemsg(mp);
2964		return;
2965	default:
2966		break;
2967	}
2968
2969	/*
2970	 * Already on the correct queue/perimeter.
2971	 * If this is a detached connection and not an eager
2972	 * connection hanging off a listener then new data
2973	 * (past the FIN) will cause a reset.
2974	 * We do a special check here where it
2975	 * is out of the main line, rather than check
2976	 * if we are detached every time we see new
2977	 * data down below.
2978	 */
2979	if (TCP_IS_DETACHED_NONEAGER(tcp) &&
2980	    (seg_len > 0 && SEQ_GT(seg_seq + seg_len, tcp->tcp_rnxt))) {
2981		TCPS_BUMP_MIB(tcps, tcpInClosed);
2982		DTRACE_PROBE2(tcp__trace__recv, mblk_t *, mp, tcp_t *, tcp);
2983		freemsg(mp);
2984		tcp_xmit_ctl("new data when detached", tcp,
2985		    tcp->tcp_snxt, 0, TH_RST);
2986		(void) tcp_clean_death(tcp, EPROTO);
2987		return;
2988	}
2989
2990	mp->b_rptr = (uchar_t *)tcpha + TCP_HDR_LENGTH(tcpha);
2991	urp = ntohs(tcpha->tha_urp) - TCP_OLD_URP_INTERPRETATION;
2992	new_swnd = ntohs(tcpha->tha_win) <<
2993	    ((tcpha->tha_flags & TH_SYN) ? 0 : tcp->tcp_snd_ws);
2994
2995	/*
2996	 * We are interested in two TCP options: timestamps (if negotiated) and
2997	 * SACK (if negotiated). Skip option parsing if neither is negotiated.
2998	 */
2999	if (tcp->tcp_snd_ts_ok || tcp->tcp_snd_sack_ok) {
3000		int options;
3001		if (tcp->tcp_snd_sack_ok)
3002			tcpopt.tcp = tcp;
3003		else
3004			tcpopt.tcp = NULL;
3005		options = tcp_parse_options(tcpha, &tcpopt);
3006		/*
3007		 * RST segments must not be subject to PAWS and are not
3008		 * required to have timestamps.
3009		 * We do not drop keepalive segments without
3010		 * timestamps, to maintain compatibility with legacy TCP stacks.
3011		 */
3012		boolean_t keepalive = (seg_len == 0 || seg_len == 1) &&
3013		    (seg_seq + 1 == tcp->tcp_rnxt);
3014		if (tcp->tcp_snd_ts_ok && !(flags & TH_RST) && !keepalive) {
3015			/*
3016			 * Per RFC 7323 section 3.2., silently drop non-RST
3017			 * segments without expected TSopt. This is a 'SHOULD'
3018			 * requirement.
3019			 * We accept keepalives without TSopt to maintain
3020			 * interoperability with tcp implementations that omit
3021			 * the TSopt on these. Keepalive data is discarded, so
3022			 * there is no risk corrupting data by accepting these.
3023			 */
3024			if (!(options & TCP_OPT_TSTAMP_PRESENT)) {
3025				/*
3026				 * Leave a breadcrumb for people to detect this
3027				 * behavior.
3028				 */
3029				DTRACE_TCP1(droppedtimestamp, tcp_t *, tcp);
3030				freemsg(mp);
3031				return;
3032			}
3033
3034			if (!tcp_paws_check(tcp, &tcpopt)) {
3035				/*
3036				 * This segment is not acceptable.
3037				 * Drop it and send back an ACK.
3038				 */
3039				freemsg(mp);
3040				flags |= TH_ACK_NEEDED;
3041				goto ack_check;
3042			}
3043		}
3044	}
3045try_again:;
3046	mss = tcp->tcp_mss;
3047	gap = seg_seq - tcp->tcp_rnxt;
3048	rgap = tcp->tcp_rwnd - (gap + seg_len);
3049	/*
3050	 * gap is the amount of sequence space between what we expect to see
3051	 * and what we got for seg_seq.  A positive value for gap means
3052	 * something got lost.  A negative value means we got some old stuff.
3053	 */
3054	if (gap < 0) {
3055		/* Old stuff present.  Is the SYN in there? */
3056		if (seg_seq == tcp->tcp_irs && (flags & TH_SYN) &&
3057		    (seg_len != 0)) {
3058			flags &= ~TH_SYN;
3059			seg_seq++;
3060			urp--;
3061			/* Recompute the gaps after noting the SYN. */
3062			goto try_again;
3063		}
3064		TCPS_BUMP_MIB(tcps, tcpInDataDupSegs);
3065		TCPS_UPDATE_MIB(tcps, tcpInDataDupBytes,
3066		    (seg_len > -gap ? -gap : seg_len));
3067		/* Remove the old stuff from seg_len. */
3068		seg_len += gap;
3069		/*
3070		 * Anything left?
3071		 * Make sure to check for unack'd FIN when rest of data
3072		 * has been previously ack'd.
3073		 */
3074		if (seg_len < 0 || (seg_len == 0 && !(flags & TH_FIN))) {
3075			/*
3076			 * Resets are only valid if they lie within our offered
3077			 * window.  If the RST bit is set, we just ignore this
3078			 * segment.
3079			 */
3080			if (flags & TH_RST) {
3081				freemsg(mp);
3082				return;
3083			}
3084
3085			/*
3086			 * The arriving of dup data packets indicate that we
3087			 * may have postponed an ack for too long, or the other
3088			 * side's RTT estimate is out of shape. Start acking
3089			 * more often.
3090			 */
3091			if (SEQ_GEQ(seg_seq + seg_len - gap, tcp->tcp_rack) &&
3092			    tcp->tcp_rack_cnt >= 1 &&
3093			    tcp->tcp_rack_abs_max > 2) {
3094				tcp->tcp_rack_abs_max--;
3095			}
3096			tcp->tcp_rack_cur_max = 1;
3097
3098			/*
3099			 * This segment is "unacceptable".  None of its
3100			 * sequence space lies within our advertized window.
3101			 *
3102			 * Adjust seg_len to the original value for tracing.
3103			 */
3104			seg_len -= gap;
3105			if (connp->conn_debug) {
3106				(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
3107				    "tcp_rput: unacceptable, gap %d, rgap %d, "
3108				    "flags 0x%x, seg_seq %u, seg_ack %u, "
3109				    "seg_len %d, rnxt %u, snxt %u, %s",
3110				    gap, rgap, flags, seg_seq, seg_ack,
3111				    seg_len, tcp->tcp_rnxt, tcp->tcp_snxt,
3112				    tcp_display(tcp, NULL,
3113				    DISP_ADDR_AND_PORT));
3114			}
3115
3116			/*
3117			 * Arrange to send an ACK in response to the
3118			 * unacceptable segment per RFC 793 page 69. There
3119			 * is only one small difference between ours and the
3120			 * acceptability test in the RFC - we accept ACK-only
3121			 * packet with SEG.SEQ = RCV.NXT+RCV.WND and no ACK
3122			 * will be generated.
3123			 *
3124			 * Note that we have to ACK an ACK-only packet at least
3125			 * for stacks that send 0-length keep-alives with
3126			 * SEG.SEQ = SND.NXT-1 as recommended by RFC1122,
3127			 * section 4.2.3.6. As long as we don't ever generate
3128			 * an unacceptable packet in response to an incoming
3129			 * packet that is unacceptable, it should not cause
3130			 * "ACK wars".
3131			 */
3132			flags |=  TH_ACK_NEEDED;
3133
3134			/*
3135			 * Continue processing this segment in order to use the
3136			 * ACK information it contains, but skip all other
3137			 * sequence-number processing.	Processing the ACK
3138			 * information is necessary in order to
3139			 * re-synchronize connections that may have lost
3140			 * synchronization.
3141			 *
3142			 * We clear seg_len and flag fields related to
3143			 * sequence number processing as they are not
3144			 * to be trusted for an unacceptable segment.
3145			 */
3146			seg_len = 0;
3147			flags &= ~(TH_SYN | TH_FIN | TH_URG);
3148			goto process_ack;
3149		}
3150
3151		/* Fix seg_seq, and chew the gap off the front. */
3152		seg_seq = tcp->tcp_rnxt;
3153		urp += gap;
3154		do {
3155			mblk_t	*mp2;
3156			ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
3157			    (uintptr_t)UINT_MAX);
3158			gap += (uint_t)(mp->b_wptr - mp->b_rptr);
3159			if (gap > 0) {
3160				mp->b_rptr = mp->b_wptr - gap;
3161				break;
3162			}
3163			mp2 = mp;
3164			mp = mp->b_cont;
3165			freeb(mp2);
3166		} while (gap < 0);
3167		/*
3168		 * If the urgent data has already been acknowledged, we
3169		 * should ignore TH_URG below
3170		 */
3171		if (urp < 0)
3172			flags &= ~TH_URG;
3173	}
3174	/*
3175	 * rgap is the amount of stuff received out of window.  A negative
3176	 * value is the amount out of window.
3177	 */
3178	if (rgap < 0) {
3179		mblk_t	*mp2;
3180
3181		if (tcp->tcp_rwnd == 0) {
3182			TCPS_BUMP_MIB(tcps, tcpInWinProbe);
3183			tcp->tcp_cs.tcp_in_zwnd_probes++;
3184		} else {
3185			TCPS_BUMP_MIB(tcps, tcpInDataPastWinSegs);
3186			TCPS_UPDATE_MIB(tcps, tcpInDataPastWinBytes, -rgap);
3187		}
3188
3189		/*
3190		 * seg_len does not include the FIN, so if more than
3191		 * just the FIN is out of window, we act like we don't
3192		 * see it.  (If just the FIN is out of window, rgap
3193		 * will be zero and we will go ahead and acknowledge
3194		 * the FIN.)
3195		 */
3196		flags &= ~TH_FIN;
3197
3198		/* Fix seg_len and make sure there is something left. */
3199		seg_len += rgap;
3200		if (seg_len <= 0) {
3201			/*
3202			 * Resets are only valid if they lie within our offered
3203			 * window.  If the RST bit is set, we just ignore this
3204			 * segment.
3205			 */
3206			if (flags & TH_RST) {
3207				freemsg(mp);
3208				return;
3209			}
3210
3211			/* Per RFC 793, we need to send back an ACK. */
3212			flags |= TH_ACK_NEEDED;
3213
3214			/*
3215			 * Send SIGURG as soon as possible i.e. even
3216			 * if the TH_URG was delivered in a window probe
3217			 * packet (which will be unacceptable).
3218			 *
3219			 * We generate a signal if none has been generated
3220			 * for this connection or if this is a new urgent
3221			 * byte. Also send a zero-length "unmarked" message
3222			 * to inform SIOCATMARK that this is not the mark.
3223			 *
3224			 * tcp_urp_last_valid is cleared when the T_exdata_ind
3225			 * is sent up. This plus the check for old data
3226			 * (gap >= 0) handles the wraparound of the sequence
3227			 * number space without having to always track the
3228			 * correct MAX(tcp_urp_last, tcp_rnxt). (BSD tracks
3229			 * this max in its rcv_up variable).
3230			 *
3231			 * This prevents duplicate SIGURGS due to a "late"
3232			 * zero-window probe when the T_EXDATA_IND has already
3233			 * been sent up.
3234			 */
3235			if ((flags & TH_URG) &&
3236			    (!tcp->tcp_urp_last_valid || SEQ_GT(urp + seg_seq,
3237			    tcp->tcp_urp_last))) {
3238				if (IPCL_IS_NONSTR(connp)) {
3239					if (!TCP_IS_DETACHED(tcp)) {
3240						(*sockupcalls->su_signal_oob)
3241						    (connp->conn_upper_handle,
3242						    urp);
3243					}
3244				} else {
3245					mp1 = allocb(0, BPRI_MED);
3246					if (mp1 == NULL) {
3247						freemsg(mp);
3248						return;
3249					}
3250					if (!TCP_IS_DETACHED(tcp) &&
3251					    !putnextctl1(connp->conn_rq,
3252					    M_PCSIG, SIGURG)) {
3253						/* Try again on the rexmit. */
3254						freemsg(mp1);
3255						freemsg(mp);
3256						return;
3257					}
3258					/*
3259					 * If the next byte would be the mark
3260					 * then mark with MARKNEXT else mark
3261					 * with NOTMARKNEXT.
3262					 */
3263					if (gap == 0 && urp == 0)
3264						mp1->b_flag |= MSGMARKNEXT;
3265					else
3266						mp1->b_flag |= MSGNOTMARKNEXT;
3267					freemsg(tcp->tcp_urp_mark_mp);
3268					tcp->tcp_urp_mark_mp = mp1;
3269					flags |= TH_SEND_URP_MARK;
3270				}
3271				tcp->tcp_urp_last_valid = B_TRUE;
3272				tcp->tcp_urp_last = urp + seg_seq;
3273			}
3274			/*
3275			 * If this is a zero window probe, continue to
3276			 * process the ACK part.  But we need to set seg_len
3277			 * to 0 to avoid data processing.  Otherwise just
3278			 * drop the segment and send back an ACK.
3279			 */
3280			if (tcp->tcp_rwnd == 0 && seg_seq == tcp->tcp_rnxt) {
3281				flags &= ~(TH_SYN | TH_URG);
3282				seg_len = 0;
3283				goto process_ack;
3284			} else {
3285				freemsg(mp);
3286				goto ack_check;
3287			}
3288		}
3289		/* Pitch out of window stuff off the end. */
3290		rgap = seg_len;
3291		mp2 = mp;
3292		do {
3293			ASSERT((uintptr_t)(mp2->b_wptr - mp2->b_rptr) <=
3294			    (uintptr_t)INT_MAX);
3295			rgap -= (int)(mp2->b_wptr - mp2->b_rptr);
3296			if (rgap < 0) {
3297				mp2->b_wptr += rgap;
3298				if ((mp1 = mp2->b_cont) != NULL) {
3299					mp2->b_cont = NULL;
3300					freemsg(mp1);
3301				}
3302				break;
3303			}
3304		} while ((mp2 = mp2->b_cont) != NULL);
3305	}
3306ok:;
3307	/*
3308	 * TCP should check ECN info for segments inside the window only.
3309	 * Therefore the check should be done here.
3310	 */
3311	if (tcp->tcp_ecn_ok) {
3312		if (flags & TH_CWR) {
3313			tcp->tcp_ecn_echo_on = B_FALSE;
3314		}
3315		/*
3316		 * Note that both ECN_CE and CWR can be set in the
3317		 * same segment.  In this case, we once again turn
3318		 * on ECN_ECHO.
3319		 */
3320		if (connp->conn_ipversion == IPV4_VERSION) {
3321			uchar_t tos = ((ipha_t *)rptr)->ipha_type_of_service;
3322
3323			if ((tos & IPH_ECN_CE) == IPH_ECN_CE) {
3324				tcp->tcp_ecn_echo_on = B_TRUE;
3325			}
3326		} else {
3327			uint32_t vcf = ((ip6_t *)rptr)->ip6_vcf;
3328
3329			if ((vcf & htonl(IPH_ECN_CE << 20)) ==
3330			    htonl(IPH_ECN_CE << 20)) {
3331				tcp->tcp_ecn_echo_on = B_TRUE;
3332			}
3333		}
3334	}
3335
3336	/*
3337	 * Check whether we can update tcp_ts_recent. This test is from RFC
3338	 * 7323, section 5.3.
3339	 */
3340	if (tcp->tcp_snd_ts_ok && !(flags & TH_RST) &&
3341	    TSTMP_GEQ(tcpopt.tcp_opt_ts_val, tcp->tcp_ts_recent) &&
3342	    SEQ_LEQ(seg_seq, tcp->tcp_rack)) {
3343		tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
3344		tcp->tcp_last_rcv_lbolt = LBOLT_FASTPATH64;
3345	}
3346
3347	if (seg_seq != tcp->tcp_rnxt || tcp->tcp_reass_head) {
3348		/*
3349		 * FIN in an out of order segment.  We record this in
3350		 * tcp_valid_bits and the seq num of FIN in tcp_ofo_fin_seq.
3351		 * Clear the FIN so that any check on FIN flag will fail.
