1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Routines having to do with the 'struct sk_buff' memory handlers.
4 *
5 * Authors: Alan Cox <alan@lxorguk.ukuu.org.uk>
6 * Florian La Roche <rzsfl@rz.uni-sb.de>
7 *
8 * Fixes:
9 * Alan Cox : Fixed the worst of the load
10 * balancer bugs.
11 * Dave Platt : Interrupt stacking fix.
12 * Richard Kooijman : Timestamp fixes.
13 * Alan Cox : Changed buffer format.
14 * Alan Cox : destructor hook for AF_UNIX etc.
15 * Linus Torvalds : Better skb_clone.
16 * Alan Cox : Added skb_copy.
17 * Alan Cox : Added all the changed routines Linus
18 * only put in the headers
19 * Ray VanTassle : Fixed --skb->lock in free
20 * Alan Cox : skb_copy copy arp field
21 * Andi Kleen : slabified it.
22 * Robert Olsson : Removed skb_head_pool
23 *
24 * NOTE:
25 * The __skb_ routines should be called with interrupts
26 * disabled, or you better be *real* sure that the operation is atomic
27 * with respect to whatever list is being frobbed (e.g. via lock_sock()
28 * or via disabling bottom half handlers, etc).
29 */
30
31 /*
32 * The functions in this file will not compile correctly with gcc 2.4.x
33 */
34
35 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
36
37 #include <linux/module.h>
38 #include <linux/types.h>
39 #include <linux/kernel.h>
40 #include <linux/mm.h>
41 #include <linux/interrupt.h>
42 #include <linux/in.h>
43 #include <linux/inet.h>
44 #include <linux/slab.h>
45 #include <linux/tcp.h>
46 #include <linux/udp.h>
47 #include <linux/sctp.h>
48 #include <linux/netdevice.h>
49 #ifdef CONFIG_NET_CLS_ACT
50 #include <net/pkt_sched.h>
51 #endif
52 #include <linux/string.h>
53 #include <linux/skbuff.h>
54 #include <linux/splice.h>
55 #include <linux/cache.h>
56 #include <linux/rtnetlink.h>
57 #include <linux/init.h>
58 #include <linux/scatterlist.h>
59 #include <linux/errqueue.h>
60 #include <linux/prefetch.h>
61 #include <linux/if_vlan.h>
62 #include <linux/mpls.h>
63
64 #include <net/protocol.h>
65 #include <net/dst.h>
66 #include <net/sock.h>
67 #include <net/checksum.h>
68 #include <net/ip6_checksum.h>
69 #include <net/xfrm.h>
70 #include <net/mpls.h>
71 #include <net/mptcp.h>
72
73 #include <linux/uaccess.h>
74 #include <trace/events/skb.h>
75 #include <linux/highmem.h>
76 #include <linux/capability.h>
77 #include <linux/user_namespace.h>
78 #include <linux/indirect_call_wrapper.h>
79
80 #include "datagram.h"
81
82 struct kmem_cache *skbuff_head_cache __ro_after_init;
83 static struct kmem_cache *skbuff_fclone_cache __ro_after_init;
84 #ifdef CONFIG_SKB_EXTENSIONS
85 static struct kmem_cache *skbuff_ext_cache __ro_after_init;
86 #endif
87 int sysctl_max_skb_frags __read_mostly = MAX_SKB_FRAGS;
88 EXPORT_SYMBOL(sysctl_max_skb_frags);
89
90 /**
91 * skb_panic - private function for out-of-line support
92 * @skb: buffer
93 * @sz: size
94 * @addr: address
95 * @msg: skb_over_panic or skb_under_panic
96 *
97 * Out-of-line support for skb_put() and skb_push().
98 * Called via the wrapper skb_over_panic() or skb_under_panic().
99 * Keep out of line to prevent kernel bloat.
100 * __builtin_return_address is not used because it is not always reliable.
