mptcp_subr.c source code [xnu/bsd/netinet/mptcp_subr.c]

1	/*
2	* Copyright (c) 2012-2017 Apple Inc. All rights reserved.
3	*
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5	*
6	* This file contains Original Code and/or Modifications of Original Code
7	* as defined in and that are subject to the Apple Public Source License
8	* Version 2.0 (the 'License'). You may not use this file except in
9	* compliance with the License. The rights granted to you under the License
10	* may not be used to create, or enable the creation or redistribution of,
11	* unlawful or unlicensed copies of an Apple operating system, or to
12	* circumvent, violate, or enable the circumvention or violation of, any
13	* terms of an Apple operating system software license agreement.
14	*
15	* Please obtain a copy of the License at
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
17	*
18	* The Original Code and all software distributed under the License are
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23	* Please see the License for the specific language governing rights and
24	* limitations under the License.
25	*
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27	*/
28
29	#include <kern/locks.h>
30	#include <kern/policy_internal.h>
31	#include <kern/zalloc.h>
32
33	#include <mach/sdt.h>
34
35	#include <sys/domain.h>
36	#include <sys/kdebug.h>
37	#include <sys/kern_control.h>
38	#include <sys/kernel.h>
39	#include <sys/mbuf.h>
40	#include <sys/mcache.h>
41	#include <sys/param.h>
42	#include <sys/proc.h>
43	#include <sys/protosw.h>
44	#include <sys/resourcevar.h>
45	#include <sys/socket.h>
46	#include <sys/socketvar.h>
47	#include <sys/sysctl.h>
48	#include <sys/syslog.h>
49	#include <sys/systm.h>
50
51	#include <net/content_filter.h>
52	#include <net/if.h>
53	#include <net/if_var.h>
54	#include <netinet/in.h>
55	#include <netinet/in_pcb.h>
56	#include <netinet/in_var.h>
57	#include <netinet/tcp.h>
58	#include <netinet/tcp_fsm.h>
59	#include <netinet/tcp_seq.h>
60	#include <netinet/tcp_var.h>
61	#include <netinet/mptcp_var.h>
62	#include <netinet/mptcp.h>
63	#include <netinet/mptcp_opt.h>
64	#include <netinet/mptcp_seq.h>
65	#include <netinet/mptcp_timer.h>
66	#include <libkern/crypto/sha1.h>
67	#if INET6
68	#include <netinet6/in6_pcb.h>
69	#include <netinet6/ip6protosw.h>
70	#endif /* INET6 */
71	#include <dev/random/randomdev.h>
72
73	/*
74	* Notes on MPTCP implementation.
75	*
76	* MPTCP is implemented as <SOCK_STREAM,IPPROTO_TCP> protocol in PF_MULTIPATH
77	* communication domain. The structure mtcbinfo describes the MPTCP instance
78	* of a Multipath protocol in that domain. It is used to keep track of all
79	* MPTCP PCB instances in the system, and is protected by the global lock
80	* mppi_lock.
81	*
82	* An MPTCP socket is opened by calling socket(PF_MULTIPATH, SOCK_STREAM,
83	* IPPROTO_TCP). Upon success, a Multipath PCB gets allocated and along with
84	* it comes an MPTCP Session and an MPTCP PCB. All three structures are
85	* allocated from the same memory block, and each structure has a pointer
86	* to the adjacent ones. The layout is defined by the mpp_mtp structure.
87	* The socket lock (mpp_lock) is used to protect accesses to the Multipath
88	* PCB (mppcb) as well as the MPTCP Session (mptses).
89	*
90	* The MPTCP Session is an MPTCP-specific extension to the Multipath PCB;
91	*
92	* A functioning MPTCP Session consists of one or more subflow sockets. Each
93	* subflow socket is essentially a regular PF_INET/PF_INET6 TCP socket, and is
94	* represented by the mptsub structure. Because each subflow requires access
95	* to the MPTCP Session, the MPTCP socket's so_usecount is bumped up for each
96	* subflow. This gets decremented prior to the subflow's destruction.
97	*
98	* To handle events (read, write, control) from the subflows, we do direct
99	* upcalls into the specific function.
100	*
101	* The whole MPTCP connection is protected by a single lock, the MPTCP socket's
102	* lock. Incoming data on a subflow also ends up taking this single lock. To
103	* achieve the latter, tcp_lock/unlock has been changed to rather use the lock
104	* of the MPTCP-socket.
105	*
106	* An MPTCP socket will be destroyed when its so_usecount drops to zero; this
107	* work is done by the MPTCP garbage collector which is invoked on demand by
108	* the PF_MULTIPATH garbage collector. This process will take place once all
109	* of the subflows have been destroyed.
110	*/
111
112	static void mptcp_attach_to_subf(struct socket , struct* mptcb *, uint8_t);
113	static void mptcp_detach_mptcb_from_subf(struct mptcb , struct* socket *);
114
115	static uint32_t mptcp_gc(struct mppcbinfo *);
116	static int mptcp_subflow_soreceive(struct socket , struct* sockaddr **,
117	struct uio , struct* mbuf , struct mbuf , int *);
118	static int mptcp_subflow_sosend(struct socket , struct* sockaddr *,
119	struct uio , struct* mbuf , struct* mbuf , int*);
120	static void mptcp_subflow_rupcall(struct socket , void* , int*);
121	static void mptcp_subflow_input(struct mptses , struct* mptsub *);
122	static void mptcp_subflow_wupcall(struct socket , void* , int*);
123	static void mptcp_subflow_eupcall1(struct socket , void* *, uint32_t);
124	static void mptcp_update_last_owner(struct socket so, struct* socket *mp_so);
125	static void mptcp_drop_tfo_data(struct mptses , struct* mptsub *);
126
127	static void mptcp_subflow_abort(struct mptsub , int*);
128
129	static void mptcp_send_dfin(struct socket *so);
130
131	/*
132	* Possible return values for subflow event handlers. Note that success
133	* values must be greater or equal than MPTS_EVRET_OK. Values less than that
134	* indicate errors or actions which require immediate attention; they will
135	* prevent the rest of the handlers from processing their respective events
136	* until the next round of events processing.
137	*/
138	typedef enum {
139	MPTS_EVRET_DELETE = `1`, / delete this subflow /
140	MPTS_EVRET_OK = `2`, / OK /
141	MPTS_EVRET_CONNECT_PENDING = `3`, / resume pended connects /
142	MPTS_EVRET_DISCONNECT_FALLBACK = `4`, / abort all but preferred /
143	} ev_ret_t;
144
145	static ev_ret_t mptcp_subflow_events(struct mptses , struct* mptsub , uint64_t );
146	static ev_ret_t mptcp_subflow_propagate_ev(struct mptses , struct* mptsub , uint64_t , uint64_t);
147	static ev_ret_t mptcp_subflow_nosrcaddr_ev(struct mptses , struct* mptsub , uint64_t , uint64_t);
148	static ev_ret_t mptcp_subflow_failover_ev(struct mptses , struct* mptsub , uint64_t , uint64_t);
149	static ev_ret_t mptcp_subflow_ifdenied_ev(struct mptses , struct* mptsub , uint64_t , uint64_t);
150	static ev_ret_t mptcp_subflow_connected_ev(struct mptses , struct* mptsub , uint64_t , uint64_t);
151	static ev_ret_t mptcp_subflow_disconnected_ev(struct mptses , struct* mptsub , uint64_t , uint64_t);
152	static ev_ret_t mptcp_subflow_mpstatus_ev(struct mptses , struct* mptsub , uint64_t , uint64_t);
153	static ev_ret_t mptcp_subflow_mustrst_ev(struct mptses , struct* mptsub , uint64_t , uint64_t);
154	static ev_ret_t mptcp_subflow_mpcantrcvmore_ev(struct mptses , struct* mptsub , uint64_t , uint64_t);
155	static ev_ret_t mptcp_subflow_adaptive_rtimo_ev(struct mptses , struct* mptsub , uint64_t , uint64_t);
156	static ev_ret_t mptcp_subflow_adaptive_wtimo_ev(struct mptses , struct* mptsub , uint64_t , uint64_t);
157
158	static const char *mptcp_evret2str(ev_ret_t);
159
160	static void mptcp_do_sha1(mptcp_key_t , char* *);
161	static void mptcp_init_local_parms(struct mptses *);
162
163	static unsigned int mptsub_zone_size; / size of mptsub /
164	static struct zone mptsub_zone; /* zone for mptsub /
165
166	static unsigned int mptopt_zone_size; / size of mptopt /
167	static struct zone mptopt_zone; /* zone for mptopt /
168
169	static unsigned int mpt_subauth_entry_size; / size of subf auth entry /
170	static struct zone mpt_subauth_zone; /* zone of subf auth entry /
171
172	struct mppcbinfo mtcbinfo;
173
174	#define MPTCP_SUBFLOW_WRITELEN (8 * 1024) /* bytes to write each time */
175	#define MPTCP_SUBFLOW_READLEN (8 * 1024) /* bytes to read each time */
176
177	SYSCTL_DECL(_net_inet);
178
179	SYSCTL_NODE(_net_inet, OID_AUTO, mptcp, CTLFLAG_RW\|CTLFLAG_LOCKED, `0`, "MPTCP");
180
181	uint32_t mptcp_dbg_area = `31`; / more noise if greater than 1 /
182	SYSCTL_UINT(_net_inet_mptcp, OID_AUTO, dbg_area, CTLFLAG_RW\|CTLFLAG_LOCKED,
183	&mptcp_dbg_area, `0`, "MPTCP debug area");
184
185	uint32_t mptcp_dbg_level = `1`;
186	SYSCTL_INT(_net_inet_mptcp, OID_AUTO, dbg_level, CTLFLAG_RW \| CTLFLAG_LOCKED,
187	&mptcp_dbg_level, `0`, "MPTCP debug level");
188
189	SYSCTL_UINT(_net_inet_mptcp, OID_AUTO, pcbcount, CTLFLAG_RD\|CTLFLAG_LOCKED,
190	&mtcbinfo.mppi_count, `0`, "Number of active PCBs");
191
192
193	static int mptcp_alternate_port = `0`;
194	SYSCTL_INT(_net_inet_mptcp, OID_AUTO, alternate_port, CTLFLAG_RW \| CTLFLAG_LOCKED,
195	&mptcp_alternate_port, `0`, "Set alternate port for MPTCP connections");
196
197	static struct protosw mptcp_subflow_protosw;
198	static struct pr_usrreqs mptcp_subflow_usrreqs;
199	#if INET6
200	static struct ip6protosw mptcp_subflow_protosw6;
201	static struct pr_usrreqs mptcp_subflow_usrreqs6;
202	#endif /* INET6 */
203
204	static uint8_t mptcp_create_subflows_scheduled;
205
206	typedef struct mptcp_subflow_event_entry {
207	uint64_t sofilt_hint_mask;
208	ev_ret_t (*sofilt_hint_ev_hdlr)(
209	struct mptses *mpte,
210	struct mptsub *mpts,
211	uint64_t *p_mpsofilt_hint,
212	uint64_t event);
213	} mptsub_ev_entry_t;
214
215	static uint8_t mptcp_cellicon_is_set;
216	static uint32_t mptcp_last_cellicon_set;
217	#define MPTCP_CELLICON_TOGGLE_RATE (5 * TCP_RETRANSHZ) /* Only toggle every 5 seconds */
218
219	/*
220	* XXX The order of the event handlers below is really
221	* really important. Think twice before changing it.
222	*/
223	static mptsub_ev_entry_t mpsub_ev_entry_tbl [] = {
224	{
225	.sofilt_hint_mask = SO_FILT_HINT_MPCANTRCVMORE,
226	.sofilt_hint_ev_hdlr = mptcp_subflow_mpcantrcvmore_ev,
227	},
228	{
229	.sofilt_hint_mask = SO_FILT_HINT_MPFAILOVER,
230	.sofilt_hint_ev_hdlr = mptcp_subflow_failover_ev,
231	},
232	{
233	.sofilt_hint_mask = SO_FILT_HINT_CONNRESET,
234	.sofilt_hint_ev_hdlr = mptcp_subflow_propagate_ev,
235	},
236	{
237	.sofilt_hint_mask = SO_FILT_HINT_MUSTRST,
238	.sofilt_hint_ev_hdlr = mptcp_subflow_mustrst_ev,
239	},
240	{
241	.sofilt_hint_mask = SO_FILT_HINT_CANTRCVMORE,
242	.sofilt_hint_ev_hdlr = mptcp_subflow_propagate_ev,
243	},
244	{
245	.sofilt_hint_mask = SO_FILT_HINT_TIMEOUT,
246	.sofilt_hint_ev_hdlr = mptcp_subflow_propagate_ev,
247	},
248	{
249	.sofilt_hint_mask = SO_FILT_HINT_NOSRCADDR,
250	.sofilt_hint_ev_hdlr = mptcp_subflow_nosrcaddr_ev,
251	},
252	{
253	.sofilt_hint_mask = SO_FILT_HINT_IFDENIED,
254	.sofilt_hint_ev_hdlr = mptcp_subflow_ifdenied_ev,
255	},
256	{
257	.sofilt_hint_mask = SO_FILT_HINT_CONNECTED,
258	.sofilt_hint_ev_hdlr = mptcp_subflow_connected_ev,
259	},
260	{
261	.sofilt_hint_mask = SO_FILT_HINT_MPSTATUS,
262	.sofilt_hint_ev_hdlr = mptcp_subflow_mpstatus_ev,
263	},
264	{
265	.sofilt_hint_mask = SO_FILT_HINT_DISCONNECTED,
266	.sofilt_hint_ev_hdlr = mptcp_subflow_disconnected_ev,
267	},
268	{
269	.sofilt_hint_mask = SO_FILT_HINT_ADAPTIVE_RTIMO,
270	.sofilt_hint_ev_hdlr = mptcp_subflow_adaptive_rtimo_ev,
271	},
272	{
273	.sofilt_hint_mask = SO_FILT_HINT_ADAPTIVE_WTIMO,
274	.sofilt_hint_ev_hdlr = mptcp_subflow_adaptive_wtimo_ev,
275	},
276	};
277
278	os_log_t mptcp_log_handle;
279
280	/*
281	* Protocol pr_init callback.
282	*/
283	void
284	mptcp_init(struct protosw pp, struct* domain *dp)
285	{
286	#pragma unused(dp)
287	static int mptcp_initialized = `0`;
288	struct protosw *prp;
289	#if INET6
290	struct ip6protosw *prp6;
291	#endif /* INET6 */
292
293	VERIFY((pp->pr_flags & (PR_INITIALIZED\|PR_ATTACHED)) == PR_ATTACHED);
294
295	/ do this only once /
296	if (mptcp_initialized)
297	return;
298	mptcp_initialized = `1`;
299
300	/*
301	* Since PF_MULTIPATH gets initialized after PF_INET/INET6,
302	* we must be able to find IPPROTO_TCP entries for both.
303	*/
304	prp = pffindproto_locked(PF_INET, IPPROTO_TCP, SOCK_STREAM);
305	VERIFY(prp != NULL);
306	bcopy(prp, &mptcp_subflow_protosw, sizeof (*prp));
307	bcopy(prp->pr_usrreqs, &mptcp_subflow_usrreqs,
308	sizeof (mptcp_subflow_usrreqs));
309	mptcp_subflow_protosw.pr_entry.tqe_next = NULL;
310	mptcp_subflow_protosw.pr_entry.tqe_prev = NULL;
311	mptcp_subflow_protosw.pr_usrreqs = &mptcp_subflow_usrreqs;
312	mptcp_subflow_usrreqs.pru_soreceive = mptcp_subflow_soreceive;
313	mptcp_subflow_usrreqs.pru_sosend = mptcp_subflow_sosend;
314	mptcp_subflow_usrreqs.pru_rcvoob = pru_rcvoob_notsupp;
315	/*
316	* Socket filters shouldn't attach/detach to/from this protosw
317	* since pr_protosw is to be used instead, which points to the
318	* real protocol; if they do, it is a bug and we should panic.
319	*/
320	mptcp_subflow_protosw.pr_filter_head.tqh_first =
321	(struct socket_filter *)(uintptr_t)`0xdeadbeefdeadbeef`;
322	mptcp_subflow_protosw.pr_filter_head.tqh_last =
323	(struct socket_filter **)(uintptr_t)`0xdeadbeefdeadbeef`;
324
325	#if INET6
326	prp6 = (struct ip6protosw *)pffindproto_locked(PF_INET6,
327	IPPROTO_TCP, SOCK_STREAM);
328	VERIFY(prp6 != NULL);
329	bcopy(prp6, &mptcp_subflow_protosw6, sizeof (*prp6));
330	bcopy(prp6->pr_usrreqs, &mptcp_subflow_usrreqs6,
331	sizeof (mptcp_subflow_usrreqs6));
332	mptcp_subflow_protosw6.pr_entry.tqe_next = NULL;
333	mptcp_subflow_protosw6.pr_entry.tqe_prev = NULL;
334	mptcp_subflow_protosw6.pr_usrreqs = &mptcp_subflow_usrreqs6;
335	mptcp_subflow_usrreqs6.pru_soreceive = mptcp_subflow_soreceive;
336	mptcp_subflow_usrreqs6.pru_sosend = mptcp_subflow_sosend;
337	mptcp_subflow_usrreqs6.pru_rcvoob = pru_rcvoob_notsupp;
338	/*
339	* Socket filters shouldn't attach/detach to/from this protosw
340	* since pr_protosw is to be used instead, which points to the
341	* real protocol; if they do, it is a bug and we should panic.
342	*/
343	mptcp_subflow_protosw6.pr_filter_head.tqh_first =
344	(struct socket_filter *)(uintptr_t)`0xdeadbeefdeadbeef`;
345	mptcp_subflow_protosw6.pr_filter_head.tqh_last =
346	(struct socket_filter **)(uintptr_t)`0xdeadbeefdeadbeef`;
347	#endif /* INET6 */
348
349	bzero(&mtcbinfo, sizeof (mtcbinfo));
350	TAILQ_INIT(&mtcbinfo.mppi_pcbs);
351	mtcbinfo.mppi_size = sizeof (struct mpp_mtp);
352	if ((mtcbinfo.mppi_zone = zinit(mtcbinfo.mppi_size,
353	`1024` * mtcbinfo.mppi_size, `8192`, "mptcb")) == NULL) {
354	panic("%s: unable to allocate MPTCP PCB zone\n", __func__);
355	/ NOTREACHED /
356	}
357	zone_change(mtcbinfo.mppi_zone, Z_CALLERACCT, FALSE);
358	zone_change(mtcbinfo.mppi_zone, Z_EXPAND, TRUE);
359
360	mtcbinfo.mppi_lock_grp_attr = lck_grp_attr_alloc_init();
361	mtcbinfo.mppi_lock_grp = lck_grp_alloc_init("mppcb",
362	mtcbinfo.mppi_lock_grp_attr);
363	mtcbinfo.mppi_lock_attr = lck_attr_alloc_init();
364	lck_mtx_init(&mtcbinfo.mppi_lock, mtcbinfo.mppi_lock_grp,
365	mtcbinfo.mppi_lock_attr);
366
367	mtcbinfo.mppi_gc = mptcp_gc;
368	mtcbinfo.mppi_timer = mptcp_timer;
369
370	/ attach to MP domain for garbage collection to take place /
371	mp_pcbinfo_attach(&mtcbinfo);
372
373	mptsub_zone_size = sizeof (struct mptsub);
374	if ((mptsub_zone = zinit(mptsub_zone_size, `1024` * mptsub_zone_size,
375	`8192`, "mptsub")) == NULL) {
376	panic("%s: unable to allocate MPTCP subflow zone\n", __func__);
377	/ NOTREACHED /
378	}
379	zone_change(mptsub_zone, Z_CALLERACCT, FALSE);
380	zone_change(mptsub_zone, Z_EXPAND, TRUE);
381
382	mptopt_zone_size = sizeof (struct mptopt);
383	if ((mptopt_zone = zinit(mptopt_zone_size, `128` * mptopt_zone_size,
384	`1024`, "mptopt")) == NULL) {
385	panic("%s: unable to allocate MPTCP option zone\n", __func__);
386	/ NOTREACHED /
387	}
388	zone_change(mptopt_zone, Z_CALLERACCT, FALSE);
389	zone_change(mptopt_zone, Z_EXPAND, TRUE);
390
391	mpt_subauth_entry_size = sizeof (struct mptcp_subf_auth_entry);
392	if ((mpt_subauth_zone = zinit(mpt_subauth_entry_size,
393	`1024` * mpt_subauth_entry_size, `8192`, "mptauth")) == NULL) {
394	panic("%s: unable to allocate MPTCP address auth zone \n",
395	__func__);
396	/ NOTREACHED /
397	}
398	zone_change(mpt_subauth_zone, Z_CALLERACCT, FALSE);
399	zone_change(mpt_subauth_zone, Z_EXPAND, TRUE);
400
401	mptcp_last_cellicon_set = tcp_now;
402
403	mptcp_log_handle = os_log_create("com.apple.xnu.net.mptcp", "mptcp");
404	}
405
406	int
407	mptcp_get_statsindex(struct mptcp_itf_stats stats, const* struct mptsub *mpts)
408	{
409	const struct ifnet *ifp = sotoinpcb(mpts->mpts_socket)->inp_last_outifp;
410
411	int i, index = -`1`;
412
413	if (ifp == NULL) {
414	mptcplog((LOG_ERR, "%s: no ifp on subflow\n", __func__),
415	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
416	return (-`1`);
417	}
418
419	for (i = `0`; i < MPTCP_ITFSTATS_SIZE; i++) {
420	if (stats[i].ifindex == IFSCOPE_NONE) {
421	if (index < `0`)
422	index = i;
423	continue;
424	}
425
426	if (stats[i].ifindex == ifp->if_index) {
427	index = i;
428	return (index);
429	}
430	}
431
432	if (index != -`1`) {
433	stats[index].ifindex = ifp->if_index;
434	if (stats[index].is_expensive == `0`)
435	stats[index].is_expensive = IFNET_IS_CELLULAR(ifp);
436	}
437
438	return (index);
439	}
440
441	void
442	mptcpstats_inc_switch(struct mptses mpte, const* struct mptsub *mpts)
443	{
444	int index;
445
446	tcpstat.tcps_mp_switches++;
447	mpte->mpte_subflow_switches++;
448
449	index = mptcp_get_statsindex(mpte->mpte_itfstats, mpts);
450
451	if (index != -`1`)
452	mpte->mpte_itfstats[index].switches++;
453	}
454
455	/*
456	* Flushes all recorded socket options from an MP socket.
457	*/
458	static void
459	mptcp_flush_sopts(struct mptses *mpte)
460	{
461	struct mptopt mpo, tmpo;
462
463	TAILQ_FOREACH_SAFE(mpo, &mpte->mpte_sopts, mpo_entry, tmpo) {
464	mptcp_sopt_remove(mpte, mpo);
465	mptcp_sopt_free(mpo);
466	}
467	VERIFY(TAILQ_EMPTY(&mpte->mpte_sopts));
468	}
469
470	/*
471	* Create an MPTCP session, called as a result of opening a MPTCP socket.
472	*/
473	int
474	mptcp_sescreate(struct mppcb *mpp)
475	{
476	struct mppcbinfo *mppi;
477	struct mptses *mpte;
478	struct mptcb *mp_tp;
479
480	VERIFY(mpp != NULL);
481	mppi = mpp->mpp_pcbinfo;
482	VERIFY(mppi != NULL);
483
484	__IGNORE_WCASTALIGN(mpte = &((struct mpp_mtp *)mpp)->mpp_ses);
485	__IGNORE_WCASTALIGN(mp_tp = &((struct mpp_mtp *)mpp)->mtcb);
486
487	/ MPTCP Multipath PCB Extension /
488	bzero(mpte, sizeof (*mpte));
489	VERIFY(mpp->mpp_pcbe == NULL);
490	mpp->mpp_pcbe = mpte;
491	mpte->mpte_mppcb = mpp;
492	mpte->mpte_mptcb = mp_tp;
493
494	TAILQ_INIT(&mpte->mpte_sopts);
495	TAILQ_INIT(&mpte->mpte_subflows);
496	mpte->mpte_associd = SAE_ASSOCID_ANY;
497	mpte->mpte_connid_last = SAE_CONNID_ANY;
498
499	mpte->mpte_itfinfo = &mpte->_mpte_itfinfo[`0`];
500	mpte->mpte_itfinfo_size = MPTE_ITFINFO_SIZE;
501
502	if (mptcp_alternate_port)
503	mpte->mpte_alternate_port = htons(mptcp_alternate_port);
504
505	/ MPTCP Protocol Control Block /
506	bzero(mp_tp, sizeof (*mp_tp));
507	mp_tp->mpt_mpte = mpte;
508	mp_tp->mpt_state = MPTCPS_CLOSED;
509
510	DTRACE_MPTCP1(session__create, struct mppcb *, mpp);
511
512	return (`0`);
513	}
514
515	static void
516	mptcpstats_get_bytes(struct mptses *mpte, boolean_t initial_cell,
517	uint64_t cellbytes, uint64_t allbytes)
518	{
519	int64_t mycellbytes = `0`;
520	uint64_t myallbytes = `0`;
521	int i;
522
523	for (i = `0`; i < MPTCP_ITFSTATS_SIZE; i++) {
524	if (mpte->mpte_itfstats[i].is_expensive) {
525	mycellbytes += mpte->mpte_itfstats[i].mpis_txbytes;
526	mycellbytes += mpte->mpte_itfstats[i].mpis_rxbytes;
527	}
528
529	myallbytes += mpte->mpte_itfstats[i].mpis_txbytes;
530	myallbytes += mpte->mpte_itfstats[i].mpis_rxbytes;
531	}
532
533	if (initial_cell) {
534	mycellbytes -= mpte->mpte_init_txbytes;
535	mycellbytes -= mpte->mpte_init_txbytes;
536	}
537
538	if (mycellbytes < `0`) {
539	mptcplog((LOG_ERR, "%s cellbytes is %d\n", __func__, mycellbytes),
540	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
541	*cellbytes = `0`;
542	*allbytes = `0`;
543	} else {
544	*cellbytes = mycellbytes;
545	*allbytes = myallbytes;
546	}
547	}
548
549	static void
550	mptcpstats_session_wrapup(struct mptses *mpte)
551	{
552	boolean_t cell = mpte->mpte_initial_cell;
553
554	switch (mpte->mpte_svctype) {
555	case MPTCP_SVCTYPE_HANDOVER:
556	if (mpte->mpte_flags & MPTE_FIRSTPARTY) {
557	tcpstat.tcps_mptcp_fp_handover_attempt++;
558
559	if (cell && mpte->mpte_handshake_success) {
560	tcpstat.tcps_mptcp_fp_handover_success_cell++;
561
562	if (mpte->mpte_used_wifi)
563	tcpstat.tcps_mptcp_handover_wifi_from_cell++;
564	} else if (mpte->mpte_handshake_success) {
565	tcpstat.tcps_mptcp_fp_handover_success_wifi++;
566
567	if (mpte->mpte_used_cell)
568	tcpstat.tcps_mptcp_handover_cell_from_wifi++;
569	}
570	} else {
571	tcpstat.tcps_mptcp_handover_attempt++;
572
573	if (cell && mpte->mpte_handshake_success) {
574	tcpstat.tcps_mptcp_handover_success_cell++;
575
576	if (mpte->mpte_used_wifi)
577	tcpstat.tcps_mptcp_handover_wifi_from_cell++;
578	} else if (mpte->mpte_handshake_success) {
579	tcpstat.tcps_mptcp_handover_success_wifi++;
580
581	if (mpte->mpte_used_cell)
582	tcpstat.tcps_mptcp_handover_cell_from_wifi++;
583	}
584	}
585
586	if (mpte->mpte_handshake_success) {
587	uint64_t cellbytes;
588	uint64_t allbytes;
589
590	mptcpstats_get_bytes(mpte, cell, &cellbytes, &allbytes);
591
592	tcpstat.tcps_mptcp_handover_cell_bytes += cellbytes;
593	tcpstat.tcps_mptcp_handover_all_bytes += allbytes;
594	}
595	break;
596	case MPTCP_SVCTYPE_INTERACTIVE:
597	if (mpte->mpte_flags & MPTE_FIRSTPARTY) {
598	tcpstat.tcps_mptcp_fp_interactive_attempt++;
599
600	if (mpte->mpte_handshake_success) {
601	tcpstat.tcps_mptcp_fp_interactive_success++;
602
603	if (!cell && mpte->mpte_used_cell)
604	tcpstat.tcps_mptcp_interactive_cell_from_wifi++;
605	}
606	} else {
607	tcpstat.tcps_mptcp_interactive_attempt++;
608
609	if (mpte->mpte_handshake_success) {
610	tcpstat.tcps_mptcp_interactive_success++;
611
612	if (!cell && mpte->mpte_used_cell)
613	tcpstat.tcps_mptcp_interactive_cell_from_wifi++;
614	}
615	}
616
617	if (mpte->mpte_handshake_success) {
618	uint64_t cellbytes;
619	uint64_t allbytes;
620
621	mptcpstats_get_bytes(mpte, cell, &cellbytes, &allbytes);
622
623	tcpstat.tcps_mptcp_interactive_cell_bytes += cellbytes;
624	tcpstat.tcps_mptcp_interactive_all_bytes += allbytes;
625	}
626	break;
627	case MPTCP_SVCTYPE_AGGREGATE:
628	if (mpte->mpte_flags & MPTE_FIRSTPARTY) {
629	tcpstat.tcps_mptcp_fp_aggregate_attempt++;
630
631	if (mpte->mpte_handshake_success)
632	tcpstat.tcps_mptcp_fp_aggregate_success++;
633	} else {
634	tcpstat.tcps_mptcp_aggregate_attempt++;
635
636	if (mpte->mpte_handshake_success) {
637	tcpstat.tcps_mptcp_aggregate_success++;
638	}
639	}
640
641	if (mpte->mpte_handshake_success) {
642	uint64_t cellbytes;
643	uint64_t allbytes;
644
645	mptcpstats_get_bytes(mpte, cell, &cellbytes, &allbytes);
646
647	tcpstat.tcps_mptcp_aggregate_cell_bytes += cellbytes;
648	tcpstat.tcps_mptcp_aggregate_all_bytes += allbytes;
649	}
650	break;
651	}
652
653	if (cell && mpte->mpte_handshake_success && mpte->mpte_used_wifi)
654	tcpstat.tcps_mptcp_back_to_wifi++;
655
656	if (mpte->mpte_triggered_cell)
657	tcpstat.tcps_mptcp_triggered_cell++;
658	}
659
660	/*
661	* Destroy an MPTCP session.