3352		 * Remember that FIN also counts in the sequence number
3353		 * space.  So we need to ack out of order FIN only segments.
3354		 */
3355		if (flags & TH_FIN) {
3356			tcp->tcp_valid_bits |= TCP_OFO_FIN_VALID;
3357			tcp->tcp_ofo_fin_seq = seg_seq + seg_len;
3358			flags &= ~TH_FIN;
3359			flags |= TH_ACK_NEEDED;
3360		}
3361		if (seg_len > 0) {
3362			/* Fill in the SACK blk list. */
3363			if (tcp->tcp_snd_sack_ok) {
3364				tcp_sack_insert(tcp->tcp_sack_list,
3365				    seg_seq, seg_seq + seg_len,
3366				    &(tcp->tcp_num_sack_blk));
3367			}
3368
3369			/*
3370			 * Attempt reassembly and see if we have something
3371			 * ready to go.
3372			 */
3373			mp = tcp_reass(tcp, mp, seg_seq);
3374			/* Always ack out of order packets */
3375			flags |= TH_ACK_NEEDED | TH_PUSH;
3376			if (mp) {
3377				ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
3378				    (uintptr_t)INT_MAX);
3379				seg_len = mp->b_cont ? msgdsize(mp) :
3380				    (int)(mp->b_wptr - mp->b_rptr);
3381				seg_seq = tcp->tcp_rnxt;
3382				/*
3383				 * A gap is filled and the seq num and len
3384				 * of the gap match that of a previously
3385				 * received FIN, put the FIN flag back in.
3386				 */
3387				if ((tcp->tcp_valid_bits & TCP_OFO_FIN_VALID) &&
3388				    seg_seq + seg_len == tcp->tcp_ofo_fin_seq) {
3389					flags |= TH_FIN;
3390					tcp->tcp_valid_bits &=
3391					    ~TCP_OFO_FIN_VALID;
3392				}
3393				if (tcp->tcp_reass_tid != 0) {
3394					(void) TCP_TIMER_CANCEL(tcp,
3395					    tcp->tcp_reass_tid);
3396					/*
3397					 * Restart the timer if there is still
3398					 * data in the reassembly queue.
3399					 */
3400					if (tcp->tcp_reass_head != NULL) {
3401						tcp->tcp_reass_tid = TCP_TIMER(
3402						    tcp, tcp_reass_timer,
3403						    tcps->tcps_reass_timeout);
3404					} else {
3405						tcp->tcp_reass_tid = 0;
3406					}
3407				}
3408			} else {
3409				/*
3410				 * Keep going even with NULL mp.
3411				 * There may be a useful ACK or something else
3412				 * we don't want to miss.
3413				 *
3414				 * But TCP should not perform fast retransmit
3415				 * because of the ack number.  TCP uses
3416				 * seg_len == 0 to determine if it is a pure
3417				 * ACK.  And this is not a pure ACK.
3418				 */
3419				seg_len = 0;
3420				ofo_seg = B_TRUE;
3421
3422				if (tcps->tcps_reass_timeout != 0 &&
3423				    tcp->tcp_reass_tid == 0) {
3424					tcp->tcp_reass_tid = TCP_TIMER(tcp,
3425					    tcp_reass_timer,
3426					    tcps->tcps_reass_timeout);
3427				}
3428			}
3429		}
3430	} else if (seg_len > 0) {
3431		TCPS_BUMP_MIB(tcps, tcpInDataInorderSegs);
3432		TCPS_UPDATE_MIB(tcps, tcpInDataInorderBytes, seg_len);
3433		tcp->tcp_cs.tcp_in_data_inorder_segs++;
3434		tcp->tcp_cs.tcp_in_data_inorder_bytes += seg_len;
3435
3436		/*
3437		 * If an out of order FIN was received before, and the seq
3438		 * num and len of the new segment match that of the FIN,
3439		 * put the FIN flag back in.
3440		 */
3441		if ((tcp->tcp_valid_bits & TCP_OFO_FIN_VALID) &&
3442		    seg_seq + seg_len == tcp->tcp_ofo_fin_seq) {
3443			flags |= TH_FIN;
3444			tcp->tcp_valid_bits &= ~TCP_OFO_FIN_VALID;
3445		}
3446	}
3447	if ((flags & (TH_RST | TH_SYN | TH_URG | TH_ACK)) != TH_ACK) {
3448	if (flags & TH_RST) {
3449		freemsg(mp);
3450		switch (tcp->tcp_state) {
3451		case TCPS_SYN_RCVD:
3452			(void) tcp_clean_death(tcp, ECONNREFUSED);
3453			break;
3454		case TCPS_ESTABLISHED:
3455		case TCPS_FIN_WAIT_1:
3456		case TCPS_FIN_WAIT_2:
3457		case TCPS_CLOSE_WAIT:
3458			(void) tcp_clean_death(tcp, ECONNRESET);
3459			break;
3460		case TCPS_CLOSING:
3461		case TCPS_LAST_ACK:
3462			(void) tcp_clean_death(tcp, 0);
3463			break;
3464		default:
3465			ASSERT(tcp->tcp_state != TCPS_TIME_WAIT);
3466			(void) tcp_clean_death(tcp, ENXIO);
3467			break;
3468		}
3469		return;
3470	}
3471	if (flags & TH_SYN) {
3472		/*
3473		 * See RFC 793, Page 71
3474		 *
3475		 * The seq number must be in the window as it should
3476		 * be "fixed" above.  If it is outside window, it should
3477		 * be already rejected.  Note that we allow seg_seq to be
3478		 * rnxt + rwnd because we want to accept 0 window probe.
3479		 */
3480		ASSERT(SEQ_GEQ(seg_seq, tcp->tcp_rnxt) &&
3481		    SEQ_LEQ(seg_seq, tcp->tcp_rnxt + tcp->tcp_rwnd));
3482		freemsg(mp);
3483		/*
3484		 * If the ACK flag is not set, just use our snxt as the
3485		 * seq number of the RST segment.
3486		 */
3487		if (!(flags & TH_ACK)) {
3488			seg_ack = tcp->tcp_snxt;
3489		}
3490		tcp_xmit_ctl("TH_SYN", tcp, seg_ack, seg_seq + 1,
3491		    TH_RST|TH_ACK);
3492		ASSERT(tcp->tcp_state != TCPS_TIME_WAIT);
3493		(void) tcp_clean_death(tcp, ECONNRESET);
3494		return;
3495	}
3496	/*
3497	 * urp could be -1 when the urp field in the packet is 0
3498	 * and TCP_OLD_URP_INTERPRETATION is set. This implies that the urgent
3499	 * byte was at seg_seq - 1, in which case we ignore the urgent flag.
3500	 */
3501	if ((flags & TH_URG) && urp >= 0) {
3502		if (!tcp->tcp_urp_last_valid ||
3503		    SEQ_GT(urp + seg_seq, tcp->tcp_urp_last)) {
3504			/*
3505			 * Non-STREAMS sockets handle the urgent data a litte
3506			 * differently from STREAMS based sockets. There is no
3507			 * need to mark any mblks with the MSG{NOT,}MARKNEXT
3508			 * flags to keep SIOCATMARK happy. Instead a
3509			 * su_signal_oob upcall is made to update the mark.
3510			 * Neither is a T_EXDATA_IND mblk needed to be
3511			 * prepended to the urgent data. The urgent data is
3512			 * delivered using the su_recv upcall, where we set
3513			 * the MSG_OOB flag to indicate that it is urg data.
3514			 *
3515			 * Neither TH_SEND_URP_MARK nor TH_MARKNEXT_NEEDED
3516			 * are used by non-STREAMS sockets.
3517			 */
3518			if (IPCL_IS_NONSTR(connp)) {
3519				if (!TCP_IS_DETACHED(tcp)) {
3520					(*sockupcalls->su_signal_oob)
3521					    (connp->conn_upper_handle, urp);
3522				}
3523			} else {
3524				/*
3525				 * If we haven't generated the signal yet for
3526				 * this urgent pointer value, do it now.  Also,
3527				 * send up a zero-length M_DATA indicating
3528				 * whether or not this is the mark. The latter
3529				 * is not needed when a T_EXDATA_IND is sent up.
3530				 * However, if there are allocation failures
3531				 * this code relies on the sender retransmitting
3532				 * and the socket code for determining the mark
3533				 * should not block waiting for the peer to
3534				 * transmit. Thus, for simplicity we always
3535				 * send up the mark indication.
3536				 */
3537				mp1 = allocb(0, BPRI_MED);
3538				if (mp1 == NULL) {
3539					freemsg(mp);
3540					return;
3541				}
3542				if (!TCP_IS_DETACHED(tcp) &&
3543				    !putnextctl1(connp->conn_rq, M_PCSIG,
3544				    SIGURG)) {
3545					/* Try again on the rexmit. */
3546					freemsg(mp1);
3547					freemsg(mp);
3548					return;
3549				}
3550				/*
3551				 * Mark with NOTMARKNEXT for now.
3552				 * The code below will change this to MARKNEXT
3553				 * if we are at the mark.
3554				 *
3555				 * If there are allocation failures (e.g. in
3556				 * dupmsg below) the next time tcp_input_data
3557				 * sees the urgent segment it will send up the
3558				 * MSGMARKNEXT message.
3559				 */
3560				mp1->b_flag |= MSGNOTMARKNEXT;
3561				freemsg(tcp->tcp_urp_mark_mp);
3562				tcp->tcp_urp_mark_mp = mp1;
3563				flags |= TH_SEND_URP_MARK;
3564#ifdef DEBUG
3565				(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
3566				    "tcp_rput: sent M_PCSIG 2 seq %x urp %x "
3567				    "last %x, %s",
3568				    seg_seq, urp, tcp->tcp_urp_last,
3569				    tcp_display(tcp, NULL, DISP_PORT_ONLY));
3570#endif /* DEBUG */
3571			}
3572			tcp->tcp_urp_last_valid = B_TRUE;
3573			tcp->tcp_urp_last = urp + seg_seq;
3574		} else if (tcp->tcp_urp_mark_mp != NULL) {
3575			/*
3576			 * An allocation failure prevented the previous
3577			 * tcp_input_data from sending up the allocated
3578			 * MSG*MARKNEXT message - send it up this time
3579			 * around.
3580			 */
3581			flags |= TH_SEND_URP_MARK;
3582		}
3583
3584		/*
3585		 * If the urgent byte is in this segment, make sure that it is
3586		 * all by itself.  This makes it much easier to deal with the
3587		 * possibility of an allocation failure on the T_exdata_ind.
3588		 * Note that seg_len is the number of bytes in the segment, and
3589		 * urp is the offset into the segment of the urgent byte.
3590		 * urp < seg_len means that the urgent byte is in this segment.
3591		 */
3592		if (urp < seg_len) {
3593			if (seg_len != 1) {
3594				uint32_t  tmp_rnxt;
3595				/*
3596				 * Break it up and feed it back in.
3597				 * Re-attach the IP header.
3598				 */
3599				mp->b_rptr = iphdr;
3600				if (urp > 0) {
3601					/*
3602					 * There is stuff before the urgent
3603					 * byte.
3604					 */
3605					mp1 = dupmsg(mp);
3606					if (!mp1) {
3607						/*
3608						 * Trim from urgent byte on.
3609						 * The rest will come back.
3610						 */
3611						(void) adjmsg(mp,
3612						    urp - seg_len);
3613						tcp_input_data(connp,
3614						    mp, NULL, ira);
3615						return;
3616					}
3617					(void) adjmsg(mp1, urp - seg_len);
3618					/* Feed this piece back in. */
3619					tmp_rnxt = tcp->tcp_rnxt;
3620					tcp_input_data(connp, mp1, NULL, ira);
3621					/*
3622					 * If the data passed back in was not
3623					 * processed (ie: bad ACK) sending
3624					 * the remainder back in will cause a
3625					 * loop. In this case, drop the
3626					 * packet and let the sender try
3627					 * sending a good packet.
3628					 */
3629					if (tmp_rnxt == tcp->tcp_rnxt) {
3630						freemsg(mp);
3631						return;
3632					}
3633				}
3634				if (urp != seg_len - 1) {
3635					uint32_t  tmp_rnxt;
3636					/*
3637					 * There is stuff after the urgent
3638					 * byte.
3639					 */
3640					mp1 = dupmsg(mp);
3641					if (!mp1) {
3642						/*
3643						 * Trim everything beyond the
3644						 * urgent byte.  The rest will
3645						 * come back.
3646						 */
3647						(void) adjmsg(mp,
3648						    urp + 1 - seg_len);
3649						tcp_input_data(connp,
3650						    mp, NULL, ira);
3651						return;
3652					}
3653					(void) adjmsg(mp1, urp + 1 - seg_len);
3654					tmp_rnxt = tcp->tcp_rnxt;
3655					tcp_input_data(connp, mp1, NULL, ira);
3656					/*
3657					 * If the data passed back in was not
3658					 * processed (ie: bad ACK) sending
3659					 * the remainder back in will cause a
3660					 * loop. In this case, drop the
3661					 * packet and let the sender try
3662					 * sending a good packet.
3663					 */
3664					if (tmp_rnxt == tcp->tcp_rnxt) {
3665						freemsg(mp);
3666						return;
3667					}
3668				}
3669				tcp_input_data(connp, mp, NULL, ira);
3670				return;
3671			}
3672			/*
3673			 * This segment contains only the urgent byte.  We
3674			 * have to allocate the T_exdata_ind, if we can.
3675			 */
3676			if (IPCL_IS_NONSTR(connp)) {
3677				int error;
3678
3679				(*sockupcalls->su_recv)
3680				    (connp->conn_upper_handle, mp, seg_len,
3681				    MSG_OOB, &error, NULL);
3682				/*
3683				 * We should never be in middle of a
3684				 * fallback, the squeue guarantees that.
3685				 */
3686				ASSERT(error != EOPNOTSUPP);
3687				mp = NULL;
3688				goto update_ack;
3689			} else if (!tcp->tcp_urp_mp) {
3690				struct T_exdata_ind *tei;
3691				mp1 = allocb(sizeof (struct T_exdata_ind),
3692				    BPRI_MED);
3693				if (!mp1) {
3694					/*
3695					 * Sigh... It'll be back.
3696					 * Generate any MSG*MARK message now.
3697					 */
3698					freemsg(mp);
3699					seg_len = 0;
3700					if (flags & TH_SEND_URP_MARK) {
3701
3702
3703						ASSERT(tcp->tcp_urp_mark_mp);
3704						tcp->tcp_urp_mark_mp->b_flag &=
3705						    ~MSGNOTMARKNEXT;
3706						tcp->tcp_urp_mark_mp->b_flag |=
3707						    MSGMARKNEXT;
3708					}
3709					goto ack_check;
3710				}
3711				mp1->b_datap->db_type = M_PROTO;
3712				tei = (struct T_exdata_ind *)mp1->b_rptr;
3713				tei->PRIM_type = T_EXDATA_IND;
3714				tei->MORE_flag = 0;
3715				mp1->b_wptr = (uchar_t *)&tei[1];
3716				tcp->tcp_urp_mp = mp1;
3717#ifdef DEBUG
3718				(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
3719				    "tcp_rput: allocated exdata_ind %s",
3720				    tcp_display(tcp, NULL,
3721				    DISP_PORT_ONLY));
3722#endif /* DEBUG */
3723				/*
3724				 * There is no need to send a separate MSG*MARK
3725				 * message since the T_EXDATA_IND will be sent
3726				 * now.
3727				 */
3728				flags &= ~TH_SEND_URP_MARK;
3729				freemsg(tcp->tcp_urp_mark_mp);
3730				tcp->tcp_urp_mark_mp = NULL;
3731			}
3732			/*
3733			 * Now we are all set.  On the next putnext upstream,
3734			 * tcp_urp_mp will be non-NULL and will get prepended
3735			 * to what has to be this piece containing the urgent
3736			 * byte.  If for any reason we abort this segment below,
3737			 * if it comes back, we will have this ready, or it
3738			 * will get blown off in close.
3739			 */
3740		} else if (urp == seg_len) {
3741			/*
3742			 * The urgent byte is the next byte after this sequence
3743			 * number. If this endpoint is non-STREAMS, then there
3744			 * is nothing to do here since the socket has already
3745			 * been notified about the urg pointer by the
3746			 * su_signal_oob call above.