101 */
skb_panic(struct sk_buff * skb,unsigned int sz,void * addr,const char msg[])102 static void skb_panic(struct sk_buff *skb, unsigned int sz, void *addr,
103 const char msg[])
104 {
105 pr_emerg("%s: text:%px len:%d put:%d head:%px data:%px tail:%#lx end:%#lx dev:%s\n",
106 msg, addr, skb->len, sz, skb->head, skb->data,
107 (unsigned long)skb->tail, (unsigned long)skb->end,
108 skb->dev ? skb->dev->name : "<NULL>");
109 BUG();
110 }
111
skb_over_panic(struct sk_buff * skb,unsigned int sz,void * addr)112 static void skb_over_panic(struct sk_buff *skb, unsigned int sz, void *addr)
113 {
114 skb_panic(skb, sz, addr, __func__);
115 }
116
skb_under_panic(struct sk_buff * skb,unsigned int sz,void * addr)117 static void skb_under_panic(struct sk_buff *skb, unsigned int sz, void *addr)
118 {
119 skb_panic(skb, sz, addr, __func__);
120 }
121
122 /*
123 * kmalloc_reserve is a wrapper around kmalloc_node_track_caller that tells
124 * the caller if emergency pfmemalloc reserves are being used. If it is and
125 * the socket is later found to be SOCK_MEMALLOC then PFMEMALLOC reserves
126 * may be used. Otherwise, the packet data may be discarded until enough
127 * memory is free
128 */
129 #define kmalloc_reserve(size, gfp, node, pfmemalloc) \
130 __kmalloc_reserve(size, gfp, node, _RET_IP_, pfmemalloc)
131
__kmalloc_reserve(size_t size,gfp_t flags,int node,unsigned long ip,bool * pfmemalloc)132 static void *__kmalloc_reserve(size_t size, gfp_t flags, int node,
133 unsigned long ip, bool *pfmemalloc)
134 {
135 void *obj;
136 bool ret_pfmemalloc = false;
137
138 /*
139 * Try a regular allocation, when that fails and we're not entitled
140 * to the reserves, fail.
141 */
142 obj = kmalloc_node_track_caller(size,
143 flags | __GFP_NOMEMALLOC | __GFP_NOWARN,
144 node);
145 if (obj || !(gfp_pfmemalloc_allowed(flags)))
146 goto out;
147
148 /* Try again but now we are using pfmemalloc reserves */
149 ret_pfmemalloc = true;
150 obj = kmalloc_node_track_caller(size, flags, node);
151
152 out:
153 if (pfmemalloc)
154 *pfmemalloc = ret_pfmemalloc;
155
156 return obj;
157 }
158
159 /* Allocate a new skbuff. We do this ourselves so we can fill in a few
160 * 'private' fields and also do memory statistics to find all the
161 * [BEEP] leaks.
162 *
163 */
164
165 /**
166 * __alloc_skb - allocate a network buffer
167 * @size: size to allocate
168 * @gfp_mask: allocation mask
169 * @flags: If SKB_ALLOC_FCLONE is set, allocate from fclone cache
170 * instead of head cache and allocate a cloned (child) skb.
171 * If SKB_ALLOC_RX is set, __GFP_MEMALLOC will be used for
172 * allocations in case the data is required for writeback
173 * @node: numa node to allocate memory on
174 *
175 * Allocate a new &sk_buff. The returned buffer has no headroom and a
176 * tail room of at least size bytes. The object has a reference count
177 * of one. The return is the buffer. On a failure the return is %NULL.
178 *
179 * Buffers may only be allocated from interrupts using a @gfp_mask of
180 * %GFP_ATOMIC.
181 */
__alloc_skb(unsigned int size,gfp_t gfp_mask,int flags,int node)182 struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask,
183 int flags, int node)
184 {
185 struct kmem_cache *cache;
186 struct skb_shared_info *shinfo;
187 struct sk_buff *skb;
188 u8 *data;
189 bool pfmemalloc;
190
191 cache = (flags & SKB_ALLOC_FCLONE)
192 ? skbuff_fclone_cache : skbuff_head_cache;
193
194 if (sk_memalloc_socks() && (flags & SKB_ALLOC_RX))
195 gfp_mask |= __GFP_MEMALLOC;
196
197 /* Get the HEAD */
198 skb = kmem_cache_alloc_node(cache, gfp_mask & ~__GFP_DMA, node);
199 if (!skb)
200 goto out;
201 prefetchw(skb);
202
203 /* We do our best to align skb_shared_info on a separate cache
204 * line. It usually works because kmalloc(X > SMP_CACHE_BYTES) gives
205 * aligned memory blocks, unless SLUB/SLAB debug is enabled.