662	*/
663	static void
664	mptcp_session_destroy(struct mptses *mpte)
665	{
666	struct mptcb *mp_tp;
667
668	mpte_lock_assert_held(mpte); / same as MP socket lock /
669
670	mp_tp = mpte->mpte_mptcb;
671	VERIFY(mp_tp != NULL);
672
673	mptcpstats_session_wrapup(mpte);
674
675	mptcp_unset_cellicon();
676
677	/*
678	* MPTCP Multipath PCB Extension section
679	*/
680	mptcp_flush_sopts(mpte);
681	VERIFY(TAILQ_EMPTY(&mpte->mpte_subflows) && mpte->mpte_numflows == `0`);
682
683	if (mpte->mpte_itfinfo_size > MPTE_ITFINFO_SIZE)
684	_FREE(mpte->mpte_itfinfo, M_TEMP);
685
686	mpte->mpte_itfinfo = NULL;
687
688	m_freem_list(mpte->mpte_reinjectq);
689
690	/*
691	* MPTCP Protocol Control Block section
692	*/
693	DTRACE_MPTCP2(session__destroy, struct mptses *, mpte,
694	struct mptcb *, mp_tp);
695	}
696
697	static boolean_t
698	mptcp_ok_to_create_subflows(struct mptcb *mp_tp)
699	{
700	return (mp_tp->mpt_state >= MPTCPS_ESTABLISHED &&
701	mp_tp->mpt_state < MPTCPS_FIN_WAIT_1 &&
702	!(mp_tp->mpt_flags & MPTCPF_FALLBACK_TO_TCP));
703	}
704
705	static int
706	mptcp_synthesize_nat64(struct in6_addr addr, uint32_t len, struct* in_addr *addrv4)
707	{
708	static const struct in6_addr well_known_prefix = {
709	.__u6_addr.__u6_addr8 = {`0x00`, `0x64`, `0xff`, `0x9b`, `0x00`, `0x00`,
710	`0x00`, `0x00`, `0x00`, `0x00`, `0x00`, `0x00`,
711	`0x00`, `0x00`, `0x00`, `0x00`},
712	};
713	char buf[MAX_IPv6_STR_LEN];
714	char ptrv4 = (char* *)addrv4;
715	char ptr = (char* *)addr;
716
717	if (IN_ZERONET(ntohl(addrv4->s_addr)) \|\| // 0.0.0.0/8 Source hosts on local network
718	IN_LOOPBACK(ntohl(addrv4->s_addr)) \|\| // 127.0.0.0/8 Loopback
719	IN_LINKLOCAL(ntohl(addrv4->s_addr)) \|\| // 169.254.0.0/16 Link Local
720	IN_DS_LITE(ntohl(addrv4->s_addr)) \|\| // 192.0.0.0/29 DS-Lite
721	IN_6TO4_RELAY_ANYCAST(ntohl(addrv4->s_addr)) \|\| // 192.88.99.0/24 6to4 Relay Anycast
722	IN_MULTICAST(ntohl(addrv4->s_addr)) \|\| // 224.0.0.0/4 Multicast
723	INADDR_BROADCAST == addrv4->s_addr) { // 255.255.255.255/32 Limited Broadcast
724	return (-`1`);
725	}
726
727	/ Check for the well-known prefix /
728	if (len == NAT64_PREFIX_LEN_96 &&
729	IN6_ARE_ADDR_EQUAL(addr, &well_known_prefix)) {
730	if (IN_PRIVATE(ntohl(addrv4->s_addr)) \|\| // 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 Private-Use
731	IN_SHARED_ADDRESS_SPACE(ntohl(addrv4->s_addr))) // 100.64.0.0/10 Shared Address Space
732	return (-`1`);
733	}
734
735	switch (len) {
736	case NAT64_PREFIX_LEN_96:
737	memcpy(ptr + `12`, ptrv4, `4`);
738	break;
739	case NAT64_PREFIX_LEN_64:
740	memcpy(ptr + `9`, ptrv4, `4`);
741	break;
742	case NAT64_PREFIX_LEN_56:
743	memcpy(ptr + `7`, ptrv4, `1`);
744	memcpy(ptr + `9`, ptrv4 + `1`, `3`);
745	break;
746	case NAT64_PREFIX_LEN_48:
747	memcpy(ptr + `6`, ptrv4, `2`);
748	memcpy(ptr + `9`, ptrv4 + `2`, `2`);
749	break;
750	case NAT64_PREFIX_LEN_40:
751	memcpy(ptr + `5`, ptrv4, `3`);
752	memcpy(ptr + `9`, ptrv4 + `3`, `1`);
753	break;
754	case NAT64_PREFIX_LEN_32:
755	memcpy(ptr + `4`, ptrv4, `4`);
756	break;
757	default:
758	panic("NAT64-prefix len is wrong: %u\n", len);
759	}
760
761	os_log_info(mptcp_log_handle, "%s: nat64prefix-len %u synthesized %s\n",
762	__func__, len,
763	inet_ntop(AF_INET6, (void )addr, buf, sizeof*(buf)));
764
765	return (`0`);
766	}
767
768	static void
769	mptcp_trigger_cell_bringup(struct mptses *mpte)
770	{
771	struct socket *mp_so = mptetoso(mpte);
772
773	if (!uuid_is_null(mpsotomppcb(mp_so)->necp_client_uuid)) {
774	uuid_string_t uuidstr;
775	int err;
776
777	err = necp_client_assert_bb_radio_manager(mpsotomppcb(mp_so)->necp_client_uuid,
778	TRUE);
779
780	if (err == `0`)
781	mpte->mpte_triggered_cell = `1`;
782
783	uuid_unparse_upper(mpsotomppcb(mp_so)->necp_client_uuid, uuidstr);
784	os_log_info(mptcp_log_handle, "%s asked irat to bringup cell for uuid %s, err %d\n",
785	__func__, uuidstr, err);
786	} else {
787	os_log_info(mptcp_log_handle, "%s UUID is already null\n", __func__);
788	}
789	}
790
791
792	void
793	mptcp_check_subflows_and_add(struct mptses *mpte)
794	{
795	struct mptcb *mp_tp = mpte->mpte_mptcb;
796	boolean_t cellular_viable = FALSE;
797	boolean_t want_cellular = TRUE;
798	uint32_t i;
799
800	if (!mptcp_ok_to_create_subflows(mp_tp))
801	return;
802
803	for (i = `0`; i < mpte->mpte_itfinfo_size; i++) {
804	struct mpt_itf_info *info;
805	struct mptsub *mpts;
806	struct ifnet *ifp;
807	uint32_t ifindex;
808	int found = `0`;
809
810	info = &mpte->mpte_itfinfo[i];
811
812	if (info->no_mptcp_support)
813	continue;
814
815	ifindex = info->ifindex;
816	if (ifindex == IFSCOPE_NONE)
817	continue;
818
819	ifnet_head_lock_shared();
820	ifp = ifindex2ifnet[ifindex];
821	ifnet_head_done();
822
823	if (ifp == NULL)
824	continue;
825
826	if (IFNET_IS_CELLULAR(ifp))
827	cellular_viable = TRUE;
828
829	TAILQ_FOREACH(mpts, &mpte->mpte_subflows, mpts_entry) {
830	const struct ifnet *subifp = sotoinpcb(mpts->mpts_socket)->inp_last_outifp;
831
832	if (subifp == NULL)
833	continue;
834
835	/*
836	* In Handover mode, only create cell subflow if
837	* 1. Wi-Fi Assist is active
838	* 2. Symptoms marked WiFi as weak
839	* 3. We are experiencing RTOs or we are not sending data.
840	*
841	* This covers the scenario, where:
842	* 1. We send and get retransmission timeouts (thus,
843	* we confirmed that WiFi is indeed bad).
844	* 2. We are not sending and the server tries to send.
845	* Establshing a cell-subflow gives the server a
846	* chance to send us some data over cell if WiFi
847	* is dead. We establish the subflow with the
848	* backup-bit set, so the server is not allowed to
849	* send on this subflow as long as WiFi is providing
850	* good performance.
851	*/
852	if (mpte->mpte_svctype == MPTCP_SVCTYPE_HANDOVER &&
853	!IFNET_IS_CELLULAR(subifp) &&
854	!(mpts->mpts_flags & (MPTSF_DISCONNECTING \| MPTSF_DISCONNECTED \| MPTSF_CLOSE_REQD)) &&
855	(mptcp_is_wifi_unusable(mpte) == `0` \|\|
856	(sototcpcb(mpts->mpts_socket)->t_rxtshift < mptcp_fail_thresh * `2` &&
857	((mpte->mpte_flags & MPTE_FIRSTPARTY) \|\| mptetoso(mpte)->so_snd.sb_cc)))) {
858	os_log_debug(mptcp_log_handle, "%s handover, wifi state %d rxt %u first-party %u sb_cc %u ifindex %u this %u\n",
859	__func__, mptcp_is_wifi_unusable(mpte),
860	sototcpcb(mpts->mpts_socket)->t_rxtshift,
861	!!(mpte->mpte_flags & MPTE_FIRSTPARTY),
862	mptetoso(mpte)->so_snd.sb_cc,
863	ifindex, subifp->if_index);
864	found = `1`;
865
866	/ We found a proper subflow on WiFi - no need for cell /
867	want_cellular = FALSE;
868	break;
869	} else {
870	os_log_debug(mptcp_log_handle, "%s svc %u cell %u flags %#x unusable %d rtx %u first %u sbcc %u\n",
871	__func__, mpte->mpte_svctype, IFNET_IS_CELLULAR(subifp), mpts->mpts_flags,
872	mptcp_is_wifi_unusable(mpte), sototcpcb(mpts->mpts_socket)->t_rxtshift,
873	!!(mpte->mpte_flags & MPTE_FIRSTPARTY), mptetoso(mpte)->so_snd.sb_cc);
874
875	}
876
877	if (subifp->if_index == ifindex &&
878	!(mpts->mpts_socket->so_state & SS_ISDISCONNECTED) &&
879	sototcpcb(mpts->mpts_socket)->t_state != TCPS_CLOSED) {
880	/*
881	* We found a subflow on this interface.
882	* No need to create a new one.
883	*/
884	found = `1`;
885	break;
886	}
887	}
888
889	if (!found && !(mpte->mpte_flags & MPTE_FIRSTPARTY) &&
890	!(mpte->mpte_flags & MPTE_ACCESS_GRANTED) &&
891	mptcp_developer_mode == `0`) {
892	mptcp_ask_symptoms(mpte);
893	return;
894	}
895
896	if (!found) {
897	struct sockaddr *dst = &mpte->mpte_dst;
898	struct sockaddr_in6 nat64pre;
899
900	if (mpte->mpte_dst.sa_family == AF_INET &&
901	!info->has_v4_conn && info->has_nat64_conn) {
902	struct ipv6_prefix nat64prefixes[NAT64_MAX_NUM_PREFIXES];
903	int error, j;
904
905	bzero(&nat64pre, sizeof(struct sockaddr_in6));
906
907	error = ifnet_get_nat64prefix(ifp, nat64prefixes);
908	if (error) {
909	os_log_error(mptcp_log_handle, "%s: no NAT64-prefix on itf %s, error %d\n",
910	__func__, ifp->if_name, error);
911	continue;
912	}
913
914	for (j = `0`; j < NAT64_MAX_NUM_PREFIXES; j++) {
915	if (nat64prefixes[j].prefix_len != `0`)
916	break;
917	}
918
919	VERIFY(j < NAT64_MAX_NUM_PREFIXES);
920
921	error = mptcp_synthesize_nat64(&nat64prefixes[j].ipv6_prefix,
922	nat64prefixes[j].prefix_len,
923	&mpte->__mpte_dst_v4.sin_addr);
924	if (error != `0`) {
925	os_log_info(mptcp_log_handle, "%s: cannot synthesize this addr\n",
926	__func__);
927	continue;
928	}
929
930	memcpy(&nat64pre.sin6_addr,
931	&nat64prefixes[j].ipv6_prefix,
932	sizeof(nat64pre.sin6_addr));
933	nat64pre.sin6_len = sizeof(struct sockaddr_in6);
934	nat64pre.sin6_family = AF_INET6;
935	nat64pre.sin6_port = mpte->__mpte_dst_v6.sin6_port;
936	nat64pre.sin6_flowinfo = `0`;
937	nat64pre.sin6_scope_id = `0`;
938
939	dst = (struct sockaddr *)&nat64pre;
940	}
941
942	/ Initial subflow started on a NAT64'd address? /
943	if (mpte->mpte_dst.sa_family == AF_INET6 &&
944	mpte->mpte_dst_v4_nat64.sin_family == AF_INET) {
945	dst = (struct sockaddr *)&mpte->mpte_dst_v4_nat64;
946	}
947
948	if (dst->sa_family == AF_INET && !info->has_v4_conn)
949	continue;
950	if (dst->sa_family == AF_INET6 && !info->has_v6_conn)
951	continue;
952
953	mptcp_subflow_add(mpte, NULL, dst, ifindex, NULL);
954	}
955	}
956
957	if (!cellular_viable && want_cellular) {
958	/ Trigger Cell Bringup /
959	mptcp_trigger_cell_bringup(mpte);
960	}
961	}
962
963	/*
964	* Based on the MPTCP Service-type and the state of the subflows, we
965	* will destroy subflows here.
966	*/
967	static void
968	mptcp_check_subflows_and_remove(struct mptses *mpte)
969	{
970	struct mptsub mpts, tmpts;
971	int found_working_subflow = `0`, removed_some = `0`;
972	int wifi_unusable = mptcp_is_wifi_unusable(mpte);
973
974	if (mpte->mpte_svctype != MPTCP_SVCTYPE_HANDOVER)
975	return;
976
977	/*
978	* Look for a subflow that is on a non-cellular interface
979	* and actually works (aka, no retransmission timeout).
980	*/
981	TAILQ_FOREACH(mpts, &mpte->mpte_subflows, mpts_entry) {
982	const struct ifnet *ifp = sotoinpcb(mpts->mpts_socket)->inp_last_outifp;
983	struct socket *so;
984	struct tcpcb *tp;
985
986	if (ifp == NULL \|\| IFNET_IS_CELLULAR(ifp))
987	continue;
988
989	so = mpts->mpts_socket;
990	tp = sototcpcb(so);
991
992	if (!(mpts->mpts_flags & MPTSF_CONNECTED) \|\|
993	tp->t_state != TCPS_ESTABLISHED)
994	continue;
995
996	/ Is this subflow in good condition? /
997	if (tp->t_rxtshift == `0`)
998	found_working_subflow = `1`;
999
1000	/ Or WiFi is fine /
1001	if (!wifi_unusable)
1002	found_working_subflow = `1`;
1003	}
1004
1005	/*
1006	* Couldn't find a working subflow, let's not remove those on a cellular
1007	* interface.
1008	*/
1009	if (!found_working_subflow)
1010	return;
1011
1012	TAILQ_FOREACH_SAFE(mpts, &mpte->mpte_subflows, mpts_entry, tmpts) {
1013	const struct ifnet *ifp = sotoinpcb(mpts->mpts_socket)->inp_last_outifp;
1014
1015	/ Only remove cellular subflows /
1016	if (ifp == NULL \|\| !IFNET_IS_CELLULAR(ifp))
1017	continue;
1018
1019	soevent(mpts->mpts_socket, SO_FILT_HINT_LOCKED \| SO_FILT_HINT_MUSTRST);
1020	removed_some = `1`;
1021	}
1022
1023	if (removed_some)
1024	mptcp_unset_cellicon();
1025	}
1026
1027	static void
1028	mptcp_remove_subflows(struct mptses *mpte)
1029	{
1030	struct mptsub mpts, tmpts;
1031
1032	TAILQ_FOREACH_SAFE(mpts, &mpte->mpte_subflows, mpts_entry, tmpts) {
1033	if (mpts->mpts_flags & MPTSF_CLOSE_REQD) {
1034	mpts->mpts_flags &= ~MPTSF_CLOSE_REQD;
1035
1036	soevent(mpts->mpts_socket,
1037	SO_FILT_HINT_LOCKED \| SO_FILT_HINT_NOSRCADDR);
1038	}
1039	}
1040	}
1041
1042	static void
1043	mptcp_create_subflows(__unused void *arg)
1044	{
1045	struct mppcb *mpp;
1046
1047	/*
1048	* Start with clearing, because we might be processing connections
1049	* while a new event comes in.
1050	*/
1051	if (OSTestAndClear(`0x01`, &mptcp_create_subflows_scheduled))
1052	mptcplog((LOG_ERR, "%s: bit was already cleared!\n", __func__),
1053	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
1054
1055	/ Iterate over all MPTCP connections /
1056
1057	lck_mtx_lock(&mtcbinfo.mppi_lock);
1058
1059	TAILQ_FOREACH(mpp, &mtcbinfo.mppi_pcbs, mpp_entry) {
1060	struct mptses *mpte;
1061	struct socket *mp_so;
1062
1063	if (!(mpp->mpp_flags & MPP_CREATE_SUBFLOWS))
1064	continue;
1065
1066	mpp_lock(mpp);
1067
1068	mpp->mpp_flags &= ~MPP_CREATE_SUBFLOWS;
1069
1070	mpte = mpp->mpp_pcbe;
1071	mp_so = mpp->mpp_socket;
1072
1073	VERIFY(mp_so->so_usecount > `0`);
1074
1075	mptcp_check_subflows_and_add(mpte);
1076	mptcp_remove_subflows(mpte);
1077
1078	mp_so->so_usecount--; / See mptcp_sched_create_subflows /
1079	mpp_unlock(mpp);
1080	}
1081
1082	lck_mtx_unlock(&mtcbinfo.mppi_lock);
1083	}
1084
1085	/*
1086	* We need this because we are coming from an NECP-event. This event gets posted
1087	* while holding NECP-locks. The creation of the subflow however leads us back
1088	* into NECP (e.g., to add the necp_cb and also from tcp_connect).
1089	* So, we would deadlock there as we already hold the NECP-lock.
1090	*
1091	* So, let's schedule this separately. It also gives NECP the chance to make
1092	* progress, without having to wait for MPTCP to finish its subflow creation.
1093	*/
1094	void
1095	mptcp_sched_create_subflows(struct mptses *mpte)
1096	{
1097	struct mppcb *mpp = mpte->mpte_mppcb;
1098	struct mptcb *mp_tp = mpte->mpte_mptcb;
1099	struct socket *mp_so = mpp->mpp_socket;
1100
1101	if (!mptcp_ok_to_create_subflows(mp_tp)) {
1102	mptcplog((LOG_DEBUG, "%s: not a good time for subflows, state %u flags %#x",
1103	__func__, mp_tp->mpt_state, mp_tp->mpt_flags),
1104	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
1105	return;
1106	}
1107
1108	if (!(mpp->mpp_flags & MPP_CREATE_SUBFLOWS)) {
1109	mp_so->so_usecount++; / To prevent it from being free'd in-between /
1110	mpp->mpp_flags \|= MPP_CREATE_SUBFLOWS;
1111	}
1112
1113	if (OSTestAndSet(`0x01`, &mptcp_create_subflows_scheduled))
1114	return;
1115
1116	/ Do the call in 100ms to allow NECP to schedule it on all sockets /
1117	timeout(mptcp_create_subflows, NULL, hz/`10`);
1118	}
1119
1120	/*
1121	* Allocate an MPTCP socket option structure.
1122	*/
1123	struct mptopt *
1124	mptcp_sopt_alloc(int how)
1125	{
1126	struct mptopt *mpo;
1127
1128	mpo = (how == M_WAITOK) ? zalloc(mptopt_zone) :
1129	zalloc_noblock(mptopt_zone);
1130	if (mpo != NULL) {
1131	bzero(mpo, mptopt_zone_size);
1132	}
1133
1134	return (mpo);
1135	}
1136
1137	/*
1138	* Free an MPTCP socket option structure.
1139	*/
1140	void
1141	mptcp_sopt_free(struct mptopt *mpo)
1142	{
1143	VERIFY(!(mpo->mpo_flags & MPOF_ATTACHED));
1144
1145	zfree(mptopt_zone, mpo);
1146	}
1147
1148	/*
1149	* Add a socket option to the MPTCP socket option list.
1150	*/
1151	void
1152	mptcp_sopt_insert(struct mptses mpte, struct* mptopt *mpo)
1153	{
1154	mpte_lock_assert_held(mpte); / same as MP socket lock /
1155	mpo->mpo_flags \|= MPOF_ATTACHED;
1156	TAILQ_INSERT_TAIL(&mpte->mpte_sopts, mpo, mpo_entry);
1157	}
1158
1159	/*
1160	* Remove a socket option from the MPTCP socket option list.
1161	*/
1162	void
1163	mptcp_sopt_remove(struct mptses mpte, struct* mptopt *mpo)
1164	{
1165	mpte_lock_assert_held(mpte); / same as MP socket lock /
1166	VERIFY(mpo->mpo_flags & MPOF_ATTACHED);
1167	mpo->mpo_flags &= ~MPOF_ATTACHED;
1168	TAILQ_REMOVE(&mpte->mpte_sopts, mpo, mpo_entry);
1169	}
1170
1171	/*
1172	* Search for an existing <sopt_level,sopt_name> socket option.
1173	*/
1174	struct mptopt *
1175	mptcp_sopt_find(struct mptses mpte, struct* sockopt *sopt)
1176	{
1177	struct mptopt *mpo;
1178
1179	mpte_lock_assert_held(mpte); / same as MP socket lock /
1180
1181	TAILQ_FOREACH(mpo, &mpte->mpte_sopts, mpo_entry) {
1182	if (mpo->mpo_level == sopt->sopt_level &&
1183	mpo->mpo_name == sopt->sopt_name)
1184	break;
1185	}
1186	return (mpo);
1187	}
1188
1189	/*
1190	* Allocate a MPTCP subflow structure.
1191	*/
1192	static struct mptsub *
1193	mptcp_subflow_alloc(void)
1194	{
1195	struct mptsub *mpts = zalloc(mptsub_zone);
1196
1197	if (mpts == NULL)
1198	return (NULL);
1199
1200	bzero(mpts, mptsub_zone_size);
1201	return (mpts);
1202	}
1203
1204	/*
1205	* Deallocate a subflow structure, called when all of the references held
1206	* on it have been released. This implies that the subflow has been deleted.
1207	*/
1208	static void
1209	mptcp_subflow_free(struct mptsub *mpts)
1210	{
1211	VERIFY(mpts->mpts_refcnt == `0`);
1212	VERIFY(!(mpts->mpts_flags & MPTSF_ATTACHED));
1213	VERIFY(mpts->mpts_mpte == NULL);
1214	VERIFY(mpts->mpts_socket == NULL);
1215
1216	if (mpts->mpts_src != NULL) {
1217	FREE(mpts->mpts_src, M_SONAME);
1218	mpts->mpts_src = NULL;
1219	}
1220
1221	zfree(mptsub_zone, mpts);
1222	}
1223
1224	static void
1225	mptcp_subflow_addref(struct mptsub *mpts)
1226	{
1227	if (++mpts->mpts_refcnt == `0`)
1228	panic("%s: mpts %p wraparound refcnt\n", __func__, mpts);
1229	/ NOTREACHED /
1230	}
1231
1232	static void
1233	mptcp_subflow_remref(struct mptsub *mpts)
1234	{
1235	if (mpts->mpts_refcnt == `0`) {
1236	panic("%s: mpts %p negative refcnt\n", __func__, mpts);
1237	/ NOTREACHED /
1238	}
1239	if (--mpts->mpts_refcnt > `0`)
1240	return;
1241
1242	/ callee will unlock and destroy lock /
1243	mptcp_subflow_free(mpts);
1244	}
1245
1246	static void
1247	mptcp_subflow_attach(struct mptses mpte, struct* mptsub mpts, struct* socket *so)
1248	{
1249	struct socket *mp_so = mpte->mpte_mppcb->mpp_socket;
1250	struct tcpcb *tp = sototcpcb(so);
1251
1252	/*
1253	* From this moment on, the subflow is linked to the MPTCP-connection.
1254	* Locking,... happens now at the MPTCP-layer
1255	*/
1256	tp->t_mptcb = mpte->mpte_mptcb;
1257	so->so_flags \|= SOF_MP_SUBFLOW;
1258	mp_so->so_usecount++;
1259
1260	/*
1261	* Insert the subflow into the list, and associate the MPTCP PCB
1262	* as well as the the subflow socket. From this point on, removing
1263	* the subflow needs to be done via mptcp_subflow_del().
1264	*/
1265	TAILQ_INSERT_TAIL(&mpte->mpte_subflows, mpts, mpts_entry);
1266	mpte->mpte_numflows++;
1267
1268	atomic_bitset_32(&mpts->mpts_flags, MPTSF_ATTACHED);
1269	mpts->mpts_mpte = mpte;
1270	mpts->mpts_socket = so;
1271	tp->t_mpsub = mpts;
1272	mptcp_subflow_addref(mpts); / for being in MPTCP subflow list /
1273	mptcp_subflow_addref(mpts); / for subflow socket /
1274	}
1275
1276	static void
1277	mptcp_subflow_necp_cb(void handle, __unused int* action,
1278	__unused uint32_t interface_index,
1279	uint32_t necp_flags, bool *viable)
1280	{
1281	boolean_t low_power = !!(necp_flags & NECP_CLIENT_RESULT_FLAG_INTERFACE_LOW_POWER);
1282	struct inpcb inp = (struct* inpcb *)handle;
1283	struct socket *so = inp->inp_socket;
1284	struct mptsub *mpts;
1285	struct mptses *mpte;
1286
1287	if (low_power)
1288	action = NECP_CLIENT_CBACTION_NONVIABLE;
1289
1290	if (action != NECP_CLIENT_CBACTION_NONVIABLE)
1291	return;
1292
1293	/*
1294	* The socket is being garbage-collected. There is nothing to be done
1295	* here.
1296	*/
1297	if (so->so_usecount == `0`)
1298	return;
1299
1300	socket_lock(so, `1`);
1301
1302	/ Check again after we acquired the lock. /
1303	if (so->so_usecount == `0`)
1304	goto out;
1305
1306	mpte = tptomptp(sototcpcb(so))->mpt_mpte;
1307	mpts = sototcpcb(so)->t_mpsub;
1308
1309	os_log_debug(mptcp_log_handle, "%s Subflow on itf %u became non-viable, power %u",
1310	__func__, mpts->mpts_ifscope, low_power);
1311
1312	mpts->mpts_flags \|= MPTSF_CLOSE_REQD;
1313
1314	mptcp_sched_create_subflows(mpte);
1315
1316	if (mpte->mpte_svctype == MPTCP_SVCTYPE_HANDOVER && viable != NULL)
1317	*viable = `1`;
1318
1319	out:
1320	socket_unlock(so, `1`);
1321	}
1322
1323	/*
1324	* Create an MPTCP subflow socket.
1325	*/
1326	static int
1327	mptcp_subflow_socreate(struct mptses mpte, struct* mptsub mpts, int* dom,
1328	struct socket **so)
1329	{
1330	lck_mtx_t *subflow_mtx;
1331	struct mptopt smpo, mpo, tmpo;
1332	struct proc *p;
1333	struct socket *mp_so;
1334	int error;
1335
1336	*so = NULL;
1337	mpte_lock_assert_held(mpte); / same as MP socket lock /
1338	mp_so = mptetoso(mpte);
1339
1340	p = proc_find(mp_so->last_pid);
1341	if (p == PROC_NULL) {
1342	mptcplog((LOG_ERR, "%s: Couldn't find proc for pid %u\n", __func__, mp_so->last_pid),
1343	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
1344
1345	return (ESRCH);
1346	}
1347
1348	/*
1349	* Create the subflow socket (multipath subflow, non-blocking.)
1350	*
1351	* This will cause SOF_MP_SUBFLOW socket flag to be set on the subflow
1352	* socket; it will be cleared when the socket is peeled off or closed.
1353	* It also indicates to the underlying TCP to handle MPTCP options.
1354	* A multipath subflow socket implies SS_NOFDREF state.
1355	*/
1356
1357	/*
1358	* Unlock, because tcp_usr_attach ends up in in_pcballoc, which takes
1359	* the ipi-lock. We cannot hold the socket-lock at that point.
1360	*/
1361	mpte_unlock(mpte);
1362	error = socreate_internal(dom, so, SOCK_STREAM, IPPROTO_TCP, p,
1363	SOCF_ASYNC, PROC_NULL);
1364	mpte_lock(mpte);
1365	if (error) {
1366	mptcplog((LOG_ERR, "%s: subflow socreate mp_so 0x%llx unable to create subflow socket error %d\n",
1367	__func__, (u_int64_t)VM_KERNEL_ADDRPERM(mp_so), error),
1368	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
1369
1370	proc_rele(p);
1371
1372	mptcp_subflow_free(mpts);
1373	return (error);
1374	}
1375
1376	/*
1377	* We need to protect the setting of SOF_MP_SUBFLOW with a lock, because
1378	* this marks the moment of lock-switch from the TCP-lock to the MPTCP-lock.
1379	* Which is why we also need to get the lock with pr_getlock, as after
1380	* setting the flag, socket_unlock will work on the MPTCP-level lock.
1381	*/
1382	subflow_mtx = ((so)->so_proto->pr_getlock)(so, `0`);
1383	lck_mtx_lock(subflow_mtx);
1384
1385	/*
1386	* Must be the first thing we do, to make sure all pointers for this
1387	* subflow are set.
1388	*/
1389	mptcp_subflow_attach(mpte, mpts, *so);
1390
1391	/*
1392	* A multipath subflow socket is used internally in the kernel,
1393	* therefore it does not have a file desciptor associated by
1394	* default.
1395	*/
1396	(*so)->so_state \|= SS_NOFDREF;
1397
1398	lck_mtx_unlock(subflow_mtx);
1399
1400	/ prevent the socket buffers from being compressed /
1401	(*so)->so_rcv.sb_flags \|= SB_NOCOMPRESS;
1402	(*so)->so_snd.sb_flags \|= SB_NOCOMPRESS;
1403
1404	/ Inherit preconnect and TFO data flags /
1405	if (mp_so->so_flags1 & SOF1_PRECONNECT_DATA)
1406	(*so)->so_flags1 \|= SOF1_PRECONNECT_DATA;
1407	if (mp_so->so_flags1 & SOF1_DATA_IDEMPOTENT)
1408	(*so)->so_flags1 \|= SOF1_DATA_IDEMPOTENT;
1409
1410	/ Inherit uuid and create the related flow. /
1411	if (!uuid_is_null(mpsotomppcb(mp_so)->necp_client_uuid)) {
1412	struct mptcb *mp_tp = mpte->mpte_mptcb;
1413
1414	sotoinpcb(*so)->necp_cb = mptcp_subflow_necp_cb;
1415
1416	/*
1417	* A note on the unlock: With MPTCP, we do multiple times a
1418	* necp_client_register_socket_flow. This is problematic,
1419	* because now the lock-ordering guarantee (first necp-locks,
1420	* then socket-locks) is no more respected. So, we need to
1421	* unlock here.
1422	*/
1423	mpte_unlock(mpte);
1424	error = necp_client_register_socket_flow(mp_so->last_pid,
1425	mpsotomppcb(mp_so)->necp_client_uuid, sotoinpcb(*so));
1426	mpte_lock(mpte);
1427
1428	if (error)
1429	goto out_err;
1430
1431	/ Possible state-change during the unlock above /
1432	if (mp_tp->mpt_state >= MPTCPS_TIME_WAIT \|\|
1433	(mp_tp->mpt_flags & MPTCPF_FALLBACK_TO_TCP))
1434	goto out_err;
1435
1436	uuid_copy(sotoinpcb(*so)->necp_client_uuid, mpsotomppcb(mp_so)->necp_client_uuid);
1437	} else {
1438	mptcplog((LOG_NOTICE, "%s: uuid is not set!\n"),
1439	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_LOG);
1440	}
1441
1442	/ inherit the other socket options /
1443	bzero(&smpo, sizeof (smpo));
1444	smpo.mpo_flags \|= MPOF_SUBFLOW_OK;
1445	smpo.mpo_level = SOL_SOCKET;
1446	smpo.mpo_intval = `1`;
1447
1448	/ disable SIGPIPE /
1449	smpo.mpo_name = SO_NOSIGPIPE;
1450	if ((error = mptcp_subflow_sosetopt(mpte, mpts, &smpo)) != `0`)
1451	goto out_err;
1452
1453	/ find out if the subflow's source address goes away /
1454	smpo.mpo_name = SO_NOADDRERR;
1455	if ((error = mptcp_subflow_sosetopt(mpte, mpts, &smpo)) != `0`)
1456	goto out_err;
1457
1458	/ enable keepalive /
1459	smpo.mpo_name = SO_KEEPALIVE;
1460	if ((error = mptcp_subflow_sosetopt(mpte, mpts, &smpo)) != `0`)
1461	goto out_err;
1462
1463	smpo.mpo_level = IPPROTO_TCP;
1464	smpo.mpo_intval = mptcp_subflow_keeptime;
1465	smpo.mpo_name = TCP_KEEPALIVE;
1466	if ((error = mptcp_subflow_sosetopt(mpte, mpts, &smpo)) != `0`)
1467	goto out_err;
1468
1469	if (mpte->mpte_mptcb->mpt_state >= MPTCPS_ESTABLISHED) {
1470	/*
1471	* On secondary subflows we might need to set the cell-fallback
1472	* flag (see conditions in mptcp_subflow_sosetopt).
1473	*/
1474	smpo.mpo_level = SOL_SOCKET;
1475	smpo.mpo_name = SO_MARK_CELLFALLBACK;
1476	smpo.mpo_intval = `1`;
1477	if ((error = mptcp_subflow_sosetopt(mpte, mpts, &smpo)) != `0`)
1478	goto out_err;
1479	}
1480
1481	/ replay setsockopt(2) on the subflow sockets for eligible options /
1482	TAILQ_FOREACH_SAFE(mpo, &mpte->mpte_sopts, mpo_entry, tmpo) {
1483	int interim;
1484
1485	if (!(mpo->mpo_flags & MPOF_SUBFLOW_OK))
1486	continue;
1487
1488	/*
1489	* Skip those that are handled internally; these options
1490	* should not have been recorded and marked with the
1491	* MPOF_SUBFLOW_OK by mptcp_setopt(), but just in case.
1492	*/
1493	if (mpo->mpo_level == SOL_SOCKET &&
1494	(mpo->mpo_name == SO_NOSIGPIPE \|\|
1495	mpo->mpo_name == SO_NOADDRERR \|\|
1496	mpo->mpo_name == SO_KEEPALIVE))
1497	continue;
1498
1499	interim = (mpo->mpo_flags & MPOF_INTERIM);
1500	if (mptcp_subflow_sosetopt(mpte, mpts, mpo) != `0` && interim) {
1501	mptcplog((LOG_ERR, "%s: subflow socreate mp_so 0x%llx"
1502	" sopt %s val %d interim record removed\n", __func__,
1503	(u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
1504	mptcp_sopt2str(mpo->mpo_level, mpo->mpo_name),
1505	mpo->mpo_intval),
1506	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
1507	mptcp_sopt_remove(mpte, mpo);
1508	mptcp_sopt_free(mpo);
1509	continue;
1510	}
1511	}
1512
1513	/*
1514	* We need to receive everything that the subflow socket has,
1515	* so use a customized socket receive function. We will undo
1516	* this when the socket is peeled off or closed.