3747			 *
3748			 * In case of STREAMS, some more work might be needed.
3749			 * If there is data it is marked with MSGMARKNEXT and
3750			 * and any tcp_urp_mark_mp is discarded since it is not
3751			 * needed. Otherwise, if the code above just allocated
3752			 * a zero-length tcp_urp_mark_mp message, that message
3753			 * is tagged with MSGMARKNEXT. Sending up these
3754			 * MSGMARKNEXT messages makes SIOCATMARK work correctly
3755			 * even though the T_EXDATA_IND will not be sent up
3756			 * until the urgent byte arrives.
3757			 */
3758			if (!IPCL_IS_NONSTR(tcp->tcp_connp)) {
3759				if (seg_len != 0) {
3760					flags |= TH_MARKNEXT_NEEDED;
3761					freemsg(tcp->tcp_urp_mark_mp);
3762					tcp->tcp_urp_mark_mp = NULL;
3763					flags &= ~TH_SEND_URP_MARK;
3764				} else if (tcp->tcp_urp_mark_mp != NULL) {
3765					flags |= TH_SEND_URP_MARK;
3766					tcp->tcp_urp_mark_mp->b_flag &=
3767					    ~MSGNOTMARKNEXT;
3768					tcp->tcp_urp_mark_mp->b_flag |=
3769					    MSGMARKNEXT;
3770				}
3771			}
3772#ifdef DEBUG
3773			(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
3774			    "tcp_rput: AT MARK, len %d, flags 0x%x, %s",
3775			    seg_len, flags,
3776			    tcp_display(tcp, NULL, DISP_PORT_ONLY));
3777#endif /* DEBUG */
3778		}
3779#ifdef DEBUG
3780		else {
3781			/* Data left until we hit mark */
3782			(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
3783			    "tcp_rput: URP %d bytes left, %s",
3784			    urp - seg_len, tcp_display(tcp, NULL,
3785			    DISP_PORT_ONLY));
3786		}
3787#endif /* DEBUG */
3788	}
3789
3790process_ack:
3791	if (!(flags & TH_ACK)) {
3792		freemsg(mp);
3793		goto xmit_check;
3794	}
3795	}
3796	bytes_acked = (int)(seg_ack - tcp->tcp_suna);
3797
3798	if (bytes_acked > 0)
3799		tcp->tcp_ip_forward_progress = B_TRUE;
3800	if (tcp->tcp_state == TCPS_SYN_RCVD) {
3801		/*
3802		 * tcp_sendmsg() checks tcp_state without entering
3803		 * the squeue so tcp_state should be updated before
3804		 * sending up a connection confirmation or a new
3805		 * connection indication.
3806		 */
3807		tcp->tcp_state = TCPS_ESTABLISHED;
3808
3809		/*
3810		 * We are seeing the final ack in the three way
3811		 * hand shake of a active open'ed connection
3812		 * so we must send up a T_CONN_CON
3813		 */
3814		if (tcp->tcp_active_open) {
3815			if (!tcp_conn_con(tcp, iphdr, mp, NULL, ira)) {
3816				freemsg(mp);
3817				tcp->tcp_state = TCPS_SYN_RCVD;
3818				return;
3819			}
3820			/*
3821			 * Don't fuse the loopback endpoints for
3822			 * simultaneous active opens.
3823			 */
3824			if (tcp->tcp_loopback) {
3825				TCP_STAT(tcps, tcp_fusion_unfusable);
3826				tcp->tcp_unfusable = B_TRUE;
3827			}
3828			/*
3829			 * For simultaneous active open, trace receipt of final
3830			 * ACK as tcp:::connect-established.
3831			 */
3832			DTRACE_TCP5(connect__established, mblk_t *, NULL,
3833			    ip_xmit_attr_t *, connp->conn_ixa, void_ip_t *,
3834			    iphdr, tcp_t *, tcp, tcph_t *, tcpha);
3835		} else if (IPCL_IS_NONSTR(connp)) {
3836			/*
3837			 * 3-way handshake has completed, so notify socket
3838			 * of the new connection.
3839			 *
3840			 * We are here means eager is fine but it can
3841			 * get a TH_RST at any point between now and till
3842			 * accept completes and disappear. We need to
3843			 * ensure that reference to eager is valid after
3844			 * we get out of eager's perimeter. So we do
3845			 * an extra refhold.
3846			 */
3847			CONN_INC_REF(connp);
3848
3849			if (!tcp_newconn_notify(tcp, ira)) {
3850				/*
3851				 * The state-change probe for SYN_RCVD ->
3852				 * ESTABLISHED has not fired yet. We reset
3853				 * the state to SYN_RCVD so that future
3854				 * state-change probes report correct state
3855				 * transistions.
3856				 */
3857				tcp->tcp_state = TCPS_SYN_RCVD;
3858				freemsg(mp);
3859				/* notification did not go up, so drop ref */
3860				CONN_DEC_REF(connp);
3861				/* ... and close the eager */
3862				ASSERT(TCP_IS_DETACHED(tcp));
3863				(void) tcp_close_detached(tcp);
3864				return;
3865			}
3866			/*
3867			 * tcp_newconn_notify() changes conn_upcalls and
3868			 * connp->conn_upper_handle.  Fix things now, in case
3869			 * there's data attached to this ack.
3870			 */
3871			if (connp->conn_upcalls != NULL)
3872				sockupcalls = connp->conn_upcalls;
3873			/*
3874			 * For passive open, trace receipt of final ACK as
3875			 * tcp:::accept-established.
3876			 */
3877			DTRACE_TCP5(accept__established, mlbk_t *, NULL,
3878			    ip_xmit_attr_t *, connp->conn_ixa, void_ip_t *,
3879			    iphdr, tcp_t *, tcp, tcph_t *, tcpha);
3880		} else {
3881			/*
3882			 * 3-way handshake complete - this is a STREAMS based
3883			 * socket, so pass up the T_CONN_IND.
3884			 */
3885			tcp_t	*listener = tcp->tcp_listener;
3886			mblk_t	*mp = tcp->tcp_conn.tcp_eager_conn_ind;
3887
3888			tcp->tcp_tconnind_started = B_TRUE;
3889			tcp->tcp_conn.tcp_eager_conn_ind = NULL;
3890			ASSERT(mp != NULL);
3891			/*
3892			 * We are here means eager is fine but it can
3893			 * get a TH_RST at any point between now and till
3894			 * accept completes and disappear. We need to
3895			 * ensure that reference to eager is valid after
3896			 * we get out of eager's perimeter. So we do
3897			 * an extra refhold.
3898			 */
3899			CONN_INC_REF(connp);
3900
3901			/*
3902			 * The listener also exists because of the refhold
3903			 * done in tcp_input_listener. Its possible that it
3904			 * might have closed. We will check that once we
3905			 * get inside listeners context.
3906			 */
3907			CONN_INC_REF(listener->tcp_connp);
3908			if (listener->tcp_connp->conn_sqp ==
3909			    connp->conn_sqp) {
3910				/*
3911				 * We optimize by not calling an SQUEUE_ENTER
3912				 * on the listener since we know that the
3913				 * listener and eager squeues are the same.
3914				 * We are able to make this check safely only
3915				 * because neither the eager nor the listener
3916				 * can change its squeue. Only an active connect
3917				 * can change its squeue
3918				 */
3919				tcp_send_conn_ind(listener->tcp_connp, mp,
3920				    listener->tcp_connp->conn_sqp);
3921				CONN_DEC_REF(listener->tcp_connp);
3922			} else if (!tcp->tcp_loopback) {
3923				SQUEUE_ENTER_ONE(listener->tcp_connp->conn_sqp,
3924				    mp, tcp_send_conn_ind,
3925				    listener->tcp_connp, NULL, SQ_FILL,
3926				    SQTAG_TCP_CONN_IND);
3927			} else {
3928				SQUEUE_ENTER_ONE(listener->tcp_connp->conn_sqp,
3929				    mp, tcp_send_conn_ind,
3930				    listener->tcp_connp, NULL, SQ_NODRAIN,
3931				    SQTAG_TCP_CONN_IND);
3932			}
3933			/*
3934			 * For passive open, trace receipt of final ACK as
3935			 * tcp:::accept-established.
3936			 */
3937			DTRACE_TCP5(accept__established, mlbk_t *, NULL,
3938			    ip_xmit_attr_t *, connp->conn_ixa, void_ip_t *,
3939			    iphdr, tcp_t *, tcp, tcph_t *, tcpha);
3940		}
3941		TCPS_CONN_INC(tcps);
3942
3943		tcp->tcp_suna = tcp->tcp_iss + 1;	/* One for the SYN */
3944		bytes_acked--;
3945		/* SYN was acked - making progress */
3946		tcp->tcp_ip_forward_progress = B_TRUE;
3947
3948		/*
3949		 * If SYN was retransmitted, need to reset all
3950		 * retransmission info as this segment will be
3951		 * treated as a dup ACK.
3952		 */
3953		if (tcp->tcp_rexmit) {
3954			tcp->tcp_rexmit = B_FALSE;
3955			tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
3956			tcp->tcp_rexmit_max = tcp->tcp_snxt;
3957			tcp->tcp_ms_we_have_waited = 0;
3958			DTRACE_PROBE3(cwnd__retransmitted__syn,
3959			    tcp_t *, tcp, uint32_t, tcp->tcp_cwnd,
3960			    uint32_t, tcp->tcp_mss);
3961			tcp->tcp_cwnd = mss;
3962		}
3963
3964		/*
3965		 * We set the send window to zero here.
3966		 * This is needed if there is data to be
3967		 * processed already on the queue.
3968		 * Later (at swnd_update label), the
3969		 * "new_swnd > tcp_swnd" condition is satisfied
3970		 * the XMIT_NEEDED flag is set in the current
3971		 * (SYN_RCVD) state. This ensures tcp_wput_data() is
3972		 * called if there is already data on queue in
3973		 * this state.
3974		 */
3975		tcp->tcp_swnd = 0;
3976
3977		if (new_swnd > tcp->tcp_max_swnd)
3978			tcp->tcp_max_swnd = new_swnd;
3979		tcp->tcp_swl1 = seg_seq;
3980		tcp->tcp_swl2 = seg_ack;
3981		tcp->tcp_valid_bits &= ~TCP_ISS_VALID;
3982
3983		/* Trace change from SYN_RCVD -> ESTABLISHED here */
3984		DTRACE_TCP6(state__change, void, NULL, ip_xmit_attr_t *,
3985		    connp->conn_ixa, void, NULL, tcp_t *, tcp, void, NULL,
3986		    int32_t, TCPS_SYN_RCVD);
3987
3988		/* Fuse when both sides are in ESTABLISHED state */
3989		if (tcp->tcp_loopback && do_tcp_fusion)
3990			tcp_fuse(tcp, iphdr, tcpha);
3991
3992	}
3993	/* This code follows 4.4BSD-Lite2 mostly. */
3994	if (bytes_acked < 0)
3995		goto est;
3996
3997	/*
3998	 * If TCP is ECN capable and the congestion experience bit is
3999	 * set, reduce tcp_cwnd and tcp_ssthresh.  But this should only be
4000	 * done once per window (or more loosely, per RTT).
4001	 */
4002	if (tcp->tcp_cwr && SEQ_GT(seg_ack, tcp->tcp_cwr_snd_max))
4003		tcp->tcp_cwr = B_FALSE;
4004	if (tcp->tcp_ecn_ok && (flags & TH_ECE) && !tcp->tcp_cwr) {
4005		cc_cong_signal(tcp, seg_ack, CC_ECN);
4006		/*
4007		 * If the cwnd is 0, use the timer to clock out
4008		 * new segments.  This is required by the ECN spec.
4009		 */
4010		if (tcp->tcp_cwnd == 0)
4011			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
4012		tcp->tcp_cwr = B_TRUE;
4013		/*
4014		 * This marks the end of the current window of in
4015		 * flight data.  That is why we don't use
4016		 * tcp_suna + tcp_swnd.  Only data in flight can
4017		 * provide ECN info.
4018		 */
4019		tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
4020	}
4021
4022	mp1 = tcp->tcp_xmit_head;
4023	if (bytes_acked == 0) {
4024		if (!ofo_seg && seg_len == 0 && new_swnd == tcp->tcp_swnd) {
4025			int dupack_cnt;
4026
4027			TCPS_BUMP_MIB(tcps, tcpInDupAck);
4028			/*
4029			 * Fast retransmit.  When we have seen exactly three
4030			 * identical ACKs while we have unacked data
4031			 * outstanding we take it as a hint that our peer
4032			 * dropped something.
4033			 *
4034			 * If TCP is retransmitting, don't do fast retransmit.
4035			 */
4036			if (mp1 && tcp->tcp_suna != tcp->tcp_snxt &&
4037			    ! tcp->tcp_rexmit) {
4038				/* Do Limited Transmit */
4039				if ((dupack_cnt = ++tcp->tcp_dupack_cnt) <
4040				    tcps->tcps_dupack_fast_retransmit) {
4041					cc_ack_received(tcp, seg_ack,
4042					    bytes_acked, CC_DUPACK);
4043					/*
4044					 * RFC 3042
4045					 *
4046					 * What we need to do is temporarily
4047					 * increase tcp_cwnd so that new
4048					 * data can be sent if it is allowed
4049					 * by the receive window (tcp_rwnd).
4050					 * tcp_wput_data() will take care of
4051					 * the rest.
4052					 *
4053					 * If the connection is SACK capable,
4054					 * only do limited xmit when there
4055					 * is SACK info.
4056					 *
4057					 * Note how tcp_cwnd is incremented.
4058					 * The first dup ACK will increase
4059					 * it by 1 MSS.  The second dup ACK
4060					 * will increase it by 2 MSS.  This
4061					 * means that only 1 new segment will
4062					 * be sent for each dup ACK.
4063					 */
4064					if (tcp->tcp_unsent > 0 &&
4065					    (!tcp->tcp_snd_sack_ok ||
4066					    (tcp->tcp_snd_sack_ok &&
4067					    tcp->tcp_notsack_list != NULL))) {
4068						tcp->tcp_cwnd += mss <<
4069						    (tcp->tcp_dupack_cnt - 1);
4070						flags |= TH_LIMIT_XMIT;
4071					}
4072				} else if (dupack_cnt ==
4073				    tcps->tcps_dupack_fast_retransmit) {
4074
4075				/*
4076				 * If we have reduced tcp_ssthresh
4077				 * because of ECN, do not reduce it again
4078				 * unless it is already one window of data
4079				 * away.  After one window of data, tcp_cwr
4080				 * should then be cleared.  Note that
4081				 * for non ECN capable connection, tcp_cwr
4082				 * should always be false.
4083				 *
4084				 * Adjust cwnd since the duplicate
4085				 * ack indicates that a packet was
4086				 * dropped (due to congestion.)
4087				 */
4088				if (!tcp->tcp_cwr) {
4089					cc_cong_signal(tcp, seg_ack,
4090					    CC_NDUPACK);
4091					cc_ack_received(tcp, seg_ack,
4092					    bytes_acked, CC_DUPACK);
4093				}
4094				if (tcp->tcp_ecn_ok) {
4095					tcp->tcp_cwr = B_TRUE;
4096					tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
4097					tcp->tcp_ecn_cwr_sent = B_FALSE;
4098				}
4099
4100				/*
4101				 * We do Hoe's algorithm.  Refer to her
4102				 * paper "Improving the Start-up Behavior
4103				 * of a Congestion Control Scheme for TCP,"
4104				 * appeared in SIGCOMM'96.
4105				 *
4106				 * Save highest seq no we have sent so far.
4107				 * Be careful about the invisible FIN byte.
4108				 */
4109				if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
4110				    (tcp->tcp_unsent == 0)) {
4111					tcp->tcp_rexmit_max = tcp->tcp_fss;
4112				} else {
4113					tcp->tcp_rexmit_max = tcp->tcp_snxt;
4114				}
4115
4116				/*
4117				 * For SACK:
4118				 * Calculate tcp_pipe, which is the
4119				 * estimated number of bytes in
4120				 * network.