206 * Both skb->head and skb_shared_info are cache line aligned.
207 */
208 size = SKB_DATA_ALIGN(size);
209 size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
210 data = kmalloc_reserve(size, gfp_mask, node, &pfmemalloc);
211 if (!data)
212 goto nodata;
213 /* kmalloc(size) might give us more room than requested.
214 * Put skb_shared_info exactly at the end of allocated zone,
215 * to allow max possible filling before reallocation.
216 */
217 size = SKB_WITH_OVERHEAD(ksize(data));
218 prefetchw(data + size);
219
220 /*
221 * Only clear those fields we need to clear, not those that we will
222 * actually initialise below. Hence, don't put any more fields after
223 * the tail pointer in struct sk_buff!
224 */
225 memset(skb, 0, offsetof(struct sk_buff, tail));
226 /* Account for allocated memory : skb + skb->head */
227 skb->truesize = SKB_TRUESIZE(size);
228 skb->pfmemalloc = pfmemalloc;
229 refcount_set(&skb->users, 1);
230 skb->head = data;
231 skb->data = data;
232 skb_reset_tail_pointer(skb);
233 skb->end = skb->tail + size;
234 skb->mac_header = (typeof(skb->mac_header))~0U;
235 skb->transport_header = (typeof(skb->transport_header))~0U;
236
237 /* make sure we initialize shinfo sequentially */
238 shinfo = skb_shinfo(skb);
239 memset(shinfo, 0, offsetof(struct skb_shared_info, dataref));
240 atomic_set(&shinfo->dataref, 1);
241
242 if (flags & SKB_ALLOC_FCLONE) {
243 struct sk_buff_fclones *fclones;
244
245 fclones = container_of(skb, struct sk_buff_fclones, skb1);
246
247 skb->fclone = SKB_FCLONE_ORIG;
248 refcount_set(&fclones->fclone_ref, 1);
249
250 fclones->skb2.fclone = SKB_FCLONE_CLONE;
251 }
252
253 skb_set_kcov_handle(skb, kcov_common_handle());
254
255 out:
256 return skb;
257 nodata:
258 kmem_cache_free(cache, skb);
259 skb = NULL;
260 goto out;
261 }
262 EXPORT_SYMBOL(__alloc_skb);
263
264 /* Caller must provide SKB that is memset cleared */
__build_skb_around(struct sk_buff * skb,void * data,unsigned int frag_size)265 static struct sk_buff *__build_skb_around(struct sk_buff *skb,
266 void *data, unsigned int frag_size)
267 {
268 struct skb_shared_info *shinfo;
269 unsigned int size = frag_size ? : ksize(data);
270
271 size -= SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
272
273 /* Assumes caller memset cleared SKB */
274 skb->truesize = SKB_TRUESIZE(size);
275 refcount_set(&skb->users, 1);
276 skb->head = data;
277 skb->data = data;
278 skb_reset_tail_pointer(skb);
279 skb->end = skb->tail + size;
280 skb->mac_header = (typeof(skb->mac_header))~0U;
281 skb->transport_header = (typeof(skb->transport_header))~0U;
282
283 /* make sure we initialize shinfo sequentially */
284 shinfo = skb_shinfo(skb);
285 memset(shinfo, 0, offsetof(struct skb_shared_info, dataref));
286 atomic_set(&shinfo->dataref, 1);
287
288 skb_set_kcov_handle(skb, kcov_common_handle());
289
290 return skb;
291 }
292
293 /**
294 * __build_skb - build a network buffer
295 * @data: data buffer provided by caller
296 * @frag_size: size of data, or 0 if head was kmalloced
297 *
298 * Allocate a new &sk_buff. Caller provides space holding head and
299 * skb_shared_info. @data must have been allocated by kmalloc() only if
300 * @frag_size is 0, otherwise data should come from the page allocator
301 * or vmalloc()
302 * The return is the new skb buffer.