1517	*/
1518	switch (dom) {
1519	case PF_INET:
1520	(*so)->so_proto = &mptcp_subflow_protosw;
1521	break;
1522	#if INET6
1523	case PF_INET6:
1524	(so)->so_proto = (struct* protosw *)&mptcp_subflow_protosw6;
1525	break;
1526	#endif /* INET6 */
1527	default:
1528	VERIFY(`0`);
1529	/ NOTREACHED /
1530	}
1531
1532	proc_rele(p);
1533
1534	DTRACE_MPTCP3(subflow__create, struct mptses *, mpte,
1535	int, dom, int, error);
1536
1537	return (`0`);
1538
1539	out_err:
1540	mptcp_subflow_abort(mpts, error);
1541
1542	proc_rele(p);
1543
1544	mptcplog((LOG_ERR, "%s: subflow socreate failed with error %d\n",
1545	__func__, error), MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
1546
1547	return (error);
1548	}
1549
1550	/*
1551	* Close an MPTCP subflow socket.
1552	*
1553	* Note that this may be called on an embryonic subflow, and the only
1554	* thing that is guaranteed valid is the protocol-user request.
1555	*/
1556	static void
1557	mptcp_subflow_soclose(struct mptsub *mpts)
1558	{
1559	struct socket *so = mpts->mpts_socket;
1560
1561	if (mpts->mpts_flags & MPTSF_CLOSED)
1562	return;
1563
1564	VERIFY(so != NULL);
1565	VERIFY(so->so_flags & SOF_MP_SUBFLOW);
1566	VERIFY((so->so_state & (SS_NBIO\|SS_NOFDREF)) == (SS_NBIO\|SS_NOFDREF));
1567
1568	DTRACE_MPTCP5(subflow__close, struct mptsub *, mpts,
1569	struct socket *, so,
1570	struct sockbuf *, &so->so_rcv,
1571	struct sockbuf *, &so->so_snd,
1572	struct mptses *, mpts->mpts_mpte);
1573
1574	mpts->mpts_flags \|= MPTSF_CLOSED;
1575
1576	if (so->so_retaincnt == `0`) {
1577	soclose_locked(so);
1578
1579	return;
1580	} else {
1581	VERIFY(so->so_usecount > `0`);
1582	so->so_usecount--;
1583	}
1584
1585	return;
1586	}
1587
1588	/*
1589	* Connect an MPTCP subflow socket.
1590	*
1591	* Note that in the pending connect case, the subflow socket may have been
1592	* bound to an interface and/or a source IP address which may no longer be
1593	* around by the time this routine is called; in that case the connect attempt
1594	* will most likely fail.
1595	*/
1596	static int
1597	mptcp_subflow_soconnectx(struct mptses mpte, struct* mptsub *mpts)
1598	{
1599	char dbuf[MAX_IPv6_STR_LEN];
1600	struct socket mp_so, so;
1601	struct mptcb *mp_tp;
1602	struct sockaddr *dst;
1603	struct proc *p;
1604	int af, error, dport;
1605
1606	mp_so = mptetoso(mpte);
1607	mp_tp = mpte->mpte_mptcb;
1608	so = mpts->mpts_socket;
1609	af = mpts->mpts_dst.sa_family;
1610	dst = &mpts->mpts_dst;
1611
1612	VERIFY((mpts->mpts_flags & (MPTSF_CONNECTING\|MPTSF_CONNECTED)) == MPTSF_CONNECTING);
1613	VERIFY(mpts->mpts_socket != NULL);
1614	VERIFY(af == AF_INET \|\| af == AF_INET6);
1615
1616	if (af == AF_INET) {
1617	inet_ntop(af, &SIN(dst)->sin_addr.s_addr, dbuf, sizeof (dbuf));
1618	dport = ntohs(SIN(dst)->sin_port);
1619	} else {
1620	inet_ntop(af, &SIN6(dst)->sin6_addr, dbuf, sizeof (dbuf));
1621	dport = ntohs(SIN6(dst)->sin6_port);
1622	}
1623
1624	os_log_info(mptcp_log_handle,
1625	"%s: ifindex %u dst %s:%d pended %u\n", __func__, mpts->mpts_ifscope,
1626	dbuf, dport, !!(mpts->mpts_flags & MPTSF_CONNECT_PENDING));
1627
1628	p = proc_find(mp_so->last_pid);
1629	if (p == PROC_NULL) {
1630	mptcplog((LOG_ERR, "%s: Couldn't find proc for pid %u\n", __func__, mp_so->last_pid),
1631	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
1632
1633	return (ESRCH);
1634	}
1635
1636	mpts->mpts_flags &= ~MPTSF_CONNECT_PENDING;
1637
1638	mptcp_attach_to_subf(so, mpte->mpte_mptcb, mpte->mpte_addrid_last);
1639
1640	/ connect the subflow socket /
1641	error = soconnectxlocked(so, mpts->mpts_src, &mpts->mpts_dst,
1642	p, mpts->mpts_ifscope,
1643	mpte->mpte_associd, NULL, `0`, NULL, `0`, NULL, NULL);
1644
1645	mpts->mpts_iss = sototcpcb(so)->iss;
1646
1647	/ See tcp_connect_complete /
1648	if (mp_tp->mpt_state < MPTCPS_ESTABLISHED &&
1649	(mp_so->so_flags1 & SOF1_PRECONNECT_DATA)) {
1650	mp_tp->mpt_sndwnd = sototcpcb(so)->snd_wnd;
1651	}
1652
1653	/ Allocate a unique address id per subflow /
1654	mpte->mpte_addrid_last++;
1655	if (mpte->mpte_addrid_last == `0`)
1656	mpte->mpte_addrid_last++;
1657
1658	proc_rele(p);
1659
1660	DTRACE_MPTCP3(subflow__connect, struct mptses *, mpte,
1661	struct mptsub , mpts, int*, error);
1662	if (error)
1663	mptcplog((LOG_ERR, "%s: connectx failed with error %d ifscope %u\n",
1664	__func__, error, mpts->mpts_ifscope),
1665	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
1666
1667	return (error);
1668	}
1669
1670	/*
1671	* MPTCP subflow socket receive routine, derived from soreceive().
1672	*/
1673	static int
1674	mptcp_subflow_soreceive(struct socket so, struct* sockaddr **psa,
1675	struct uio uio, struct* mbuf mp0, struct mbuf controlp, int *flagsp)
1676	{
1677	#pragma unused(uio)
1678	struct socket *mp_so = mptetoso(tptomptp(sototcpcb(so))->mpt_mpte);
1679	int flags, error = `0`;
1680	struct proc *p = current_proc();
1681	struct mbuf m, *mp = mp0;
1682	boolean_t proc_held = FALSE;
1683
1684	mpte_lock_assert_held(tptomptp(sototcpcb(so))->mpt_mpte);
1685	VERIFY(so->so_proto->pr_flags & PR_CONNREQUIRED);
1686
1687	#ifdef MORE_LOCKING_DEBUG
1688	if (so->so_usecount == `1`) {
1689	panic("%s: so=%x no other reference on socket\n", __func__, so);
1690	/ NOTREACHED /
1691	}
1692	#endif
1693	/*
1694	* We return all that is there in the subflow's socket receive buffer
1695	* to the MPTCP layer, so we require that the caller passes in the
1696	* expected parameters.
1697	*/
1698	if (mp == NULL \|\| controlp != NULL)
1699	return (EINVAL);
1700
1701	*mp = NULL;
1702	if (psa != NULL)
1703	*psa = NULL;
1704	if (flagsp != NULL)
1705	flags = *flagsp &~ MSG_EOR;
1706	else
1707	flags = `0`;
1708
1709	if (flags & (MSG_PEEK\|MSG_OOB\|MSG_NEEDSA\|MSG_WAITALL\|MSG_WAITSTREAM))
1710	return (EOPNOTSUPP);
1711
1712	flags \|= (MSG_DONTWAIT\|MSG_NBIO);
1713
1714	/*
1715	* If a recv attempt is made on a previously-accepted socket
1716	* that has been marked as inactive (disconnected), reject
1717	* the request.
1718	*/
1719	if (so->so_flags & SOF_DEFUNCT) {
1720	struct sockbuf *sb = &so->so_rcv;
1721
1722	error = ENOTCONN;
1723	/*
1724	* This socket should have been disconnected and flushed
1725	* prior to being returned from sodefunct(); there should
1726	* be no data on its receive list, so panic otherwise.
1727	*/
1728	if (so->so_state & SS_DEFUNCT)
1729	sb_empty_assert(sb, __func__);
1730	return (error);
1731	}
1732
1733	/*
1734	* See if the socket has been closed (SS_NOFDREF\|SS_CANTRCVMORE)
1735	* and if so just return to the caller. This could happen when
1736	* soreceive() is called by a socket upcall function during the
1737	* time the socket is freed. The socket buffer would have been
1738	* locked across the upcall, therefore we cannot put this thread
1739	* to sleep (else we will deadlock) or return EWOULDBLOCK (else
1740	* we may livelock), because the lock on the socket buffer will
1741	* only be released when the upcall routine returns to its caller.
1742	* Because the socket has been officially closed, there can be
1743	* no further read on it.
1744	*
1745	* A multipath subflow socket would have its SS_NOFDREF set by
1746	* default, so check for SOF_MP_SUBFLOW socket flag; when the
1747	* socket is closed for real, SOF_MP_SUBFLOW would be cleared.
1748	*/
1749	if ((so->so_state & (SS_NOFDREF \| SS_CANTRCVMORE)) ==
1750	(SS_NOFDREF \| SS_CANTRCVMORE) && !(so->so_flags & SOF_MP_SUBFLOW))
1751	return (`0`);
1752
1753	/*
1754	* For consistency with soreceive() semantics, we need to obey
1755	* SB_LOCK in case some other code path has locked the buffer.
1756	*/
1757	error = sblock(&so->so_rcv, `0`);
1758	if (error != `0`)
1759	return (error);
1760
1761	m = so->so_rcv.sb_mb;
1762	if (m == NULL) {
1763	/*
1764	* Panic if we notice inconsistencies in the socket's
1765	* receive list; both sb_mb and sb_cc should correctly
1766	* reflect the contents of the list, otherwise we may
1767	* end up with false positives during select() or poll()
1768	* which could put the application in a bad state.
1769	*/
1770	SB_MB_CHECK(&so->so_rcv);
1771
1772	if (so->so_error != `0`) {
1773	error = so->so_error;
1774	so->so_error = `0`;
1775	goto release;
1776	}
1777
1778	if (so->so_state & SS_CANTRCVMORE) {
1779	goto release;
1780	}
1781
1782	if (!(so->so_state & (SS_ISCONNECTED\|SS_ISCONNECTING))) {
1783	error = ENOTCONN;
1784	goto release;
1785	}
1786
1787	/*
1788	* MSG_DONTWAIT is implicitly defined and this routine will
1789	* never block, so return EWOULDBLOCK when there is nothing.
1790	*/
1791	error = EWOULDBLOCK;
1792	goto release;
1793	}
1794
1795	mptcp_update_last_owner(so, mp_so);
1796
1797	if (mp_so->last_pid != proc_pid(p)) {
1798	p = proc_find(mp_so->last_pid);
1799	if (p == PROC_NULL) {
1800	p = current_proc();
1801	} else {
1802	proc_held = TRUE;
1803	}
1804	}
1805
1806	OSIncrementAtomicLong(&p->p_stats->p_ru.ru_msgrcv);
1807	SBLASTRECORDCHK(&so->so_rcv, "mptcp_subflow_soreceive 1");
1808	SBLASTMBUFCHK(&so->so_rcv, "mptcp_subflow_soreceive 1");
1809
1810	while (m != NULL) {
1811	int dlen = `0`, dfin = `0`, error_out = `0`;
1812	struct mbuf *start = m;
1813	uint64_t dsn;
1814	uint32_t sseq;
1815	uint16_t orig_dlen;
1816	uint16_t csum;
1817
1818	VERIFY(m->m_nextpkt == NULL);
1819
1820	if ((m->m_flags & M_PKTHDR) && (m->m_pkthdr.pkt_flags & PKTF_MPTCP)) {
1821	orig_dlen = dlen = m->m_pkthdr.mp_rlen;
1822	dsn = m->m_pkthdr.mp_dsn;
1823	sseq = m->m_pkthdr.mp_rseq;
1824	csum = m->m_pkthdr.mp_csum;
1825	} else {
1826	/ We did fallback /
1827	mptcp_adj_rmap(so, m, `0`, `0`, `0`, `0`);
1828
1829	sbfree(&so->so_rcv, m);
1830
1831	if (mp != NULL) {
1832	*mp = m;
1833	mp = &m->m_next;
1834	so->so_rcv.sb_mb = m = m->m_next;
1835	*mp = NULL;
1836
1837	}
1838
1839	if (m != NULL) {
1840	so->so_rcv.sb_lastrecord = m;
1841	} else {
1842	SB_EMPTY_FIXUP(&so->so_rcv);
1843	}
1844
1845	continue;
1846	}
1847
1848	if (m->m_pkthdr.pkt_flags & PKTF_MPTCP_DFIN)
1849	dfin = `1`;
1850
1851	/*
1852	* Check if the full mapping is now present
1853	*/
1854	if ((int)so->so_rcv.sb_cc < dlen - dfin) {
1855	mptcplog((LOG_INFO, "%s not enough data (%u) need %u for dsn %u\n",
1856	__func__, so->so_rcv.sb_cc, dlen, (uint32_t)dsn),
1857	MPTCP_RECEIVER_DBG, MPTCP_LOGLVL_LOG);
1858
1859	if (*mp0 == NULL)
1860	error = EWOULDBLOCK;
1861	goto release;
1862	}
1863
1864	/ Now, get the full mapping /
1865	while (dlen > `0`) {
1866	if (mptcp_adj_rmap(so, m, orig_dlen - dlen, dsn, sseq, orig_dlen)) {
1867	error_out = `1`;
1868	error = EIO;
1869	dlen = `0`;
1870	soevent(so, SO_FILT_HINT_LOCKED \| SO_FILT_HINT_MUSTRST);
1871	break;
1872	}
1873
1874	dlen -= m->m_len;
1875	sbfree(&so->so_rcv, m);
1876
1877	if (mp != NULL) {
1878	*mp = m;
1879	mp = &m->m_next;
1880	so->so_rcv.sb_mb = m = m->m_next;
1881	*mp = NULL;
1882	}
1883
1884	if (dlen - dfin == `0`)
1885	dlen = `0`;
1886
1887	VERIFY(dlen <= `0` \|\| m);
1888	}
1889
1890	VERIFY(dlen == `0`);
1891
1892	if (m != NULL) {
1893	so->so_rcv.sb_lastrecord = m;
1894	} else {
1895	SB_EMPTY_FIXUP(&so->so_rcv);
1896	}
1897
1898	if (error_out)
1899	goto release;
1900
1901
1902	if (mptcp_validate_csum(sototcpcb(so), start, dsn, sseq, orig_dlen, csum, dfin)) {
1903	error = EIO;
1904	*mp0 = NULL;
1905	goto release;
1906	}
1907
1908	SBLASTRECORDCHK(&so->so_rcv, "mptcp_subflow_soreceive 2");
1909	SBLASTMBUFCHK(&so->so_rcv, "mptcp_subflow_soreceive 2");
1910	}
1911
1912	DTRACE_MPTCP3(subflow__receive, struct socket *, so,
1913	struct sockbuf , &so->so_rcv, struct* sockbuf *, &so->so_snd);
1914
1915	if (flagsp != NULL)
1916	*flagsp \|= flags;
1917
1918	release:
1919	sbunlock(&so->so_rcv, TRUE);
1920
1921	if (proc_held)
1922	proc_rele(p);
1923
1924	return (error);
1925
1926	}
1927
1928	/*
1929	* MPTCP subflow socket send routine, derived from sosend().
1930	*/
1931	static int
1932	mptcp_subflow_sosend(struct socket so, struct* sockaddr addr, struct* uio *uio,
1933	struct mbuf top, struct* mbuf control, int* flags)
1934	{
1935	struct socket *mp_so = mptetoso(tptomptp(sototcpcb(so))->mpt_mpte);
1936	struct proc *p = current_proc();
1937	boolean_t en_tracing = FALSE, proc_held = FALSE;
1938	int en_tracing_val;
1939	int sblocked = `1`; / Pretend as if it is already locked, so we won't relock it /
1940	int error;
1941
1942	VERIFY(control == NULL);
1943	VERIFY(addr == NULL);
1944	VERIFY(uio == NULL);
1945	VERIFY(flags == `0`);
1946	VERIFY((so->so_flags & SOF_CONTENT_FILTER) == `0`);
1947
1948	VERIFY(top->m_pkthdr.len > `0` && top->m_pkthdr.len <= UINT16_MAX);
1949	VERIFY(top->m_pkthdr.pkt_flags & PKTF_MPTCP);
1950
1951	/*
1952	* trace if tracing & network (vs. unix) sockets & and
1953	* non-loopback
1954	*/
1955	if (ENTR_SHOULDTRACE &&
1956	(SOCK_CHECK_DOM(so, AF_INET) \|\| SOCK_CHECK_DOM(so, AF_INET6))) {
1957	struct inpcb *inp = sotoinpcb(so);
1958	if (inp->inp_last_outifp != NULL &&
1959	!(inp->inp_last_outifp->if_flags & IFF_LOOPBACK)) {
1960	en_tracing = TRUE;
1961	en_tracing_val = top->m_pkthdr.len;
1962	KERNEL_ENERGYTRACE(kEnTrActKernSockWrite, DBG_FUNC_START,
1963	VM_KERNEL_ADDRPERM(so),
1964	((so->so_state & SS_NBIO) ? kEnTrFlagNonBlocking : `0`),
1965	(int64_t)en_tracing_val);
1966	}
1967	}
1968
1969	mptcp_update_last_owner(so, mp_so);
1970
1971	if (mp_so->last_pid != proc_pid(p)) {
1972	p = proc_find(mp_so->last_pid);
1973	if (p == PROC_NULL) {
1974	p = current_proc();
1975	} else {
1976	proc_held = TRUE;
1977	}
1978	}
1979
1980	#if NECP
1981	inp_update_necp_policy(sotoinpcb(so), NULL, NULL, `0`);
1982	#endif /* NECP */
1983
1984	OSIncrementAtomicLong(&p->p_stats->p_ru.ru_msgsnd);
1985
1986	error = sosendcheck(so, NULL, top->m_pkthdr.len, `0`, `1`, `0`, &sblocked, NULL);
1987	if (error)
1988	goto out;
1989
1990	error = (*so->so_proto->pr_usrreqs->pru_send)(so, `0`, top, NULL, NULL, p);
1991	top = NULL;
1992
1993	out:
1994	if (top != NULL)
1995	m_freem(top);
1996
1997	if (proc_held)
1998	proc_rele(p);
1999
2000	soclearfastopen(so);
2001
2002	if (en_tracing) {
2003	KERNEL_ENERGYTRACE(kEnTrActKernSockWrite, DBG_FUNC_END,
2004	VM_KERNEL_ADDRPERM(so),
2005	((error == EWOULDBLOCK) ? kEnTrFlagNoWork : `0`),
2006	(int64_t)en_tracing_val);
2007	}
2008
2009	return (error);
2010
2011	}
2012
2013	/*
2014	* Establish an initial MPTCP connection (if first subflow and not yet
2015	* connected), or add a subflow to an existing MPTCP connection.
2016	*/
2017	int
2018	mptcp_subflow_add(struct mptses mpte, struct* sockaddr *src,
2019	struct sockaddr dst, uint32_t ifscope, sae_connid_t pcid)
2020	{
2021	struct socket mp_so, so = NULL;
2022	struct mptcb *mp_tp;
2023	struct mptsub *mpts = NULL;
2024	int af, error = `0`;
2025
2026	mpte_lock_assert_held(mpte); / same as MP socket lock /
2027	mp_so = mptetoso(mpte);
2028	mp_tp = mpte->mpte_mptcb;
2029
2030	if (mp_tp->mpt_state >= MPTCPS_CLOSE_WAIT) {
2031	/ If the remote end sends Data FIN, refuse subflow adds /
2032	mptcplog((LOG_ERR, "%s state %u\n", __func__, mp_tp->mpt_state),
2033	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
2034	error = ENOTCONN;
2035	goto out_err;
2036	}
2037
2038	mpts = mptcp_subflow_alloc();
2039	if (mpts == NULL) {
2040	mptcplog((LOG_ERR, "%s malloc subflow failed\n", __func__),
2041	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
2042	error = ENOMEM;
2043	goto out_err;
2044	}
2045
2046	if (src != NULL) {
2047	int len = src->sa_len;
2048
2049	MALLOC(mpts->mpts_src, struct sockaddr *, len, M_SONAME,
2050	M_WAITOK \| M_ZERO);
2051	if (mpts->mpts_src == NULL) {
2052	mptcplog((LOG_ERR, "%s malloc mpts_src failed", __func__),
2053	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
2054	error = ENOMEM;
2055	goto out_err;
2056	}
2057	bcopy(src, mpts->mpts_src, len);
2058	}
2059
2060	memcpy(&mpts->mpts_dst, dst, dst->sa_len);
2061
2062	af = mpts->mpts_dst.sa_family;
2063
2064	mpts->mpts_ifscope = ifscope;
2065
2066	/ create the subflow socket /
2067	if ((error = mptcp_subflow_socreate(mpte, mpts, af, &so)) != `0`)
2068	/*
2069	* Returning (error) and not cleaning up, because up to here
2070	* all we did is creating mpts.
2071	*
2072	* And the contract is that the call to mptcp_subflow_socreate,
2073	* moves ownership of mpts to mptcp_subflow_socreate.
2074	*/
2075	return (error);
2076
2077	/*
2078	* We may be called from within the kernel. Still need to account this
2079	* one to the real app.
2080	*/
2081	mptcp_update_last_owner(mpts->mpts_socket, mp_so);
2082
2083	/*
2084	* Increment the counter, while avoiding 0 (SAE_CONNID_ANY) and
2085	* -1 (SAE_CONNID_ALL).
2086	*/
2087	mpte->mpte_connid_last++;
2088	if (mpte->mpte_connid_last == SAE_CONNID_ALL \|\|
2089	mpte->mpte_connid_last == SAE_CONNID_ANY)
2090	mpte->mpte_connid_last++;
2091
2092	mpts->mpts_connid = mpte->mpte_connid_last;
2093
2094	mpts->mpts_rel_seq = `1`;
2095
2096	/ Allocate a unique address id per subflow /
2097	mpte->mpte_addrid_last++;
2098	if (mpte->mpte_addrid_last == `0`)
2099	mpte->mpte_addrid_last++;
2100
2101	/ register for subflow socket read/write events /
2102	sock_setupcalls_locked(so, mptcp_subflow_rupcall, mpts, mptcp_subflow_wupcall, mpts, `1`);
2103
2104	/ Register for subflow socket control events /
2105	sock_catchevents_locked(so, mptcp_subflow_eupcall1, mpts,
2106	SO_FILT_HINT_CONNRESET \| SO_FILT_HINT_CANTRCVMORE \|
2107	SO_FILT_HINT_TIMEOUT \| SO_FILT_HINT_NOSRCADDR \|
2108	SO_FILT_HINT_IFDENIED \| SO_FILT_HINT_CONNECTED \|
2109	SO_FILT_HINT_DISCONNECTED \| SO_FILT_HINT_MPFAILOVER \|
2110	SO_FILT_HINT_MPSTATUS \| SO_FILT_HINT_MUSTRST \|
2111	SO_FILT_HINT_MPCANTRCVMORE \| SO_FILT_HINT_ADAPTIVE_RTIMO \|
2112	SO_FILT_HINT_ADAPTIVE_WTIMO);
2113
2114	/ sanity check /
2115	VERIFY(!(mpts->mpts_flags &
2116	(MPTSF_CONNECTING\|MPTSF_CONNECTED\|MPTSF_CONNECT_PENDING)));
2117
2118	/*
2119	* Indicate to the TCP subflow whether or not it should establish
2120	* the initial MPTCP connection, or join an existing one. Fill
2121	* in the connection request structure with additional info needed
2122	* by the underlying TCP (to be used in the TCP options, etc.)
2123	*/
2124	if (mp_tp->mpt_state < MPTCPS_ESTABLISHED && mpte->mpte_numflows == `1`) {
2125	mpts->mpts_flags \|= MPTSF_INITIAL_SUB;
2126
2127	if (mp_tp->mpt_state == MPTCPS_CLOSED) {
2128	mptcp_init_local_parms(mpte);
2129	}
2130	soisconnecting(mp_so);
2131
2132	/ If fastopen is requested, set state in mpts /
2133	if (so->so_flags1 & SOF1_PRECONNECT_DATA)
2134	mpts->mpts_flags \|= MPTSF_TFO_REQD;
2135	} else {
2136	if (!(mp_tp->mpt_flags & MPTCPF_JOIN_READY))
2137	mpts->mpts_flags \|= MPTSF_CONNECT_PENDING;
2138	}
2139
2140	mpts->mpts_flags \|= MPTSF_CONNECTING;
2141
2142	if (af == AF_INET \|\| af == AF_INET6) {
2143	char dbuf[MAX_IPv6_STR_LEN];
2144
2145	mptcplog((LOG_DEBUG, "MPTCP Socket: %s "
2146	"mp_so 0x%llx dst %s[%d] cid %d "
2147	"[pending %s]\n", __func__,
2148	(u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
2149	inet_ntop(af, ((af == AF_INET) ?
2150	(void *)&SIN(&mpts->mpts_dst)->sin_addr.s_addr :
2151	(void *)&SIN6(&mpts->mpts_dst)->sin6_addr),
2152	dbuf, sizeof (dbuf)), ((af == AF_INET) ?
2153	ntohs(SIN(&mpts->mpts_dst)->sin_port) :
2154	ntohs(SIN6(&mpts->mpts_dst)->sin6_port)),
2155	mpts->mpts_connid,
2156	((mpts->mpts_flags & MPTSF_CONNECT_PENDING) ?
2157	"YES" : "NO")),
2158	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
2159	}
2160
2161	/ connect right away if first attempt, or if join can be done now /
2162	if (!(mpts->mpts_flags & MPTSF_CONNECT_PENDING))
2163	error = mptcp_subflow_soconnectx(mpte, mpts);
2164
2165	if (error)
2166	goto out_err_close;
2167
2168	if (pcid)
2169	*pcid = mpts->mpts_connid;
2170
2171	return (`0`);
2172
2173	out_err_close:
2174	mptcp_subflow_abort(mpts, error);
2175
2176	return (error);
2177
2178	out_err:
2179	if (mpts)
2180	mptcp_subflow_free(mpts);
2181
2182	return (error);
2183	}
2184
2185	void
2186	mptcpstats_update(struct mptcp_itf_stats stats, struct* mptsub *mpts)
2187	{
2188	int index = mptcp_get_statsindex(stats, mpts);
2189
2190	if (index != -`1`) {
2191	struct inpcb *inp = sotoinpcb(mpts->mpts_socket);
2192
2193	stats[index].mpis_txbytes += inp->inp_stat->txbytes;
2194	stats[index].mpis_rxbytes += inp->inp_stat->rxbytes;
2195	}
2196	}
2197
2198	/*
2199	* Delete/remove a subflow from an MPTCP. The underlying subflow socket
2200	* will no longer be accessible after a subflow is deleted, thus this
2201	* should occur only after the subflow socket has been disconnected.
2202	*/
2203	void
2204	mptcp_subflow_del(struct mptses mpte, struct* mptsub *mpts)
2205	{
2206	struct socket *mp_so = mptetoso(mpte);
2207	struct socket *so = mpts->mpts_socket;
2208	struct tcpcb *tp = sototcpcb(so);
2209
2210	mpte_lock_assert_held(mpte); / same as MP socket lock /
2211	VERIFY(mpts->mpts_mpte == mpte);
2212	VERIFY(mpts->mpts_flags & MPTSF_ATTACHED);
2213	VERIFY(mpte->mpte_numflows != `0`);
2214	VERIFY(mp_so->so_usecount > `0`);
2215
2216	mptcplog((LOG_DEBUG, "%s: mp_so 0x%llx [u=%d,r=%d] cid %d %x error %d\n",
2217	__func__, (u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
2218	mp_so->so_usecount, mp_so->so_retaincnt, mpts->mpts_connid,
2219	mpts->mpts_flags, mp_so->so_error),
2220	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
2221
2222	mptcpstats_update(mpte->mpte_itfstats, mpts);
2223	mpte->mpte_init_rxbytes = sotoinpcb(so)->inp_stat->rxbytes;
2224	mpte->mpte_init_txbytes = sotoinpcb(so)->inp_stat->txbytes;
2225
2226	atomic_bitclear_32(&mpts->mpts_flags, MPTSF_ATTACHED);
2227	TAILQ_REMOVE(&mpte->mpte_subflows, mpts, mpts_entry);
2228	mpte->mpte_numflows--;
2229	if (mpte->mpte_active_sub == mpts)
2230	mpte->mpte_active_sub = NULL;
2231
2232	/*
2233	* Drop references held by this subflow socket; there
2234	* will be no further upcalls made from this point.
2235	*/
2236	sock_setupcalls_locked(so, NULL, NULL, NULL, NULL, `0`);
2237	sock_catchevents_locked(so, NULL, NULL, `0`);
2238
2239	mptcp_detach_mptcb_from_subf(mpte->mpte_mptcb, so);
2240
2241	mp_so->so_usecount--; / for subflow socket /
2242	mpts->mpts_mpte = NULL;
2243	mpts->mpts_socket = NULL;
2244
2245	mptcp_subflow_remref(mpts); / for MPTCP subflow list /
2246	mptcp_subflow_remref(mpts); / for subflow socket /
2247
2248	so->so_flags &= ~SOF_MP_SUBFLOW;
2249	tp->t_mptcb = NULL;
2250	tp->t_mpsub = NULL;
2251	}
2252
2253	void
2254	mptcp_subflow_shutdown(struct mptses mpte, struct* mptsub *mpts)
2255	{
2256	struct socket *so = mpts->mpts_socket;
2257	struct mptcb *mp_tp = mpte->mpte_mptcb;
2258	int send_dfin = `0`;
2259
2260	if (mp_tp->mpt_state > MPTCPS_CLOSE_WAIT)
2261	send_dfin = `1`;
2262
2263	if (!(so->so_state & (SS_ISDISCONNECTING \| SS_ISDISCONNECTED)) &&
2264	(so->so_state & SS_ISCONNECTED)) {
2265	mptcplog((LOG_DEBUG, "MPTCP subflow shutdown %s: cid %d fin %d\n",
2266	__func__, mpts->mpts_connid, send_dfin),
2267	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
2268
2269	if (send_dfin)
2270	mptcp_send_dfin(so);
2271	soshutdownlock(so, SHUT_WR);
2272	}
2273
2274	}
2275
2276	static void
2277	mptcp_subflow_abort(struct mptsub mpts, int* error)
2278	{
2279	struct socket *so = mpts->mpts_socket;
2280	struct tcpcb *tp = sototcpcb(so);
2281
2282	if (mpts->mpts_flags & MPTSF_DISCONNECTED)
2283	return;
2284
2285	mptcplog((LOG_DEBUG, "%s aborting connection state %u\n", __func__, tp->t_state),
2286	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
2287
2288	if (tp->t_state != TCPS_CLOSED)
2289	tcp_drop(tp, error);
2290
2291	mptcp_subflow_eupcall1(so, mpts, SO_FILT_HINT_DISCONNECTED);
2292	}
2293
2294	/*
2295	* Disconnect a subflow socket.
2296	*/
2297	void
2298	mptcp_subflow_disconnect(struct mptses mpte, struct* mptsub *mpts)
2299	{
2300	struct socket *so;
2301	struct mptcb *mp_tp;
2302	int send_dfin = `0`;
2303
2304	mpte_lock_assert_held(mpte); / same as MP socket lock /
2305
2306	VERIFY(mpts->mpts_mpte == mpte);
2307	VERIFY(mpts->mpts_socket != NULL);
2308
2309	if (mpts->mpts_flags & (MPTSF_DISCONNECTING\|MPTSF_DISCONNECTED))
2310	return;
2311
2312	mpts->mpts_flags \|= MPTSF_DISCONNECTING;
2313
2314	so = mpts->mpts_socket;
2315	mp_tp = mpte->mpte_mptcb;
2316	if (mp_tp->mpt_state > MPTCPS_CLOSE_WAIT)
2317	send_dfin = `1`;
2318
2319	if (!(so->so_state & (SS_ISDISCONNECTING \| SS_ISDISCONNECTED)) &&
2320	(so->so_state & SS_ISCONNECTED)) {
2321	mptcplog((LOG_DEBUG, "%s: cid %d fin %d\n",
2322	__func__, mpts->mpts_connid, send_dfin),
2323	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
2324
2325	if (send_dfin)
2326	mptcp_send_dfin(so);
2327	(void) soshutdownlock(so, SHUT_RD);
2328	(void) soshutdownlock(so, SHUT_WR);
2329	(void) sodisconnectlocked(so);
2330	}
2331	/*
2332	* Generate a disconnect event for this subflow socket, in case
2333	* the lower layer doesn't do it; this is needed because the
2334	* subflow socket deletion relies on it.
2335	*/
2336	mptcp_subflow_eupcall1(so, mpts, SO_FILT_HINT_DISCONNECTED);
2337	}
2338
2339	/*
2340	* Called when the associated subflow socket posted a read event.