4121				 *
4122				 * tcp_fack is the highest sack'ed seq num
4123				 * TCP has received.
4124				 *
4125				 * tcp_pipe is explained in the above quoted
4126				 * Fall and Floyd's paper.  tcp_fack is
4127				 * explained in Mathis and Mahdavi's
4128				 * "Forward Acknowledgment: Refining TCP
4129				 * Congestion Control" in SIGCOMM '96.
4130				 */
4131				if (tcp->tcp_snd_sack_ok) {
4132					if (tcp->tcp_notsack_list != NULL) {
4133						tcp->tcp_pipe = tcp->tcp_snxt -
4134						    tcp->tcp_fack;
4135						tcp->tcp_sack_snxt = seg_ack;
4136						flags |= TH_NEED_SACK_REXMIT;
4137					} else {
4138						/*
4139						 * Always initialize tcp_pipe
4140						 * even though we don't have
4141						 * any SACK info.  If later
4142						 * we get SACK info and
4143						 * tcp_pipe is not initialized,
4144						 * funny things will happen.
4145						 */
4146						tcp->tcp_pipe =
4147						    tcp->tcp_cwnd_ssthresh;
4148					}
4149				} else {
4150					flags |= TH_REXMIT_NEEDED;
4151				} /* tcp_snd_sack_ok */
4152
4153				} else {
4154					cc_ack_received(tcp, seg_ack,
4155					    bytes_acked, CC_DUPACK);
4156					/*
4157					 * Here we perform congestion
4158					 * avoidance, but NOT slow start.
4159					 * This is known as the Fast
4160					 * Recovery Algorithm.
4161					 */
4162					if (tcp->tcp_snd_sack_ok &&
4163					    tcp->tcp_notsack_list != NULL) {
4164						flags |= TH_NEED_SACK_REXMIT;
4165						tcp->tcp_pipe -= mss;
4166						if (tcp->tcp_pipe < 0)
4167							tcp->tcp_pipe = 0;
4168					} else {
4169					/*
4170					 * We know that one more packet has
4171					 * left the pipe thus we can update
4172					 * cwnd.
4173					 */
4174					cwnd = tcp->tcp_cwnd + mss;
4175					if (cwnd > tcp->tcp_cwnd_max)
4176						cwnd = tcp->tcp_cwnd_max;
4177					DTRACE_PROBE3(cwnd__fast__recovery,
4178					    tcp_t *, tcp,
4179					    uint32_t, tcp->tcp_cwnd,
4180					    uint32_t, cwnd);
4181					tcp->tcp_cwnd = cwnd;
4182					if (tcp->tcp_unsent > 0)
4183						flags |= TH_XMIT_NEEDED;
4184					}
4185				}
4186			}
4187		} else if (tcp->tcp_zero_win_probe) {
4188			/*
4189			 * If the window has opened, need to arrange
4190			 * to send additional data.
4191			 */
4192			if (new_swnd != 0) {
4193				/* tcp_suna != tcp_snxt */
4194				/* Packet contains a window update */
4195				TCPS_BUMP_MIB(tcps, tcpInWinUpdate);
4196				tcp->tcp_zero_win_probe = 0;
4197				tcp->tcp_timer_backoff = 0;
4198				tcp->tcp_ms_we_have_waited = 0;
4199
4200				/*
4201				 * Transmit starting with tcp_suna since
4202				 * the one byte probe is not ack'ed.
4203				 * If TCP has sent more than one identical
4204				 * probe, tcp_rexmit will be set.  That means
4205				 * tcp_ss_rexmit() will send out the one
4206				 * byte along with new data.  Otherwise,
4207				 * fake the retransmission.
4208				 */
4209				flags |= TH_XMIT_NEEDED;
4210				if (!tcp->tcp_rexmit) {
4211					tcp->tcp_rexmit = B_TRUE;
4212					tcp->tcp_dupack_cnt = 0;
4213					tcp->tcp_rexmit_nxt = tcp->tcp_suna;
4214					tcp->tcp_rexmit_max = tcp->tcp_suna + 1;
4215				}
4216			}
4217		}
4218		goto swnd_update;
4219	}
4220
4221	/*
4222	 * Check for "acceptability" of ACK value per RFC 793, pages 72 - 73.
4223	 * If the ACK value acks something that we have not yet sent, it might
4224	 * be an old duplicate segment.  Send an ACK to re-synchronize the
4225	 * other side.
4226	 * Note: reset in response to unacceptable ACK in SYN_RECEIVE
4227	 * state is handled above, so we can always just drop the segment and
4228	 * send an ACK here.
4229	 *
4230	 * In the case where the peer shrinks the window, we see the new window
4231	 * update, but all the data sent previously is queued up by the peer.
4232	 * To account for this, in tcp_process_shrunk_swnd(), the sequence
4233	 * number, which was already sent, and within window, is recorded.
4234	 * tcp_snxt is then updated.
4235	 *
4236	 * If the window has previously shrunk, and an ACK for data not yet
4237	 * sent, according to tcp_snxt is recieved, it may still be valid. If
4238	 * the ACK is for data within the window at the time the window was
4239	 * shrunk, then the ACK is acceptable. In this case tcp_snxt is set to
4240	 * the sequence number ACK'ed.
4241	 *
4242	 * If the ACK covers all the data sent at the time the window was
4243	 * shrunk, we can now set tcp_is_wnd_shrnk to B_FALSE.
4244	 *
4245	 * Should we send ACKs in response to ACK only segments?
4246	 */
4247
4248	if (SEQ_GT(seg_ack, tcp->tcp_snxt)) {
4249		if ((tcp->tcp_is_wnd_shrnk) &&
4250		    (SEQ_LEQ(seg_ack, tcp->tcp_snxt_shrunk))) {
4251			uint32_t data_acked_ahead_snxt;
4252
4253			data_acked_ahead_snxt = seg_ack - tcp->tcp_snxt;
4254			tcp_update_xmit_tail(tcp, seg_ack);
4255			tcp->tcp_unsent -= data_acked_ahead_snxt;
4256		} else {
4257			TCPS_BUMP_MIB(tcps, tcpInAckUnsent);
4258			/* drop the received segment */
4259			freemsg(mp);
4260
4261			/*
4262			 * Send back an ACK.  If tcp_drop_ack_unsent_cnt is
4263			 * greater than 0, check if the number of such
4264			 * bogus ACks is greater than that count.  If yes,
4265			 * don't send back any ACK.  This prevents TCP from
4266			 * getting into an ACK storm if somehow an attacker
4267			 * successfully spoofs an acceptable segment to our
4268			 * peer.  If this continues (count > 2 X threshold),
4269			 * we should abort this connection.
4270			 */
4271			if (tcp_drop_ack_unsent_cnt > 0 &&
4272			    ++tcp->tcp_in_ack_unsent >
4273			    tcp_drop_ack_unsent_cnt) {
4274				TCP_STAT(tcps, tcp_in_ack_unsent_drop);
4275				if (tcp->tcp_in_ack_unsent > 2 *
4276				    tcp_drop_ack_unsent_cnt) {
4277					(void) tcp_clean_death(tcp, EPROTO);
4278				}
4279				return;
4280			}
4281			mp = tcp_ack_mp(tcp);
4282			if (mp != NULL) {
4283				TCPS_BUMP_MIB(tcps, tcpHCOutSegs);
4284				TCPS_BUMP_MIB(tcps, tcpOutAck);
4285				tcp_send_data(tcp, mp);
4286			}
4287			return;
4288		}
4289	} else if (tcp->tcp_is_wnd_shrnk && SEQ_GEQ(seg_ack,
4290	    tcp->tcp_snxt_shrunk)) {
4291			tcp->tcp_is_wnd_shrnk = B_FALSE;
4292	}
4293
4294	/*
4295	 * TCP gets a new ACK, update the notsack'ed list to delete those
4296	 * blocks that are covered by this ACK.
4297	 */
4298	if (tcp->tcp_snd_sack_ok && tcp->tcp_notsack_list != NULL) {
4299		tcp_notsack_remove(&(tcp->tcp_notsack_list), seg_ack,
4300		    &(tcp->tcp_num_notsack_blk), &(tcp->tcp_cnt_notsack_list));
4301	}
4302
4303	/*
4304	 * If we got an ACK after fast retransmit, check to see
4305	 * if it is a partial ACK.  If it is not and the congestion
4306	 * window was inflated to account for the other side's
4307	 * cached packets, retract it.  If it is, do Hoe's algorithm.
4308	 */
4309	if (tcp->tcp_dupack_cnt >= tcps->tcps_dupack_fast_retransmit) {
4310		ASSERT(tcp->tcp_rexmit == B_FALSE);
4311		if (SEQ_GEQ(seg_ack, tcp->tcp_rexmit_max)) {
4312			tcp->tcp_dupack_cnt = 0;
4313
4314			cc_post_recovery(tcp, seg_ack);
4315
4316			tcp->tcp_rexmit_max = seg_ack;
4317
4318			/*
4319			 * Remove all notsack info to avoid confusion with
4320			 * the next fast retrasnmit/recovery phase.
4321			 */
4322			if (tcp->tcp_snd_sack_ok) {
4323				TCP_NOTSACK_REMOVE_ALL(tcp->tcp_notsack_list,
4324				    tcp);
4325			}
4326		} else {
4327			if (tcp->tcp_snd_sack_ok &&
4328			    tcp->tcp_notsack_list != NULL) {
4329				flags |= TH_NEED_SACK_REXMIT;
4330				tcp->tcp_pipe -= mss;
4331				if (tcp->tcp_pipe < 0)
4332					tcp->tcp_pipe = 0;
4333			} else {
4334				/*
4335				 * Hoe's algorithm:
4336				 *
4337				 * Retransmit the unack'ed segment and
4338				 * restart fast recovery.  Note that we
4339				 * need to scale back tcp_cwnd to the
4340				 * original value when we started fast
4341				 * recovery.  This is to prevent overly
4342				 * aggressive behaviour in sending new
4343				 * segments.
4344				 */
4345				cwnd = tcp->tcp_cwnd_ssthresh +
4346				    tcps->tcps_dupack_fast_retransmit * mss;
4347				DTRACE_PROBE3(cwnd__fast__retransmit__part__ack,
4348				    tcp_t *, tcp, uint32_t, tcp->tcp_cwnd,
4349				    uint32_t, cwnd);
4350				tcp->tcp_cwnd = cwnd;
4351				tcp->tcp_cwnd_cnt = tcp->tcp_cwnd;
4352				flags |= TH_REXMIT_NEEDED;
4353			}
4354		}
4355	} else {
4356		tcp->tcp_dupack_cnt = 0;
4357		if (tcp->tcp_rexmit) {
4358			/*
4359			 * TCP is retranmitting.  If the ACK ack's all
4360			 * outstanding data, update tcp_rexmit_max and
4361			 * tcp_rexmit_nxt.  Otherwise, update tcp_rexmit_nxt
4362			 * to the correct value.
4363			 *
4364			 * Note that SEQ_LEQ() is used.  This is to avoid
4365			 * unnecessary fast retransmit caused by dup ACKs
4366			 * received when TCP does slow start retransmission
4367			 * after a time out.  During this phase, TCP may
4368			 * send out segments which are already received.
4369			 * This causes dup ACKs to be sent back.
4370			 */
4371			if (SEQ_LEQ(seg_ack, tcp->tcp_rexmit_max)) {
4372				if (SEQ_GT(seg_ack, tcp->tcp_rexmit_nxt)) {
4373					tcp->tcp_rexmit_nxt = seg_ack;
4374				}
4375				if (seg_ack != tcp->tcp_rexmit_max) {
4376					flags |= TH_XMIT_NEEDED;
4377				}
4378			} else {
4379				tcp->tcp_rexmit = B_FALSE;
4380				tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
4381			}
4382			tcp->tcp_ms_we_have_waited = 0;
4383		}
4384	}
4385
4386	TCPS_BUMP_MIB(tcps, tcpInAckSegs);
4387	TCPS_UPDATE_MIB(tcps, tcpInAckBytes, bytes_acked);
4388	tcp->tcp_suna = seg_ack;
4389	if (tcp->tcp_zero_win_probe != 0) {
4390		tcp->tcp_zero_win_probe = 0;
4391		tcp->tcp_timer_backoff = 0;
4392	}
4393
4394	/*
4395	 * If tcp_xmit_head is NULL, then it must be the FIN being ack'ed.
4396	 * Note that it cannot be the SYN being ack'ed.  The code flow
4397	 * will not reach here.
4398	 */
4399	if (mp1 == NULL) {
4400		goto fin_acked;
4401	}
4402
4403	/*
4404	 * Update the congestion window.
4405	 *
4406	 * If TCP is not ECN capable or TCP is ECN capable but the
4407	 * congestion experience bit is not set, increase the tcp_cwnd as
4408	 * usual.
4409	 */
4410	if (!tcp->tcp_ecn_ok || !(flags & TH_ECE)) {
4411		if (IN_RECOVERY(tcp->tcp_ccv.flags)) {
4412			EXIT_RECOVERY(tcp->tcp_ccv.flags);
4413		}
4414		cc_ack_received(tcp, seg_ack, bytes_acked, CC_ACK);
4415	}
4416
4417	/* See if the latest urgent data has been acknowledged */
4418	if ((tcp->tcp_valid_bits & TCP_URG_VALID) &&
4419	    SEQ_GT(seg_ack, tcp->tcp_urg))
4420		tcp->tcp_valid_bits &= ~TCP_URG_VALID;
4421
4422	/*
4423	 * Update the RTT estimates. Note that we don't use the TCP
4424	 * timestamp option to calculate RTT even if one is present. This is
4425	 * because the timestamp option's resolution (CPU tick) is
4426	 * too coarse to measure modern datacenter networks' microsecond
4427	 * latencies. The timestamp field's resolution is limited by its
4428	 * 4-byte width (see RFC1323), and since we always store a
4429	 * high-resolution nanosecond presision timestamp along with the data,
4430	 * there is no point to ever using the timestamp option.
4431	 */
4432	if (SEQ_GT(seg_ack, tcp->tcp_csuna)) {
4433		/*
4434		 * An ACK sequence we haven't seen before, so get the RTT
4435		 * and update the RTO. But first check if the timestamp is
4436		 * valid to use.
4437		 */
4438		if ((mp1->b_next != NULL) &&
4439		    SEQ_GT(seg_ack, (uint32_t)(uintptr_t)(mp1->b_next))) {
4440			tcp_set_rto(tcp, gethrtime() -
4441			    (hrtime_t)(intptr_t)mp1->b_prev);
4442		} else {
4443			TCPS_BUMP_MIB(tcps, tcpRttNoUpdate);
4444		}
4445
4446		/* Remeber the last sequence to be ACKed */
4447		tcp->tcp_csuna = seg_ack;
4448		if (tcp->tcp_set_timer == 1) {
4449			TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
4450			tcp->tcp_set_timer = 0;
4451		}
4452	} else {
4453		TCPS_BUMP_MIB(tcps, tcpRttNoUpdate);
4454	}
4455
4456	/* Eat acknowledged bytes off the xmit queue. */
4457	for (;;) {
4458		mblk_t	*mp2;
4459		uchar_t	*wptr;
4460
4461		wptr = mp1->b_wptr;
4462		ASSERT((uintptr_t)(wptr - mp1->b_rptr) <= (uintptr_t)INT_MAX);
4463		bytes_acked -= (int)(wptr - mp1->b_rptr);
4464		if (bytes_acked < 0) {
4465			mp1->b_rptr = wptr + bytes_acked;
4466			/*
4467			 * Set a new timestamp if all the bytes timed by the
4468			 * old timestamp have been ack'ed.
4469			 */
4470			if (SEQ_GT(seg_ack,
4471			    (uint32_t)(uintptr_t)(mp1->b_next))) {
4472				mp1->b_prev =
4473				    (mblk_t *)(intptr_t)gethrtime();
4474				mp1->b_next = NULL;
4475			}
4476			break;
4477		}
4478		mp1->b_next = NULL;
4479		mp1->b_prev = NULL;
4480		mp2 = mp1;
4481		mp1 = mp1->b_cont;
4482
4483		/*
4484		 * This notification is required for some zero-copy
4485		 * clients to maintain a copy semantic. After the data
4486		 * is ack'ed, client is safe to modify or reuse the buffer.