303 * On a failure the return is %NULL, and @data is not freed.
304 * Notes :
305 * Before IO, driver allocates only data buffer where NIC put incoming frame
306 * Driver should add room at head (NET_SKB_PAD) and
307 * MUST add room at tail (SKB_DATA_ALIGN(skb_shared_info))
308 * After IO, driver calls build_skb(), to allocate sk_buff and populate it
309 * before giving packet to stack.
310 * RX rings only contains data buffers, not full skbs.
311 */
__build_skb(void * data,unsigned int frag_size)312 struct sk_buff *__build_skb(void *data, unsigned int frag_size)
313 {
314 struct sk_buff *skb;
315
316 skb = kmem_cache_alloc(skbuff_head_cache, GFP_ATOMIC);
317 if (unlikely(!skb))
318 return NULL;
319
320 memset(skb, 0, offsetof(struct sk_buff, tail));
321
322 return __build_skb_around(skb, data, frag_size);
323 }
324
325 /* build_skb() is wrapper over __build_skb(), that specifically
326 * takes care of skb->head and skb->pfmemalloc
327 * This means that if @frag_size is not zero, then @data must be backed
328 * by a page fragment, not kmalloc() or vmalloc()
329 */
build_skb(void * data,unsigned int frag_size)330 struct sk_buff *build_skb(void *data, unsigned int frag_size)
331 {
332 struct sk_buff *skb = __build_skb(data, frag_size);
333
334 if (skb && frag_size) {
335 skb->head_frag = 1;
336 if (page_is_pfmemalloc(virt_to_head_page(data)))
337 skb->pfmemalloc = 1;
338 }
339 return skb;
340 }
341 EXPORT_SYMBOL(build_skb);
342
343 /**
344 * build_skb_around - build a network buffer around provided skb
345 * @skb: sk_buff provide by caller, must be memset cleared
346 * @data: data buffer provided by caller
347 * @frag_size: size of data, or 0 if head was kmalloced
348 */
build_skb_around(struct sk_buff * skb,void * data,unsigned int frag_size)349 struct sk_buff *build_skb_around(struct sk_buff *skb,
350 void *data, unsigned int frag_size)
351 {
352 if (unlikely(!skb))
353 return NULL;
354
355 skb = __build_skb_around(skb, data, frag_size);
356
357 if (skb && frag_size) {
358 skb->head_frag = 1;
359 if (page_is_pfmemalloc(virt_to_head_page(data)))
360 skb->pfmemalloc = 1;
361 }
362 return skb;
363 }
364 EXPORT_SYMBOL(build_skb_around);
365
366 #define NAPI_SKB_CACHE_SIZE 64
367
368 struct napi_alloc_cache {
369 struct page_frag_cache page;
370 unsigned int skb_count;
371 void *skb_cache[NAPI_SKB_CACHE_SIZE];
372 };
373
374 static DEFINE_PER_CPU(struct page_frag_cache, netdev_alloc_cache);
375 static DEFINE_PER_CPU(struct napi_alloc_cache, napi_alloc_cache);
376
__napi_alloc_frag(unsigned int fragsz,gfp_t gfp_mask)377 static void *__napi_alloc_frag(unsigned int fragsz, gfp_t gfp_mask)
378 {
379 struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache);
380
381 return page_frag_alloc(&nc->page, fragsz, gfp_mask);
382 }
383
napi_alloc_frag(unsigned int fragsz)384 void *napi_alloc_frag(unsigned int fragsz)
385 {
386 fragsz = SKB_DATA_ALIGN(fragsz);
387
388 return __napi_alloc_frag(fragsz, GFP_ATOMIC);
389 }
390 EXPORT_SYMBOL(napi_alloc_frag);
391
392 /**
393 * netdev_alloc_frag - allocate a page fragment
394 * @fragsz: fragment size
395 *
396 * Allocates a frag from a page for receive buffer.
397 * Uses GFP_ATOMIC allocations.