2341	*/
2342	static void
2343	mptcp_subflow_rupcall(struct socket so, void* arg, int* waitf)
2344	{
2345	#pragma unused(so, waitf)
2346	struct mptsub mpts = arg, tmpts;
2347	struct mptses *mpte = mpts->mpts_mpte;
2348
2349	VERIFY(mpte != NULL);
2350
2351	if (mptcp_should_defer_upcall(mpte->mpte_mppcb)) {
2352	if (!(mpte->mpte_mppcb->mpp_flags & MPP_RUPCALL))
2353	mpte->mpte_mppcb->mpp_flags \|= MPP_SHOULD_RWAKEUP;
2354	return;
2355	}
2356
2357	mpte->mpte_mppcb->mpp_flags \|= MPP_RUPCALL;
2358	TAILQ_FOREACH_SAFE(mpts, &mpte->mpte_subflows, mpts_entry, tmpts) {
2359	if (mpts->mpts_socket->so_usecount == `0`) {
2360	/ Will be removed soon by tcp_garbage_collect /
2361	continue;
2362	}
2363
2364	mptcp_subflow_addref(mpts);
2365	mpts->mpts_socket->so_usecount++;
2366
2367	mptcp_subflow_input(mpte, mpts);
2368
2369	mptcp_subflow_remref(mpts); / ours /
2370
2371	VERIFY(mpts->mpts_socket->so_usecount != `0`);
2372	mpts->mpts_socket->so_usecount--;
2373	}
2374
2375	mptcp_handle_deferred_upcalls(mpte->mpte_mppcb, MPP_RUPCALL);
2376	}
2377
2378	/*
2379	* Subflow socket input.
2380	*/
2381	static void
2382	mptcp_subflow_input(struct mptses mpte, struct* mptsub *mpts)
2383	{
2384	struct socket *mp_so = mptetoso(mpte);
2385	struct mbuf *m = NULL;
2386	struct socket *so;
2387	int error, wakeup = `0`;
2388
2389	VERIFY(!(mpte->mpte_mppcb->mpp_flags & MPP_INSIDE_INPUT));
2390	mpte->mpte_mppcb->mpp_flags \|= MPP_INSIDE_INPUT;
2391
2392	DTRACE_MPTCP2(subflow__input, struct mptses *, mpte,
2393	struct mptsub *, mpts);
2394
2395	if (!(mpts->mpts_flags & MPTSF_CONNECTED))
2396	goto out;
2397
2398	so = mpts->mpts_socket;
2399
2400	error = sock_receive_internal(so, NULL, &m, `0`, NULL);
2401	if (error != `0` && error != EWOULDBLOCK) {
2402	mptcplog((LOG_ERR, "%s: cid %d error %d\n",
2403	__func__, mpts->mpts_connid, error),
2404	MPTCP_RECEIVER_DBG, MPTCP_LOGLVL_ERR);
2405	if (error == ENODATA) {
2406	/*
2407	* Don't ignore ENODATA so as to discover
2408	* nasty middleboxes.
2409	*/
2410	mp_so->so_error = ENODATA;
2411
2412	wakeup = `1`;
2413	goto out;
2414	}
2415	} else if (error == `0`) {
2416	mptcplog((LOG_DEBUG, "%s: cid %d \n", __func__, mpts->mpts_connid),
2417	MPTCP_RECEIVER_DBG, MPTCP_LOGLVL_VERBOSE);
2418	}
2419
2420	/ In fallback, make sure to accept data on all but one subflow /
2421	if (m && (mpts->mpts_flags & MPTSF_MP_DEGRADED) &&
2422	!(mpts->mpts_flags & MPTSF_ACTIVE)) {
2423	mptcplog((LOG_DEBUG, "%s: degraded and got data on non-active flow\n",
2424	__func__), MPTCP_RECEIVER_DBG, MPTCP_LOGLVL_VERBOSE);
2425	m_freem(m);
2426	goto out;
2427	}
2428
2429	if (m != NULL) {
2430	if (IFNET_IS_CELLULAR(sotoinpcb(so)->inp_last_outifp)) {
2431	mpte->mpte_mppcb->mpp_flags \|= MPP_SET_CELLICON;
2432
2433	mpte->mpte_used_cell = `1`;
2434	} else {
2435	mpte->mpte_mppcb->mpp_flags \|= MPP_UNSET_CELLICON;
2436
2437	mpte->mpte_used_wifi = `1`;
2438	}
2439
2440	mptcp_input(mpte, m);
2441	}
2442
2443	/ notify protocol that we drained all the data /
2444	if (error == `0` && m != NULL &&
2445	(so->so_proto->pr_flags & PR_WANTRCVD) && so->so_pcb != NULL)
2446	(*so->so_proto->pr_usrreqs->pru_rcvd)(so, `0`);
2447
2448	out:
2449	if (wakeup)
2450	mpte->mpte_mppcb->mpp_flags \|= MPP_SHOULD_RWAKEUP;
2451
2452	mptcp_handle_deferred_upcalls(mpte->mpte_mppcb, MPP_INSIDE_INPUT);
2453	}
2454
2455	/*
2456	* Subflow socket write upcall.
2457	*
2458	* Called when the associated subflow socket posted a read event.
2459	*/
2460	static void
2461	mptcp_subflow_wupcall(struct socket so, void* arg, int* waitf)
2462	{
2463	#pragma unused(so, waitf)
2464	struct mptsub *mpts = arg;
2465	struct mptses *mpte = mpts->mpts_mpte;
2466
2467	VERIFY(mpte != NULL);
2468
2469	if (mptcp_should_defer_upcall(mpte->mpte_mppcb)) {
2470	if (!(mpte->mpte_mppcb->mpp_flags & MPP_WUPCALL))
2471	mpte->mpte_mppcb->mpp_flags \|= MPP_SHOULD_WWAKEUP;
2472	return;
2473	}
2474
2475	mptcp_output(mpte);
2476	}
2477
2478	static boolean_t
2479	mptcp_search_seq_in_sub(struct mbuf m, struct* socket *so)
2480	{
2481	struct mbuf *so_m = so->so_snd.sb_mb;
2482	uint64_t dsn = m->m_pkthdr.mp_dsn;
2483
2484	while (so_m) {
2485	VERIFY(so_m->m_flags & M_PKTHDR);
2486	VERIFY(so_m->m_pkthdr.pkt_flags & PKTF_MPTCP);
2487
2488	/ Part of the segment is covered, don't reinject here /
2489	if (so_m->m_pkthdr.mp_dsn <= dsn &&
2490	so_m->m_pkthdr.mp_dsn + so_m->m_pkthdr.mp_rlen > dsn)
2491	return TRUE;
2492
2493	so_m = so_m->m_next;
2494	}
2495
2496	return FALSE;
2497	}
2498
2499	/*
2500	* Subflow socket output.
2501	*
2502	* Called for sending data from MPTCP to the underlying subflow socket.
2503	*/
2504	int
2505	mptcp_subflow_output(struct mptses mpte, struct* mptsub mpts, int* flags)
2506	{
2507	struct mptcb *mp_tp = mpte->mpte_mptcb;
2508	struct mbuf sb_mb, m, mpt_mbuf = NULL, head, *tail;
2509	struct socket mp_so, so;
2510	struct tcpcb *tp;
2511	uint64_t mpt_dsn = `0`, off = `0`;
2512	int sb_cc = `0`, error = `0`, wakeup = `0`;
2513	uint32_t dss_csum;
2514	uint16_t tot_sent = `0`;
2515	boolean_t reinjected = FALSE;
2516
2517	mpte_lock_assert_held(mpte);
2518
2519	mp_so = mptetoso(mpte);
2520	so = mpts->mpts_socket;
2521	tp = sototcpcb(so);
2522
2523	VERIFY(!(mpte->mpte_mppcb->mpp_flags & MPP_INSIDE_OUTPUT));
2524	mpte->mpte_mppcb->mpp_flags \|= MPP_INSIDE_OUTPUT;
2525
2526	VERIFY(!INP_WAIT_FOR_IF_FEEDBACK(sotoinpcb(so)));
2527	VERIFY((mpts->mpts_flags & MPTSF_MP_CAPABLE) \|\|
2528	(mpts->mpts_flags & MPTSF_MP_DEGRADED) \|\|
2529	(mpts->mpts_flags & MPTSF_TFO_REQD));
2530	VERIFY(mptcp_subflow_cwnd_space(mpts->mpts_socket) > `0`);
2531
2532	mptcplog((LOG_DEBUG, "%s mpts_flags %#x, mpte_flags %#x cwnd_space %u\n",
2533	__func__, mpts->mpts_flags, mpte->mpte_flags,
2534	mptcp_subflow_cwnd_space(so)),
2535	MPTCP_SENDER_DBG, MPTCP_LOGLVL_VERBOSE);
2536	DTRACE_MPTCP2(subflow__output, struct mptses *, mpte,
2537	struct mptsub *, mpts);
2538
2539	/ Remove Addr Option is not sent reliably as per I-D /
2540	if (mpte->mpte_flags & MPTE_SND_REM_ADDR) {
2541	tp->t_rem_aid = mpte->mpte_lost_aid;
2542	tp->t_mpflags \|= TMPF_SND_REM_ADDR;
2543	mpte->mpte_flags &= ~MPTE_SND_REM_ADDR;
2544	}
2545
2546	/*
2547	* The mbuf chains containing the metadata (as well as pointing to
2548	* the user data sitting at the MPTCP output queue) would then be
2549	* sent down to the subflow socket.
2550	*
2551	* Some notes on data sequencing:
2552	*
2553	* a. Each mbuf must be a M_PKTHDR.
2554	* b. MPTCP metadata is stored in the mptcp_pktinfo structure
2555	* in the mbuf pkthdr structure.
2556	* c. Each mbuf containing the MPTCP metadata must have its
2557	* pkt_flags marked with the PKTF_MPTCP flag.
2558	*/
2559
2560	if (mpte->mpte_reinjectq)
2561	sb_mb = mpte->mpte_reinjectq;
2562	else
2563	sb_mb = mp_so->so_snd.sb_mb;
2564
2565	if (sb_mb == NULL) {
2566	mptcplog((LOG_ERR, "%s: No data in MPTCP-sendbuffer! smax %u snxt %u suna %u state %u flags %#x\n",
2567	__func__, (uint32_t)mp_tp->mpt_sndmax, (uint32_t)mp_tp->mpt_sndnxt,
2568	(uint32_t)mp_tp->mpt_snduna, mp_tp->mpt_state, mp_so->so_flags1),
2569	MPTCP_SENDER_DBG, MPTCP_LOGLVL_ERR);
2570
2571	/ Fix it to prevent looping /
2572	if (MPTCP_SEQ_LT(mp_tp->mpt_sndnxt, mp_tp->mpt_snduna))
2573	mp_tp->mpt_sndnxt = mp_tp->mpt_snduna;
2574	goto out;
2575	}
2576
2577	VERIFY(sb_mb->m_pkthdr.pkt_flags & PKTF_MPTCP);
2578
2579	if (sb_mb->m_pkthdr.mp_rlen == `0` &&
2580	!(so->so_state & SS_ISCONNECTED) &&
2581	(so->so_flags1 & SOF1_PRECONNECT_DATA)) {
2582	tp->t_mpflags \|= TMPF_TFO_REQUEST;
2583	goto zero_len_write;
2584	}
2585
2586	mpt_dsn = sb_mb->m_pkthdr.mp_dsn;
2587
2588	/ First, drop acknowledged data /
2589	if (MPTCP_SEQ_LT(mpt_dsn, mp_tp->mpt_snduna)) {
2590	mptcplog((LOG_ERR, "%s: dropping data, should have been done earlier "
2591	"dsn %u suna %u reinject? %u\n",
2592	__func__, (uint32_t)mpt_dsn,
2593	(uint32_t)mp_tp->mpt_snduna, !!mpte->mpte_reinjectq),
2594	MPTCP_SENDER_DBG, MPTCP_LOGLVL_ERR);
2595	if (mpte->mpte_reinjectq) {
2596	mptcp_clean_reinjectq(mpte);
2597	} else {
2598	uint64_t len = `0`;
2599	len = mp_tp->mpt_snduna - mpt_dsn;
2600	sbdrop(&mp_so->so_snd, (int)len);
2601	wakeup = `1`;
2602	}
2603	}
2604
2605	/ Check again because of above sbdrop /
2606	if (mp_so->so_snd.sb_mb == NULL && mpte->mpte_reinjectq == NULL) {
2607	mptcplog((LOG_ERR, "%s send-buffer is empty\n", __func__),
2608	MPTCP_SENDER_DBG, MPTCP_LOGLVL_ERR);
2609	goto out;
2610	}
2611
2612	/*
2613	* In degraded mode, we don't receive data acks, so force free
2614	* mbufs less than snd_nxt
2615	*/
2616	if ((mpts->mpts_flags & MPTSF_MP_DEGRADED) &&
2617	(mp_tp->mpt_flags & MPTCPF_POST_FALLBACK_SYNC) &&
2618	mp_so->so_snd.sb_mb) {
2619	mpt_dsn = mp_so->so_snd.sb_mb->m_pkthdr.mp_dsn;
2620	if (MPTCP_SEQ_LT(mpt_dsn, mp_tp->mpt_snduna)) {
2621	uint64_t len = `0`;
2622	len = mp_tp->mpt_snduna - mpt_dsn;
2623	sbdrop(&mp_so->so_snd, (int)len);
2624	wakeup = `1`;
2625
2626	mptcplog((LOG_ERR, "%s: dropping data in degraded mode, should have been done earlier dsn %u sndnxt %u suna %u\n",
2627	__func__, (uint32_t)mpt_dsn, (uint32_t)mp_tp->mpt_sndnxt, (uint32_t)mp_tp->mpt_snduna),
2628	MPTCP_SENDER_DBG, MPTCP_LOGLVL_ERR);
2629	}
2630	}
2631
2632	if ((mpts->mpts_flags & MPTSF_MP_DEGRADED) &&
2633	!(mp_tp->mpt_flags & MPTCPF_POST_FALLBACK_SYNC)) {
2634	mp_tp->mpt_flags \|= MPTCPF_POST_FALLBACK_SYNC;
2635	so->so_flags1 \|= SOF1_POST_FALLBACK_SYNC;
2636	}
2637
2638	/*
2639	* Adjust the top level notion of next byte used for retransmissions
2640	* and sending FINs.
2641	*/
2642	if (MPTCP_SEQ_LT(mp_tp->mpt_sndnxt, mp_tp->mpt_snduna))
2643	mp_tp->mpt_sndnxt = mp_tp->mpt_snduna;
2644
2645	/ Now determine the offset from which to start transmitting data /
2646	if (mpte->mpte_reinjectq)
2647	sb_mb = mpte->mpte_reinjectq;
2648	else
2649	dont_reinject:
2650	sb_mb = mp_so->so_snd.sb_mb;
2651	if (sb_mb == NULL) {
2652	mptcplog((LOG_ERR, "%s send-buffer is still empty\n", __func__),
2653	MPTCP_SENDER_DBG, MPTCP_LOGLVL_ERR);
2654	goto out;
2655	}
2656
2657	if (sb_mb == mpte->mpte_reinjectq) {
2658	sb_cc = sb_mb->m_pkthdr.mp_rlen;
2659	off = `0`;
2660
2661	if (mptcp_search_seq_in_sub(sb_mb, so)) {
2662	if (mptcp_can_send_more(mp_tp, TRUE)) {
2663	goto dont_reinject;
2664	}
2665
2666	error = ECANCELED;
2667	goto out;
2668	}
2669
2670	reinjected = TRUE;
2671	} else if (flags & MPTCP_SUBOUT_PROBING) {
2672	sb_cc = sb_mb->m_pkthdr.mp_rlen;
2673	off = `0`;
2674	} else {
2675	sb_cc = min(mp_so->so_snd.sb_cc, mp_tp->mpt_sndwnd);
2676
2677	/*
2678	* With TFO, there might be no data at all, thus still go into this
2679	* code-path here.
2680	*/
2681	if ((mp_so->so_flags1 & SOF1_PRECONNECT_DATA) \|\|
2682	MPTCP_SEQ_LT(mp_tp->mpt_sndnxt, mp_tp->mpt_sndmax)) {
2683	off = mp_tp->mpt_sndnxt - mp_tp->mpt_snduna;
2684	sb_cc -= off;
2685	} else {
2686	mptcplog((LOG_ERR, "%s this should not happen: sndnxt %u sndmax %u\n",
2687	__func__, (uint32_t)mp_tp->mpt_sndnxt,
2688	(uint32_t)mp_tp->mpt_sndmax),
2689	MPTCP_SENDER_DBG, MPTCP_LOGLVL_ERR);
2690
2691	goto out;
2692	}
2693	}
2694
2695	sb_cc = min(sb_cc, mptcp_subflow_cwnd_space(so));
2696	if (sb_cc <= `0`) {
2697	mptcplog((LOG_ERR, "%s sb_cc is %d, mp_so->sb_cc %u, sndwnd %u,sndnxt %u sndmax %u cwnd %u\n",
2698	__func__, sb_cc, mp_so->so_snd.sb_cc, mp_tp->mpt_sndwnd,
2699	(uint32_t)mp_tp->mpt_sndnxt, (uint32_t)mp_tp->mpt_sndmax,
2700	mptcp_subflow_cwnd_space(so)),
2701	MPTCP_SENDER_DBG, MPTCP_LOGLVL_ERR);
2702	}
2703
2704	sb_cc = min(sb_cc, UINT16_MAX);
2705
2706	/*
2707	* Create a DSN mapping for the data we are about to send. It all
2708	* has the same mapping.
2709	*/
2710	if (reinjected)
2711	mpt_dsn = sb_mb->m_pkthdr.mp_dsn;
2712	else
2713	mpt_dsn = mp_tp->mpt_snduna + off;
2714
2715	mpt_mbuf = sb_mb;
2716	while (mpt_mbuf && reinjected == FALSE &&
2717	(mpt_mbuf->m_pkthdr.mp_rlen == `0` \|\|
2718	mpt_mbuf->m_pkthdr.mp_rlen <= (uint32_t)off)) {
2719	off -= mpt_mbuf->m_pkthdr.mp_rlen;
2720	mpt_mbuf = mpt_mbuf->m_next;
2721	}
2722	if (mpts->mpts_flags & MPTSF_MP_DEGRADED)
2723	mptcplog((LOG_DEBUG, "%s: %u snduna = %u sndnxt = %u probe %d\n",
2724	__func__, mpts->mpts_connid, (uint32_t)mp_tp->mpt_snduna, (uint32_t)mp_tp->mpt_sndnxt,
2725	mpts->mpts_probecnt),
2726	MPTCP_SENDER_DBG, MPTCP_LOGLVL_VERBOSE);
2727
2728	VERIFY((mpt_mbuf == NULL) \|\| (mpt_mbuf->m_pkthdr.pkt_flags & PKTF_MPTCP));
2729
2730	head = tail = NULL;
2731
2732	while (tot_sent < sb_cc) {
2733	ssize_t mlen;
2734
2735	mlen = mpt_mbuf->m_len;
2736	mlen -= off;
2737	mlen = min(mlen, sb_cc - tot_sent);
2738
2739	if (mlen < `0`) {
2740	mptcplog((LOG_ERR, "%s mlen %d mp_rlen %u off %u sb_cc %u tot_sent %u\n",
2741	__func__, (int)mlen, mpt_mbuf->m_pkthdr.mp_rlen,
2742	(uint32_t)off, sb_cc, tot_sent),
2743	MPTCP_SENDER_DBG, MPTCP_LOGLVL_ERR);
2744	goto out;
2745	}
2746
2747	if (mlen == `0`)
2748	goto next;
2749
2750	m = m_copym_mode(mpt_mbuf, (int)off, mlen, M_DONTWAIT,
2751	M_COPYM_MUST_COPY_HDR);
2752	if (m == NULL) {
2753	mptcplog((LOG_ERR, "%s m_copym_mode failed\n", __func__),
2754	MPTCP_SENDER_DBG, MPTCP_LOGLVL_ERR);
2755	error = ENOBUFS;
2756	break;
2757	}
2758
2759	/ Create a DSN mapping for the data (m_copym does it) /
2760	VERIFY(m->m_flags & M_PKTHDR);
2761	VERIFY(m->m_next == NULL);
2762
2763	m->m_pkthdr.pkt_flags \|= PKTF_MPTCP;
2764	m->m_pkthdr.pkt_flags &= ~PKTF_MPSO;
2765	m->m_pkthdr.mp_dsn = mpt_dsn;
2766	m->m_pkthdr.mp_rseq = mpts->mpts_rel_seq;
2767	m->m_pkthdr.len = mlen;
2768
2769	if (head == NULL) {
2770	head = tail = m;
2771	} else {
2772	tail->m_next = m;
2773	tail = m;
2774	}
2775
2776	tot_sent += mlen;
2777	off = `0`;
2778	next:
2779	mpt_mbuf = mpt_mbuf->m_next;
2780	}
2781
2782	if (reinjected) {
2783	if (sb_cc < sb_mb->m_pkthdr.mp_rlen) {
2784	struct mbuf *n = sb_mb;
2785
2786	while (n) {
2787	n->m_pkthdr.mp_dsn += sb_cc;
2788	n->m_pkthdr.mp_rlen -= sb_cc;
2789	n = n->m_next;
2790	}
2791	m_adj(sb_mb, sb_cc);
2792	} else {
2793	mpte->mpte_reinjectq = sb_mb->m_nextpkt;
2794	m_freem(sb_mb);
2795	}
2796	}
2797
2798	mptcplog((LOG_DEBUG, "%s: Queued dsn %u ssn %u len %u on sub %u\n",
2799	__func__, (uint32_t)mpt_dsn, mpts->mpts_rel_seq,
2800	tot_sent, mpts->mpts_connid), MPTCP_SENDER_DBG, MPTCP_LOGLVL_VERBOSE);
2801
2802	if (head && (mp_tp->mpt_flags & MPTCPF_CHECKSUM)) {
2803	dss_csum = mptcp_output_csum(head, mpt_dsn, mpts->mpts_rel_seq,
2804	tot_sent);
2805	}
2806
2807	/ Now, let's update rel-seq and the data-level length /
2808	mpts->mpts_rel_seq += tot_sent;
2809	m = head;
2810	while (m) {
2811	if (mp_tp->mpt_flags & MPTCPF_CHECKSUM)
2812	m->m_pkthdr.mp_csum = dss_csum;
2813	m->m_pkthdr.mp_rlen = tot_sent;
2814	m = m->m_next;
2815	}
2816
2817	if (head != NULL) {
2818	if ((mpts->mpts_flags & MPTSF_TFO_REQD) &&
2819	(tp->t_tfo_stats == `0`))
2820	tp->t_mpflags \|= TMPF_TFO_REQUEST;
2821
2822	error = sock_sendmbuf(so, NULL, head, `0`, NULL);
2823
2824	DTRACE_MPTCP7(send, struct mbuf , m, struct* socket *, so,
2825	struct sockbuf *, &so->so_rcv,
2826	struct sockbuf *, &so->so_snd,
2827	struct mptses , mpte, struct* mptsub *, mpts,
2828	size_t, tot_sent);
2829	}
2830
2831	done_sending:
2832	if (error == `0` \|\|
2833	(error == EWOULDBLOCK && (tp->t_mpflags & TMPF_TFO_REQUEST))) {
2834	uint64_t new_sndnxt = mp_tp->mpt_sndnxt + tot_sent;
2835
2836	if (mpts->mpts_probesoon && mpts->mpts_maxseg && tot_sent) {
2837	tcpstat.tcps_mp_num_probes++;
2838	if ((uint32_t)tot_sent < mpts->mpts_maxseg)
2839	mpts->mpts_probecnt += `1`;
2840	else
2841	mpts->mpts_probecnt +=
2842	tot_sent/mpts->mpts_maxseg;
2843	}
2844
2845	if (!reinjected && !(flags & MPTCP_SUBOUT_PROBING)) {
2846	if (MPTCP_DATASEQ_HIGH32(new_sndnxt) >
2847	MPTCP_DATASEQ_HIGH32(mp_tp->mpt_sndnxt))
2848	mp_tp->mpt_flags \|= MPTCPF_SND_64BITDSN;
2849	mp_tp->mpt_sndnxt = new_sndnxt;
2850	}
2851
2852	mptcp_cancel_timer(mp_tp, MPTT_REXMT);
2853
2854	/ Must be here as mptcp_can_send_more() checks for this /
2855	soclearfastopen(mp_so);
2856
2857	if ((mpts->mpts_flags & MPTSF_MP_DEGRADED) \|\|
2858	(mpts->mpts_probesoon != `0`))
2859	mptcplog((LOG_DEBUG, "%s %u degraded %u wrote %d %d probe %d probedelta %d\n",
2860	__func__, mpts->mpts_connid,
2861	!!(mpts->mpts_flags & MPTSF_MP_DEGRADED),
2862	tot_sent, (int) sb_cc, mpts->mpts_probecnt,
2863	(tcp_now - mpts->mpts_probesoon)),
2864	MPTCP_SENDER_DBG, MPTCP_LOGLVL_VERBOSE);
2865
2866	if (IFNET_IS_CELLULAR(sotoinpcb(so)->inp_last_outifp)) {
2867	mpte->mpte_mppcb->mpp_flags \|= MPP_SET_CELLICON;
2868
2869	mpte->mpte_used_cell = `1`;
2870	} else {
2871	mpte->mpte_mppcb->mpp_flags \|= MPP_UNSET_CELLICON;
2872
2873	mpte->mpte_used_wifi = `1`;
2874	}
2875
2876	/*
2877	* Don't propagate EWOULDBLOCK - it's already taken care of
2878	* in mptcp_usr_send for TFO.
2879	*/
2880	error = `0`;
2881	} else {
2882	mptcplog((LOG_ERR, "%s: %u error %d len %d subflags %#x sostate %#x soerror %u hiwat %u lowat %u\n",
2883	__func__, mpts->mpts_connid, error, tot_sent, so->so_flags, so->so_state, so->so_error, so->so_snd.sb_hiwat, so->so_snd.sb_lowat),
2884	MPTCP_SENDER_DBG, MPTCP_LOGLVL_ERR);
2885	}
2886	out:
2887
2888	if (wakeup)
2889	mpte->mpte_mppcb->mpp_flags \|= MPP_SHOULD_WWAKEUP;
2890
2891	mptcp_handle_deferred_upcalls(mpte->mpte_mppcb, MPP_INSIDE_OUTPUT);
2892	return (error);
2893
2894	zero_len_write:
2895	/ Opting to call pru_send as no mbuf at subflow level /
2896	error = (*so->so_proto->pr_usrreqs->pru_send)(so, `0`, NULL, NULL,
2897	NULL, current_proc());
2898
2899	goto done_sending;
2900	}
2901
2902	static void
2903	mptcp_add_reinjectq(struct mptses mpte, struct* mbuf *m)
2904	{
2905	struct mbuf n, prev = NULL;
2906
2907	mptcplog((LOG_DEBUG, "%s reinjecting dsn %u dlen %u rseq %u\n",
2908	__func__, (uint32_t)m->m_pkthdr.mp_dsn, m->m_pkthdr.mp_rlen,
2909	m->m_pkthdr.mp_rseq),
2910	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
2911
2912	n = mpte->mpte_reinjectq;
2913
2914	/ First, look for an mbuf n, whose data-sequence-number is bigger or*
2915	* equal than m's sequence number.
2916	*/
2917	while (n) {
2918	if (MPTCP_SEQ_GEQ(n->m_pkthdr.mp_dsn, m->m_pkthdr.mp_dsn))
2919	break;
2920
2921	prev = n;
2922
2923	n = n->m_nextpkt;
2924	}
2925
2926	if (n) {
2927	/ m is already fully covered by the next mbuf in the queue /
2928	if (n->m_pkthdr.mp_dsn == m->m_pkthdr.mp_dsn &&
2929	n->m_pkthdr.mp_rlen >= m->m_pkthdr.mp_rlen) {
2930	mptcplog((LOG_DEBUG, "%s fully covered with len %u\n",
2931	__func__, n->m_pkthdr.mp_rlen),
2932	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
2933	goto dont_queue;
2934	}
2935
2936	/ m is covering the next mbuf entirely, thus we remove this guy /
2937	if (m->m_pkthdr.mp_dsn + m->m_pkthdr.mp_rlen >= n->m_pkthdr.mp_dsn + n->m_pkthdr.mp_rlen) {
2938	struct mbuf *tmp = n->m_nextpkt;
2939
2940	mptcplog((LOG_DEBUG, "%s m is covering that guy dsn %u len %u dsn %u len %u\n",
2941	__func__, m->m_pkthdr.mp_dsn, m->m_pkthdr.mp_rlen,
2942	n->m_pkthdr.mp_dsn, n->m_pkthdr.mp_rlen),
2943	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
2944
2945	m->m_nextpkt = NULL;
2946	if (prev == NULL)
2947	mpte->mpte_reinjectq = tmp;
2948	else
2949	prev->m_nextpkt = tmp;
2950
2951	m_freem(n);
2952	n = tmp;
2953	}
2954
2955	}
2956
2957	if (prev) {
2958	/ m is already fully covered by the previous mbuf in the queue /
2959	if (prev->m_pkthdr.mp_dsn + prev->m_pkthdr.mp_rlen >= m->m_pkthdr.mp_dsn + m->m_pkthdr.len) {
2960	mptcplog((LOG_DEBUG, "%s prev covers us from %u with len %u\n",
2961	__func__, prev->m_pkthdr.mp_dsn, prev->m_pkthdr.mp_rlen),
2962	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
2963	goto dont_queue;
2964	}
2965	}
2966
2967	if (prev == NULL)
2968	mpte->mpte_reinjectq = m;
2969	else
2970	prev->m_nextpkt = m;
2971
2972	m->m_nextpkt = n;
2973
2974	return;
2975
2976	dont_queue:
2977	m_freem(m);
2978	return;
2979	}
2980
2981	static struct mbuf *
2982	mptcp_lookup_dsn(struct mptses *mpte, uint64_t dsn)
2983	{
2984	struct socket *mp_so = mptetoso(mpte);
2985	struct mbuf *m;
2986
2987	m = mp_so->so_snd.sb_mb;
2988
2989	while (m) {
2990	/ If this segment covers what we are looking for, return it. /
2991	if (MPTCP_SEQ_LEQ(m->m_pkthdr.mp_dsn, dsn) &&
2992	MPTCP_SEQ_GT(m->m_pkthdr.mp_dsn + m->m_pkthdr.mp_rlen, dsn))
2993	break;
2994
2995
2996	/ Segment is no more in the queue /
2997	if (MPTCP_SEQ_GT(m->m_pkthdr.mp_dsn, dsn))
2998	return NULL;
2999
3000	m = m->m_next;
3001	}
3002
3003	return m;
3004	}
3005
3006	static struct mbuf *
3007	mptcp_copy_mbuf_list(struct mbuf m, int* len)
3008	{
3009	struct mbuf top = NULL, tail = NULL;
3010	uint64_t dsn;
3011	uint32_t dlen, rseq;
3012
3013	dsn = m->m_pkthdr.mp_dsn;
3014	dlen = m->m_pkthdr.mp_rlen;
3015	rseq = m->m_pkthdr.mp_rseq;
3016
3017	while (len > `0`) {
3018	struct mbuf *n;
3019
3020	VERIFY((m->m_flags & M_PKTHDR) && (m->m_pkthdr.pkt_flags & PKTF_MPTCP));
3021
3022	n = m_copym_mode(m, `0`, m->m_len, M_DONTWAIT, M_COPYM_MUST_COPY_HDR);
3023	if (n == NULL) {
3024	mptcplog((LOG_ERR, "%s m_copym_mode returned NULL\n", __func__),
3025	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
3026	goto err;
3027	}
3028
3029	VERIFY(n->m_flags & M_PKTHDR);
3030	VERIFY(n->m_next == NULL);
3031	VERIFY(n->m_pkthdr.mp_dsn == dsn);
3032	VERIFY(n->m_pkthdr.mp_rlen == dlen);
3033	VERIFY(n->m_pkthdr.mp_rseq == rseq);
3034	VERIFY(n->m_len == m->m_len);
3035
3036	n->m_pkthdr.pkt_flags \|= (PKTF_MPSO \| PKTF_MPTCP);
3037
3038	if (top == NULL)
3039	top = n;
3040
3041	if (tail != NULL)
3042	tail->m_next = n;
3043
3044	tail = n;
3045
3046	len -= m->m_len;
3047	m = m->m_next;
3048	}
3049
3050	return top;
3051
3052	err:
3053	if (top)
3054	m_freem(top);
3055
3056	return NULL;
3057	}
3058
3059	static void
3060	mptcp_reinject_mbufs(struct socket *so)
3061	{
3062	struct tcpcb *tp = sototcpcb(so);
3063	struct mptsub *mpts = tp->t_mpsub;
3064	struct mptcb *mp_tp = tptomptp(tp);
3065	struct mptses *mpte = mp_tp->mpt_mpte;;
3066	struct sockbuf *sb = &so->so_snd;
3067	struct mbuf *m;
3068
3069	m = sb->sb_mb;
3070	while (m) {
3071	struct mbuf n = m->m_next, orig = m;
3072
3073	mptcplog((LOG_DEBUG, "%s working on suna %u relseq %u iss %u len %u pktflags %#x\n",
3074	__func__, tp->snd_una, m->m_pkthdr.mp_rseq, mpts->mpts_iss,
3075	m->m_pkthdr.mp_rlen, m->m_pkthdr.pkt_flags),
3076	MPTCP_SENDER_DBG, MPTCP_LOGLVL_VERBOSE);
3077
3078	VERIFY((m->m_flags & M_PKTHDR) && (m->m_pkthdr.pkt_flags & PKTF_MPTCP));
3079
3080	if (m->m_pkthdr.pkt_flags & PKTF_MPTCP_REINJ)
3081	goto next;
3082
3083	/ Has it all already been acknowledged at the data-level? /
3084	if (MPTCP_SEQ_GEQ(mp_tp->mpt_snduna, m->m_pkthdr.mp_dsn + m->m_pkthdr.mp_rlen))
3085	goto next;
3086
3087	/ Part of this has already been acknowledged - lookup in the*
3088	* MPTCP-socket for the segment.