4487		 */
4488		if (tcp->tcp_snd_zcopy_aware &&
4489		    (mp2->b_datap->db_struioflag & STRUIO_ZCNOTIFY))
4490			tcp_zcopy_notify(tcp);
4491		freeb(mp2);
4492		if (bytes_acked == 0) {
4493			if (mp1 == NULL) {
4494				/* Everything is ack'ed, clear the tail. */
4495				tcp->tcp_xmit_tail = NULL;
4496				/*
4497				 * Cancel the timer unless we are still
4498				 * waiting for an ACK for the FIN packet.
4499				 */
4500				if (tcp->tcp_timer_tid != 0 &&
4501				    tcp->tcp_snxt == tcp->tcp_suna) {
4502					(void) TCP_TIMER_CANCEL(tcp,
4503					    tcp->tcp_timer_tid);
4504					tcp->tcp_timer_tid = 0;
4505				}
4506				goto pre_swnd_update;
4507			}
4508			if (mp2 != tcp->tcp_xmit_tail)
4509				break;
4510			tcp->tcp_xmit_tail = mp1;
4511			ASSERT((uintptr_t)(mp1->b_wptr - mp1->b_rptr) <=
4512			    (uintptr_t)INT_MAX);
4513			tcp->tcp_xmit_tail_unsent = (int)(mp1->b_wptr -
4514			    mp1->b_rptr);
4515			break;
4516		}
4517		if (mp1 == NULL) {
4518			/*
4519			 * More was acked but there is nothing more
4520			 * outstanding.  This means that the FIN was
4521			 * just acked or that we're talking to a clown.
4522			 */
4523fin_acked:
4524			ASSERT(tcp->tcp_fin_sent);
4525			tcp->tcp_xmit_tail = NULL;
4526			if (tcp->tcp_fin_sent) {
4527				/* FIN was acked - making progress */
4528				if (!tcp->tcp_fin_acked)
4529					tcp->tcp_ip_forward_progress = B_TRUE;
4530				tcp->tcp_fin_acked = B_TRUE;
4531				if (tcp->tcp_linger_tid != 0 &&
4532				    TCP_TIMER_CANCEL(tcp,
4533				    tcp->tcp_linger_tid) >= 0) {
4534					tcp_stop_lingering(tcp);
4535					freemsg(mp);
4536					mp = NULL;
4537				}
4538			} else {
4539				/*
4540				 * We should never get here because
4541				 * we have already checked that the
4542				 * number of bytes ack'ed should be
4543				 * smaller than or equal to what we
4544				 * have sent so far (it is the
4545				 * acceptability check of the ACK).
4546				 * We can only get here if the send
4547				 * queue is corrupted.
4548				 *
4549				 * Terminate the connection and
4550				 * panic the system.  It is better
4551				 * for us to panic instead of
4552				 * continuing to avoid other disaster.
4553				 */
4554				tcp_xmit_ctl(NULL, tcp, tcp->tcp_snxt,
4555				    tcp->tcp_rnxt, TH_RST|TH_ACK);
4556				panic("Memory corruption "
4557				    "detected for connection %s.",
4558				    tcp_display(tcp, NULL,
4559				    DISP_ADDR_AND_PORT));
4560				/*NOTREACHED*/
4561			}
4562			goto pre_swnd_update;
4563		}
4564		ASSERT(mp2 != tcp->tcp_xmit_tail);
4565	}
4566	if (tcp->tcp_unsent) {
4567		flags |= TH_XMIT_NEEDED;
4568	}
4569pre_swnd_update:
4570	tcp->tcp_xmit_head = mp1;
4571swnd_update:
4572	/*
4573	 * The following check is different from most other implementations.
4574	 * For bi-directional transfer, when segments are dropped, the
4575	 * "normal" check will not accept a window update in those
4576	 * retransmitted segemnts.  Failing to do that, TCP may send out
4577	 * segments which are outside receiver's window.  As TCP accepts
4578	 * the ack in those retransmitted segments, if the window update in
4579	 * the same segment is not accepted, TCP will incorrectly calculates
4580	 * that it can send more segments.  This can create a deadlock
4581	 * with the receiver if its window becomes zero.
4582	 */
4583	if (SEQ_LT(tcp->tcp_swl2, seg_ack) ||
4584	    SEQ_LT(tcp->tcp_swl1, seg_seq) ||
4585	    (tcp->tcp_swl1 == seg_seq && new_swnd > tcp->tcp_swnd)) {
4586		/*
4587		 * The criteria for update is:
4588		 *
4589		 * 1. the segment acknowledges some data.  Or
4590		 * 2. the segment is new, i.e. it has a higher seq num. Or
4591		 * 3. the segment is not old and the advertised window is
4592		 * larger than the previous advertised window.
4593		 */
4594		if (tcp->tcp_unsent && new_swnd > tcp->tcp_swnd)
4595			flags |= TH_XMIT_NEEDED;
4596		tcp->tcp_swnd = new_swnd;
4597		if (new_swnd > tcp->tcp_max_swnd)
4598			tcp->tcp_max_swnd = new_swnd;
4599		tcp->tcp_swl1 = seg_seq;
4600		tcp->tcp_swl2 = seg_ack;
4601	}
4602est:
4603	if (tcp->tcp_state > TCPS_ESTABLISHED) {
4604
4605		switch (tcp->tcp_state) {
4606		case TCPS_FIN_WAIT_1:
4607			if (tcp->tcp_fin_acked) {
4608				tcp->tcp_state = TCPS_FIN_WAIT_2;
4609				DTRACE_TCP6(state__change, void, NULL,
4610				    ip_xmit_attr_t *, connp->conn_ixa,
4611				    void, NULL, tcp_t *, tcp, void, NULL,
4612				    int32_t, TCPS_FIN_WAIT_1);
4613				/*
4614				 * We implement the non-standard BSD/SunOS
4615				 * FIN_WAIT_2 flushing algorithm.
4616				 * If there is no user attached to this
4617				 * TCP endpoint, then this TCP struct
4618				 * could hang around forever in FIN_WAIT_2
4619				 * state if the peer forgets to send us
4620				 * a FIN.  To prevent this, we wait only
4621				 * 2*MSL (a convenient time value) for
4622				 * the FIN to arrive.  If it doesn't show up,
4623				 * we flush the TCP endpoint.  This algorithm,
4624				 * though a violation of RFC-793, has worked
4625				 * for over 10 years in BSD systems.
4626				 * Note: SunOS 4.x waits 675 seconds before
4627				 * flushing the FIN_WAIT_2 connection.
4628				 */
4629				TCP_TIMER_RESTART(tcp,
4630				    tcp->tcp_fin_wait_2_flush_interval);
4631			}
4632			break;
4633		case TCPS_FIN_WAIT_2:
4634			break;	/* Shutdown hook? */
4635		case TCPS_LAST_ACK:
4636			freemsg(mp);
4637			if (tcp->tcp_fin_acked) {
4638				(void) tcp_clean_death(tcp, 0);
4639				return;
4640			}
4641			goto xmit_check;
4642		case TCPS_CLOSING:
4643			if (tcp->tcp_fin_acked) {
4644				SET_TIME_WAIT(tcps, tcp, connp);
4645				DTRACE_TCP6(state__change, void, NULL,
4646				    ip_xmit_attr_t *, connp->conn_ixa, void,
4647				    NULL, tcp_t *, tcp, void, NULL, int32_t,
4648				    TCPS_CLOSING);
4649			}
4650			/*FALLTHRU*/
4651		case TCPS_CLOSE_WAIT:
4652			freemsg(mp);
4653			goto xmit_check;
4654		default:
4655			ASSERT(tcp->tcp_state != TCPS_TIME_WAIT);
4656			break;
4657		}
4658	}
4659	if (flags & TH_FIN) {
4660		/* Make sure we ack the fin */
4661		flags |= TH_ACK_NEEDED;
4662		if (!tcp->tcp_fin_rcvd) {
4663			tcp->tcp_fin_rcvd = B_TRUE;
4664			tcp->tcp_rnxt++;
4665			tcpha = tcp->tcp_tcpha;
4666			tcpha->tha_ack = htonl(tcp->tcp_rnxt);
4667
4668			/*
4669			 * Generate the ordrel_ind at the end unless the
4670			 * conn is detached or it is a STREAMS based eager.
4671			 * In the eager case we defer the notification until
4672			 * tcp_accept_finish has run.
4673			 */
4674			if (!TCP_IS_DETACHED(tcp) && (IPCL_IS_NONSTR(connp) ||
4675			    (tcp->tcp_listener == NULL &&
4676			    !tcp->tcp_hard_binding)))
4677				flags |= TH_ORDREL_NEEDED;
4678			switch (tcp->tcp_state) {
4679			case TCPS_SYN_RCVD:
4680				tcp->tcp_state = TCPS_CLOSE_WAIT;
4681				DTRACE_TCP6(state__change, void, NULL,
4682				    ip_xmit_attr_t *, connp->conn_ixa,
4683				    void, NULL, tcp_t *, tcp, void, NULL,
4684				    int32_t, TCPS_SYN_RCVD);
4685				/* Keepalive? */
4686				break;
4687			case TCPS_ESTABLISHED:
4688				tcp->tcp_state = TCPS_CLOSE_WAIT;
4689				DTRACE_TCP6(state__change, void, NULL,
4690				    ip_xmit_attr_t *, connp->conn_ixa,
4691				    void, NULL, tcp_t *, tcp, void, NULL,
4692				    int32_t, TCPS_ESTABLISHED);
4693				/* Keepalive? */
4694				break;
4695			case TCPS_FIN_WAIT_1:
4696				if (!tcp->tcp_fin_acked) {
4697					tcp->tcp_state = TCPS_CLOSING;
4698					DTRACE_TCP6(state__change, void, NULL,
4699					    ip_xmit_attr_t *, connp->conn_ixa,
4700					    void, NULL, tcp_t *, tcp, void,
4701					    NULL, int32_t, TCPS_FIN_WAIT_1);
4702					break;
4703				}
4704				/* FALLTHRU */
4705			case TCPS_FIN_WAIT_2:
4706				SET_TIME_WAIT(tcps, tcp, connp);
4707				DTRACE_TCP6(state__change, void, NULL,
4708				    ip_xmit_attr_t *, connp->conn_ixa, void,
4709				    NULL, tcp_t *, tcp, void, NULL, int32_t,
4710				    TCPS_FIN_WAIT_2);
4711				if (seg_len) {
4712					/*
4713					 * implies data piggybacked on FIN.
4714					 * break to handle data.
4715					 */
4716					break;
4717				}
4718				freemsg(mp);
4719				goto ack_check;
4720			}
4721		}
4722	}
4723	if (mp == NULL)
4724		goto xmit_check;
4725	if (seg_len == 0) {
4726		freemsg(mp);
4727		goto xmit_check;
4728	}
4729	if (mp->b_rptr == mp->b_wptr) {
4730		/*
4731		 * The header has been consumed, so we remove the
4732		 * zero-length mblk here.
4733		 */
4734		mp1 = mp;
4735		mp = mp->b_cont;
4736		freeb(mp1);
4737	}
4738update_ack:
4739	tcpha = tcp->tcp_tcpha;
4740	tcp->tcp_rack_cnt++;
4741	{
4742		uint32_t cur_max;
4743
4744		cur_max = tcp->tcp_rack_cur_max;
4745		if (tcp->tcp_rack_cnt >= cur_max) {
4746			/*
4747			 * We have more unacked data than we should - send
4748			 * an ACK now.
4749			 */
4750			flags |= TH_ACK_NEEDED;
4751			cur_max++;
4752			if (cur_max > tcp->tcp_rack_abs_max)
4753				tcp->tcp_rack_cur_max = tcp->tcp_rack_abs_max;
4754			else
4755				tcp->tcp_rack_cur_max = cur_max;
4756		} else if (TCP_IS_DETACHED(tcp)) {
4757			/* We don't have an ACK timer for detached TCP. */
4758			flags |= TH_ACK_NEEDED;
4759		} else if (seg_len < mss) {
4760			/*
4761			 * If we get a segment that is less than an mss, and we
4762			 * already have unacknowledged data, and the amount
4763			 * unacknowledged is not a multiple of mss, then we
4764			 * better generate an ACK now.  Otherwise, this may be
4765			 * the tail piece of a transaction, and we would rather
4766			 * wait for the response.
4767			 */
4768			uint32_t udif;
4769			ASSERT((uintptr_t)(tcp->tcp_rnxt - tcp->tcp_rack) <=
4770			    (uintptr_t)INT_MAX);
4771			udif = (int)(tcp->tcp_rnxt - tcp->tcp_rack);
4772			if (udif && (udif % mss))
4773				flags |= TH_ACK_NEEDED;
4774			else
4775				flags |= TH_ACK_TIMER_NEEDED;
4776		} else {
4777			/* Start delayed ack timer */
4778			flags |= TH_ACK_TIMER_NEEDED;
4779		}
4780	}
4781	tcp->tcp_rnxt += seg_len;
4782	tcpha->tha_ack = htonl(tcp->tcp_rnxt);
4783
4784	if (mp == NULL)
4785		goto xmit_check;
4786
4787	/* Update SACK list */
4788	if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
4789		tcp_sack_remove(tcp->tcp_sack_list, tcp->tcp_rnxt,
4790		    &(tcp->tcp_num_sack_blk));
4791	}
4792
4793	if (tcp->tcp_urp_mp) {
4794		tcp->tcp_urp_mp->b_cont = mp;
4795		mp = tcp->tcp_urp_mp;
4796		tcp->tcp_urp_mp = NULL;
4797		/* Ready for a new signal. */
4798		tcp->tcp_urp_last_valid = B_FALSE;
4799#ifdef DEBUG
4800		(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
4801		    "tcp_rput: sending exdata_ind %s",
4802		    tcp_display(tcp, NULL, DISP_PORT_ONLY));
4803#endif /* DEBUG */
4804	}
4805
4806	/*
4807	 * Check for ancillary data changes compared to last segment.
4808	 */
4809	if (connp->conn_recv_ancillary.crb_all != 0) {
4810		mp = tcp_input_add_ancillary(tcp, mp, &ipp, ira);
4811		if (mp == NULL)
4812			return;
4813	}
4814
4815	if (IPCL_IS_NONSTR(connp)) {
4816		/*
4817		 * Non-STREAMS socket
4818		 */
4819		boolean_t push = flags & (TH_PUSH|TH_FIN);
4820		int error;
4821
4822		if ((*sockupcalls->su_recv)(connp->conn_upper_handle,
4823		    mp, seg_len, 0, &error, &push) <= 0) {
4824			/*
4825			 * We should never be in middle of a
4826			 * fallback, the squeue guarantees that.
4827			 */
4828			ASSERT(error != EOPNOTSUPP);
4829			if (error == ENOSPC)
4830				tcp->tcp_rwnd -= seg_len;
4831		} else if (push) {
4832			/* PUSH bit set and sockfs is not flow controlled */
4833			flags |= tcp_rwnd_reopen(tcp);
4834		}
4835	} else if (tcp->tcp_listener != NULL || tcp->tcp_hard_binding) {
4836		/*
4837		 * Side queue inbound data until the accept happens.
4838		 * tcp_accept/tcp_rput drains this when the accept happens.
4839		 * M_DATA is queued on b_cont. Otherwise (T_OPTDATA_IND or
4840		 * T_EXDATA_IND) it is queued on b_next.