398 */
netdev_alloc_frag(unsigned int fragsz)399 void *netdev_alloc_frag(unsigned int fragsz)
400 {
401 struct page_frag_cache *nc;
402 void *data;
403
404 fragsz = SKB_DATA_ALIGN(fragsz);
405 if (in_irq() || irqs_disabled()) {
406 nc = this_cpu_ptr(&netdev_alloc_cache);
407 data = page_frag_alloc(nc, fragsz, GFP_ATOMIC);
408 } else {
409 local_bh_disable();
410 data = __napi_alloc_frag(fragsz, GFP_ATOMIC);
411 local_bh_enable();
412 }
413 return data;
414 }
415 EXPORT_SYMBOL(netdev_alloc_frag);
416
417 /**
418 * __netdev_alloc_skb - allocate an skbuff for rx on a specific device
419 * @dev: network device to receive on
420 * @len: length to allocate
421 * @gfp_mask: get_free_pages mask, passed to alloc_skb
422 *
423 * Allocate a new &sk_buff and assign it a usage count of one. The
424 * buffer has NET_SKB_PAD headroom built in. Users should allocate
425 * the headroom they think they need without accounting for the
426 * built in space. The built in space is used for optimisations.
427 *
428 * %NULL is returned if there is no free memory.
429 */
__netdev_alloc_skb(struct net_device * dev,unsigned int len,gfp_t gfp_mask)430 struct sk_buff *__netdev_alloc_skb(struct net_device *dev, unsigned int len,
431 gfp_t gfp_mask)
432 {
433 struct page_frag_cache *nc;
434 struct sk_buff *skb;
435 bool pfmemalloc;
436 void *data;
437
438 len += NET_SKB_PAD;
439
440 /* If requested length is either too small or too big,
441 * we use kmalloc() for skb->head allocation.
442 */
443 if (len <= SKB_WITH_OVERHEAD(1024) ||
444 len > SKB_WITH_OVERHEAD(PAGE_SIZE) ||
445 (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) {
446 skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX, NUMA_NO_NODE);
447 if (!skb)
448 goto skb_fail;
449 goto skb_success;
450 }
451
452 len += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
453 len = SKB_DATA_ALIGN(len);
454
455 if (sk_memalloc_socks())
456 gfp_mask |= __GFP_MEMALLOC;
457
458 if (in_irq() || irqs_disabled()) {
459 nc = this_cpu_ptr(&netdev_alloc_cache);
460 data = page_frag_alloc(nc, len, gfp_mask);
461 pfmemalloc = nc->pfmemalloc;
462 } else {
463 local_bh_disable();
464 nc = this_cpu_ptr(&napi_alloc_cache.page);
465 data = page_frag_alloc(nc, len, gfp_mask);
466 pfmemalloc = nc->pfmemalloc;
467 local_bh_enable();
468 }
469
470 if (unlikely(!data))
471 return NULL;
472
473 skb = __build_skb(data, len);
474 if (unlikely(!skb)) {
475 skb_free_frag(data);
476 return NULL;
477 }
478
479 if (pfmemalloc)
480 skb->pfmemalloc = 1;
481 skb->head_frag = 1;
482
483 skb_success:
484 skb_reserve(skb, NET_SKB_PAD);
485 skb->dev = dev;
486
487 skb_fail:
488 return skb;
489 }
490 EXPORT_SYMBOL(__netdev_alloc_skb);
491
492 /**
493 * __napi_alloc_skb - allocate skbuff for rx in a specific NAPI instance
494 * @napi: napi instance this buffer was allocated for
495 * @len: length to allocate
496 * @gfp_mask: get_free_pages mask, passed to alloc_skb and alloc_pages
497 *
498 * Allocate a new sk_buff for use in NAPI receive. This buffer will
499 * attempt to allocate the head from a special reserved region used
500 * only for NAPI Rx allocation. By doing this we can save several
501 * CPU cycles by avoiding having to disable and re-enable IRQs.
502 *
503 * %NULL is returned if there is no free memory.