3089	*/
3090	if (SEQ_GT(tp->snd_una - mpts->mpts_iss, m->m_pkthdr.mp_rseq)) {
3091	m = mptcp_lookup_dsn(mpte, m->m_pkthdr.mp_dsn);
3092	if (m == NULL)
3093	goto next;
3094	}
3095
3096	/ Copy the mbuf with headers (aka, DSN-numbers) /
3097	m = mptcp_copy_mbuf_list(m, m->m_pkthdr.mp_rlen);
3098	if (m == NULL)
3099	break;
3100
3101	VERIFY(m->m_nextpkt == NULL);
3102
3103	/ Now, add to the reinject-queue, eliminating overlapping*
3104	* segments
3105	*/
3106	mptcp_add_reinjectq(mpte, m);
3107
3108	orig->m_pkthdr.pkt_flags \|= PKTF_MPTCP_REINJ;
3109
3110	next:
3111	/ mp_rlen can cover multiple mbufs, so advance to the end of it. /
3112	while (n) {
3113	VERIFY((n->m_flags & M_PKTHDR) && (n->m_pkthdr.pkt_flags & PKTF_MPTCP));
3114
3115	if (n->m_pkthdr.mp_dsn != orig->m_pkthdr.mp_dsn)
3116	break;
3117
3118	n->m_pkthdr.pkt_flags \|= PKTF_MPTCP_REINJ;
3119	n = n->m_next;
3120	}
3121
3122	m = n;
3123	}
3124	}
3125
3126	void
3127	mptcp_clean_reinjectq(struct mptses *mpte)
3128	{
3129	struct mptcb *mp_tp = mpte->mpte_mptcb;
3130
3131	mpte_lock_assert_held(mpte);
3132
3133	while (mpte->mpte_reinjectq) {
3134	struct mbuf *m = mpte->mpte_reinjectq;
3135
3136	if (MPTCP_SEQ_GEQ(m->m_pkthdr.mp_dsn, mp_tp->mpt_snduna) \|\|
3137	MPTCP_SEQ_GT(m->m_pkthdr.mp_dsn + m->m_pkthdr.mp_rlen, mp_tp->mpt_snduna))
3138	break;
3139
3140	mpte->mpte_reinjectq = m->m_nextpkt;
3141	m->m_nextpkt = NULL;
3142	m_freem(m);
3143	}
3144	}
3145
3146	/*
3147	* Subflow socket control event upcall.
3148	*/
3149	static void
3150	mptcp_subflow_eupcall1(struct socket so, void* *arg, uint32_t events)
3151	{
3152	#pragma unused(so)
3153	struct mptsub *mpts = arg;
3154	struct mptses *mpte = mpts->mpts_mpte;
3155
3156	VERIFY(mpte != NULL);
3157	mpte_lock_assert_held(mpte);
3158
3159	if ((mpts->mpts_evctl & events) == events)
3160	return;
3161
3162	mpts->mpts_evctl \|= events;
3163
3164	if (mptcp_should_defer_upcall(mpte->mpte_mppcb)) {
3165	mpte->mpte_mppcb->mpp_flags \|= MPP_SHOULD_WORKLOOP;
3166	return;
3167	}
3168
3169	mptcp_subflow_workloop(mpte);
3170	}
3171
3172	/*
3173	* Subflow socket control events.
3174	*
3175	* Called for handling events related to the underlying subflow socket.
3176	*/
3177	static ev_ret_t
3178	mptcp_subflow_events(struct mptses mpte, struct* mptsub *mpts,
3179	uint64_t *p_mpsofilt_hint)
3180	{
3181	ev_ret_t ret = MPTS_EVRET_OK;
3182	int i, mpsub_ev_entry_count = sizeof(mpsub_ev_entry_tbl) /
3183	sizeof(mpsub_ev_entry_tbl[`0`]);
3184
3185	mpte_lock_assert_held(mpte); / same as MP socket lock /
3186
3187	/ bail if there's nothing to process /
3188	if (!mpts->mpts_evctl)
3189	return (ret);
3190
3191	if (mpts->mpts_evctl & (SO_FILT_HINT_CONNRESET\|SO_FILT_HINT_MUSTRST\|
3192	SO_FILT_HINT_CANTSENDMORE\|SO_FILT_HINT_TIMEOUT\|
3193	SO_FILT_HINT_NOSRCADDR\|SO_FILT_HINT_IFDENIED\|
3194	SO_FILT_HINT_DISCONNECTED)) {
3195	mpts->mpts_evctl \|= SO_FILT_HINT_MPFAILOVER;
3196	}
3197
3198	DTRACE_MPTCP3(subflow__events, struct mptses *, mpte,
3199	struct mptsub *, mpts, uint32_t, mpts->mpts_evctl);
3200
3201	mptcplog((LOG_DEBUG, "%s cid %d events=%b\n", __func__,
3202	mpts->mpts_connid, mpts->mpts_evctl, SO_FILT_HINT_BITS),
3203	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_VERBOSE);
3204
3205	/*
3206	* Process all the socket filter hints and reset the hint
3207	* once it is handled
3208	*/
3209	for (i = `0`; i < mpsub_ev_entry_count && mpts->mpts_evctl; i++) {
3210	/*
3211	* Always execute the DISCONNECTED event, because it will wakeup
3212	* the app.
3213	*/
3214	if ((mpts->mpts_evctl & mpsub_ev_entry_tbl[i].sofilt_hint_mask) &&
3215	(ret >= MPTS_EVRET_OK \|\|
3216	mpsub_ev_entry_tbl[i].sofilt_hint_mask == SO_FILT_HINT_DISCONNECTED)) {
3217	mpts->mpts_evctl &= ~mpsub_ev_entry_tbl[i].sofilt_hint_mask;
3218	ev_ret_t error =
3219	mpsub_ev_entry_tbl[i].sofilt_hint_ev_hdlr(mpte, mpts, p_mpsofilt_hint, mpsub_ev_entry_tbl[i].sofilt_hint_mask);
3220	ret = ((error >= MPTS_EVRET_OK) ? MAX(error, ret) : error);
3221	}
3222	}
3223
3224	/*
3225	* We should be getting only events specified via sock_catchevents(),
3226	* so loudly complain if we have any unprocessed one(s).
3227	*/
3228	if (mpts->mpts_evctl \|\| ret < MPTS_EVRET_OK)
3229	mptcplog((LOG_WARNING, "%s%s: cid %d evret %s (%d) unhandled events=%b\n", __func__,
3230	(mpts->mpts_evctl && ret == MPTS_EVRET_OK) ? "MPTCP_ERROR " : "",
3231	mpts->mpts_connid,
3232	mptcp_evret2str(ret), ret, mpts->mpts_evctl, SO_FILT_HINT_BITS),
3233	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3234	else
3235	mptcplog((LOG_DEBUG, "%s: Done, events %b\n", __func__,
3236	mpts->mpts_evctl, SO_FILT_HINT_BITS),
3237	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_VERBOSE);
3238
3239	return (ret);
3240	}
3241
3242	static ev_ret_t
3243	mptcp_subflow_propagate_ev(struct mptses mpte, struct* mptsub *mpts,
3244	uint64_t *p_mpsofilt_hint, uint64_t event)
3245	{
3246	struct socket mp_so, so;
3247	struct mptcb *mp_tp;
3248
3249	mpte_lock_assert_held(mpte); / same as MP socket lock /
3250	VERIFY(mpte->mpte_mppcb != NULL);
3251	mp_so = mptetoso(mpte);
3252	mp_tp = mpte->mpte_mptcb;
3253	so = mpts->mpts_socket;
3254
3255	mptcplog((LOG_DEBUG, "%s: cid %d event %d\n", __func__,
3256	mpts->mpts_connid, event),
3257	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3258
3259	/*
3260	* We got an event for this subflow that might need to be propagated,
3261	* based on the state of the MPTCP connection.
3262	*/
3263	if (mp_tp->mpt_state < MPTCPS_ESTABLISHED \|\|
3264	((mp_tp->mpt_flags & MPTCPF_FALLBACK_TO_TCP) && (mpts->mpts_flags & MPTSF_ACTIVE))) {
3265	mp_so->so_error = so->so_error;
3266	*p_mpsofilt_hint \|= event;
3267	}
3268
3269	return (MPTS_EVRET_OK);
3270	}
3271
3272	/*
3273	* Handle SO_FILT_HINT_NOSRCADDR subflow socket event.
3274	*/
3275	static ev_ret_t
3276	mptcp_subflow_nosrcaddr_ev(struct mptses mpte, struct* mptsub *mpts,
3277	uint64_t *p_mpsofilt_hint, uint64_t event)
3278	{
3279	#pragma unused(p_mpsofilt_hint, event)
3280	struct socket *mp_so;
3281	struct tcpcb *tp;
3282
3283	mpte_lock_assert_held(mpte); / same as MP socket lock /
3284
3285	VERIFY(mpte->mpte_mppcb != NULL);
3286	mp_so = mptetoso(mpte);
3287	tp = intotcpcb(sotoinpcb(mpts->mpts_socket));
3288
3289	/*
3290	* This overwrites any previous mpte_lost_aid to avoid storing
3291	* too much state when the typical case has only two subflows.
3292	*/
3293	mpte->mpte_flags \|= MPTE_SND_REM_ADDR;
3294	mpte->mpte_lost_aid = tp->t_local_aid;
3295
3296	mptcplog((LOG_DEBUG, "%s cid %d\n", __func__, mpts->mpts_connid),
3297	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3298
3299	/*
3300	* The subflow connection has lost its source address.
3301	*/
3302	mptcp_subflow_abort(mpts, EADDRNOTAVAIL);
3303
3304	if (mp_so->so_flags & SOF_NOADDRAVAIL)
3305	mptcp_subflow_propagate_ev(mpte, mpts, p_mpsofilt_hint, event);
3306
3307	return (MPTS_EVRET_DELETE);
3308	}
3309
3310	/*
3311	* Handle SO_FILT_HINT_MPCANTRCVMORE subflow socket event that
3312	* indicates that the remote side sent a Data FIN
3313	*/
3314	static ev_ret_t
3315	mptcp_subflow_mpcantrcvmore_ev(struct mptses mpte, struct* mptsub *mpts,
3316	uint64_t *p_mpsofilt_hint, uint64_t event)
3317	{
3318	#pragma unused(event)
3319	struct mptcb *mp_tp;
3320
3321	mpte_lock_assert_held(mpte); / same as MP socket lock /
3322	mp_tp = mpte->mpte_mptcb;
3323
3324	mptcplog((LOG_DEBUG, "%s: cid %d\n", __func__, mpts->mpts_connid),
3325	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3326
3327	/*
3328	* We got a Data FIN for the MPTCP connection.
3329	* The FIN may arrive with data. The data is handed up to the
3330	* mptcp socket and the user is notified so that it may close
3331	* the socket if needed.
3332	*/
3333	if (mp_tp->mpt_state == MPTCPS_CLOSE_WAIT)
3334	*p_mpsofilt_hint \|= SO_FILT_HINT_CANTRCVMORE;
3335
3336	return (MPTS_EVRET_OK); / keep the subflow socket around /
3337	}
3338
3339	/*
3340	* Handle SO_FILT_HINT_MPFAILOVER subflow socket event
3341	*/
3342	static ev_ret_t
3343	mptcp_subflow_failover_ev(struct mptses mpte, struct* mptsub *mpts,
3344	uint64_t *p_mpsofilt_hint, uint64_t event)
3345	{
3346	#pragma unused(event, p_mpsofilt_hint)
3347	struct mptsub *mpts_alt = NULL;
3348	struct socket *alt_so = NULL;
3349	struct socket *mp_so;
3350	int altpath_exists = `0`;
3351
3352	mpte_lock_assert_held(mpte);
3353	mp_so = mptetoso(mpte);
3354	mptcplog((LOG_NOTICE, "%s: mp_so 0x%llx\n", __func__,
3355	(u_int64_t)VM_KERNEL_ADDRPERM(mp_so)),
3356	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3357
3358	mptcp_reinject_mbufs(mpts->mpts_socket);
3359
3360	mpts_alt = mptcp_get_subflow(mpte, mpts, NULL);
3361	/*
3362	* If there is no alternate eligible subflow, ignore the
3363	* failover hint.
3364	*/
3365	if (mpts_alt == NULL) {
3366	mptcplog((LOG_WARNING, "%s: no alternate path\n", __func__),
3367	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3368
3369	goto done;
3370	}
3371
3372	altpath_exists = `1`;
3373	alt_so = mpts_alt->mpts_socket;
3374	if (mpts_alt->mpts_flags & MPTSF_FAILINGOVER) {
3375	/ All data acknowledged and no RTT spike /
3376	if (alt_so->so_snd.sb_cc == `0` && mptcp_no_rto_spike(alt_so)) {
3377	mpts_alt->mpts_flags &= ~MPTSF_FAILINGOVER;
3378	} else {
3379	/ no alternate path available /
3380	altpath_exists = `0`;
3381	}
3382	}
3383
3384	if (altpath_exists) {
3385	mpts_alt->mpts_flags \|= MPTSF_ACTIVE;
3386
3387	mpte->mpte_active_sub = mpts_alt;
3388	mpts->mpts_flags \|= MPTSF_FAILINGOVER;
3389	mpts->mpts_flags &= ~MPTSF_ACTIVE;
3390
3391	mptcplog((LOG_NOTICE, "%s: switched from %d to %d\n",
3392	__func__, mpts->mpts_connid, mpts_alt->mpts_connid),
3393	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3394
3395	mptcpstats_inc_switch(mpte, mpts);
3396
3397	sowwakeup(alt_so);
3398	} else {
3399	mptcplog((LOG_DEBUG, "%s: no alt cid = %d\n", __func__,
3400	mpts->mpts_connid),
3401	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3402	done:
3403	mpts->mpts_socket->so_flags &= ~SOF_MP_TRYFAILOVER;
3404	}
3405
3406	return (MPTS_EVRET_OK);
3407	}
3408
3409	/*
3410	* Handle SO_FILT_HINT_IFDENIED subflow socket event.
3411	*/
3412	static ev_ret_t
3413	mptcp_subflow_ifdenied_ev(struct mptses mpte, struct* mptsub *mpts,
3414	uint64_t *p_mpsofilt_hint, uint64_t event)
3415	{
3416	mpte_lock_assert_held(mpte); / same as MP socket lock /
3417	VERIFY(mpte->mpte_mppcb != NULL);
3418
3419	mptcplog((LOG_DEBUG, "%s: cid %d\n", __func__,
3420	mpts->mpts_connid), MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3421
3422	/*
3423	* The subflow connection cannot use the outgoing interface, let's
3424	* close this subflow.
3425	*/
3426	mptcp_subflow_abort(mpts, EPERM);
3427
3428	mptcp_subflow_propagate_ev(mpte, mpts, p_mpsofilt_hint, event);
3429
3430	return (MPTS_EVRET_DELETE);
3431	}
3432
3433	/*
3434	* https://tools.ietf.org/html/rfc6052#section-2
3435	* https://tools.ietf.org/html/rfc6147#section-5.2
3436	*/
3437	static boolean_t
3438	mptcp_desynthesize_ipv6_addr(const struct in6_addr *addr,
3439	const struct ipv6_prefix *prefix,
3440	struct in_addr *addrv4)
3441	{
3442	char buf[MAX_IPv4_STR_LEN];
3443	char ptrv4 = (char* *)addrv4;
3444	const char ptr = (const* char *)addr;
3445
3446	if (memcmp(addr, &prefix->ipv6_prefix, prefix->prefix_len) != `0`)
3447	return false;
3448
3449	switch (prefix->prefix_len) {
3450	case NAT64_PREFIX_LEN_96:
3451	memcpy(ptrv4, ptr + `12`, `4`);
3452	break;
3453	case NAT64_PREFIX_LEN_64:
3454	memcpy(ptrv4, ptr + `9`, `4`);
3455	break;
3456	case NAT64_PREFIX_LEN_56:
3457	memcpy(ptrv4, ptr + `7`, `1`);
3458	memcpy(ptrv4 + `1`, ptr + `9`, `3`);
3459	break;
3460	case NAT64_PREFIX_LEN_48:
3461	memcpy(ptrv4, ptr + `6`, `2`);
3462	memcpy(ptrv4 + `2`, ptr + `9`, `2`);
3463	break;
3464	case NAT64_PREFIX_LEN_40:
3465	memcpy(ptrv4, ptr + `5`, `3`);
3466	memcpy(ptrv4 + `3`, ptr + `9`, `1`);
3467	break;
3468	case NAT64_PREFIX_LEN_32:
3469	memcpy(ptrv4, ptr + `4`, `4`);
3470	break;
3471	default:
3472	panic("NAT64-prefix len is wrong: %u\n",
3473	prefix->prefix_len);
3474	}
3475
3476	os_log_info(mptcp_log_handle, "%s desynthesized to %s\n", __func__,
3477	inet_ntop(AF_INET, (void )addrv4, buf, sizeof*(buf)));
3478
3479	return true;
3480	}
3481
3482	static void
3483	mptcp_handle_ipv6_connection(struct mptses mpte, const* struct mptsub *mpts)
3484	{
3485	struct ipv6_prefix nat64prefixes[NAT64_MAX_NUM_PREFIXES];
3486	struct socket *so = mpts->mpts_socket;
3487	struct ifnet *ifp;
3488	int j;
3489
3490	ifp = sotoinpcb(so)->inp_last_outifp;
3491
3492	if (ifnet_get_nat64prefix(ifp, nat64prefixes) == ENOENT) {
3493	mptcp_ask_for_nat64(ifp);
3494	return;
3495	}
3496
3497
3498	for (j = `0`; j < NAT64_MAX_NUM_PREFIXES; j++) {
3499	int success;
3500
3501	if (nat64prefixes[j].prefix_len == `0`)
3502	continue;
3503
3504	success = mptcp_desynthesize_ipv6_addr(&mpte->__mpte_dst_v6.sin6_addr,
3505	&nat64prefixes[j],
3506	&mpte->mpte_dst_v4_nat64.sin_addr);
3507	if (success) {
3508	mpte->mpte_dst_v4_nat64.sin_len = sizeof(mpte->mpte_dst_v4_nat64);
3509	mpte->mpte_dst_v4_nat64.sin_family = AF_INET;
3510	mpte->mpte_dst_v4_nat64.sin_port = mpte->__mpte_dst_v6.sin6_port;
3511	break;
3512	}
3513	}
3514	}
3515
3516	/*
3517	* Handle SO_FILT_HINT_CONNECTED subflow socket event.
3518	*/
3519	static ev_ret_t
3520	mptcp_subflow_connected_ev(struct mptses mpte, struct* mptsub *mpts,
3521	uint64_t *p_mpsofilt_hint, uint64_t event)
3522	{
3523	#pragma unused(event, p_mpsofilt_hint)
3524	struct socket mp_so, so;
3525	struct inpcb *inp;
3526	struct tcpcb *tp;
3527	struct mptcb *mp_tp;
3528	int af;
3529	boolean_t mpok = FALSE;
3530
3531	mpte_lock_assert_held(mpte); / same as MP socket lock /
3532	VERIFY(mpte->mpte_mppcb != NULL);
3533
3534	mp_so = mptetoso(mpte);
3535	mp_tp = mpte->mpte_mptcb;
3536	so = mpts->mpts_socket;
3537	tp = sototcpcb(so);
3538	af = mpts->mpts_dst.sa_family;
3539
3540	if (mpts->mpts_flags & MPTSF_CONNECTED)
3541	return (MPTS_EVRET_OK);
3542
3543	if ((mpts->mpts_flags & MPTSF_DISCONNECTED) \|\|
3544	(mpts->mpts_flags & MPTSF_DISCONNECTING)) {
3545	if (!(so->so_state & (SS_ISDISCONNECTING \| SS_ISDISCONNECTED)) &&
3546	(so->so_state & SS_ISCONNECTED)) {
3547	mptcplog((LOG_DEBUG, "%s: cid %d disconnect before tcp connect\n",
3548	__func__, mpts->mpts_connid),
3549	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3550	(void) soshutdownlock(so, SHUT_RD);
3551	(void) soshutdownlock(so, SHUT_WR);
3552	(void) sodisconnectlocked(so);
3553	}
3554	return (MPTS_EVRET_OK);
3555	}
3556
3557	/*
3558	* The subflow connection has been connected. Find out whether it
3559	* is connected as a regular TCP or as a MPTCP subflow. The idea is:
3560	*
3561	* a. If MPTCP connection is not yet established, then this must be
3562	* the first subflow connection. If MPTCP failed to negotiate,
3563	* fallback to regular TCP by degrading this subflow.
3564	*
3565	* b. If MPTCP connection has been established, then this must be
3566	* one of the subsequent subflow connections. If MPTCP failed
3567	* to negotiate, disconnect the connection.
3568	*
3569	* Right now, we simply unblock any waiters at the MPTCP socket layer
3570	* if the MPTCP connection has not been established.
3571	*/
3572
3573	if (so->so_state & SS_ISDISCONNECTED) {
3574	/*
3575	* With MPTCP joins, a connection is connected at the subflow
3576	* level, but the 4th ACK from the server elevates the MPTCP
3577	* subflow to connected state. So there is a small window
3578	* where the subflow could get disconnected before the
3579	* connected event is processed.
3580	*/
3581	return (MPTS_EVRET_OK);
3582	}
3583
3584	if (mpts->mpts_flags & MPTSF_TFO_REQD)
3585	mptcp_drop_tfo_data(mpte, mpts);
3586
3587	mpts->mpts_flags &= ~(MPTSF_CONNECTING \| MPTSF_TFO_REQD);
3588	mpts->mpts_flags \|= MPTSF_CONNECTED;
3589
3590	if (tp->t_mpflags & TMPF_MPTCP_TRUE)
3591	mpts->mpts_flags \|= MPTSF_MP_CAPABLE;
3592
3593	tp->t_mpflags &= ~TMPF_TFO_REQUEST;
3594
3595	/ get/verify the outbound interface /
3596	inp = sotoinpcb(so);
3597
3598	mpts->mpts_maxseg = tp->t_maxseg;
3599
3600	mptcplog((LOG_DEBUG, "%s: cid %d outif %s is %s\n", __func__, mpts->mpts_connid,
3601	((inp->inp_last_outifp != NULL) ? inp->inp_last_outifp->if_xname : "NULL"),
3602	((mpts->mpts_flags & MPTSF_MP_CAPABLE) ? "MPTCP capable" : "a regular TCP")),
3603	(MPTCP_SOCKET_DBG \| MPTCP_EVENTS_DBG), MPTCP_LOGLVL_LOG);
3604
3605	mpok = (mpts->mpts_flags & MPTSF_MP_CAPABLE);
3606
3607	if (mp_tp->mpt_state < MPTCPS_ESTABLISHED) {
3608	mp_tp->mpt_state = MPTCPS_ESTABLISHED;
3609	mpte->mpte_associd = mpts->mpts_connid;
3610	DTRACE_MPTCP2(state__change,
3611	struct mptcb *, mp_tp,
3612	uint32_t, `0` / event /);
3613
3614	if (SOCK_DOM(so) == AF_INET) {
3615	in_getsockaddr_s(so, &mpte->__mpte_src_v4);
3616	} else {
3617	in6_getsockaddr_s(so, &mpte->__mpte_src_v6);
3618	}
3619
3620	mpts->mpts_flags \|= MPTSF_ACTIVE;
3621
3622	/ case (a) above /
3623	if (!mpok) {
3624	tcpstat.tcps_mpcap_fallback++;
3625
3626	tp->t_mpflags \|= TMPF_INFIN_SENT;
3627	mptcp_notify_mpfail(so);
3628	} else {
3629	if (IFNET_IS_CELLULAR(inp->inp_last_outifp) &&
3630	mpte->mpte_svctype != MPTCP_SVCTYPE_AGGREGATE) {
3631	tp->t_mpflags \|= (TMPF_BACKUP_PATH \| TMPF_SND_MPPRIO);
3632	} else {
3633	mpts->mpts_flags \|= MPTSF_PREFERRED;
3634	}
3635	mpts->mpts_flags \|= MPTSF_MPCAP_CTRSET;
3636	mpte->mpte_nummpcapflows++;
3637
3638	if (SOCK_DOM(so) == AF_INET6)
3639	mptcp_handle_ipv6_connection(mpte, mpts);
3640
3641	mptcp_check_subflows_and_add(mpte);
3642
3643	if (IFNET_IS_CELLULAR(inp->inp_last_outifp))
3644	mpte->mpte_initial_cell = `1`;
3645
3646	mpte->mpte_handshake_success = `1`;
3647	}
3648
3649	mp_tp->mpt_sndwnd = tp->snd_wnd;
3650	mp_tp->mpt_sndwl1 = mp_tp->mpt_rcvnxt;
3651	mp_tp->mpt_sndwl2 = mp_tp->mpt_snduna;
3652	soisconnected(mp_so);
3653
3654	mptcplog((LOG_DEBUG, "%s: MPTCPS_ESTABLISHED for mp_so 0x%llx mpok %u\n",
3655	__func__, (u_int64_t)VM_KERNEL_ADDRPERM(mp_so), mpok),
3656	MPTCP_STATE_DBG, MPTCP_LOGLVL_LOG);
3657	} else if (mpok) {
3658	/*
3659	* case (b) above
3660	* In case of additional flows, the MPTCP socket is not
3661	* MPTSF_MP_CAPABLE until an ACK is received from server
3662	* for 3-way handshake. TCP would have guaranteed that this
3663	* is an MPTCP subflow.
3664	*/
3665	if (IFNET_IS_CELLULAR(inp->inp_last_outifp) &&
3666	!(tp->t_mpflags & TMPF_BACKUP_PATH) &&
3667	mpte->mpte_svctype != MPTCP_SVCTYPE_AGGREGATE) {
3668	tp->t_mpflags \|= (TMPF_BACKUP_PATH \| TMPF_SND_MPPRIO);
3669	mpts->mpts_flags &= ~MPTSF_PREFERRED;
3670	} else {
3671	mpts->mpts_flags \|= MPTSF_PREFERRED;
3672	}
3673
3674	mpts->mpts_flags \|= MPTSF_MPCAP_CTRSET;
3675	mpte->mpte_nummpcapflows++;
3676
3677	mpts->mpts_rel_seq = `1`;
3678
3679	mptcp_check_subflows_and_remove(mpte);
3680	} else {
3681	unsigned int i;
3682
3683	/ Should we try the alternate port? /
3684	if (mpte->mpte_alternate_port &&
3685	inp->inp_fport != mpte->mpte_alternate_port) {
3686	union sockaddr_in_4_6 dst;
3687	struct sockaddr_in dst_in = (struct* sockaddr_in *)&dst;
3688
3689	memcpy(&dst, &mpts->mpts_dst, mpts->mpts_dst.sa_len);
3690
3691	dst_in->sin_port = mpte->mpte_alternate_port;
3692
3693	mptcp_subflow_add(mpte, NULL, (struct sockaddr *)&dst,
3694	mpts->mpts_ifscope , NULL);
3695	} else { / Else, we tried all we could, mark this interface as non-MPTCP /
3696	for (i = `0`; i < mpte->mpte_itfinfo_size; i++) {
3697	struct mpt_itf_info *info = &mpte->mpte_itfinfo[i];
3698
3699	if (inp->inp_last_outifp->if_index == info->ifindex) {
3700	info->no_mptcp_support = `1`;
3701	break;
3702	}
3703	}
3704	}
3705
3706	tcpstat.tcps_join_fallback++;
3707	if (IFNET_IS_CELLULAR(inp->inp_last_outifp))
3708	tcpstat.tcps_mptcp_cell_proxy++;
3709	else
3710	tcpstat.tcps_mptcp_wifi_proxy++;
3711
3712	soevent(mpts->mpts_socket, SO_FILT_HINT_LOCKED \| SO_FILT_HINT_MUSTRST);
3713
3714	return (MPTS_EVRET_OK);
3715	}
3716
3717	/ This call, just to "book" an entry in the stats-table for this ifindex /
3718	mptcp_get_statsindex(mpte->mpte_itfstats, mpts);
3719
3720	mptcp_output(mpte);
3721
3722	return (MPTS_EVRET_OK); / keep the subflow socket around /
3723	}
3724
3725	/*
3726	* Handle SO_FILT_HINT_DISCONNECTED subflow socket event.
3727	*/
3728	static ev_ret_t
3729	mptcp_subflow_disconnected_ev(struct mptses mpte, struct* mptsub *mpts,
3730	uint64_t *p_mpsofilt_hint, uint64_t event)
3731	{
3732	#pragma unused(event, p_mpsofilt_hint)
3733	struct socket mp_so, so;
3734	struct mptcb *mp_tp;
3735
3736	mpte_lock_assert_held(mpte); / same as MP socket lock /
3737	VERIFY(mpte->mpte_mppcb != NULL);
3738	mp_so = mptetoso(mpte);
3739	mp_tp = mpte->mpte_mptcb;
3740	so = mpts->mpts_socket;
3741
3742	mptcplog((LOG_DEBUG, "%s: cid %d, so_err %d, mpt_state %u fallback %u active %u flags %#x\n",
3743	__func__, mpts->mpts_connid, so->so_error, mp_tp->mpt_state,
3744	!!(mp_tp->mpt_flags & MPTCPF_FALLBACK_TO_TCP),
3745	!!(mpts->mpts_flags & MPTSF_ACTIVE), sototcpcb(so)->t_mpflags),
3746	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3747
3748	if (mpts->mpts_flags & MPTSF_DISCONNECTED)
3749	return (MPTS_EVRET_DELETE);
3750
3751	mpts->mpts_flags \|= MPTSF_DISCONNECTED;
3752
3753	/ The subflow connection has been disconnected. /
3754
3755	if (mpts->mpts_flags & MPTSF_MPCAP_CTRSET) {
3756	mpte->mpte_nummpcapflows--;
3757	if (mpte->mpte_active_sub == mpts) {
3758	mpte->mpte_active_sub = NULL;
3759	mptcplog((LOG_DEBUG, "%s: resetting active subflow \n",
3760	__func__), MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3761	}
3762	mpts->mpts_flags &= ~MPTSF_MPCAP_CTRSET;
3763	}
3764
3765	if (mp_tp->mpt_state < MPTCPS_ESTABLISHED \|\|
3766	((mp_tp->mpt_flags & MPTCPF_FALLBACK_TO_TCP) && (mpts->mpts_flags & MPTSF_ACTIVE)) \|\|
3767	(sototcpcb(so)->t_mpflags & TMPF_FASTCLOSERCV)) {
3768	mptcp_drop(mpte, mp_tp, so->so_error);
3769	}
3770
3771	/*
3772	* Clear flags that are used by getconninfo to return state.
3773	* Retain like MPTSF_DELETEOK for internal purposes.