4841		 * XXX Make urgent data use this. Requires:
4842		 *	Removing tcp_listener check for TH_URG
4843		 *	Making M_PCPROTO and MARK messages skip the eager case
4844		 */
4845
4846		tcp_rcv_enqueue(tcp, mp, seg_len, ira->ira_cred);
4847	} else {
4848		/* Active STREAMS socket */
4849		if (mp->b_datap->db_type != M_DATA ||
4850		    (flags & TH_MARKNEXT_NEEDED)) {
4851			if (tcp->tcp_rcv_list != NULL) {
4852				flags |= tcp_rcv_drain(tcp);
4853			}
4854			ASSERT(tcp->tcp_rcv_list == NULL ||
4855			    tcp->tcp_fused_sigurg);
4856
4857			if (flags & TH_MARKNEXT_NEEDED) {
4858#ifdef DEBUG
4859				(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
4860				    "tcp_rput: sending MSGMARKNEXT %s",
4861				    tcp_display(tcp, NULL,
4862				    DISP_PORT_ONLY));
4863#endif /* DEBUG */
4864				mp->b_flag |= MSGMARKNEXT;
4865				flags &= ~TH_MARKNEXT_NEEDED;
4866			}
4867
4868			if (is_system_labeled())
4869				tcp_setcred_data(mp, ira);
4870
4871			putnext(connp->conn_rq, mp);
4872			if (!canputnext(connp->conn_rq))
4873				tcp->tcp_rwnd -= seg_len;
4874		} else if ((flags & (TH_PUSH|TH_FIN)) ||
4875		    tcp->tcp_rcv_cnt + seg_len >= connp->conn_rcvbuf >> 3) {
4876			if (tcp->tcp_rcv_list != NULL) {
4877				/*
4878				 * Enqueue the new segment first and then
4879				 * call tcp_rcv_drain() to send all data
4880				 * up.  The other way to do this is to
4881				 * send all queued data up and then call
4882				 * putnext() to send the new segment up.
4883				 * This way can remove the else part later
4884				 * on.
4885				 *
4886				 * We don't do this to avoid one more call to
4887				 * canputnext() as tcp_rcv_drain() needs to
4888				 * call canputnext().
4889				 */
4890				tcp_rcv_enqueue(tcp, mp, seg_len,
4891				    ira->ira_cred);
4892				flags |= tcp_rcv_drain(tcp);
4893			} else {
4894				if (is_system_labeled())
4895					tcp_setcred_data(mp, ira);
4896
4897				putnext(connp->conn_rq, mp);
4898				if (!canputnext(connp->conn_rq))
4899					tcp->tcp_rwnd -= seg_len;
4900			}
4901		} else {
4902			/*
4903			 * Enqueue all packets when processing an mblk
4904			 * from the co queue and also enqueue normal packets.
4905			 */
4906			tcp_rcv_enqueue(tcp, mp, seg_len, ira->ira_cred);
4907		}
4908		/*
4909		 * Make sure the timer is running if we have data waiting
4910		 * for a push bit. This provides resiliency against
4911		 * implementations that do not correctly generate push bits.
4912		 */
4913		if (tcp->tcp_rcv_list != NULL && tcp->tcp_push_tid == 0) {
4914			/*
4915			 * The connection may be closed at this point, so don't
4916			 * do anything for a detached tcp.
4917			 */
4918			if (!TCP_IS_DETACHED(tcp))
4919				tcp->tcp_push_tid = TCP_TIMER(tcp,
4920				    tcp_push_timer,
4921				    tcps->tcps_push_timer_interval);
4922		}
4923	}
4924
4925xmit_check:
4926	/* Is there anything left to do? */
4927	ASSERT(!(flags & TH_MARKNEXT_NEEDED));
4928	if ((flags & (TH_REXMIT_NEEDED|TH_XMIT_NEEDED|TH_ACK_NEEDED|
4929	    TH_NEED_SACK_REXMIT|TH_LIMIT_XMIT|TH_ACK_TIMER_NEEDED|
4930	    TH_ORDREL_NEEDED|TH_SEND_URP_MARK)) == 0)
4931		goto done;
4932
4933	/* Any transmit work to do and a non-zero window? */
4934	if ((flags & (TH_REXMIT_NEEDED|TH_XMIT_NEEDED|TH_NEED_SACK_REXMIT|
4935	    TH_LIMIT_XMIT)) && tcp->tcp_swnd != 0) {
4936		if (flags & TH_REXMIT_NEEDED) {
4937			uint32_t snd_size = tcp->tcp_snxt - tcp->tcp_suna;
4938
4939			TCPS_BUMP_MIB(tcps, tcpOutFastRetrans);
4940			if (snd_size > mss)
4941				snd_size = mss;
4942			if (snd_size > tcp->tcp_swnd)
4943				snd_size = tcp->tcp_swnd;
4944			mp1 = tcp_xmit_mp(tcp, tcp->tcp_xmit_head, snd_size,
4945			    NULL, NULL, tcp->tcp_suna, B_TRUE, &snd_size,
4946			    B_TRUE);
4947
4948			if (mp1 != NULL) {
4949				tcp->tcp_xmit_head->b_prev =
4950				    (mblk_t *)(intptr_t)gethrtime();
4951				tcp->tcp_csuna = tcp->tcp_snxt;
4952				TCPS_BUMP_MIB(tcps, tcpRetransSegs);
4953				TCPS_UPDATE_MIB(tcps, tcpRetransBytes,
4954				    snd_size);
4955				tcp->tcp_cs.tcp_out_retrans_segs++;
4956				tcp->tcp_cs.tcp_out_retrans_bytes += snd_size;
4957				tcp_send_data(tcp, mp1);
4958			}
4959		}
4960		if (flags & TH_NEED_SACK_REXMIT) {
4961			tcp_sack_rexmit(tcp, &flags);
4962		}
4963		/*
4964		 * For TH_LIMIT_XMIT, tcp_wput_data() is called to send
4965		 * out new segment.  Note that tcp_rexmit should not be
4966		 * set, otherwise TH_LIMIT_XMIT should not be set.
4967		 */
4968		if (flags & (TH_XMIT_NEEDED|TH_LIMIT_XMIT)) {
4969			if (!tcp->tcp_rexmit) {
4970				tcp_wput_data(tcp, NULL, B_FALSE);
4971			} else {
4972				tcp_ss_rexmit(tcp);
4973			}
4974		}
4975		/*
4976		 * Adjust tcp_cwnd back to normal value after sending
4977		 * new data segments.
4978		 */
4979		if (flags & TH_LIMIT_XMIT) {
4980			tcp->tcp_cwnd -= mss << (tcp->tcp_dupack_cnt - 1);
4981			/*
4982			 * This will restart the timer.  Restarting the
4983			 * timer is used to avoid a timeout before the
4984			 * limited transmitted segment's ACK gets back.
4985			 */
4986			if (tcp->tcp_xmit_head != NULL) {
4987				tcp->tcp_xmit_head->b_prev =
4988				    (mblk_t *)(intptr_t)gethrtime();
4989			}
4990		}
4991
4992		/* Anything more to do? */
4993		if ((flags & (TH_ACK_NEEDED|TH_ACK_TIMER_NEEDED|
4994		    TH_ORDREL_NEEDED|TH_SEND_URP_MARK)) == 0)
4995			goto done;
4996	}
4997ack_check:
4998	if (flags & TH_SEND_URP_MARK) {
4999		ASSERT(tcp->tcp_urp_mark_mp);
5000		ASSERT(!IPCL_IS_NONSTR(connp));
5001		/*
5002		 * Send up any queued data and then send the mark message
5003		 */
5004		if (tcp->tcp_rcv_list != NULL) {
5005			flags |= tcp_rcv_drain(tcp);
5006
5007		}
5008		ASSERT(tcp->tcp_rcv_list == NULL || tcp->tcp_fused_sigurg);
5009		mp1 = tcp->tcp_urp_mark_mp;
5010		tcp->tcp_urp_mark_mp = NULL;
5011		if (is_system_labeled())
5012			tcp_setcred_data(mp1, ira);
5013
5014		putnext(connp->conn_rq, mp1);
5015#ifdef DEBUG
5016		(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
5017		    "tcp_rput: sending zero-length %s %s",
5018		    ((mp1->b_flag & MSGMARKNEXT) ? "MSGMARKNEXT" :
5019		    "MSGNOTMARKNEXT"),
5020		    tcp_display(tcp, NULL, DISP_PORT_ONLY));
5021#endif /* DEBUG */
5022		flags &= ~TH_SEND_URP_MARK;
5023	}
5024	if (flags & TH_ACK_NEEDED) {
5025		/*
5026		 * Time to send an ack for some reason.
5027		 */
5028		mp1 = tcp_ack_mp(tcp);
5029
5030		if (mp1 != NULL) {
5031			tcp_send_data(tcp, mp1);
5032			TCPS_BUMP_MIB(tcps, tcpHCOutSegs);
5033			TCPS_BUMP_MIB(tcps, tcpOutAck);
5034		}
5035		if (tcp->tcp_ack_tid != 0) {
5036			(void) TCP_TIMER_CANCEL(tcp, tcp->tcp_ack_tid);
5037			tcp->tcp_ack_tid = 0;
5038		}
5039	}
5040	if (flags & TH_ACK_TIMER_NEEDED) {
5041		/*
5042		 * Arrange for deferred ACK or push wait timeout.
5043		 * Start timer if it is not already running.
5044		 */
5045		if (tcp->tcp_ack_tid == 0) {
5046			tcp->tcp_ack_tid = TCP_TIMER(tcp, tcp_ack_timer,
5047			    tcp->tcp_localnet ?
5048			    tcps->tcps_local_dack_interval :
5049			    tcps->tcps_deferred_ack_interval);
5050		}
5051	}
5052	if (flags & TH_ORDREL_NEEDED) {
5053		/*
5054		 * Notify upper layer about an orderly release. If this is
5055		 * a non-STREAMS socket, then just make an upcall. For STREAMS
5056		 * we send up an ordrel_ind, unless this is an eager, in which
5057		 * case the ordrel will be sent when tcp_accept_finish runs.
5058		 * Note that for non-STREAMS we make an upcall even if it is an
5059		 * eager, because we have an upper handle to send it to.
5060		 */
5061		ASSERT(IPCL_IS_NONSTR(connp) || tcp->tcp_listener == NULL);
5062		ASSERT(!tcp->tcp_detached);
5063
5064		if (IPCL_IS_NONSTR(connp)) {
5065			ASSERT(tcp->tcp_ordrel_mp == NULL);
5066			tcp->tcp_ordrel_done = B_TRUE;
5067			(*sockupcalls->su_opctl)(connp->conn_upper_handle,
5068			    SOCK_OPCTL_SHUT_RECV, 0);
5069			goto done;
5070		}
5071
5072		if (tcp->tcp_rcv_list != NULL) {
5073			/*
5074			 * Push any mblk(s) enqueued from co processing.
5075			 */
5076			flags |= tcp_rcv_drain(tcp);
5077		}
5078		ASSERT(tcp->tcp_rcv_list == NULL || tcp->tcp_fused_sigurg);
5079
5080		mp1 = tcp->tcp_ordrel_mp;
5081		tcp->tcp_ordrel_mp = NULL;
5082		tcp->tcp_ordrel_done = B_TRUE;
5083		putnext(connp->conn_rq, mp1);
5084	}
5085done:
5086	ASSERT(!(flags & TH_MARKNEXT_NEEDED));
5087}
5088
5089/*
5090 * Attach ancillary data to a received TCP segments for the
5091 * ancillary pieces requested by the application that are
5092 * different than they were in the previous data segment.
5093 *
5094 * Save the "current" values once memory allocation is ok so that
5095 * when memory allocation fails we can just wait for the next data segment.
5096 */
5097static mblk_t *
5098tcp_input_add_ancillary(tcp_t *tcp, mblk_t *mp, ip_pkt_t *ipp,
5099    ip_recv_attr_t *ira)
5100{
5101	struct T_optdata_ind *todi;
5102	int optlen;
5103	uchar_t *optptr;
5104	struct T_opthdr *toh;
5105	crb_t addflag;	/* Which pieces to add */
5106	mblk_t *mp1;
5107	conn_t	*connp = tcp->tcp_connp;
5108
5109	optlen = 0;
5110	addflag.crb_all = 0;
5111	/* If app asked for pktinfo and the index has changed ... */
5112	if (connp->conn_recv_ancillary.crb_ip_recvpktinfo &&
5113	    ira->ira_ruifindex != tcp->tcp_recvifindex) {
5114		optlen += sizeof (struct T_opthdr) +
5115		    sizeof (struct in6_pktinfo);
5116		addflag.crb_ip_recvpktinfo = 1;
5117	}
5118	/* If app asked for hoplimit and it has changed ... */
5119	if (connp->conn_recv_ancillary.crb_ipv6_recvhoplimit &&
5120	    ipp->ipp_hoplimit != tcp->tcp_recvhops) {
5121		optlen += sizeof (struct T_opthdr) + sizeof (uint_t);
5122		addflag.crb_ipv6_recvhoplimit = 1;
5123	}
5124	/* If app asked for tclass and it has changed ... */
5125	if (connp->conn_recv_ancillary.crb_ipv6_recvtclass &&
5126	    ipp->ipp_tclass != tcp->tcp_recvtclass) {
5127		optlen += sizeof (struct T_opthdr) + sizeof (uint_t);
5128		addflag.crb_ipv6_recvtclass = 1;
5129	}
5130	/*
5131	 * If app asked for hopbyhop headers and it has changed ...
5132	 * For security labels, note that (1) security labels can't change on
5133	 * a connected socket at all, (2) we're connected to at most one peer,
5134	 * (3) if anything changes, then it must be some other extra option.
5135	 */
5136	if (connp->conn_recv_ancillary.crb_ipv6_recvhopopts &&
5137	    ip_cmpbuf(tcp->tcp_hopopts, tcp->tcp_hopoptslen,
5138	    (ipp->ipp_fields & IPPF_HOPOPTS),
5139	    ipp->ipp_hopopts, ipp->ipp_hopoptslen)) {
5140		optlen += sizeof (struct T_opthdr) + ipp->ipp_hopoptslen;
5141		addflag.crb_ipv6_recvhopopts = 1;
5142		if (!ip_allocbuf((void **)&tcp->tcp_hopopts,
5143		    &tcp->tcp_hopoptslen, (ipp->ipp_fields & IPPF_HOPOPTS),
5144		    ipp->ipp_hopopts, ipp->ipp_hopoptslen))
5145			return (mp);
5146	}
5147	/* If app asked for dst headers before routing headers ... */
5148	if (connp->conn_recv_ancillary.crb_ipv6_recvrthdrdstopts &&
5149	    ip_cmpbuf(tcp->tcp_rthdrdstopts, tcp->tcp_rthdrdstoptslen,
5150	    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
5151	    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen)) {
5152		optlen += sizeof (struct T_opthdr) +
5153		    ipp->ipp_rthdrdstoptslen;
5154		addflag.crb_ipv6_recvrthdrdstopts = 1;
5155		if (!ip_allocbuf((void **)&tcp->tcp_rthdrdstopts,
5156		    &tcp->tcp_rthdrdstoptslen,
5157		    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
5158		    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen))
5159			return (mp);
5160	}
5161	/* If app asked for routing headers and it has changed ... */
5162	if (connp->conn_recv_ancillary.crb_ipv6_recvrthdr &&
5163	    ip_cmpbuf(tcp->tcp_rthdr, tcp->tcp_rthdrlen,
5164	    (ipp->ipp_fields & IPPF_RTHDR),
5165	    ipp->ipp_rthdr, ipp->ipp_rthdrlen)) {
5166		optlen += sizeof (struct T_opthdr) + ipp->ipp_rthdrlen;
5167		addflag.crb_ipv6_recvrthdr = 1;
5168		if (!ip_allocbuf((void **)&tcp->tcp_rthdr,
5169		    &tcp->tcp_rthdrlen, (ipp->ipp_fields & IPPF_RTHDR),
5170		    ipp->ipp_rthdr, ipp->ipp_rthdrlen))
5171			return (mp);
5172	}
5173	/* If app asked for dest headers and it has changed ... */
5174	if ((connp->conn_recv_ancillary.crb_ipv6_recvdstopts ||
5175	    connp->conn_recv_ancillary.crb_old_ipv6_recvdstopts) &&
5176	    ip_cmpbuf(tcp->tcp_dstopts, tcp->tcp_dstoptslen,
5177	    (ipp->ipp_fields & IPPF_DSTOPTS),
5178	    ipp->ipp_dstopts, ipp->ipp_dstoptslen)) {
5179		optlen += sizeof (struct T_opthdr) + ipp->ipp_dstoptslen;
5180		addflag.crb_ipv6_recvdstopts = 1;
5181		if (!ip_allocbuf((void **)&tcp->tcp_dstopts,
5182		    &tcp->tcp_dstoptslen, (ipp->ipp_fields & IPPF_DSTOPTS),
5183		    ipp->ipp_dstopts, ipp->ipp_dstoptslen))
5184			return (mp);
5185	}
5186
5187	if (optlen == 0) {
5188		/* Nothing to add */
5189		return (mp);
5190	}
5191	mp1 = allocb(sizeof (struct T_optdata_ind) + optlen, BPRI_MED);
5192	if (mp1 == NULL) {
5193		/*
5194		 * Defer sending ancillary data until the next TCP segment
5195		 * arrives.