3774	*/
3775	mpts->mpts_flags &= ~(MPTSF_CONNECTING\|MPTSF_CONNECT_PENDING\|
3776	MPTSF_CONNECTED\|MPTSF_DISCONNECTING\|MPTSF_PREFERRED\|
3777	MPTSF_MP_CAPABLE\|MPTSF_MP_READY\|MPTSF_MP_DEGRADED\|MPTSF_ACTIVE);
3778
3779	return (MPTS_EVRET_DELETE);
3780	}
3781
3782	/*
3783	* Handle SO_FILT_HINT_MPSTATUS subflow socket event
3784	*/
3785	static ev_ret_t
3786	mptcp_subflow_mpstatus_ev(struct mptses mpte, struct* mptsub *mpts,
3787	uint64_t *p_mpsofilt_hint, uint64_t event)
3788	{
3789	#pragma unused(event, p_mpsofilt_hint)
3790	struct socket mp_so, so;
3791	struct mptcb *mp_tp;
3792	ev_ret_t ret = MPTS_EVRET_OK;
3793
3794	mpte_lock_assert_held(mpte); / same as MP socket lock /
3795	VERIFY(mpte->mpte_mppcb != NULL);
3796	mp_so = mptetoso(mpte);
3797	mp_tp = mpte->mpte_mptcb;
3798	so = mpts->mpts_socket;
3799
3800	if (sototcpcb(so)->t_mpflags & TMPF_MPTCP_TRUE)
3801	mpts->mpts_flags \|= MPTSF_MP_CAPABLE;
3802	else
3803	mpts->mpts_flags &= ~MPTSF_MP_CAPABLE;
3804
3805	if (sototcpcb(so)->t_mpflags & TMPF_TCP_FALLBACK) {
3806	if (mpts->mpts_flags & MPTSF_MP_DEGRADED)
3807	goto done;
3808	mpts->mpts_flags \|= MPTSF_MP_DEGRADED;
3809	} else {
3810	mpts->mpts_flags &= ~MPTSF_MP_DEGRADED;
3811	}
3812
3813	if (sototcpcb(so)->t_mpflags & TMPF_MPTCP_READY)
3814	mpts->mpts_flags \|= MPTSF_MP_READY;
3815	else
3816	mpts->mpts_flags &= ~MPTSF_MP_READY;
3817
3818	if (mpts->mpts_flags & MPTSF_MP_DEGRADED) {
3819	mp_tp->mpt_flags \|= MPTCPF_FALLBACK_TO_TCP;
3820	mp_tp->mpt_flags &= ~MPTCPF_JOIN_READY;
3821	}
3822
3823	if (mp_tp->mpt_flags & MPTCPF_FALLBACK_TO_TCP) {
3824	VERIFY(!(mp_tp->mpt_flags & MPTCPF_JOIN_READY));
3825	ret = MPTS_EVRET_DISCONNECT_FALLBACK;
3826
3827	m_freem_list(mpte->mpte_reinjectq);
3828	mpte->mpte_reinjectq = NULL;
3829	} else if (mpts->mpts_flags & MPTSF_MP_READY) {
3830	mp_tp->mpt_flags \|= MPTCPF_JOIN_READY;
3831	ret = MPTS_EVRET_CONNECT_PENDING;
3832	}
3833
3834	mptcplog((LOG_DEBUG, "%s: mp_so 0x%llx mpt_flags=%b cid %d mptsf=%b\n",
3835	__func__, (u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
3836	mp_tp->mpt_flags, MPTCPF_BITS, mpts->mpts_connid,
3837	mpts->mpts_flags, MPTSF_BITS),
3838	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3839
3840	done:
3841	return (ret);
3842	}
3843
3844	/*
3845	* Handle SO_FILT_HINT_MUSTRST subflow socket event
3846	*/
3847	static ev_ret_t
3848	mptcp_subflow_mustrst_ev(struct mptses mpte, struct* mptsub *mpts,
3849	uint64_t *p_mpsofilt_hint, uint64_t event)
3850	{
3851	#pragma unused(event)
3852	struct socket mp_so, so;
3853	struct mptcb *mp_tp;
3854	boolean_t is_fastclose;
3855
3856	mpte_lock_assert_held(mpte); / same as MP socket lock /
3857	VERIFY(mpte->mpte_mppcb != NULL);
3858	mp_so = mptetoso(mpte);
3859	mp_tp = mpte->mpte_mptcb;
3860	so = mpts->mpts_socket;
3861
3862	/ We got an invalid option or a fast close /
3863	struct tcptemp *t_template;
3864	struct inpcb *inp = sotoinpcb(so);
3865	struct tcpcb *tp = NULL;
3866
3867	tp = intotcpcb(inp);
3868	so->so_error = ECONNABORTED;
3869
3870	is_fastclose = !!(tp->t_mpflags & TMPF_FASTCLOSERCV);
3871
3872	t_template = tcp_maketemplate(tp);
3873	if (t_template) {
3874	struct tcp_respond_args tra;
3875
3876	bzero(&tra, sizeof(tra));
3877	if (inp->inp_flags & INP_BOUND_IF)
3878	tra.ifscope = inp->inp_boundifp->if_index;
3879	else
3880	tra.ifscope = IFSCOPE_NONE;
3881	tra.awdl_unrestricted = `1`;
3882
3883	tcp_respond(tp, t_template->tt_ipgen,
3884	&t_template->tt_t, (struct mbuf *)NULL,
3885	tp->rcv_nxt, tp->snd_una, TH_RST, &tra);
3886	(void) m_free(dtom(t_template));
3887	mptcplog((LOG_DEBUG, "MPTCP Events: "
3888	"%s: mp_so 0x%llx cid %d \n",
3889	__func__, (u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
3890	so, mpts->mpts_connid),
3891	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_LOG);
3892	}
3893	mptcp_subflow_abort(mpts, ECONNABORTED);
3894
3895	if (!(mp_tp->mpt_flags & MPTCPF_FALLBACK_TO_TCP) && is_fastclose) {
3896	*p_mpsofilt_hint \|= SO_FILT_HINT_CONNRESET;
3897
3898	if (mp_tp->mpt_state < MPTCPS_ESTABLISHED)
3899	mp_so->so_error = ECONNABORTED;
3900	else
3901	mp_so->so_error = ECONNRESET;
3902
3903	/*
3904	* mptcp_drop is being called after processing the events, to fully
3905	* close the MPTCP connection
3906	*/
3907	}
3908
3909	if (mp_tp->mpt_gc_ticks == MPT_GC_TICKS)
3910	mp_tp->mpt_gc_ticks = MPT_GC_TICKS_FAST;
3911
3912	return (MPTS_EVRET_DELETE);
3913	}
3914
3915	static ev_ret_t
3916	mptcp_subflow_adaptive_rtimo_ev(struct mptses mpte, struct* mptsub *mpts,
3917	uint64_t *p_mpsofilt_hint, uint64_t event)
3918	{
3919	#pragma unused(event)
3920	bool found_active = false;
3921
3922	mpts->mpts_flags \|= MPTSF_READ_STALL;
3923
3924	TAILQ_FOREACH(mpts, &mpte->mpte_subflows, mpts_entry) {
3925	struct tcpcb *tp = sototcpcb(mpts->mpts_socket);
3926
3927	if (!TCPS_HAVEESTABLISHED(tp->t_state) \|\|
3928	TCPS_HAVERCVDFIN2(tp->t_state))
3929	continue;
3930
3931	if (!(mpts->mpts_flags & MPTSF_READ_STALL)) {
3932	found_active = true;
3933	break;
3934	}
3935	}
3936
3937	if (!found_active)
3938	*p_mpsofilt_hint \|= SO_FILT_HINT_ADAPTIVE_RTIMO;
3939
3940	return (MPTS_EVRET_OK);
3941	}
3942
3943	static ev_ret_t
3944	mptcp_subflow_adaptive_wtimo_ev(struct mptses mpte, struct* mptsub *mpts,
3945	uint64_t *p_mpsofilt_hint, uint64_t event)
3946	{
3947	#pragma unused(event)
3948	bool found_active = false;
3949
3950	mpts->mpts_flags \|= MPTSF_WRITE_STALL;
3951
3952	TAILQ_FOREACH(mpts, &mpte->mpte_subflows, mpts_entry) {
3953	struct tcpcb *tp = sototcpcb(mpts->mpts_socket);
3954
3955	if (!TCPS_HAVEESTABLISHED(tp->t_state) \|\|
3956	tp->t_state > TCPS_CLOSE_WAIT)
3957	continue;
3958
3959	if (!(mpts->mpts_flags & MPTSF_WRITE_STALL)) {
3960	found_active = true;
3961	break;
3962	}
3963	}
3964
3965	if (!found_active)
3966	*p_mpsofilt_hint \|= SO_FILT_HINT_ADAPTIVE_WTIMO;
3967
3968	return (MPTS_EVRET_OK);
3969	}
3970
3971	static const char *
3972	mptcp_evret2str(ev_ret_t ret)
3973	{
3974	const char *c = "UNKNOWN";
3975
3976	switch (ret) {
3977	case MPTS_EVRET_DELETE:
3978	c = "MPTS_EVRET_DELETE";
3979	break;
3980	case MPTS_EVRET_CONNECT_PENDING:
3981	c = "MPTS_EVRET_CONNECT_PENDING";
3982	break;
3983	case MPTS_EVRET_DISCONNECT_FALLBACK:
3984	c = "MPTS_EVRET_DISCONNECT_FALLBACK";
3985	break;
3986	case MPTS_EVRET_OK:
3987	c = "MPTS_EVRET_OK";
3988	break;
3989	default:
3990	break;
3991	}
3992	return (c);
3993	}
3994
3995	/*
3996	* Issues SOPT_SET on an MPTCP subflow socket; socket must already be locked,
3997	* caller must ensure that the option can be issued on subflow sockets, via
3998	* MPOF_SUBFLOW_OK flag.
3999	*/
4000	int
4001	mptcp_subflow_sosetopt(struct mptses mpte, struct* mptsub mpts, struct* mptopt *mpo)
4002	{
4003	struct socket mp_so, so;
4004	struct sockopt sopt;
4005	int error;
4006
4007	VERIFY(mpo->mpo_flags & MPOF_SUBFLOW_OK);
4008	mpte_lock_assert_held(mpte);
4009
4010	mp_so = mptetoso(mpte);
4011	so = mpts->mpts_socket;
4012
4013	if (mpte->mpte_mptcb->mpt_state >= MPTCPS_ESTABLISHED &&
4014	mpo->mpo_level == SOL_SOCKET &&
4015	mpo->mpo_name == SO_MARK_CELLFALLBACK) {
4016	struct ifnet *ifp = ifindex2ifnet[mpts->mpts_ifscope];
4017
4018	mptcplog((LOG_DEBUG, "%s Setting CELL_FALLBACK, mpte_flags %#x, svctype %u wifi unusable %d lastcell? %d boundcell? %d\n",
4019	__func__, mpte->mpte_flags, mpte->mpte_svctype, mptcp_is_wifi_unusable(mpte),
4020	sotoinpcb(so)->inp_last_outifp ? IFNET_IS_CELLULAR(sotoinpcb(so)->inp_last_outifp) : -`1`,
4021	mpts->mpts_ifscope != IFSCOPE_NONE && ifp ? IFNET_IS_CELLULAR(ifp) : -`1`),
4022	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
4023
4024	/*
4025	* When we open a new subflow, mark it as cell fallback, if
4026	* this subflow goes over cell.
4027	*
4028	* (except for first-party apps)
4029	*/
4030
4031	if (mpte->mpte_flags & MPTE_FIRSTPARTY)
4032	return (`0`);
4033
4034	if (sotoinpcb(so)->inp_last_outifp &&
4035	!IFNET_IS_CELLULAR(sotoinpcb(so)->inp_last_outifp))
4036	return (`0`);
4037
4038	/*
4039	* This here is an OR, because if the app is not binding to the
4040	* interface, then it definitely is not a cell-fallback
4041	* connection.
4042	*/
4043	if (mpts->mpts_ifscope == IFSCOPE_NONE \|\| ifp == NULL \|\|
4044	!IFNET_IS_CELLULAR(ifp))
4045	return (`0`);
4046	}
4047
4048	mpo->mpo_flags &= ~MPOF_INTERIM;
4049
4050	bzero(&sopt, sizeof (sopt));
4051	sopt.sopt_dir = SOPT_SET;
4052	sopt.sopt_level = mpo->mpo_level;
4053	sopt.sopt_name = mpo->mpo_name;
4054	sopt.sopt_val = CAST_USER_ADDR_T(&mpo->mpo_intval);
4055	sopt.sopt_valsize = sizeof (int);
4056	sopt.sopt_p = kernproc;
4057
4058	error = sosetoptlock(so, &sopt, `0`);
4059	if (error == `0`) {
4060	mptcplog((LOG_INFO, "%s: mp_so 0x%llx sopt %s "
4061	"val %d set successful\n", __func__,
4062	(u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
4063	mptcp_sopt2str(mpo->mpo_level, mpo->mpo_name),
4064	mpo->mpo_intval),
4065	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_LOG);
4066	} else {
4067	mptcplog((LOG_ERR, "%s:mp_so 0x%llx sopt %s "
4068	"val %d set error %d\n", __func__,
4069	(u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
4070	mptcp_sopt2str(mpo->mpo_level, mpo->mpo_name),
4071	mpo->mpo_intval, error),
4072	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
4073	}
4074	return (error);
4075	}
4076
4077	/*
4078	* Issues SOPT_GET on an MPTCP subflow socket; socket must already be locked,
4079	* caller must ensure that the option can be issued on subflow sockets, via
4080	* MPOF_SUBFLOW_OK flag.
4081	*/
4082	int
4083	mptcp_subflow_sogetopt(struct mptses mpte, struct* socket *so,
4084	struct mptopt *mpo)
4085	{
4086	struct socket *mp_so;
4087	struct sockopt sopt;
4088	int error;
4089
4090	VERIFY(mpo->mpo_flags & MPOF_SUBFLOW_OK);
4091	mpte_lock_assert_held(mpte); / same as MP socket lock /
4092	mp_so = mptetoso(mpte);
4093
4094	bzero(&sopt, sizeof (sopt));
4095	sopt.sopt_dir = SOPT_GET;
4096	sopt.sopt_level = mpo->mpo_level;
4097	sopt.sopt_name = mpo->mpo_name;
4098	sopt.sopt_val = CAST_USER_ADDR_T(&mpo->mpo_intval);
4099	sopt.sopt_valsize = sizeof (int);
4100	sopt.sopt_p = kernproc;
4101
4102	error = sogetoptlock(so, &sopt, `0`); / already locked /
4103	if (error == `0`) {
4104	mptcplog((LOG_DEBUG, "MPTCP Socket: "
4105	"%s: mp_so 0x%llx sopt %s "
4106	"val %d get successful\n", __func__,
4107	(u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
4108	mptcp_sopt2str(mpo->mpo_level, mpo->mpo_name),
4109	mpo->mpo_intval),
4110	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
4111	} else {
4112	mptcplog((LOG_ERR, "MPTCP Socket: "
4113	"%s: mp_so 0x%llx sopt %s get error %d\n",
4114	__func__, (u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
4115	mptcp_sopt2str(mpo->mpo_level, mpo->mpo_name), error),
4116	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
4117	}
4118	return (error);
4119	}
4120
4121
4122	/*
4123	* MPTCP garbage collector.
4124	*
4125	* This routine is called by the MP domain on-demand, periodic callout,
4126	* which is triggered when a MPTCP socket is closed. The callout will
4127	* repeat as long as this routine returns a non-zero value.
4128	*/
4129	static uint32_t
4130	mptcp_gc(struct mppcbinfo *mppi)
4131	{
4132	struct mppcb mpp, tmpp;
4133	uint32_t active = `0`;
4134
4135	LCK_MTX_ASSERT(&mppi->mppi_lock, LCK_MTX_ASSERT_OWNED);
4136
4137	TAILQ_FOREACH_SAFE(mpp, &mppi->mppi_pcbs, mpp_entry, tmpp) {
4138	struct socket *mp_so;
4139	struct mptses *mpte;
4140	struct mptcb *mp_tp;
4141
4142	VERIFY(mpp->mpp_flags & MPP_ATTACHED);
4143	mp_so = mpp->mpp_socket;
4144	VERIFY(mp_so != NULL);
4145	mpte = mptompte(mpp);
4146	VERIFY(mpte != NULL);
4147	mp_tp = mpte->mpte_mptcb;
4148	VERIFY(mp_tp != NULL);
4149
4150	mptcplog((LOG_DEBUG, "MPTCP Socket: "
4151	"%s: mp_so 0x%llx found "
4152	"(u=%d,r=%d,s=%d)\n", __func__,
4153	(u_int64_t)VM_KERNEL_ADDRPERM(mp_so), mp_so->so_usecount,
4154	mp_so->so_retaincnt, mpp->mpp_state),
4155	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
4156
4157	if (!mpte_try_lock(mpte)) {
4158	mptcplog((LOG_DEBUG, "MPTCP Socket: "
4159	"%s: mp_so 0x%llx skipped lock "
4160	"(u=%d,r=%d)\n", __func__,
4161	(u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
4162	mp_so->so_usecount, mp_so->so_retaincnt),
4163	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
4164	active++;
4165	continue;
4166	}
4167
4168	/ check again under the lock /
4169	if (mp_so->so_usecount > `0`) {
4170	boolean_t wakeup = FALSE;
4171	struct mptsub mpts, tmpts;
4172
4173	mptcplog((LOG_DEBUG, "MPTCP Socket: "
4174	"%s: mp_so 0x%llx skipped usecount "
4175	"[u=%d,r=%d] %d %d\n", __func__,
4176	(u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
4177	mp_so->so_usecount, mp_so->so_retaincnt,
4178	mp_tp->mpt_gc_ticks,
4179	mp_tp->mpt_state),
4180	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
4181
4182	if (mp_tp->mpt_state >= MPTCPS_FIN_WAIT_1) {
4183	if (mp_tp->mpt_gc_ticks > `0`)
4184	mp_tp->mpt_gc_ticks--;
4185	if (mp_tp->mpt_gc_ticks == `0`) {
4186	wakeup = TRUE;
4187	}
4188	}
4189	if (wakeup) {
4190	TAILQ_FOREACH_SAFE(mpts,
4191	&mpte->mpte_subflows, mpts_entry, tmpts) {
4192	mptcp_subflow_eupcall1(mpts->mpts_socket,
4193	mpts, SO_FILT_HINT_DISCONNECTED);
4194	}
4195	}
4196	mpte_unlock(mpte);
4197	active++;
4198	continue;
4199	}
4200
4201	if (mpp->mpp_state != MPPCB_STATE_DEAD) {
4202	panic("MPTCP Socket: %s: mp_so 0x%llx skipped state "
4203	"[u=%d,r=%d,s=%d]\n", __func__,
4204	(u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
4205	mp_so->so_usecount, mp_so->so_retaincnt,
4206	mpp->mpp_state);
4207	}
4208
4209	if (mp_tp->mpt_state == MPTCPS_TIME_WAIT)
4210	mptcp_close(mpte, mp_tp);
4211
4212	mptcp_session_destroy(mpte);
4213
4214	mptcplog((LOG_DEBUG, "MPTCP Socket: "
4215	"%s: mp_so 0x%llx destroyed [u=%d,r=%d]\n",
4216	__func__, (u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
4217	mp_so->so_usecount, mp_so->so_retaincnt),
4218	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
4219
4220	DTRACE_MPTCP4(dispose, struct socket *, mp_so,
4221	struct sockbuf *, &mp_so->so_rcv,
4222	struct sockbuf *, &mp_so->so_snd,
4223	struct mppcb *, mpp);
4224
4225	mp_pcbdispose(mpp);
4226	sodealloc(mp_so);
4227	}
4228
4229	return (active);
4230	}
4231
4232	/*
4233	* Drop a MPTCP connection, reporting the specified error.
4234	*/
4235	struct mptses *
4236	mptcp_drop(struct mptses mpte, struct* mptcb mp_tp, int* errno)
4237	{
4238	struct socket *mp_so;
4239
4240	mpte_lock_assert_held(mpte); / same as MP socket lock /
4241	VERIFY(mpte->mpte_mptcb == mp_tp);
4242	mp_so = mptetoso(mpte);
4243
4244	DTRACE_MPTCP2(state__change, struct mptcb *, mp_tp,
4245	uint32_t, `0` / event /);
4246
4247	if (errno == ETIMEDOUT && mp_tp->mpt_softerror != `0`)
4248	errno = mp_tp->mpt_softerror;
4249	mp_so->so_error = errno;
4250
4251	return (mptcp_close(mpte, mp_tp));
4252	}
4253
4254	/*
4255	* Close a MPTCP control block.
4256	*/
4257	struct mptses *
4258	mptcp_close(struct mptses mpte, struct* mptcb *mp_tp)
4259	{
4260	struct socket *mp_so = NULL;
4261	struct mptsub mpts = NULL, tmpts = NULL;
4262
4263	mpte_lock_assert_held(mpte); / same as MP socket lock /
4264	VERIFY(mpte->mpte_mptcb == mp_tp);
4265	mp_so = mptetoso(mpte);
4266
4267	mp_tp->mpt_state = MPTCPS_TERMINATE;
4268
4269	mptcp_freeq(mp_tp);
4270
4271	soisdisconnected(mp_so);
4272
4273	/ Clean up all subflows /
4274	TAILQ_FOREACH_SAFE(mpts, &mpte->mpte_subflows, mpts_entry, tmpts) {
4275	mptcp_subflow_disconnect(mpte, mpts);
4276	}
4277
4278	return (NULL);
4279	}
4280
4281	void
4282	mptcp_notify_close(struct socket *so)
4283	{
4284	soevent(so, (SO_FILT_HINT_LOCKED \| SO_FILT_HINT_DISCONNECTED));
4285	}
4286
4287	/*
4288	* MPTCP workloop.
4289	*/
4290	void
4291	mptcp_subflow_workloop(struct mptses *mpte)
4292	{
4293	struct socket *mp_so;
4294	struct mptsub mpts, tmpts;
4295	boolean_t connect_pending = FALSE, disconnect_fallback = FALSE;
4296	uint64_t mpsofilt_hint_mask = SO_FILT_HINT_LOCKED;
4297
4298	mpte_lock_assert_held(mpte);
4299	VERIFY(mpte->mpte_mppcb != NULL);
4300	mp_so = mptetoso(mpte);
4301	VERIFY(mp_so != NULL);
4302
4303	TAILQ_FOREACH_SAFE(mpts, &mpte->mpte_subflows, mpts_entry, tmpts) {
4304	ev_ret_t ret;
4305
4306	if (mpts->mpts_socket->so_usecount == `0`) {
4307	/ Will be removed soon by tcp_garbage_collect /
4308	continue;
4309	}
4310
4311	mptcp_subflow_addref(mpts);
4312	mpts->mpts_socket->so_usecount++;
4313
4314	ret = mptcp_subflow_events(mpte, mpts, &mpsofilt_hint_mask);
4315
4316	/*
4317	* If MPTCP socket is closed, disconnect all subflows.
4318	* This will generate a disconnect event which will
4319	* be handled during the next iteration, causing a
4320	* non-zero error to be returned above.
4321	*/
4322	if (mp_so->so_flags & SOF_PCBCLEARING)
4323	mptcp_subflow_disconnect(mpte, mpts);
4324
4325	switch (ret) {
4326	case MPTS_EVRET_OK:
4327	/ nothing to do /
4328	break;
4329	case MPTS_EVRET_DELETE:
4330	mptcp_subflow_soclose(mpts);
4331	break;
4332	case MPTS_EVRET_CONNECT_PENDING:
4333	connect_pending = TRUE;
4334	break;
4335	case MPTS_EVRET_DISCONNECT_FALLBACK:
4336	disconnect_fallback = TRUE;
4337	break;
4338	default:
4339	mptcplog((LOG_DEBUG,
4340	"MPTCP Socket: %s: mptcp_subflow_events "
4341	"returned invalid value: %d\n", __func__,
4342	ret),
4343	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
4344	break;
4345	}
4346	mptcp_subflow_remref(mpts); / ours /
4347
4348	VERIFY(mpts->mpts_socket->so_usecount != `0`);
4349	mpts->mpts_socket->so_usecount--;
4350	}
4351
4352	if (mpsofilt_hint_mask != SO_FILT_HINT_LOCKED) {
4353	VERIFY(mpsofilt_hint_mask & SO_FILT_HINT_LOCKED);
4354
4355	soevent(mp_so, mpsofilt_hint_mask);
4356	}
4357
4358	if (!connect_pending && !disconnect_fallback)
4359	return;
4360
4361	TAILQ_FOREACH_SAFE(mpts, &mpte->mpte_subflows, mpts_entry, tmpts) {
4362	if (disconnect_fallback) {
4363	struct socket *so = NULL;
4364	struct inpcb *inp = NULL;
4365	struct tcpcb *tp = NULL;
4366
4367	if (mpts->mpts_flags & MPTSF_MP_DEGRADED)
4368	continue;
4369
4370	mpts->mpts_flags \|= MPTSF_MP_DEGRADED;
4371
4372	if (mpts->mpts_flags & (MPTSF_DISCONNECTING\|
4373	MPTSF_DISCONNECTED\|MPTSF_CONNECT_PENDING))
4374	continue;
4375
4376	so = mpts->mpts_socket;
4377
4378	/*
4379	* The MPTCP connection has degraded to a fallback
4380	* mode, so there is no point in keeping this subflow
4381	* regardless of its MPTCP-readiness state, unless it
4382	* is the primary one which we use for fallback. This
4383	* assumes that the subflow used for fallback is the
4384	* ACTIVE one.
4385	*/
4386
4387	inp = sotoinpcb(so);
4388	tp = intotcpcb(inp);
4389	tp->t_mpflags &=
4390	~(TMPF_MPTCP_READY\|TMPF_MPTCP_TRUE);
4391	tp->t_mpflags \|= TMPF_TCP_FALLBACK;
4392
4393	if (mpts->mpts_flags & MPTSF_ACTIVE) {
4394	continue;
4395	}
4396	tp->t_mpflags \|= TMPF_RESET;
4397	soevent(so, SO_FILT_HINT_MUSTRST);
4398	} else if (connect_pending) {
4399	/*
4400	* The MPTCP connection has progressed to a state
4401	* where it supports full multipath semantics; allow
4402	* additional joins to be attempted for all subflows
4403	* that are in the PENDING state.
4404	*/
4405	if (mpts->mpts_flags & MPTSF_CONNECT_PENDING) {
4406	int error = mptcp_subflow_soconnectx(mpte, mpts);
4407
4408	if (error)
4409	mptcp_subflow_abort(mpts, error);
4410	}
4411	}
4412	}
4413	}
4414
4415	/*
4416	* Protocol pr_lock callback.
4417	*/
4418	int
4419	mptcp_lock(struct socket mp_so, int* refcount, void *lr)
4420	{
4421	struct mppcb *mpp = mpsotomppcb(mp_so);
4422	void *lr_saved;
4423
4424	if (lr == NULL)
4425	lr_saved = __builtin_return_address(`0`);
4426	else
4427	lr_saved = lr;
4428
4429	if (mpp == NULL) {
4430	panic("%s: so=%p NO PCB! lr=%p lrh= %s\n", __func__,
4431	mp_so, lr_saved, solockhistory_nr(mp_so));
4432	/ NOTREACHED /
4433	}
4434	mpp_lock(mpp);
4435
4436	if (mp_so->so_usecount < `0`) {
4437	panic("%s: so=%p so_pcb=%p lr=%p ref=%x lrh= %s\n", __func__,
4438	mp_so, mp_so->so_pcb, lr_saved, mp_so->so_usecount,
4439	solockhistory_nr(mp_so));
4440	/ NOTREACHED /
4441	}
4442	if (refcount != `0`)
4443	mp_so->so_usecount++;
4444	mp_so->lock_lr[mp_so->next_lock_lr] = lr_saved;
4445	mp_so->next_lock_lr = (mp_so->next_lock_lr + `1`) % SO_LCKDBG_MAX;
4446
4447	return (`0`);
4448	}
4449
4450	/*
4451	* Protocol pr_unlock callback.
4452	*/
4453	int
4454	mptcp_unlock(struct socket mp_so, int* refcount, void *lr)
4455	{
4456	struct mppcb *mpp = mpsotomppcb(mp_so);
4457	void *lr_saved;
4458
4459	if (lr == NULL)
4460	lr_saved = __builtin_return_address(`0`);
4461	else
4462	lr_saved = lr;
4463
4464	if (mpp == NULL) {
4465	panic("%s: so=%p NO PCB usecount=%x lr=%p lrh= %s\n", __func__,
4466	mp_so, mp_so->so_usecount, lr_saved,
4467	solockhistory_nr(mp_so));
4468	/ NOTREACHED /
4469	}
4470	mpp_lock_assert_held(mpp);
4471
4472	if (refcount != `0`)
4473	mp_so->so_usecount--;
4474
4475	if (mp_so->so_usecount < `0`) {
4476	panic("%s: so=%p usecount=%x lrh= %s\n", __func__,
4477	mp_so, mp_so->so_usecount, solockhistory_nr(mp_so));
4478	/ NOTREACHED /
4479	}
4480	mp_so->unlock_lr[mp_so->next_unlock_lr] = lr_saved;
4481	mp_so->next_unlock_lr = (mp_so->next_unlock_lr + `1`) % SO_LCKDBG_MAX;
4482	mpp_unlock(mpp);
4483
4484	return (`0`);
4485	}
4486
4487	/*
4488	* Protocol pr_getlock callback.
4489	*/
4490	lck_mtx_t *
4491	mptcp_getlock(struct socket mp_so, int* flags)
4492	{
4493	struct mppcb *mpp = mpsotomppcb(mp_so);
4494
4495	if (mpp == NULL) {
4496	panic("%s: so=%p NULL so_pcb %s\n", __func__, mp_so,
4497	solockhistory_nr(mp_so));
4498	/ NOTREACHED /
4499	}
4500	if (mp_so->so_usecount < `0`) {
4501	panic("%s: so=%p usecount=%x lrh= %s\n", __func__,
4502	mp_so, mp_so->so_usecount, solockhistory_nr(mp_so));
4503	/ NOTREACHED /
4504	}
4505	return (mpp_getlock(mpp, flags));
4506	}
4507
4508	/*
4509	* MPTCP Join support
4510	*/
4511
4512	static void
4513	mptcp_attach_to_subf(struct socket so, struct* mptcb *mp_tp,
4514	uint8_t addr_id)
4515	{
4516	struct tcpcb *tp = sototcpcb(so);
4517	struct mptcp_subf_auth_entry *sauth_entry;
4518	mpte_lock_assert_held(mp_tp->mpt_mpte);
4519
4520	/*
4521	* The address ID of the first flow is implicitly 0.