5196		 */
5197		return (mp);
5198	}
5199	mp1->b_cont = mp;
5200	mp = mp1;
5201	mp->b_wptr += sizeof (*todi) + optlen;
5202	mp->b_datap->db_type = M_PROTO;
5203	todi = (struct T_optdata_ind *)mp->b_rptr;
5204	todi->PRIM_type = T_OPTDATA_IND;
5205	todi->DATA_flag = 1;	/* MORE data */
5206	todi->OPT_length = optlen;
5207	todi->OPT_offset = sizeof (*todi);
5208	optptr = (uchar_t *)&todi[1];
5209	/*
5210	 * If app asked for pktinfo and the index has changed ...
5211	 * Note that the local address never changes for the connection.
5212	 */
5213	if (addflag.crb_ip_recvpktinfo) {
5214		struct in6_pktinfo *pkti;
5215		uint_t ifindex;
5216
5217		ifindex = ira->ira_ruifindex;
5218		toh = (struct T_opthdr *)optptr;
5219		toh->level = IPPROTO_IPV6;
5220		toh->name = IPV6_PKTINFO;
5221		toh->len = sizeof (*toh) + sizeof (*pkti);
5222		toh->status = 0;
5223		optptr += sizeof (*toh);
5224		pkti = (struct in6_pktinfo *)optptr;
5225		pkti->ipi6_addr = connp->conn_laddr_v6;
5226		pkti->ipi6_ifindex = ifindex;
5227		optptr += sizeof (*pkti);
5228		ASSERT(OK_32PTR(optptr));
5229		/* Save as "last" value */
5230		tcp->tcp_recvifindex = ifindex;
5231	}
5232	/* If app asked for hoplimit and it has changed ... */
5233	if (addflag.crb_ipv6_recvhoplimit) {
5234		toh = (struct T_opthdr *)optptr;
5235		toh->level = IPPROTO_IPV6;
5236		toh->name = IPV6_HOPLIMIT;
5237		toh->len = sizeof (*toh) + sizeof (uint_t);
5238		toh->status = 0;
5239		optptr += sizeof (*toh);
5240		*(uint_t *)optptr = ipp->ipp_hoplimit;
5241		optptr += sizeof (uint_t);
5242		ASSERT(OK_32PTR(optptr));
5243		/* Save as "last" value */
5244		tcp->tcp_recvhops = ipp->ipp_hoplimit;
5245	}
5246	/* If app asked for tclass and it has changed ... */
5247	if (addflag.crb_ipv6_recvtclass) {
5248		toh = (struct T_opthdr *)optptr;
5249		toh->level = IPPROTO_IPV6;
5250		toh->name = IPV6_TCLASS;
5251		toh->len = sizeof (*toh) + sizeof (uint_t);
5252		toh->status = 0;
5253		optptr += sizeof (*toh);
5254		*(uint_t *)optptr = ipp->ipp_tclass;
5255		optptr += sizeof (uint_t);
5256		ASSERT(OK_32PTR(optptr));
5257		/* Save as "last" value */
5258		tcp->tcp_recvtclass = ipp->ipp_tclass;
5259	}
5260	if (addflag.crb_ipv6_recvhopopts) {
5261		toh = (struct T_opthdr *)optptr;
5262		toh->level = IPPROTO_IPV6;
5263		toh->name = IPV6_HOPOPTS;
5264		toh->len = sizeof (*toh) + ipp->ipp_hopoptslen;
5265		toh->status = 0;
5266		optptr += sizeof (*toh);
5267		bcopy((uchar_t *)ipp->ipp_hopopts, optptr, ipp->ipp_hopoptslen);
5268		optptr += ipp->ipp_hopoptslen;
5269		ASSERT(OK_32PTR(optptr));
5270		/* Save as last value */
5271		ip_savebuf((void **)&tcp->tcp_hopopts, &tcp->tcp_hopoptslen,
5272		    (ipp->ipp_fields & IPPF_HOPOPTS),
5273		    ipp->ipp_hopopts, ipp->ipp_hopoptslen);
5274	}
5275	if (addflag.crb_ipv6_recvrthdrdstopts) {
5276		toh = (struct T_opthdr *)optptr;
5277		toh->level = IPPROTO_IPV6;
5278		toh->name = IPV6_RTHDRDSTOPTS;
5279		toh->len = sizeof (*toh) + ipp->ipp_rthdrdstoptslen;
5280		toh->status = 0;
5281		optptr += sizeof (*toh);
5282		bcopy(ipp->ipp_rthdrdstopts, optptr, ipp->ipp_rthdrdstoptslen);
5283		optptr += ipp->ipp_rthdrdstoptslen;
5284		ASSERT(OK_32PTR(optptr));
5285		/* Save as last value */
5286		ip_savebuf((void **)&tcp->tcp_rthdrdstopts,
5287		    &tcp->tcp_rthdrdstoptslen,
5288		    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
5289		    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen);
5290	}
5291	if (addflag.crb_ipv6_recvrthdr) {
5292		toh = (struct T_opthdr *)optptr;
5293		toh->level = IPPROTO_IPV6;
5294		toh->name = IPV6_RTHDR;
5295		toh->len = sizeof (*toh) + ipp->ipp_rthdrlen;
5296		toh->status = 0;
5297		optptr += sizeof (*toh);
5298		bcopy(ipp->ipp_rthdr, optptr, ipp->ipp_rthdrlen);
5299		optptr += ipp->ipp_rthdrlen;
5300		ASSERT(OK_32PTR(optptr));
5301		/* Save as last value */
5302		ip_savebuf((void **)&tcp->tcp_rthdr, &tcp->tcp_rthdrlen,
5303		    (ipp->ipp_fields & IPPF_RTHDR),
5304		    ipp->ipp_rthdr, ipp->ipp_rthdrlen);
5305	}
5306	if (addflag.crb_ipv6_recvdstopts) {
5307		toh = (struct T_opthdr *)optptr;
5308		toh->level = IPPROTO_IPV6;
5309		toh->name = IPV6_DSTOPTS;
5310		toh->len = sizeof (*toh) + ipp->ipp_dstoptslen;
5311		toh->status = 0;
5312		optptr += sizeof (*toh);
5313		bcopy(ipp->ipp_dstopts, optptr, ipp->ipp_dstoptslen);
5314		optptr += ipp->ipp_dstoptslen;
5315		ASSERT(OK_32PTR(optptr));
5316		/* Save as last value */
5317		ip_savebuf((void **)&tcp->tcp_dstopts, &tcp->tcp_dstoptslen,
5318		    (ipp->ipp_fields & IPPF_DSTOPTS),
5319		    ipp->ipp_dstopts, ipp->ipp_dstoptslen);
5320	}
5321	ASSERT(optptr == mp->b_wptr);
5322	return (mp);
5323}
5324
5325/* The minimum of smoothed mean deviation in RTO calculation (nsec). */
5326#define	TCP_SD_MIN	400000000
5327
5328/*
5329 * Set RTO for this connection based on a new round-trip time measurement.
5330 * The formula is from Jacobson and Karels' "Congestion Avoidance and Control"
5331 * in SIGCOMM '88.  The variable names are the same as those in Appendix A.2
5332 * of that paper.
5333 *
5334 * m = new measurement
5335 * sa = smoothed RTT average (8 * average estimates).
5336 * sv = smoothed mean deviation (mdev) of RTT (4 * deviation estimates).
5337 */
5338static void
5339tcp_set_rto(tcp_t *tcp, hrtime_t rtt)
5340{
5341	hrtime_t m = rtt;
5342	hrtime_t sa = tcp->tcp_rtt_sa;
5343	hrtime_t sv = tcp->tcp_rtt_sd;
5344	tcp_stack_t *tcps = tcp->tcp_tcps;
5345
5346	TCPS_BUMP_MIB(tcps, tcpRttUpdate);
5347	tcp->tcp_rtt_update++;
5348	tcp->tcp_rtt_sum += m;
5349	tcp->tcp_rtt_cnt++;
5350
5351	/* tcp_rtt_sa is not 0 means this is a new sample. */
5352	if (sa != 0) {
5353		/*
5354		 * Update average estimator (see section 2.3 of RFC6298):
5355		 *	SRTT = 7/8 SRTT + 1/8 rtt
5356		 *
5357		 * We maintain tcp_rtt_sa as 8 * SRTT, so this reduces to:
5358		 *	tcp_rtt_sa = 7 * SRTT + rtt
5359		 *	tcp_rtt_sa = 7 * (tcp_rtt_sa / 8) + rtt
5360		 *	tcp_rtt_sa = tcp_rtt_sa - (tcp_rtt_sa / 8) + rtt
5361		 *	tcp_rtt_sa = tcp_rtt_sa + (rtt - (tcp_rtt_sa / 8))
5362		 *	tcp_rtt_sa = tcp_rtt_sa + (rtt - (tcp_rtt_sa / 2^3))
5363		 *	tcp_rtt_sa = tcp_rtt_sa + (rtt - (tcp_rtt_sa >> 3))
5364		 *
5365		 * (rtt - tcp_rtt_sa / 8) is simply the difference
5366		 * between the new rtt measurement and the existing smoothed
5367		 * RTT average. This is referred to as "Error" in subsequent
5368		 * calculations.
5369		 */
5370
5371		/* m is now Error. */
5372		m -= sa >> 3;
5373		if ((sa += m) <= 0) {
5374			/*
5375			 * Don't allow the smoothed average to be negative.
5376			 * We use 0 to denote reinitialization of the
5377			 * variables.
5378			 */
5379			sa = 1;
5380		}
5381
5382		/*
5383		 * Update deviation estimator:
5384		 *  mdev = 3/4 mdev + 1/4 abs(Error)
5385		 *
5386		 * We maintain tcp_rtt_sd as 4 * mdev, so this reduces to:
5387		 *  tcp_rtt_sd = 3 * mdev + abs(Error)
5388		 *  tcp_rtt_sd = tcp_rtt_sd - (tcp_rtt_sd / 4) + abs(Error)
5389		 *  tcp_rtt_sd = tcp_rtt_sd - (tcp_rtt_sd / 2^2) + abs(Error)
5390		 *  tcp_rtt_sd = tcp_rtt_sd - (tcp_rtt_sd >> 2) + abs(Error)
5391		 */
5392		if (m < 0)
5393			m = -m;
5394		m -= sv >> 2;
5395		sv += m;
5396	} else {
5397		/*
5398		 * This follows BSD's implementation.  So the reinitialized
5399		 * RTO is 3 * m.  We cannot go less than 2 because if the
5400		 * link is bandwidth dominated, doubling the window size
5401		 * during slow start means doubling the RTT.  We want to be
5402		 * more conservative when we reinitialize our estimates.  3
5403		 * is just a convenient number.
5404		 */
5405		sa = m << 3;
5406		sv = m << 1;
5407	}
5408	if (sv < TCP_SD_MIN) {
5409		/*
5410		 * Since a receiver doesn't delay its ACKs during a long run of
5411		 * segments, sa may not have captured the effect of delayed ACK
5412		 * timeouts on the RTT.  To make sure we always account for the
5413		 * possible delay (and avoid the unnecessary retransmission),
5414		 * TCP_SD_MIN is set to 400ms, twice the delayed ACK timeout of
5415		 * 200ms on older SunOS/BSD systems and modern Windows systems
5416		 * (as of 2019).  This means that the minimum possible mean
5417		 * deviation is 100 ms.
5418		 */
5419		sv = TCP_SD_MIN;
5420	}
5421	tcp->tcp_rtt_sa = sa;
5422	tcp->tcp_rtt_sd = sv;
5423
5424	tcp->tcp_rto = tcp_calculate_rto(tcp, tcps, 0);
5425
5426	/* Now, we can reset tcp_timer_backoff to use the new RTO... */
5427	tcp->tcp_timer_backoff = 0;
5428}
5429
5430/*
5431 * On a labeled system we have some protocols above TCP, such as RPC, which
5432 * appear to assume that every mblk in a chain has a db_credp.
5433 */
5434static void
5435tcp_setcred_data(mblk_t *mp, ip_recv_attr_t *ira)
5436{
5437	ASSERT(is_system_labeled());
5438	ASSERT(ira->ira_cred != NULL);
5439
5440	while (mp != NULL) {
5441		mblk_setcred(mp, ira->ira_cred, NOPID);
5442		mp = mp->b_cont;
5443	}
5444}
5445
5446uint_t
5447tcp_rwnd_reopen(tcp_t *tcp)
5448{
5449	uint_t ret = 0;
5450	uint_t thwin;
5451	conn_t *connp = tcp->tcp_connp;
5452
5453	/* Learn the latest rwnd information that we sent to the other side. */
5454	thwin = ((uint_t)ntohs(tcp->tcp_tcpha->tha_win))
5455	    << tcp->tcp_rcv_ws;
5456	/* This is peer's calculated send window (our receive window). */
5457	thwin -= tcp->tcp_rnxt - tcp->tcp_rack;
5458	/*
5459	 * Increase the receive window to max.  But we need to do receiver
5460	 * SWS avoidance.  This means that we need to check the increase of
5461	 * of receive window is at least 1 MSS.
5462	 */
5463	if (connp->conn_rcvbuf - thwin >= tcp->tcp_mss) {
5464		/*
5465		 * If the window that the other side knows is less than max
5466		 * deferred acks segments, send an update immediately.
5467		 */
5468		if (thwin < tcp->tcp_rack_cur_max * tcp->tcp_mss) {
5469			TCPS_BUMP_MIB(tcp->tcp_tcps, tcpOutWinUpdate);
5470			ret = TH_ACK_NEEDED;
5471		}
5472		tcp->tcp_rwnd = connp->conn_rcvbuf;
5473	}
5474	return (ret);
5475}
5476
5477/*
5478 * Handle a packet that has been reclassified by TCP.
5479 * This function drops the ref on connp that the caller had.
5480 */
5481void
5482tcp_reinput(conn_t *connp, mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
5483{
5484	ipsec_stack_t	*ipss = ipst->ips_netstack->netstack_ipsec;
5485
5486	if (connp->conn_incoming_ifindex != 0 &&
5487	    connp->conn_incoming_ifindex != ira->ira_ruifindex) {
5488		freemsg(mp);
5489		CONN_DEC_REF(connp);
5490		return;
5491	}
5492
5493	if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) ||
5494	    (ira->ira_flags & IRAF_IPSEC_SECURE)) {
5495		ip6_t *ip6h;
5496		ipha_t *ipha;
5497
5498		if (ira->ira_flags & IRAF_IS_IPV4) {
5499			ipha = (ipha_t *)mp->b_rptr;
5500			ip6h = NULL;
5501		} else {
5502			ipha = NULL;
5503			ip6h = (ip6_t *)mp->b_rptr;
5504		}
5505		mp = ipsec_check_inbound_policy(mp, connp, ipha, ip6h, ira);
5506		if (mp == NULL) {
5507			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
5508			/* Note that mp is NULL */
5509			ip_drop_input("ipIfStatsInDiscards", mp, NULL);
5510			CONN_DEC_REF(connp);
5511			return;
5512		}
5513	}
5514
5515	if (IPCL_IS_TCP(connp)) {
5516		/*
5517		 * do not drain, certain use cases can blow
5518		 * the stack
5519		 */
5520		SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
5521		    connp->conn_recv, connp, ira,
5522		    SQ_NODRAIN, SQTAG_IP_TCP_INPUT);
5523	} else {
5524		/* Not TCP; must be SOCK_RAW, IPPROTO_TCP */
5525		(connp->conn_recv)(connp, mp, NULL,
5526		    ira);
5527		CONN_DEC_REF(connp);
5528	}
5529
5530}
5531
5532/* ARGSUSED */
5533static void
5534tcp_rsrv_input(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
5535{
5536	conn_t	*connp = (conn_t *)arg;
5537	tcp_t	*tcp = connp->conn_tcp;
5538	queue_t	*q = connp->conn_rq;
5539
5540	ASSERT(!IPCL_IS_NONSTR(connp));
5541	mutex_enter(&tcp->tcp_rsrv_mp_lock);
5542	tcp->tcp_rsrv_mp = mp;
5543	mutex_exit(&tcp->tcp_rsrv_mp_lock);
5544
5545	if (TCP_IS_DETACHED(tcp) || q == NULL) {
5546		return;
5547	}
5548
5549	if (tcp->tcp_fused) {
5550		tcp_fuse_backenable(tcp);
5551		return;
5552	}
5553
5554	if (canputnext(q)) {
5555		/* Not flow-controlled, open rwnd */
5556		tcp->tcp_rwnd = connp->conn_rcvbuf;
5557
5558		/*
5559		 * Send back a window update immediately if TCP is above
5560		 * ESTABLISHED state and the increase of the rcv window
5561		 * that the other side knows is at least 1 MSS after flow
5562		 * control is lifted.