4522	*/
4523	if (mp_tp->mpt_state == MPTCPS_CLOSED) {
4524	tp->t_local_aid = `0`;
4525	} else {
4526	tp->t_local_aid = addr_id;
4527	tp->t_mpflags \|= (TMPF_PREESTABLISHED \| TMPF_JOINED_FLOW);
4528	so->so_flags \|= SOF_MP_SEC_SUBFLOW;
4529	}
4530	sauth_entry = zalloc(mpt_subauth_zone);
4531	sauth_entry->msae_laddr_id = tp->t_local_aid;
4532	sauth_entry->msae_raddr_id = `0`;
4533	sauth_entry->msae_raddr_rand = `0`;
4534	try_again:
4535	sauth_entry->msae_laddr_rand = RandomULong();
4536	if (sauth_entry->msae_laddr_rand == `0`)
4537	goto try_again;
4538	LIST_INSERT_HEAD(&mp_tp->mpt_subauth_list, sauth_entry, msae_next);
4539	}
4540
4541	static void
4542	mptcp_detach_mptcb_from_subf(struct mptcb mp_tp, struct* socket *so)
4543	{
4544	struct mptcp_subf_auth_entry *sauth_entry;
4545	struct tcpcb *tp = NULL;
4546	int found = `0`;
4547
4548	tp = sototcpcb(so);
4549	if (tp == NULL)
4550	return;
4551
4552	LIST_FOREACH(sauth_entry, &mp_tp->mpt_subauth_list, msae_next) {
4553	if (sauth_entry->msae_laddr_id == tp->t_local_aid) {
4554	found = `1`;
4555	break;
4556	}
4557	}
4558	if (found) {
4559	LIST_REMOVE(sauth_entry, msae_next);
4560	}
4561
4562	if (found)
4563	zfree(mpt_subauth_zone, sauth_entry);
4564	}
4565
4566	void
4567	mptcp_get_rands(mptcp_addr_id addr_id, struct mptcb mp_tp, u_int32_t lrand,
4568	u_int32_t *rrand)
4569	{
4570	struct mptcp_subf_auth_entry *sauth_entry;
4571	mpte_lock_assert_held(mp_tp->mpt_mpte);
4572
4573	LIST_FOREACH(sauth_entry, &mp_tp->mpt_subauth_list, msae_next) {
4574	if (sauth_entry->msae_laddr_id == addr_id) {
4575	if (lrand)
4576	*lrand = sauth_entry->msae_laddr_rand;
4577	if (rrand)
4578	*rrand = sauth_entry->msae_raddr_rand;
4579	break;
4580	}
4581	}
4582	}
4583
4584	void
4585	mptcp_set_raddr_rand(mptcp_addr_id laddr_id, struct mptcb *mp_tp,
4586	mptcp_addr_id raddr_id, u_int32_t raddr_rand)
4587	{
4588	struct mptcp_subf_auth_entry *sauth_entry;
4589	mpte_lock_assert_held(mp_tp->mpt_mpte);
4590
4591	LIST_FOREACH(sauth_entry, &mp_tp->mpt_subauth_list, msae_next) {
4592	if (sauth_entry->msae_laddr_id == laddr_id) {
4593	if ((sauth_entry->msae_raddr_id != `0`) &&
4594	(sauth_entry->msae_raddr_id != raddr_id)) {
4595	mptcplog((LOG_ERR, "MPTCP Socket: %s mismatched"
4596	" address ids %d %d \n", __func__, raddr_id,
4597	sauth_entry->msae_raddr_id),
4598	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_LOG);
4599	return;
4600	}
4601	sauth_entry->msae_raddr_id = raddr_id;
4602	if ((sauth_entry->msae_raddr_rand != `0`) &&
4603	(sauth_entry->msae_raddr_rand != raddr_rand)) {
4604	mptcplog((LOG_ERR, "MPTCP Socket: "
4605	"%s: dup SYN_ACK %d %d \n",
4606	__func__, raddr_rand,
4607	sauth_entry->msae_raddr_rand),
4608	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_LOG);
4609	return;
4610	}
4611	sauth_entry->msae_raddr_rand = raddr_rand;
4612	return;
4613	}
4614	}
4615	}
4616
4617	/*
4618	* SHA1 support for MPTCP
4619	*/
4620	static void
4621	mptcp_do_sha1(mptcp_key_t key, char* *sha_digest)
4622	{
4623	SHA1_CTX sha1ctxt;
4624	const unsigned char *sha1_base;
4625	int sha1_size;
4626
4627	sha1_base = (const unsigned char *) key;
4628	sha1_size = sizeof (mptcp_key_t);
4629	SHA1Init(&sha1ctxt);
4630	SHA1Update(&sha1ctxt, sha1_base, sha1_size);
4631	SHA1Final(sha_digest, &sha1ctxt);
4632	}
4633
4634	void
4635	mptcp_hmac_sha1(mptcp_key_t key1, mptcp_key_t key2,
4636	u_int32_t rand1, u_int32_t rand2, u_char *digest)
4637	{
4638	SHA1_CTX sha1ctxt;
4639	mptcp_key_t key_ipad[`8`] = {`0`}; / key XOR'd with inner pad /
4640	mptcp_key_t key_opad[`8`] = {`0`}; / key XOR'd with outer pad /
4641	u_int32_t data[`2`];
4642	int i;
4643
4644	bzero(digest, SHA1_RESULTLEN);
4645
4646	/ Set up the Key for HMAC /
4647	key_ipad[`0`] = key1;
4648	key_ipad[`1`] = key2;
4649
4650	key_opad[`0`] = key1;
4651	key_opad[`1`] = key2;
4652
4653	/ Set up the message for HMAC /
4654	data[`0`] = rand1;
4655	data[`1`] = rand2;
4656
4657	/ Key is 512 block length, so no need to compute hash /
4658
4659	/ Compute SHA1(Key XOR opad, SHA1(Key XOR ipad, data)) /
4660
4661	for (i = `0`; i < `8`; i++) {
4662	key_ipad[i] ^= `0x3636363636363636`;
4663	key_opad[i] ^= `0x5c5c5c5c5c5c5c5c`;
4664	}
4665
4666	/ Perform inner SHA1 /
4667	SHA1Init(&sha1ctxt);
4668	SHA1Update(&sha1ctxt, (unsigned char )key_ipad, sizeof* (key_ipad));
4669	SHA1Update(&sha1ctxt, (unsigned char )data, sizeof* (data));
4670	SHA1Final(digest, &sha1ctxt);
4671
4672	/ Perform outer SHA1 /
4673	SHA1Init(&sha1ctxt);
4674	SHA1Update(&sha1ctxt, (unsigned char )key_opad, sizeof* (key_opad));
4675	SHA1Update(&sha1ctxt, (unsigned char *)digest, SHA1_RESULTLEN);
4676	SHA1Final(digest, &sha1ctxt);
4677	}
4678
4679	/*
4680	* corresponds to MAC-B = MAC (Key=(Key-B+Key-A), Msg=(R-B+R-A))
4681	* corresponds to MAC-A = MAC (Key=(Key-A+Key-B), Msg=(R-A+R-B))
4682	*/
4683	void
4684	mptcp_get_hmac(mptcp_addr_id aid, struct mptcb mp_tp, u_char digest)
4685	{
4686	uint32_t lrand, rrand;
4687
4688	mpte_lock_assert_held(mp_tp->mpt_mpte);
4689
4690	lrand = rrand = `0`;
4691	mptcp_get_rands(aid, mp_tp, &lrand, &rrand);
4692	mptcp_hmac_sha1(mp_tp->mpt_localkey, mp_tp->mpt_remotekey, lrand, rrand,
4693	digest);
4694	}
4695
4696	/*
4697	* Authentication data generation
4698	*/
4699	static void
4700	mptcp_generate_token(char sha_digest, int* sha_digest_len, caddr_t token,
4701	int token_len)
4702	{
4703	VERIFY(token_len == sizeof (u_int32_t));
4704	VERIFY(sha_digest_len == SHA1_RESULTLEN);
4705
4706	/ Most significant 32 bits of the SHA1 hash /
4707	bcopy(sha_digest, token, sizeof (u_int32_t));
4708	return;
4709	}
4710
4711	static void
4712	mptcp_generate_idsn(char sha_digest, int* sha_digest_len, caddr_t idsn,
4713	int idsn_len)
4714	{
4715	VERIFY(idsn_len == sizeof (u_int64_t));
4716	VERIFY(sha_digest_len == SHA1_RESULTLEN);
4717
4718	/*
4719	* Least significant 64 bits of the SHA1 hash
4720	*/
4721
4722	idsn[`7`] = sha_digest[`12`];
4723	idsn[`6`] = sha_digest[`13`];
4724	idsn[`5`] = sha_digest[`14`];
4725	idsn[`4`] = sha_digest[`15`];
4726	idsn[`3`] = sha_digest[`16`];
4727	idsn[`2`] = sha_digest[`17`];
4728	idsn[`1`] = sha_digest[`18`];
4729	idsn[`0`] = sha_digest[`19`];
4730	return;
4731	}
4732
4733	static void
4734	mptcp_conn_properties(struct mptcb *mp_tp)
4735	{
4736	/ There is only Version 0 at this time /
4737	mp_tp->mpt_version = MPTCP_STD_VERSION_0;
4738
4739	/ Set DSS checksum flag /
4740	if (mptcp_dss_csum)
4741	mp_tp->mpt_flags \|= MPTCPF_CHECKSUM;
4742
4743	/ Set up receive window /
4744	mp_tp->mpt_rcvwnd = mptcp_sbspace(mp_tp);
4745
4746	/ Set up gc ticks /
4747	mp_tp->mpt_gc_ticks = MPT_GC_TICKS;
4748	}
4749
4750	static void
4751	mptcp_init_local_parms(struct mptses *mpte)
4752	{
4753	struct mptcb *mp_tp = mpte->mpte_mptcb;
4754	char key_digest[SHA1_RESULTLEN];
4755
4756	read_frandom(&mp_tp->mpt_localkey, sizeof(mp_tp->mpt_localkey));
4757	mptcp_do_sha1(&mp_tp->mpt_localkey, key_digest);
4758
4759	mptcp_generate_token(key_digest, SHA1_RESULTLEN,
4760	(caddr_t)&mp_tp->mpt_localtoken, sizeof (mp_tp->mpt_localtoken));
4761	mptcp_generate_idsn(key_digest, SHA1_RESULTLEN,
4762	(caddr_t)&mp_tp->mpt_local_idsn, sizeof (u_int64_t));
4763
4764	/ The subflow SYN is also first MPTCP byte /
4765	mp_tp->mpt_snduna = mp_tp->mpt_sndmax = mp_tp->mpt_local_idsn + `1`;
4766	mp_tp->mpt_sndnxt = mp_tp->mpt_snduna;
4767
4768	mptcp_conn_properties(mp_tp);
4769	}
4770
4771	int
4772	mptcp_init_remote_parms(struct mptcb *mp_tp)
4773	{
4774	char remote_digest[SHA1_RESULTLEN];
4775	mpte_lock_assert_held(mp_tp->mpt_mpte);
4776
4777	/ Only Version 0 is supported for auth purposes /
4778	if (mp_tp->mpt_version != MPTCP_STD_VERSION_0)
4779	return (-`1`);
4780
4781	/ Setup local and remote tokens and Initial DSNs /
4782	mptcp_do_sha1(&mp_tp->mpt_remotekey, remote_digest);
4783	mptcp_generate_token(remote_digest, SHA1_RESULTLEN,
4784	(caddr_t)&mp_tp->mpt_remotetoken, sizeof (mp_tp->mpt_remotetoken));
4785	mptcp_generate_idsn(remote_digest, SHA1_RESULTLEN,
4786	(caddr_t)&mp_tp->mpt_remote_idsn, sizeof (u_int64_t));
4787	mp_tp->mpt_rcvnxt = mp_tp->mpt_remote_idsn + `1`;
4788
4789	return (`0`);
4790	}
4791
4792	static void
4793	mptcp_send_dfin(struct socket *so)
4794	{
4795	struct tcpcb *tp = NULL;
4796	struct inpcb *inp = NULL;
4797
4798	inp = sotoinpcb(so);
4799	if (!inp)
4800	return;
4801
4802	tp = intotcpcb(inp);
4803	if (!tp)
4804	return;
4805
4806	if (!(tp->t_mpflags & TMPF_RESET))
4807	tp->t_mpflags \|= TMPF_SEND_DFIN;
4808	}
4809
4810	/*
4811	* Data Sequence Mapping routines
4812	*/
4813	void
4814	mptcp_insert_dsn(struct mppcb mpp, struct* mbuf *m)
4815	{
4816	struct mptcb *mp_tp;
4817
4818	if (m == NULL)
4819	return;
4820
4821	__IGNORE_WCASTALIGN(mp_tp = &((struct mpp_mtp *)mpp)->mtcb);
4822	mpte_lock_assert_held(mp_tp->mpt_mpte);
4823
4824	while (m) {
4825	VERIFY(m->m_flags & M_PKTHDR);
4826	m->m_pkthdr.pkt_flags \|= (PKTF_MPTCP \| PKTF_MPSO);
4827	m->m_pkthdr.mp_dsn = mp_tp->mpt_sndmax;
4828	m->m_pkthdr.mp_rlen = m_pktlen(m);
4829	mp_tp->mpt_sndmax += m_pktlen(m);
4830	m = m->m_next;
4831	}
4832	}
4833
4834	void
4835	mptcp_fallback_sbdrop(struct socket so, struct* mbuf m, int* len)
4836	{
4837	struct mptcb *mp_tp = tptomptp(sototcpcb(so));
4838	uint64_t data_ack;
4839	uint64_t dsn;
4840
4841	if (!m \|\| len == `0`)
4842	return;
4843
4844	while (m && len > `0`) {
4845	VERIFY(m->m_flags & M_PKTHDR);
4846	VERIFY(m->m_pkthdr.pkt_flags & PKTF_MPTCP);
4847
4848	data_ack = m->m_pkthdr.mp_dsn + m->m_pkthdr.mp_rlen;
4849	dsn = m->m_pkthdr.mp_dsn;
4850
4851	len -= m->m_len;
4852	m = m->m_next;
4853	}
4854
4855	if (m && len == `0`) {
4856	/*
4857	* If there is one more mbuf in the chain, it automatically means
4858	* that up to m->mp_dsn has been ack'ed.
4859	*
4860	* This means, we actually correct data_ack back down (compared
4861	* to what we set inside the loop - dsn + data_len). Because in
4862	* the loop we are "optimistic" and assume that the full mapping
4863	* will be acked. If that's not the case and we get out of the
4864	* loop with m != NULL, it means only up to m->mp_dsn has been
4865	* really acked.
4866	*/
4867	data_ack = m->m_pkthdr.mp_dsn;
4868	}
4869
4870	if (len < `0`) {
4871	/*
4872	* If len is negative, meaning we acked in the middle of an mbuf,
4873	* only up to this mbuf's data-sequence number has been acked
4874	* at the MPTCP-level.
4875	*/
4876	data_ack = dsn;
4877	}
4878
4879	mptcplog((LOG_DEBUG, "%s inferred ack up to %u\n", __func__, (uint32_t)data_ack),
4880	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
4881	mptcp_data_ack_rcvd(mp_tp, sototcpcb(so), data_ack);
4882	}
4883
4884	void
4885	mptcp_preproc_sbdrop(struct socket so, struct* mbuf m, unsigned* int len)
4886	{
4887	int rewinding = `0`;
4888
4889	/ TFO makes things complicated. /
4890	if (so->so_flags1 & SOF1_TFO_REWIND) {
4891	rewinding = `1`;
4892	so->so_flags1 &= ~SOF1_TFO_REWIND;
4893	}
4894
4895	while (m && (!(so->so_flags & SOF_MP_SUBFLOW) \|\| rewinding)) {
4896	u_int32_t sub_len;
4897	VERIFY(m->m_flags & M_PKTHDR);
4898	VERIFY(m->m_pkthdr.pkt_flags & PKTF_MPTCP);
4899
4900	sub_len = m->m_pkthdr.mp_rlen;
4901
4902	if (sub_len < len) {
4903	m->m_pkthdr.mp_dsn += sub_len;
4904	if (!(m->m_pkthdr.pkt_flags & PKTF_MPSO)) {
4905	m->m_pkthdr.mp_rseq += sub_len;
4906	}
4907	m->m_pkthdr.mp_rlen = `0`;
4908	len -= sub_len;
4909	} else {
4910	/ sub_len >= len /
4911	if (rewinding == `0`)
4912	m->m_pkthdr.mp_dsn += len;
4913	if (!(m->m_pkthdr.pkt_flags & PKTF_MPSO)) {
4914	if (rewinding == `0`)
4915	m->m_pkthdr.mp_rseq += len;
4916	}
4917	mptcplog((LOG_DEBUG, "%s: dsn %u ssn %u len %d %d\n",
4918	__func__, (u_int32_t)m->m_pkthdr.mp_dsn,
4919	m->m_pkthdr.mp_rseq, m->m_pkthdr.mp_rlen, len),
4920	MPTCP_SENDER_DBG, MPTCP_LOGLVL_VERBOSE);
4921	m->m_pkthdr.mp_rlen -= len;
4922	break;
4923	}
4924	m = m->m_next;
4925	}
4926
4927	if (so->so_flags & SOF_MP_SUBFLOW &&
4928	!(sototcpcb(so)->t_mpflags & TMPF_TFO_REQUEST) &&
4929	!(sototcpcb(so)->t_mpflags & TMPF_RCVD_DACK)) {
4930	/*
4931	* Received an ack without receiving a DATA_ACK.
4932	* Need to fallback to regular TCP (or destroy this subflow).
4933	*/
4934	sototcpcb(so)->t_mpflags \|= TMPF_INFIN_SENT;
4935	mptcp_notify_mpfail(so);
4936	}
4937	}
4938
4939	/ Obtain the DSN mapping stored in the mbuf /
4940	void
4941	mptcp_output_getm_dsnmap32(struct socket so, int* off,
4942	uint32_t dsn, uint32_t relseq, uint16_t data_len, uint16_t dss_csum)
4943	{
4944	u_int64_t dsn64;
4945
4946	mptcp_output_getm_dsnmap64(so, off, &dsn64, relseq, data_len, dss_csum);
4947	*dsn = (u_int32_t)MPTCP_DATASEQ_LOW32(dsn64);
4948	}
4949
4950	void
4951	mptcp_output_getm_dsnmap64(struct socket so, int* off, uint64_t *dsn,
4952	uint32_t relseq, uint16_t data_len,
4953	uint16_t *dss_csum)
4954	{
4955	struct mbuf *m = so->so_snd.sb_mb;
4956	int off_orig = off;
4957
4958	VERIFY(off >= `0`);
4959
4960	/*
4961	* In the subflow socket, the DSN sequencing can be discontiguous,
4962	* but the subflow sequence mapping is contiguous. Use the subflow
4963	* sequence property to find the right mbuf and corresponding dsn
4964	* mapping.
4965	*/
4966
4967	while (m) {
4968	VERIFY(m->m_flags & M_PKTHDR);
4969	VERIFY(m->m_pkthdr.pkt_flags & PKTF_MPTCP);
4970
4971	if (off >= m->m_len) {
4972	off -= m->m_len;
4973	m = m->m_next;
4974	} else {
4975	break;
4976	}
4977	}
4978
4979	VERIFY(m);
4980	VERIFY(off >= `0`);
4981	VERIFY(m->m_pkthdr.mp_rlen <= UINT16_MAX);
4982
4983	*dsn = m->m_pkthdr.mp_dsn;
4984	*relseq = m->m_pkthdr.mp_rseq;
4985	*data_len = m->m_pkthdr.mp_rlen;
4986	*dss_csum = m->m_pkthdr.mp_csum;
4987
4988	mptcplog((LOG_DEBUG, "%s: dsn %u ssn %u data_len %d off %d off_orig %d\n",
4989	__func__, (u_int32_t)(dsn), relseq, *data_len, off, off_orig),
4990	MPTCP_SENDER_DBG, MPTCP_LOGLVL_VERBOSE);
4991	}
4992
4993	/*
4994	* Note that this is called only from tcp_input() via mptcp_input_preproc()
4995	* tcp_input() may trim data after the dsn mapping is inserted into the mbuf.
4996	* When it trims data tcp_input calls m_adj() which does not remove the
4997	* m_pkthdr even if the m_len becomes 0 as a result of trimming the mbuf.
4998	* The dsn map insertion cannot be delayed after trim, because data can be in
4999	* the reassembly queue for a while and the DSN option info in tp will be
5000	* overwritten for every new packet received.
5001	* The dsn map will be adjusted just prior to appending to subflow sockbuf
5002	* with mptcp_adj_rmap()
5003	*/
5004	void
5005	mptcp_insert_rmap(struct tcpcb tp, struct* mbuf m, struct* tcphdr *th)
5006	{
5007	VERIFY(m->m_flags & M_PKTHDR);
5008	VERIFY(!(m->m_pkthdr.pkt_flags & PKTF_MPTCP));
5009
5010	if (tp->t_mpflags & TMPF_EMBED_DSN) {
5011	m->m_pkthdr.mp_dsn = tp->t_rcv_map.mpt_dsn;
5012	m->m_pkthdr.mp_rseq = tp->t_rcv_map.mpt_sseq;
5013	m->m_pkthdr.mp_rlen = tp->t_rcv_map.mpt_len;
5014	m->m_pkthdr.mp_csum = tp->t_rcv_map.mpt_csum;
5015	if (tp->t_rcv_map.mpt_dfin)
5016	m->m_pkthdr.pkt_flags \|= PKTF_MPTCP_DFIN;
5017
5018	m->m_pkthdr.pkt_flags \|= PKTF_MPTCP;
5019
5020	tp->t_mpflags &= ~TMPF_EMBED_DSN;
5021	tp->t_mpflags \|= TMPF_MPTCP_ACKNOW;
5022	} else if (tp->t_mpflags & TMPF_TCP_FALLBACK) {
5023	if (th->th_flags & TH_FIN)
5024	m->m_pkthdr.pkt_flags \|= PKTF_MPTCP_DFIN;
5025	}
5026	}
5027
5028	int
5029	mptcp_adj_rmap(struct socket so, struct* mbuf m, int* off, uint64_t dsn,
5030	uint32_t rseq, uint16_t dlen)
5031	{
5032	struct mptsub *mpts = sototcpcb(so)->t_mpsub;
5033
5034	if (m_pktlen(m) == `0`)
5035	return (`0`);
5036
5037	if ((m->m_flags & M_PKTHDR) && (m->m_pkthdr.pkt_flags & PKTF_MPTCP)) {
5038	if (off && (dsn != m->m_pkthdr.mp_dsn \|\|
5039	rseq != m->m_pkthdr.mp_rseq \|\|
5040	dlen != m->m_pkthdr.mp_rlen)) {
5041	mptcplog((LOG_ERR, "%s: Received incorrect second mapping: %llu - %llu , %u - %u, %u - %u\n",
5042	__func__, dsn, m->m_pkthdr.mp_dsn,
5043	rseq, m->m_pkthdr.mp_rseq,
5044	dlen, m->m_pkthdr.mp_rlen),
5045	MPTCP_RECEIVER_DBG, MPTCP_LOGLVL_ERR);
5046	return (-`1`);
5047	}
5048	m->m_pkthdr.mp_dsn += off;
5049	m->m_pkthdr.mp_rseq += off;
5050	m->m_pkthdr.mp_rlen = m->m_pkthdr.len;
5051	} else {
5052	if (!(mpts->mpts_flags & MPTSF_CONFIRMED)) {
5053	/ data arrived without an DSS option mapping /
5054
5055	/ initial subflow can fallback right after SYN handshake /
5056	mptcp_notify_mpfail(so);
5057	}
5058	}
5059
5060	mpts->mpts_flags \|= MPTSF_CONFIRMED;
5061
5062	return (`0`);
5063	}
5064
5065	/*
5066	* Following routines help with failure detection and failover of data
5067	* transfer from one subflow to another.
5068	*/
5069	void
5070	mptcp_act_on_txfail(struct socket *so)
5071	{
5072	struct tcpcb *tp = NULL;
5073	struct inpcb *inp = sotoinpcb(so);
5074
5075	if (inp == NULL)
5076	return;
5077
5078	tp = intotcpcb(inp);
5079	if (tp == NULL)
5080	return;
5081
5082	if (so->so_flags & SOF_MP_TRYFAILOVER)
5083	return;
5084
5085	so->so_flags \|= SOF_MP_TRYFAILOVER;
5086	soevent(so, (SO_FILT_HINT_LOCKED \| SO_FILT_HINT_MPFAILOVER));
5087	}
5088
5089	/*
5090	* Support for MP_FAIL option
5091	*/
5092	int
5093	mptcp_get_map_for_dsn(struct socket so, u_int64_t dsn_fail, u_int32_t tcp_seq)
5094	{
5095	struct mbuf *m = so->so_snd.sb_mb;
5096	u_int64_t dsn;
5097	int off = `0`;
5098	u_int32_t datalen;
5099
5100	if (m == NULL)
5101	return (-`1`);
5102
5103	while (m != NULL) {
5104	VERIFY(m->m_pkthdr.pkt_flags & PKTF_MPTCP);
5105	VERIFY(m->m_flags & M_PKTHDR);
5106	dsn = m->m_pkthdr.mp_dsn;
5107	datalen = m->m_pkthdr.mp_rlen;
5108	if (MPTCP_SEQ_LEQ(dsn, dsn_fail) &&
5109	(MPTCP_SEQ_GEQ(dsn + datalen, dsn_fail))) {
5110	off = dsn_fail - dsn;
5111	*tcp_seq = m->m_pkthdr.mp_rseq + off;
5112	mptcplog((LOG_DEBUG, "%s: %llu %llu \n", __func__, dsn,
5113	dsn_fail), MPTCP_SENDER_DBG, MPTCP_LOGLVL_LOG);
5114	return (`0`);
5115	}
5116
5117	m = m->m_next;
5118	}
5119
5120	/*
5121	* If there was no mbuf data and a fallback to TCP occurred, there's
5122	* not much else to do.
5123	*/
5124
5125	mptcplog((LOG_ERR, "MPTCP Sender: "
5126	"%s: %llu not found \n", __func__, dsn_fail),
5127	MPTCP_SENDER_DBG, MPTCP_LOGLVL_LOG);
5128	return (-`1`);
5129	}
5130
5131	/*
5132	* Support for sending contiguous MPTCP bytes in subflow
5133	* Also for preventing sending data with ACK in 3-way handshake
5134	*/
5135	int32_t
5136	mptcp_adj_sendlen(struct socket *so, int32_t off)
5137	{
5138	struct tcpcb *tp = sototcpcb(so);
5139	struct mptsub *mpts = tp->t_mpsub;
5140	uint64_t mdss_dsn;
5141	uint32_t mdss_subflow_seq;
5142	int mdss_subflow_off;
5143	uint16_t mdss_data_len;
5144	uint16_t dss_csum;
5145
5146	mptcp_output_getm_dsnmap64(so, off, &mdss_dsn, &mdss_subflow_seq,
5147	&mdss_data_len, &dss_csum);
5148
5149	/*
5150	* We need to compute how much of the mapping still remains.
5151	* So, we compute the offset in the send-buffer of the dss-sub-seq.
5152	*/
5153	mdss_subflow_off = (mdss_subflow_seq + mpts->mpts_iss) - tp->snd_una;
5154
5155	/*
5156	* When TFO is used, we are sending the mpts->mpts_iss although the relative
5157	* seq has been set to 1 (while it should be 0).
5158	*/
5159	if (tp->t_mpflags & TMPF_TFO_REQUEST)
5160	mdss_subflow_off--;
5161
5162	if (off < mdss_subflow_off)
5163	printf("%s off %d mdss_subflow_off %d mdss_subflow_seq %u iss %u suna %u\n", __func__,
5164	off, mdss_subflow_off, mdss_subflow_seq, mpts->mpts_iss, tp->snd_una);
5165	VERIFY(off >= mdss_subflow_off);
5166
5167	mptcplog((LOG_DEBUG, "%s dlen %u off %d sub_off %d sub_seq %u iss %u suna %u\n",
5168	__func__, mdss_data_len, off, mdss_subflow_off, mdss_subflow_seq,
5169	mpts->mpts_iss, tp->snd_una), MPTCP_SENDER_DBG, MPTCP_LOGLVL_VERBOSE);
5170	return (mdss_data_len - (off - mdss_subflow_off));
5171	}
5172
5173	static uint32_t
5174	mptcp_get_maxseg(struct mptses *mpte)
5175	{
5176	struct mptsub *mpts;
5177	uint32_t maxseg = `0`;
5178
5179	TAILQ_FOREACH(mpts, &mpte->mpte_subflows, mpts_entry) {
5180	struct tcpcb *tp = sototcpcb(mpts->mpts_socket);
5181
5182	if (!TCPS_HAVEESTABLISHED(tp->t_state) \|\|
5183	TCPS_HAVERCVDFIN2(tp->t_state))
5184	continue;
5185
5186	if (tp->t_maxseg > maxseg)
5187	maxseg = tp->t_maxseg;
5188	}
5189
5190	return (maxseg);
5191	}
5192
5193	static uint8_t
5194	mptcp_get_rcvscale(struct mptses *mpte)
5195	{
5196	struct mptsub *mpts;
5197	uint8_t rcvscale = UINT8_MAX;
5198
5199	TAILQ_FOREACH(mpts, &mpte->mpte_subflows, mpts_entry) {
5200	struct tcpcb *tp = sototcpcb(mpts->mpts_socket);
5201
5202	if (!TCPS_HAVEESTABLISHED(tp->t_state) \|\|
5203	TCPS_HAVERCVDFIN2(tp->t_state))
5204	continue;
5205
5206	if (tp->rcv_scale < rcvscale)
5207	rcvscale = tp->rcv_scale;
5208	}
5209
5210	return (rcvscale);
5211	}
5212
5213	/ Similar to tcp_sbrcv_reserve /
5214	static void
5215	mptcp_sbrcv_reserve(struct mptcb mp_tp, struct* sockbuf *sbrcv,
5216	u_int32_t newsize, u_int32_t idealsize)
5217	{
5218	uint8_t rcvscale = mptcp_get_rcvscale(mp_tp->mpt_mpte);
5219
5220	/ newsize should not exceed max /
5221	newsize = min(newsize, tcp_autorcvbuf_max);
5222
5223	/ The receive window scale negotiated at the*
5224	* beginning of the connection will also set a
5225	* limit on the socket buffer size
5226	*/
5227	newsize = min(newsize, TCP_MAXWIN << rcvscale);
5228
5229	/ Set new socket buffer size /
5230	if (newsize > sbrcv->sb_hiwat &&
5231	(sbreserve(sbrcv, newsize) == `1`)) {
5232	sbrcv->sb_idealsize = min(max(sbrcv->sb_idealsize,
5233	(idealsize != `0`) ? idealsize : newsize), tcp_autorcvbuf_max);
5234
5235	/ Again check the limit set by the advertised*
5236	* window scale
5237	*/
5238	sbrcv->sb_idealsize = min(sbrcv->sb_idealsize,
5239	TCP_MAXWIN << rcvscale);
5240	}
5241	}
5242
5243	void
5244	mptcp_sbrcv_grow(struct mptcb *mp_tp)
5245	{
5246	struct mptses *mpte = mp_tp->mpt_mpte;
5247	struct socket *mp_so = mpte->mpte_mppcb->mpp_socket;
5248	struct sockbuf *sbrcv = &mp_so->so_rcv;
5249	uint32_t hiwat_sum = `0`;
5250	uint32_t ideal_sum = `0`;
5251	struct mptsub *mpts;
5252
5253	/*
5254	* Do not grow the receive socket buffer if
5255	* - auto resizing is disabled, globally or on this socket
5256	* - the high water mark already reached the maximum
5257	* - the stream is in background and receive side is being
5258	* throttled
5259	* - if there are segments in reassembly queue indicating loss,
5260	* do not need to increase recv window during recovery as more
5261	* data is not going to be sent. A duplicate ack sent during
5262	* recovery should not change the receive window
5263	*/
5264	if (tcp_do_autorcvbuf == `0` \|\|
5265	(sbrcv->sb_flags & SB_AUTOSIZE) == `0` \|\|
5266	tcp_cansbgrow(sbrcv) == `0` \|\|
5267	sbrcv->sb_hiwat >= tcp_autorcvbuf_max \|\|
5268	(mp_so->so_flags1 & SOF1_EXTEND_BK_IDLE_WANTED) \|\|
5269	!LIST_EMPTY(&mp_tp->mpt_segq)) {
5270	/ Can not resize the socket buffer, just return /
5271	return;
5272	}
5273
5274	/*
5275	* Ideally, we want the rbuf to be (sum_i {bw_i} * rtt_max * 2)
5276	*
5277	* But, for this we first need accurate receiver-RTT estimations, which
5278	* we currently don't have.
5279	*
5280	* Let's use a dummy algorithm for now, just taking the sum of all
5281	* subflow's receive-buffers. It's too low, but that's all we can get
5282	* for now.
5283	*/
5284
5285	TAILQ_FOREACH(mpts, &mpte->mpte_subflows, mpts_entry) {
5286	hiwat_sum += mpts->mpts_socket->so_rcv.sb_hiwat;
5287	ideal_sum += mpts->mpts_socket->so_rcv.sb_idealsize;
5288	}
5289
5290	mptcp_sbrcv_reserve(mp_tp, sbrcv, hiwat_sum, ideal_sum);
5291	}
5292
5293	/*
5294	* Determine if we can grow the recieve socket buffer to avoid sending
5295	* a zero window update to the peer. We allow even socket buffers that
5296	* have fixed size (set by the application) to grow if the resource
5297	* constraints are met. They will also be trimmed after the application
5298	* reads data.
5299	*
5300	* Similar to tcp_sbrcv_grow_rwin
5301	*/
5302	static void
5303	mptcp_sbrcv_grow_rwin(struct mptcb mp_tp, struct* sockbuf *sb)
5304	{
5305	struct socket *mp_so = mp_tp->mpt_mpte->mpte_mppcb->mpp_socket;
5306	u_int32_t rcvbufinc = mptcp_get_maxseg(mp_tp->mpt_mpte) << `4`;
5307	u_int32_t rcvbuf = sb->sb_hiwat;
5308
5309	if (tcp_recv_bg == `1` \|\| IS_TCP_RECV_BG(mp_so))
5310	return;
5311
5312	if (tcp_do_autorcvbuf == `1` &&
5313	tcp_cansbgrow(sb) &&
5314	/ Diff to tcp_sbrcv_grow_rwin /
5315	(mp_so->so_flags1 & SOF1_EXTEND_BK_IDLE_WANTED) == `0` &&
5316	(rcvbuf - sb->sb_cc) < rcvbufinc &&
5317	rcvbuf < tcp_autorcvbuf_max &&
5318	(sb->sb_idealsize > `0` &&
5319	sb->sb_hiwat <= (sb->sb_idealsize + rcvbufinc))) {
5320	sbreserve(sb, min((sb->sb_hiwat + rcvbufinc), tcp_autorcvbuf_max));
5321	}
5322	}
5323
5324	/ Similar to tcp_sbspace /
5325	int32_t
5326	mptcp_sbspace(struct mptcb *mp_tp)
5327	{
5328	struct sockbuf *sb = &mp_tp->mpt_mpte->mpte_mppcb->mpp_socket->so_rcv;
5329	uint32_t rcvbuf;
5330	int32_t space;
5331	int32_t pending = `0`;
5332
5333	mpte_lock_assert_held(mp_tp->mpt_mpte);
5334
5335	mptcp_sbrcv_grow_rwin(mp_tp, sb);
5336
5337	/ hiwat might have changed /
5338	rcvbuf = sb->sb_hiwat;
5339
5340	space = ((int32_t) imin((rcvbuf - sb->sb_cc),
5341	(sb->sb_mbmax - sb->sb_mbcnt)));
5342	if (space < `0`)
5343	space = `0`;
5344
5345	#if CONTENT_FILTER
5346	/ Compensate for data being processed by content filters /
5347	pending = cfil_sock_data_space(sb);
5348	#endif /* CONTENT_FILTER */
5349	if (pending > space)
5350	space = `0`;
5351	else
5352	space -= pending;
5353
5354	return (space);
5355	}
5356
5357	/*
5358	* Support Fallback to Regular TCP
5359	*/
5360	void
5361	mptcp_notify_mpready(struct socket *so)
5362	{
5363	struct tcpcb *tp = NULL;
5364
5365	if (so == NULL)
5366	return;
5367
5368	tp = intotcpcb(sotoinpcb(so));
5369
5370	if (tp == NULL)
5371	return;
5372
5373	DTRACE_MPTCP4(multipath__ready, struct socket *, so,
5374	struct sockbuf , &so->so_rcv, struct* sockbuf *, &so->so_snd,
5375	struct tcpcb *, tp);
5376
5377	if (!(tp->t_mpflags & TMPF_MPTCP_TRUE))
5378	return;
5379
5380	if (tp->t_mpflags & TMPF_MPTCP_READY)
5381	return;
5382
5383	tp->t_mpflags &= ~TMPF_TCP_FALLBACK;
5384	tp->t_mpflags \|= TMPF_MPTCP_READY;
5385
5386	soevent(so, (SO_FILT_HINT_LOCKED \| SO_FILT_HINT_MPSTATUS));
5387	}
5388
5389	void
5390	mptcp_notify_mpfail(struct socket *so)
5391	{
5392	struct tcpcb *tp = NULL;
5393
5394	if (so == NULL)
5395	return;
5396
5397	tp = intotcpcb(sotoinpcb(so));
5398
5399	if (tp == NULL)
5400	return;
5401
5402	DTRACE_MPTCP4(multipath__failed, struct socket *, so,
5403	struct sockbuf , &so->so_rcv, struct* sockbuf *, &so->so_snd,
5404	struct tcpcb *, tp);
5405
5406	if (tp->t_mpflags & TMPF_TCP_FALLBACK)
5407	return;
5408
5409	tp->t_mpflags &= ~(TMPF_MPTCP_READY\|TMPF_MPTCP_TRUE);
5410	tp->t_mpflags \|= TMPF_TCP_FALLBACK;
5411
5412	soevent(so, (SO_FILT_HINT_LOCKED \| SO_FILT_HINT_MPSTATUS));
5413	}
5414
5415	/*
5416	* Keepalive helper function
5417	*/
5418	boolean_t
5419	mptcp_ok_to_keepalive(struct mptcb *mp_tp)
5420	{
5421	boolean_t ret = `1`;
5422	mpte_lock_assert_held(mp_tp->mpt_mpte);
5423
5424	if (mp_tp->mpt_state >= MPTCPS_CLOSE_WAIT) {
5425	ret = `0`;
5426	}
5427	return (ret);
5428	}
5429
5430	/*
5431	* MPTCP t_maxseg adjustment function
5432	*/
5433	int
5434	mptcp_adj_mss(struct tcpcb *tp, boolean_t mtudisc)
5435	{
5436	int mss_lower = `0`;
5437	struct mptcb *mp_tp = tptomptp(tp);
5438
5439	#define MPTCP_COMPUTE_LEN { \
5440	mss_lower = sizeof (struct mptcp_dss_ack_opt); \
5441	if (mp_tp->mpt_flags & MPTCPF_CHECKSUM) \
5442	mss_lower += 2; \
5443	else \
5444	/* adjust to 32-bit boundary + EOL */ \
5445	mss_lower += 2; \
5446	}
5447	if (mp_tp == NULL)
5448	return (`0`);
5449
5450	mpte_lock_assert_held(mp_tp->mpt_mpte);
5451
5452	/*
5453	* For the first subflow and subsequent subflows, adjust mss for
5454	* most common MPTCP option size, for case where tcp_mss is called
5455	* during option processing and MTU discovery.
5456	*/
5457	if (!mtudisc) {
5458	if (tp->t_mpflags & TMPF_MPTCP_TRUE &&
5459	!(tp->t_mpflags & TMPF_JOINED_FLOW)) {
5460	MPTCP_COMPUTE_LEN;
5461	}
5462
5463	if (tp->t_mpflags & TMPF_PREESTABLISHED &&
5464	tp->t_mpflags & TMPF_SENT_JOIN) {
5465	MPTCP_COMPUTE_LEN;
5466	}
5467	} else {
5468	if (tp->t_mpflags & TMPF_MPTCP_TRUE) {
5469	MPTCP_COMPUTE_LEN;
5470	}
5471	}
5472
5473	return (mss_lower);
5474	}
5475
5476	/*
5477	* Update the pid, upid, uuid of the subflow so, based on parent so
5478	*/
5479	void
5480	mptcp_update_last_owner(struct socket so, struct* socket *mp_so)
5481	{
5482	if (so->last_pid != mp_so->last_pid \|\|
5483	so->last_upid != mp_so->last_upid) {
5484	so->last_upid = mp_so->last_upid;
5485	so->last_pid = mp_so->last_pid;
5486	uuid_copy(so->last_uuid, mp_so->last_uuid);
5487	}
5488	so_update_policy(so);
5489	}
5490
5491	static void
5492	fill_mptcp_subflow(struct socket so, mptcp_flow_t flow, struct mptsub *mpts)
5493	{
5494	struct inpcb *inp;
5495
5496	tcp_getconninfo(so, &flow->flow_ci);
5497	inp = sotoinpcb(so);
5498	#if INET6
5499	if ((inp->inp_vflag & INP_IPV6) != `0`) {
5500	flow->flow_src.ss_family = AF_INET6;
5501	flow->flow_dst.ss_family = AF_INET6;
5502	flow->flow_src.ss_len = sizeof(struct sockaddr_in6);
5503	flow->flow_dst.ss_len = sizeof(struct sockaddr_in6);
5504	SIN6(&flow->flow_src)->sin6_port = inp->in6p_lport;
5505	SIN6(&flow->flow_dst)->sin6_port = inp->in6p_fport;
5506	SIN6(&flow->flow_src)->sin6_addr = inp->in6p_laddr;
5507	SIN6(&flow->flow_dst)->sin6_addr = inp->in6p_faddr;
5508	} else
5509	#endif
5510	if ((inp->inp_vflag & INP_IPV4) != `0`) {
5511	flow->flow_src.ss_family = AF_INET;
5512	flow->flow_dst.ss_family = AF_INET;
5513	flow->flow_src.ss_len = sizeof(struct sockaddr_in);
5514	flow->flow_dst.ss_len = sizeof(struct sockaddr_in);
5515	SIN(&flow->flow_src)->sin_port = inp->inp_lport;
5516	SIN(&flow->flow_dst)->sin_port = inp->inp_fport;
5517	SIN(&flow->flow_src)->sin_addr = inp->inp_laddr;
5518	SIN(&flow->flow_dst)->sin_addr = inp->inp_faddr;
5519	}
5520	flow->flow_len = sizeof(*flow);
5521	flow->flow_tcpci_offset = offsetof(mptcp_flow_t, flow_ci);
5522	flow->flow_flags = mpts->mpts_flags;
5523	flow->flow_cid = mpts->mpts_connid;
5524	flow->flow_relseq = mpts->mpts_rel_seq;
5525	flow->flow_soerror = mpts->mpts_socket->so_error;
5526	flow->flow_probecnt = mpts->mpts_probecnt;
5527	}
5528
5529	static int
5530	mptcp_pcblist SYSCTL_HANDLER_ARGS
5531	{
5532	#pragma unused(oidp, arg1, arg2)
5533	int error = `0`, f;
5534	size_t len;
5535	struct mppcb *mpp;
5536	struct mptses *mpte;
5537	struct mptcb *mp_tp;
5538	struct mptsub *mpts;
5539	struct socket *so;
5540	conninfo_mptcp_t mptcpci;
5541	mptcp_flow_t *flows = NULL;
5542
5543	if (req->newptr != USER_ADDR_NULL)
5544	return (EPERM);
5545
5546	lck_mtx_lock(&mtcbinfo.mppi_lock);
5547	if (req->oldptr == USER_ADDR_NULL) {
5548	size_t n = mtcbinfo.mppi_count;
5549	lck_mtx_unlock(&mtcbinfo.mppi_lock);
5550	req->oldidx = (n + n/`8`) * sizeof(conninfo_mptcp_t) +
5551	`4` * (n + n/`8`) * sizeof(mptcp_flow_t);
5552	return (`0`);
5553	}
5554	TAILQ_FOREACH(mpp, &mtcbinfo.mppi_pcbs, mpp_entry) {
5555	flows = NULL;
5556	mpp_lock(mpp);
5557	VERIFY(mpp->mpp_flags & MPP_ATTACHED);
5558	mpte = mptompte(mpp);
5559	VERIFY(mpte != NULL);
5560	mpte_lock_assert_held(mpte);
5561	mp_tp = mpte->mpte_mptcb;
5562	VERIFY(mp_tp != NULL);
5563
5564	bzero(&mptcpci, sizeof(mptcpci));
5565	mptcpci.mptcpci_state = mp_tp->mpt_state;
5566	mptcpci.mptcpci_flags = mp_tp->mpt_flags;
5567	mptcpci.mptcpci_ltoken = mp_tp->mpt_localtoken;
5568	mptcpci.mptcpci_rtoken = mp_tp->mpt_remotetoken;
5569	mptcpci.mptcpci_notsent_lowat = mp_tp->mpt_notsent_lowat;
5570	mptcpci.mptcpci_snduna = mp_tp->mpt_snduna;
5571	mptcpci.mptcpci_sndnxt = mp_tp->mpt_sndnxt;
5572	mptcpci.mptcpci_sndmax = mp_tp->mpt_sndmax;
5573	mptcpci.mptcpci_lidsn = mp_tp->mpt_local_idsn;
5574	mptcpci.mptcpci_sndwnd = mp_tp->mpt_sndwnd;
5575	mptcpci.mptcpci_rcvnxt = mp_tp->mpt_rcvnxt;
5576	mptcpci.mptcpci_rcvatmark = mp_tp->mpt_rcvnxt;
5577	mptcpci.mptcpci_ridsn = mp_tp->mpt_remote_idsn;
5578	mptcpci.mptcpci_rcvwnd = mp_tp->mpt_rcvwnd;
5579
5580	mptcpci.mptcpci_nflows = mpte->mpte_numflows;
5581	mptcpci.mptcpci_mpte_flags = mpte->mpte_flags;
5582	mptcpci.mptcpci_mpte_addrid = mpte->mpte_addrid_last;
5583	mptcpci.mptcpci_flow_offset =
5584	offsetof(conninfo_mptcp_t, mptcpci_flows);
5585
5586	len = sizeof(flows) mpte->mpte_numflows;
5587	if (mpte->mpte_numflows != `0`) {
5588	flows = _MALLOC(len, M_TEMP, M_WAITOK \| M_ZERO);
5589	if (flows == NULL) {
5590	mpp_unlock(mpp);
5591	break;
5592	}
5593	mptcpci.mptcpci_len = sizeof(mptcpci) +
5594	sizeof(flows) (mptcpci.mptcpci_nflows - `1`);
5595	error = SYSCTL_OUT(req, &mptcpci,
5596	sizeof(mptcpci) - sizeof(mptcp_flow_t));
5597	} else {
5598	mptcpci.mptcpci_len = sizeof(mptcpci);
5599	error = SYSCTL_OUT(req, &mptcpci, sizeof(mptcpci));
5600	}
5601	if (error) {
5602	mpp_unlock(mpp);
5603	FREE(flows, M_TEMP);
5604	break;
5605	}
5606	f = `0`;
5607	TAILQ_FOREACH(mpts, &mpte->mpte_subflows, mpts_entry) {
5608	so = mpts->mpts_socket;
5609	fill_mptcp_subflow(so, &flows[f], mpts);
5610	f++;
5611	}
5612	mpp_unlock(mpp);
5613	if (flows) {
5614	error = SYSCTL_OUT(req, flows, len);
5615	FREE(flows, M_TEMP);
5616	if (error)
5617	break;
5618	}
5619	}
5620	lck_mtx_unlock(&mtcbinfo.mppi_lock);
5621
5622	return (error);
5623	}
5624
5625	SYSCTL_PROC(_net_inet_mptcp, OID_AUTO, pcblist, CTLFLAG_RD \| CTLFLAG_LOCKED,
5626	`0`, `0`, mptcp_pcblist, "S,conninfo_mptcp_t",
5627	"List of active MPTCP connections");
5628
5629	/*
5630	* Set notsent lowat mark on the MPTCB
5631	*/
5632	int
5633	mptcp_set_notsent_lowat(struct mptses mpte, int* optval)
5634	{
5635	struct mptcb *mp_tp = NULL;
5636	int error = `0`;
5637
5638	if (mpte->mpte_mppcb->mpp_flags & MPP_ATTACHED)
5639	mp_tp = mpte->mpte_mptcb;
5640
5641	if (mp_tp)
5642	mp_tp->mpt_notsent_lowat = optval;
5643	else
5644	error = EINVAL;
5645
5646	return (error);
5647	}
5648
5649	u_int32_t
5650	mptcp_get_notsent_lowat(struct mptses *mpte)
5651	{
5652	struct mptcb *mp_tp = NULL;
5653
5654	if (mpte->mpte_mppcb->mpp_flags & MPP_ATTACHED)
5655	mp_tp = mpte->mpte_mptcb;
5656
5657	if (mp_tp)
5658	return (mp_tp->mpt_notsent_lowat);
5659	else
5660	return (`0`);
5661	}
5662
5663	int
5664	mptcp_notsent_lowat_check(struct socket *so)
5665	{
5666	struct mptses *mpte;
5667	struct mppcb *mpp;
5668	struct mptcb *mp_tp;
5669	struct mptsub *mpts;
5670
5671	int notsent = `0`;
5672
5673	mpp = mpsotomppcb(so);
5674	if (mpp == NULL \|\| mpp->mpp_state == MPPCB_STATE_DEAD) {
5675	return (`0`);
5676	}
5677
5678	mpte = mptompte(mpp);
5679	mpte_lock_assert_held(mpte);
5680	mp_tp = mpte->mpte_mptcb;
5681
5682	notsent = so->so_snd.sb_cc;
5683
5684	if ((notsent == `0`) \|\|
5685	((notsent - (mp_tp->mpt_sndnxt - mp_tp->mpt_snduna)) <=
5686	mp_tp->mpt_notsent_lowat)) {
5687	mptcplog((LOG_DEBUG, "MPTCP Sender: "
5688	"lowat %d notsent %d actual %d \n",
5689	mp_tp->mpt_notsent_lowat, notsent,
5690	notsent - (mp_tp->mpt_sndnxt - mp_tp->mpt_snduna)),
5691	MPTCP_SENDER_DBG , MPTCP_LOGLVL_VERBOSE);
5692	return (`1`);
5693	}
5694
5695	/ When Nagle's algorithm is not disabled, it is better*
5696	* to wakeup the client even before there is atleast one
5697	* maxseg of data to write.
5698	*/
5699	TAILQ_FOREACH(mpts, &mpte->mpte_subflows, mpts_entry) {
5700	int retval = `0`;
5701	if (mpts->mpts_flags & MPTSF_ACTIVE) {
5702	struct socket *subf_so = mpts->mpts_socket;
5703	struct tcpcb *tp = intotcpcb(sotoinpcb(subf_so));
5704
5705	notsent = so->so_snd.sb_cc -
5706	(tp->snd_nxt - tp->snd_una);
5707
5708	if ((tp->t_flags & TF_NODELAY) == `0` &&
5709	notsent > `0` && (notsent <= (int)tp->t_maxseg)) {
5710	retval = `1`;
5711	}
5712	mptcplog((LOG_DEBUG, "MPTCP Sender: lowat %d notsent %d"
5713	" nodelay false \n",
5714	mp_tp->mpt_notsent_lowat, notsent),
5715	MPTCP_SENDER_DBG , MPTCP_LOGLVL_VERBOSE);
5716	return (retval);
5717	}
5718	}
5719	return (`0`);
5720	}
5721
5722	/ Using Symptoms Advisory to detect poor WiFi or poor Cell /
5723	static kern_ctl_ref mptcp_kern_ctrl_ref = NULL;
5724	static uint32_t mptcp_kern_skt_inuse = `0`;
5725	static uint32_t mptcp_kern_skt_unit;
5726	symptoms_advisory_t mptcp_advisory;
5727
5728	static errno_t
5729	mptcp_symptoms_ctl_connect(kern_ctl_ref kctlref, struct sockaddr_ctl *sac,
5730	void **unitinfo)
5731	{
5732	#pragma unused(kctlref, sac, unitinfo)
5733
5734	if (OSIncrementAtomic(&mptcp_kern_skt_inuse) > `0`)
5735	os_log_error(mptcp_log_handle, "%s MPTCP kernel-control socket for Symptoms already open!", __func__);
5736
5737	mptcp_kern_skt_unit = sac->sc_unit;
5738
5739	return (`0`);
5740	}
5741
5742	static void
5743	mptcp_allow_uuid(uuid_t uuid)
5744	{
5745	struct mppcb *mpp;
5746
5747	/ Iterate over all MPTCP connections /
5748
5749	lck_mtx_lock(&mtcbinfo.mppi_lock);
5750
5751	TAILQ_FOREACH(mpp, &mtcbinfo.mppi_pcbs, mpp_entry) {
5752	struct mptses *mpte;
5753	struct socket *mp_so;
5754
5755	mpp_lock(mpp);
5756
5757	mpte = mpp->mpp_pcbe;
5758	mp_so = mpp->mpp_socket;
5759
5760	if (mp_so->so_flags & SOF_DELEGATED &&
5761	uuid_compare(uuid, mp_so->e_uuid))
5762	goto next;
5763	else if (!(mp_so->so_flags & SOF_DELEGATED) &&
5764	uuid_compare(uuid, mp_so->last_uuid))
5765	goto next;
5766
5767	mpte->mpte_flags \|= MPTE_ACCESS_GRANTED;
5768
5769	mptcp_check_subflows_and_add(mpte);
5770	mptcp_remove_subflows(mpte);
5771
5772	mpte->mpte_flags &= ~MPTE_ACCESS_GRANTED;
5773
5774	next:
5775	mpp_unlock(mpp);
5776	}
5777
5778	lck_mtx_unlock(&mtcbinfo.mppi_lock);
5779	}
5780
5781	static void
5782	mptcp_wifi_status_changed(void)
5783	{
5784	struct mppcb *mpp;
5785
5786	/ Iterate over all MPTCP connections /
5787
5788	lck_mtx_lock(&mtcbinfo.mppi_lock);
5789
5790	TAILQ_FOREACH(mpp, &mtcbinfo.mppi_pcbs, mpp_entry) {
5791	struct mptses *mpte;
5792	struct socket *mp_so;
5793
5794	mpp_lock(mpp);
5795
5796	mpte = mpp->mpp_pcbe;
5797	mp_so = mpp->mpp_socket;
5798
5799	/ Only handover-mode is purely driven by Symptom's Wi-Fi status /
5800	if (mpte->mpte_svctype != MPTCP_SVCTYPE_HANDOVER)
5801	goto next;
5802
5803	mptcp_check_subflows_and_add(mpte);
5804	mptcp_check_subflows_and_remove(mpte);
5805
5806	next:
5807	mpp_unlock(mpp);
5808	}
5809
5810	lck_mtx_unlock(&mtcbinfo.mppi_lock);
5811	}
5812
5813	void
5814	mptcp_ask_symptoms(struct mptses *mpte)
5815	{
5816	struct mptcp_symptoms_ask_uuid ask;
5817	struct socket *mp_so;
5818	struct proc *p;
5819	int pid, prio, err;
5820
5821	if (mptcp_kern_skt_unit == `0`) {
5822	os_log_error(mptcp_log_handle, "%s skt_unit is still 0\n", __func__);
5823	return;
5824	}
5825
5826	mp_so = mptetoso(mpte);
5827
5828	if (mp_so->so_flags & SOF_DELEGATED)
5829	pid = mp_so->e_pid;
5830	else
5831	pid = mp_so->last_pid;
5832
5833	p = proc_find(pid);
5834	if (p == PROC_NULL) {
5835	os_log_error(mptcp_log_handle, "%s Couldn't find proc for pid %u\n", __func__, pid);
5836	return;
5837	}
5838
5839	ask.cmd = MPTCP_SYMPTOMS_ASK_UUID;
5840
5841	if (mp_so->so_flags & SOF_DELEGATED)
5842	uuid_copy(ask.uuid, mp_so->e_uuid);
5843	else
5844	uuid_copy(ask.uuid, mp_so->last_uuid);
5845
5846	prio = proc_get_effective_task_policy(proc_task(p), TASK_POLICY_ROLE);
5847
5848	if (prio == TASK_BACKGROUND_APPLICATION)
5849	ask.priority = MPTCP_SYMPTOMS_BACKGROUND;
5850	else if (prio == TASK_FOREGROUND_APPLICATION)
5851	ask.priority = MPTCP_SYMPTOMS_FOREGROUND;
5852	else
5853	ask.priority = MPTCP_SYMPTOMS_UNKNOWN;
5854
5855	err = ctl_enqueuedata(mptcp_kern_ctrl_ref, mptcp_kern_skt_unit,
5856	&ask, sizeof(ask), CTL_DATA_EOR);
5857
5858	os_log_debug(mptcp_log_handle, "%s asked symptoms about pid %u, prio %u, err %d\n",
5859	__func__, pid, ask.priority, err);
5860
5861
5862	proc_rele(p);
5863	}
5864
5865	static errno_t
5866	mptcp_symptoms_ctl_disconnect(kern_ctl_ref kctlref, u_int32_t kcunit,
5867	void *unitinfo)
5868	{
5869	#pragma unused(kctlref, kcunit, unitinfo)
5870
5871	OSDecrementAtomic(&mptcp_kern_skt_inuse);
5872
5873	return (`0`);
5874	}
5875
5876	static errno_t
5877	mptcp_symptoms_ctl_send(kern_ctl_ref kctlref, u_int32_t kcunit, void *unitinfo,
5878	mbuf_t m, int flags)
5879	{
5880	#pragma unused(kctlref, unitinfo, flags)
5881	symptoms_advisory_t *sa = NULL;
5882
5883	if (kcunit != mptcp_kern_skt_unit)
5884	os_log_error(mptcp_log_handle, "%s kcunit %u is different from expected one %u\n",
5885	__func__, kcunit, mptcp_kern_skt_unit);
5886
5887	if (mbuf_pkthdr_len(m) < sizeof(*sa)) {
5888	mbuf_freem(m);
5889	return (EINVAL);
5890	}
5891
5892	if (mbuf_len(m) < sizeof(*sa)) {
5893	mbuf_freem(m);
5894	return (EINVAL);
5895	}
5896
5897	sa = mbuf_data(m);
5898
5899	if (sa->sa_nwk_status != SYMPTOMS_ADVISORY_NOCOMMENT &&
5900	sa->sa_nwk_status != SYMPTOMS_ADVISORY_USEAPP) {
5901	uint8_t old_wifi_status = mptcp_advisory.sa_wifi_status;
5902
5903	mptcplog((LOG_DEBUG, "%s: wifi %d,%d\n",
5904	__func__, sa->sa_wifi_status, mptcp_advisory.sa_wifi_status),
5905	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_VERBOSE);
5906
5907	if ((sa->sa_wifi_status &
5908	(SYMPTOMS_ADVISORY_WIFI_BAD \| SYMPTOMS_ADVISORY_WIFI_OK)) !=
5909	(SYMPTOMS_ADVISORY_WIFI_BAD \| SYMPTOMS_ADVISORY_WIFI_OK))
5910	mptcp_advisory.sa_wifi_status = sa->sa_wifi_status;
5911
5912	if (old_wifi_status != mptcp_advisory.sa_wifi_status)
5913	mptcp_wifi_status_changed();
5914	} else if (sa->sa_nwk_status == SYMPTOMS_ADVISORY_NOCOMMENT) {
5915	mptcplog((LOG_DEBUG, "%s: NOCOMMENT wifi %d\n", __func__,
5916	mptcp_advisory.sa_wifi_status),
5917	MPTCP_EVENTS_DBG, MPTCP_LOGLVL_VERBOSE);
5918	} else if (sa->sa_nwk_status == SYMPTOMS_ADVISORY_USEAPP) {
5919	uuid_t uuid;
5920
5921	mptcplog((LOG_DEBUG, "%s Got response about useApp\n", __func__),
5922	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
5923
5924	uuid_copy(uuid, (unsigned char *)(sa + `1`));
5925
5926	mptcp_allow_uuid(uuid);
5927	}
5928
5929	mbuf_freem(m);
5930	return (`0`);
5931	}
5932
5933	void
5934	mptcp_control_register(void)
5935	{
5936	/ Set up the advisory control socket /
5937	struct kern_ctl_reg mptcp_kern_ctl;
5938
5939	bzero(&mptcp_kern_ctl, sizeof(mptcp_kern_ctl));
5940	strlcpy(mptcp_kern_ctl.ctl_name, MPTCP_KERN_CTL_NAME,
5941	sizeof(mptcp_kern_ctl.ctl_name));
5942	mptcp_kern_ctl.ctl_connect = mptcp_symptoms_ctl_connect;
5943	mptcp_kern_ctl.ctl_disconnect = mptcp_symptoms_ctl_disconnect;
5944	mptcp_kern_ctl.ctl_send = mptcp_symptoms_ctl_send;
5945	mptcp_kern_ctl.ctl_flags = CTL_FLAG_PRIVILEGED;
5946
5947	(void)ctl_register(&mptcp_kern_ctl, &mptcp_kern_ctrl_ref);
5948	}
5949
5950	/*
5951	* Three return-values:
5952	* 1 : WiFi is bad
5953	* 0 : WiFi is good
5954	* -1 : WiFi-state is unknown, use subflow-only heuristics
5955	*/
5956	int
5957	mptcp_is_wifi_unusable(struct mptses *mpte)
5958	{
5959	if (mpte->mpte_flags & MPTE_FIRSTPARTY) {
5960	if (mptcp_advisory.sa_wifi_status)
5961	return ((mptcp_advisory.sa_wifi_status & SYMPTOMS_ADVISORY_WIFI_BAD) ? `1` : `0`);
5962
5963	/*
5964	* If it's a first-party app and we don't have any info
5965	* about the Wi-Fi state, let's be pessimistic.
5966	*/
5967	return (-`1`);
5968	}
5969
5970	return ((mptcp_advisory.sa_wifi_status & SYMPTOMS_ADVISORY_WIFI_BAD) ? `1` : `0`);
5971	}
5972
5973	boolean_t
5974	mptcp_subflow_is_bad(struct mptses mpte, struct* mptsub *mpts)
5975	{
5976	struct tcpcb *tp = sototcpcb(mpts->mpts_socket);
5977	int fail_thresh = mptcp_fail_thresh;
5978
5979	if (mpte->mpte_svctype == MPTCP_SVCTYPE_HANDOVER)
5980	fail_thresh *= `2`;
5981
5982	return (tp->t_rxtshift >= fail_thresh &&
5983	(mptetoso(mpte)->so_snd.sb_cc \|\| mpte->mpte_reinjectq));
5984	}
5985
5986	/ If TFO data is succesfully acked, it must be dropped from the mptcp so /
5987	static void
5988	mptcp_drop_tfo_data(struct mptses mpte, struct* mptsub *mpts)
5989	{
5990	struct socket *mp_so = mptetoso(mpte);
5991	struct socket *so = mpts->mpts_socket;
5992	struct tcpcb *tp = intotcpcb(sotoinpcb(so));
5993	struct mptcb *mp_tp = mpte->mpte_mptcb;
5994
5995	/ If data was sent with SYN, rewind state /
5996	if (tp->t_tfo_stats & TFO_S_SYN_DATA_ACKED) {
5997	u_int64_t mp_droplen = mp_tp->mpt_sndnxt - mp_tp->mpt_snduna;
5998	unsigned int tcp_droplen = tp->snd_una - tp->iss - `1`;
5999
6000	VERIFY(mp_droplen <= (UINT_MAX));
6001	VERIFY(mp_droplen >= tcp_droplen);
6002
6003	mpts->mpts_flags &= ~MPTSF_TFO_REQD;
6004	mpts->mpts_iss += tcp_droplen;
6005	tp->t_mpflags &= ~TMPF_TFO_REQUEST;
6006
6007	if (mp_droplen > tcp_droplen) {
6008	/ handle partial TCP ack /
6009	mp_so->so_flags1 \|= SOF1_TFO_REWIND;
6010	mp_tp->mpt_sndnxt = mp_tp->mpt_snduna + (mp_droplen - tcp_droplen);
6011	mp_droplen = tcp_droplen;
6012	} else {
6013	/ all data on SYN was acked /
6014	mpts->mpts_rel_seq = `1`;
6015	mp_tp->mpt_sndnxt = mp_tp->mpt_snduna;
6016	}
6017	mp_tp->mpt_sndmax -= tcp_droplen;
6018
6019	if (mp_droplen != `0`) {
6020	VERIFY(mp_so->so_snd.sb_mb != NULL);
6021	sbdrop(&mp_so->so_snd, (int)mp_droplen);
6022	}
6023	mptcplog((LOG_DEBUG, "%s: mp_so 0x%llx cid %d TFO tcp len %d mptcp len %d\n",
6024	__func__, (u_int64_t)VM_KERNEL_ADDRPERM(mp_so),
6025	mpts->mpts_connid, tcp_droplen, mp_droplen),
6026	MPTCP_SENDER_DBG, MPTCP_LOGLVL_VERBOSE);
6027	}
6028	}
6029
6030	int
6031	mptcp_freeq(struct mptcb *mp_tp)
6032	{
6033	struct tseg_qent *q;
6034	int rv = `0`;
6035
6036	while ((q = LIST_FIRST(&mp_tp->mpt_segq)) != NULL) {
6037	LIST_REMOVE(q, tqe_q);
6038	m_freem(q->tqe_m);
6039	zfree(tcp_reass_zone, q);
6040	rv = `1`;
6041	}
6042	mp_tp->mpt_reassqlen = `0`;
6043	return (rv);
6044	}
6045
6046	static int
6047	mptcp_post_event(u_int32_t event_code, int value)
6048	{
6049	struct kev_mptcp_data event_data;
6050	struct kev_msg ev_msg;
6051
6052	memset(&ev_msg, `0`, sizeof(ev_msg));
6053
6054	ev_msg.vendor_code = KEV_VENDOR_APPLE;
6055	ev_msg.kev_class = KEV_NETWORK_CLASS;
6056	ev_msg.kev_subclass = KEV_MPTCP_SUBCLASS;
6057	ev_msg.event_code = event_code;
6058
6059	event_data.value = value;
6060
6061	ev_msg.dv[`0`].data_ptr = &event_data;
6062	ev_msg.dv[`0`].data_length = sizeof(event_data);
6063
6064	return kev_post_msg(&ev_msg);
6065	}
6066
6067	void
6068	mptcp_set_cellicon(struct mptses *mpte)
6069	{
6070	int error;
6071
6072	/ First-party apps (Siri) don't flip the cellicon /
6073	if (mpte->mpte_flags & MPTE_FIRSTPARTY)
6074	return;
6075
6076	/ Remember the last time we set the cellicon (see mptcp_unset_cellicon) /
6077	mptcp_last_cellicon_set = tcp_now;
6078
6079	/ If cellicon is already set, get out of here! /
6080	if (OSTestAndSet(`7`, &mptcp_cellicon_is_set))
6081	return;
6082
6083	error = mptcp_post_event(KEV_MPTCP_CELLUSE, `1`);
6084
6085	if (error)
6086	mptcplog((LOG_ERR, "%s: Setting cellicon failed with %d\n",
6087	__func__, error), MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
6088	else
6089	mptcplog((LOG_DEBUG, "%s successfully set the cellicon\n", __func__),
6090	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
6091	}
6092
6093	void
6094	mptcp_unset_cellicon(void)
6095	{
6096	int error;
6097
6098	/ If cellicon is already unset, get out of here! /
6099	if (OSTestAndClear(`7`, &mptcp_cellicon_is_set))
6100	return;
6101
6102	/*
6103	* If during the past MPTCP_CELLICON_TOGGLE_RATE seconds we didn't
6104	* explicitly set the cellicon (see mptcp_set_cellicon()), then we unset
6105	* it again.
6106	*/
6107	if (TSTMP_GT(mptcp_last_cellicon_set + MPTCP_CELLICON_TOGGLE_RATE,
6108	tcp_now)) {
6109	OSTestAndSet(`7`, &mptcp_cellicon_is_set);
6110	return;
6111	}
6112
6113	error = mptcp_post_event(KEV_MPTCP_CELLUSE, `0`);
6114
6115	if (error)
6116	mptcplog((LOG_ERR, "%s: Unsetting cellicon failed with %d\n",
6117	__func__, error), MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
6118	else
6119	mptcplog((LOG_DEBUG, "%s successfully unset the cellicon\n", __func__),
6120	MPTCP_SOCKET_DBG, MPTCP_LOGLVL_VERBOSE);
6121	}
6122
6123	void
6124	mptcp_reset_rexmit_state(struct tcpcb *tp)
6125	{
6126	struct mptsub *mpts;
6127	struct inpcb *inp;
6128	struct socket *so;
6129
6130	inp = tp->t_inpcb;
6131	if (inp == NULL)
6132	return;
6133
6134	so = inp->inp_socket;
6135	if (so == NULL)
6136	return;
6137
6138	if (!(so->so_flags & SOF_MP_SUBFLOW))
6139	return;
6140
6141	mpts = tp->t_mpsub;
6142
6143	mpts->mpts_flags &= ~MPTSF_WRITE_STALL;
6144	so->so_flags &= ~SOF_MP_TRYFAILOVER;
6145	}
6146
6147	void
6148	mptcp_reset_keepalive(struct tcpcb *tp)
6149	{
6150	struct mptsub *mpts = tp->t_mpsub;
6151
6152	mpts->mpts_flags &= ~MPTSF_READ_STALL;
6153	}
6154
6155

Browse the source code of xnu/bsd/netinet/mptcp_subr.c