5563		 */
5564		if (tcp->tcp_state >= TCPS_ESTABLISHED &&
5565		    tcp_rwnd_reopen(tcp) == TH_ACK_NEEDED) {
5566			tcp_xmit_ctl(NULL, tcp,
5567			    (tcp->tcp_swnd == 0) ? tcp->tcp_suna :
5568			    tcp->tcp_snxt, tcp->tcp_rnxt, TH_ACK);
5569		}
5570	}
5571}
5572
5573/*
5574 * The read side service routine is called mostly when we get back-enabled as a
5575 * result of flow control relief.  Since we don't actually queue anything in
5576 * TCP, we have no data to send out of here.  What we do is clear the receive
5577 * window, and send out a window update.
5578 */
5579int
5580tcp_rsrv(queue_t *q)
5581{
5582	conn_t		*connp = Q_TO_CONN(q);
5583	tcp_t		*tcp = connp->conn_tcp;
5584	mblk_t		*mp;
5585
5586	/* No code does a putq on the read side */
5587	ASSERT(q->q_first == NULL);
5588
5589	/*
5590	 * If tcp->tcp_rsrv_mp == NULL, it means that tcp_rsrv() has already
5591	 * been run.  So just return.
5592	 */
5593	mutex_enter(&tcp->tcp_rsrv_mp_lock);
5594	if ((mp = tcp->tcp_rsrv_mp) == NULL) {
5595		mutex_exit(&tcp->tcp_rsrv_mp_lock);
5596		return (0);
5597	}
5598	tcp->tcp_rsrv_mp = NULL;
5599	mutex_exit(&tcp->tcp_rsrv_mp_lock);
5600
5601	CONN_INC_REF(connp);
5602	SQUEUE_ENTER_ONE(connp->conn_sqp, mp, tcp_rsrv_input, connp,
5603	    NULL, SQ_PROCESS, SQTAG_TCP_RSRV);
5604	return (0);
5605}
5606
5607/* At minimum we need 8 bytes in the TCP header for the lookup */
5608#define	ICMP_MIN_TCP_HDR	8
5609
5610/*
5611 * tcp_icmp_input is called as conn_recvicmp to process ICMP error messages
5612 * passed up by IP. The message is always received on the correct tcp_t.
5613 * Assumes that IP has pulled up everything up to and including the ICMP header.
5614 */
5615/* ARGSUSED2 */
5616void
5617tcp_icmp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
5618{
5619	conn_t		*connp = (conn_t *)arg1;
5620	icmph_t		*icmph;
5621	ipha_t		*ipha;
5622	int		iph_hdr_length;
5623	tcpha_t		*tcpha;
5624	uint32_t	seg_seq;
5625	tcp_t		*tcp = connp->conn_tcp;
5626
5627	/* Assume IP provides aligned packets */
5628	ASSERT(OK_32PTR(mp->b_rptr));
5629	ASSERT((MBLKL(mp) >= sizeof (ipha_t)));
5630
5631	/*
5632	 * It's possible we have a closed, but not yet destroyed, TCP
5633	 * connection. Several fields (e.g. conn_ixa->ixa_ire) are invalid
5634	 * in the closed state, so don't take any chances and drop the packet.
5635	 */
5636	if (tcp->tcp_state == TCPS_CLOSED) {
5637		freemsg(mp);
5638		return;
5639	}
5640
5641	/*
5642	 * Verify IP version. Anything other than IPv4 or IPv6 packet is sent
5643	 * upstream. ICMPv6 is handled in tcp_icmp_error_ipv6.
5644	 */
5645	if (!(ira->ira_flags & IRAF_IS_IPV4)) {
5646		tcp_icmp_error_ipv6(tcp, mp, ira);
5647		return;
5648	}
5649
5650	/* Skip past the outer IP and ICMP headers */
5651	iph_hdr_length = ira->ira_ip_hdr_length;
5652	icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
5653	/*
5654	 * If we don't have the correct outer IP header length
5655	 * or if we don't have a complete inner IP header
5656	 * drop it.
5657	 */
5658	if (iph_hdr_length < sizeof (ipha_t) ||
5659	    (ipha_t *)&icmph[1] + 1 > (ipha_t *)mp->b_wptr) {
5660noticmpv4:
5661		freemsg(mp);
5662		return;
5663	}
5664	ipha = (ipha_t *)&icmph[1];
5665
5666	/* Skip past the inner IP and find the ULP header */
5667	iph_hdr_length = IPH_HDR_LENGTH(ipha);
5668	tcpha = (tcpha_t *)((char *)ipha + iph_hdr_length);
5669	/*
5670	 * If we don't have the correct inner IP header length or if the ULP
5671	 * is not IPPROTO_TCP or if we don't have at least ICMP_MIN_TCP_HDR
5672	 * bytes of TCP header, drop it.
5673	 */
5674	if (iph_hdr_length < sizeof (ipha_t) ||
5675	    ipha->ipha_protocol != IPPROTO_TCP ||
5676	    (uchar_t *)tcpha + ICMP_MIN_TCP_HDR > mp->b_wptr) {
5677		goto noticmpv4;
5678	}
5679
5680	seg_seq = ntohl(tcpha->tha_seq);
5681	switch (icmph->icmph_type) {
5682	case ICMP_DEST_UNREACHABLE:
5683		switch (icmph->icmph_code) {
5684		case ICMP_FRAGMENTATION_NEEDED:
5685			/*
5686			 * Update Path MTU, then try to send something out.
5687			 */
5688			tcp_update_pmtu(tcp, B_TRUE);
5689			tcp_rexmit_after_error(tcp);
5690			break;
5691		case ICMP_PORT_UNREACHABLE:
5692		case ICMP_PROTOCOL_UNREACHABLE:
5693			switch (tcp->tcp_state) {
5694			case TCPS_SYN_SENT:
5695			case TCPS_SYN_RCVD:
5696				/*
5697				 * ICMP can snipe away incipient
5698				 * TCP connections as long as
5699				 * seq number is same as initial
5700				 * send seq number.
5701				 */
5702				if (seg_seq == tcp->tcp_iss) {
5703					(void) tcp_clean_death(tcp,
5704					    ECONNREFUSED);
5705				}
5706				break;
5707			}
5708			break;
5709		case ICMP_HOST_UNREACHABLE:
5710		case ICMP_NET_UNREACHABLE:
5711			/* Record the error in case we finally time out. */
5712			if (icmph->icmph_code == ICMP_HOST_UNREACHABLE)
5713				tcp->tcp_client_errno = EHOSTUNREACH;
5714			else
5715				tcp->tcp_client_errno = ENETUNREACH;
5716			if (tcp->tcp_state == TCPS_SYN_RCVD) {
5717				if (tcp->tcp_listener != NULL &&
5718				    tcp->tcp_listener->tcp_syn_defense) {
5719					/*
5720					 * Ditch the half-open connection if we
5721					 * suspect a SYN attack is under way.
5722					 */
5723					(void) tcp_clean_death(tcp,
5724					    tcp->tcp_client_errno);
5725				}
5726			}
5727			break;
5728		default:
5729			break;
5730		}
5731		break;
5732	case ICMP_SOURCE_QUENCH: {
5733		/*
5734		 * use a global boolean to control
5735		 * whether TCP should respond to ICMP_SOURCE_QUENCH.
5736		 * The default is false.
5737		 */
5738		if (tcp_icmp_source_quench) {
5739			/*
5740			 * Reduce the sending rate as if we got a
5741			 * retransmit timeout
5742			 */
5743			uint32_t npkt;
5744
5745			npkt = ((tcp->tcp_snxt - tcp->tcp_suna) >> 1) /
5746			    tcp->tcp_mss;
5747			tcp->tcp_cwnd_ssthresh = MAX(npkt, 2) * tcp->tcp_mss;
5748
5749			DTRACE_PROBE3(cwnd__source__quench, tcp_t *, tcp,
5750			    uint32_t, tcp->tcp_cwnd,
5751			    uint32_t, tcp->tcp_mss);
5752			tcp->tcp_cwnd = tcp->tcp_mss;
5753			tcp->tcp_cwnd_cnt = 0;
5754		}
5755		break;
5756	}
5757	}
5758	freemsg(mp);
5759}
5760
5761/*
5762 * tcp_icmp_error_ipv6 is called from tcp_icmp_input to process ICMPv6
5763 * error messages passed up by IP.
5764 * Assumes that IP has pulled up all the extension headers as well
5765 * as the ICMPv6 header.
5766 */
5767static void
5768tcp_icmp_error_ipv6(tcp_t *tcp, mblk_t *mp, ip_recv_attr_t *ira)
5769{
5770	icmp6_t		*icmp6;
5771	ip6_t		*ip6h;
5772	uint16_t	iph_hdr_length = ira->ira_ip_hdr_length;
5773	tcpha_t		*tcpha;
5774	uint8_t		*nexthdrp;
5775	uint32_t	seg_seq;
5776
5777	/*
5778	 * Verify that we have a complete IP header.
5779	 */
5780	ASSERT((MBLKL(mp) >= sizeof (ip6_t)));
5781
5782	icmp6 = (icmp6_t *)&mp->b_rptr[iph_hdr_length];
5783	ip6h = (ip6_t *)&icmp6[1];
5784	/*
5785	 * Verify if we have a complete ICMP and inner IP header.
5786	 */
5787	if ((uchar_t *)&ip6h[1] > mp->b_wptr) {
5788noticmpv6:
5789		freemsg(mp);
5790		return;
5791	}
5792
5793	if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length, &nexthdrp))
5794		goto noticmpv6;
5795	tcpha = (tcpha_t *)((char *)ip6h + iph_hdr_length);
5796	/*
5797	 * Validate inner header. If the ULP is not IPPROTO_TCP or if we don't
5798	 * have at least ICMP_MIN_TCP_HDR bytes of  TCP header drop the
5799	 * packet.
5800	 */
5801	if ((*nexthdrp != IPPROTO_TCP) ||
5802	    ((uchar_t *)tcpha + ICMP_MIN_TCP_HDR) > mp->b_wptr) {
5803		goto noticmpv6;
5804	}
5805
5806	seg_seq = ntohl(tcpha->tha_seq);
5807	switch (icmp6->icmp6_type) {
5808	case ICMP6_PACKET_TOO_BIG:
5809		/*
5810		 * Update Path MTU, then try to send something out.
5811		 */
5812		tcp_update_pmtu(tcp, B_TRUE);
5813		tcp_rexmit_after_error(tcp);
5814		break;
5815	case ICMP6_DST_UNREACH:
5816		switch (icmp6->icmp6_code) {
5817		case ICMP6_DST_UNREACH_NOPORT:
5818			if (((tcp->tcp_state == TCPS_SYN_SENT) ||
5819			    (tcp->tcp_state == TCPS_SYN_RCVD)) &&
5820			    (seg_seq == tcp->tcp_iss)) {
5821				(void) tcp_clean_death(tcp, ECONNREFUSED);
5822			}
5823			break;
5824		case ICMP6_DST_UNREACH_ADMIN:
5825		case ICMP6_DST_UNREACH_NOROUTE:
5826		case ICMP6_DST_UNREACH_BEYONDSCOPE:
5827		case ICMP6_DST_UNREACH_ADDR:
5828			/* Record the error in case we finally time out. */
5829			tcp->tcp_client_errno = EHOSTUNREACH;
5830			if (((tcp->tcp_state == TCPS_SYN_SENT) ||
5831			    (tcp->tcp_state == TCPS_SYN_RCVD)) &&
5832			    (seg_seq == tcp->tcp_iss)) {
5833				if (tcp->tcp_listener != NULL &&
5834				    tcp->tcp_listener->tcp_syn_defense) {
5835					/*
5836					 * Ditch the half-open connection if we
5837					 * suspect a SYN attack is under way.
5838					 */
5839					(void) tcp_clean_death(tcp,
5840					    tcp->tcp_client_errno);
5841				}
5842			}
5843
5844
5845			break;
5846		default:
5847			break;
5848		}
5849		break;
5850	case ICMP6_PARAM_PROB:
5851		/* If this corresponds to an ICMP_PROTOCOL_UNREACHABLE */
5852		if (icmp6->icmp6_code == ICMP6_PARAMPROB_NEXTHEADER &&
5853		    (uchar_t *)ip6h + icmp6->icmp6_pptr ==
5854		    (uchar_t *)nexthdrp) {
5855			if (tcp->tcp_state == TCPS_SYN_SENT ||
5856			    tcp->tcp_state == TCPS_SYN_RCVD) {
5857				(void) tcp_clean_death(tcp, ECONNREFUSED);
5858			}
5859			break;
5860		}
5861		break;
5862
5863	case ICMP6_TIME_EXCEEDED:
5864	default:
5865		break;
5866	}
5867	freemsg(mp);
5868}
5869
5870/*
5871 * CALLED OUTSIDE OF SQUEUE! It can not follow any pointers that tcp might
5872 * change. But it can refer to fields like tcp_suna and tcp_snxt.
5873 *
5874 * Function tcp_verifyicmp is called as conn_verifyicmp to verify the ICMP
5875 * error messages received by IP. The message is always received on the correct
5876 * tcp_t.
5877 */
5878/* ARGSUSED */
5879boolean_t
5880tcp_verifyicmp(conn_t *connp, void *arg2, icmph_t *icmph, icmp6_t *icmp6,
5881    ip_recv_attr_t *ira)
5882{
5883	tcpha_t		*tcpha = (tcpha_t *)arg2;
5884	uint32_t	seq = ntohl(tcpha->tha_seq);
5885	tcp_t		*tcp = connp->conn_tcp;
5886
5887	/*
5888	 * TCP sequence number contained in payload of the ICMP error message
5889	 * should be within the range SND.UNA <= SEG.SEQ < SND.NXT. Otherwise,
5890	 * the message is either a stale ICMP error, or an attack from the
5891	 * network. Fail the verification.
5892	 */
5893	if (SEQ_LT(seq, tcp->tcp_suna) || SEQ_GEQ(seq, tcp->tcp_snxt))
5894		return (B_FALSE);
5895
5896	/* For "too big" we also check the ignore flag */
5897	if (ira->ira_flags & IRAF_IS_IPV4) {
5898		ASSERT(icmph != NULL);
5899		if (icmph->icmph_type == ICMP_DEST_UNREACHABLE &&
5900		    icmph->icmph_code == ICMP_FRAGMENTATION_NEEDED &&
5901		    tcp->tcp_tcps->tcps_ignore_path_mtu)
5902			return (B_FALSE);
5903	} else {
5904		ASSERT(icmp6 != NULL);
5905		if (icmp6->icmp6_type == ICMP6_PACKET_TOO_BIG &&
5906		    tcp->tcp_tcps->tcps_ignore_path_mtu)
5907			return (B_FALSE);
5908	}
5909	return (B_TRUE);
5910}
5911