504 */
__napi_alloc_skb(struct napi_struct * napi,unsigned int len,gfp_t gfp_mask)505 struct sk_buff *__napi_alloc_skb(struct napi_struct *napi, unsigned int len,
506 gfp_t gfp_mask)
507 {
508 struct napi_alloc_cache *nc;
509 struct sk_buff *skb;
510 void *data;
511
512 len += NET_SKB_PAD + NET_IP_ALIGN;
513
514 /* If requested length is either too small or too big,
515 * we use kmalloc() for skb->head allocation.
516 */
517 if (len <= SKB_WITH_OVERHEAD(1024) ||
518 len > SKB_WITH_OVERHEAD(PAGE_SIZE) ||
519 (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) {
520 skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX, NUMA_NO_NODE);
521 if (!skb)
522 goto skb_fail;
523 goto skb_success;
524 }
525
526 nc = this_cpu_ptr(&napi_alloc_cache);
527 len += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
528 len = SKB_DATA_ALIGN(len);
529
530 if (sk_memalloc_socks())
531 gfp_mask |= __GFP_MEMALLOC;
532
533 data = page_frag_alloc(&nc->page, len, gfp_mask);
534 if (unlikely(!data))
535 return NULL;
536
537 skb = __build_skb(data, len);
538 if (unlikely(!skb)) {
539 skb_free_frag(data);
540 return NULL;
541 }
542
543 if (nc->page.pfmemalloc)
544 skb->pfmemalloc = 1;
545 skb->head_frag = 1;
546
547 skb_success:
548 skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
549 skb->dev = napi->dev;
550
551 skb_fail:
552 return skb;
553 }
554 EXPORT_SYMBOL(__napi_alloc_skb);
555
skb_add_rx_frag(struct sk_buff * skb,int i,struct page * page,int off,int size,unsigned int truesize)556 void skb_add_rx_frag(struct sk_buff *skb, int i, struct page *page, int off,
557 int size, unsigned int truesize)
558 {
559 skb_fill_page_desc(skb, i, page, off, size);
560 skb->len += size;
561 skb->data_len += size;
562 skb->truesize += truesize;
563 }
564 EXPORT_SYMBOL(skb_add_rx_frag);
565
skb_coalesce_rx_frag(struct sk_buff * skb,int i,int size,unsigned int truesize)566 void skb_coalesce_rx_frag(struct sk_buff *skb, int i, int size,
567 unsigned int truesize)
568 {
569 skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
570
571 skb_frag_size_add(frag, size);
572 skb->len += size;
573 skb->data_len += size;
574 skb->truesize += truesize;
575 }
576 EXPORT_SYMBOL(skb_coalesce_rx_frag);
577
skb_drop_list(struct sk_buff ** listp)578 static void skb_drop_list(struct sk_buff **listp)
579 {
580 kfree_skb_list(*listp);
581 *listp = NULL;
582 }
583
skb_drop_fraglist(struct sk_buff * skb)584 static inline void skb_drop_fraglist(struct sk_buff *skb)
585 {
586 skb_drop_list(&skb_shinfo(skb)->frag_list);
587 }
588
skb_clone_fraglist(struct sk_buff * skb)589 static void skb_clone_fraglist(struct sk_buff *skb)
590 {
591 struct sk_buff *list;
592
593 skb_walk_frags(skb, list)
594 skb_get(list);
595 }
596
skb_free_head(struct sk_buff * skb)597 static void skb_free_head(struct sk_buff *skb)
598 {
599 unsigned char *head = skb->head;
600
601 if (skb->head_frag)
602 skb_free_frag(head);
603 else
604 kfree(head);
605 }
606
skb_release_data(struct sk_buff * skb)607 static void skb_release_data(struct sk_buff *skb)
608 {
609 struct skb_shared_info *shinfo = skb_shinfo(skb);
610 int i;
611
612 if (skb->cloned &&
613 atomic_sub_return(skb->nohdr ? (1 << SKB_DATAREF_SHIFT) + 1 : 1,
614 &shinfo->dataref))
615 return;
616
617 for (i = 0; i < shinfo->nr_frags; i++)
618 __skb_frag_unref(&shinfo->frags[i]);
619
620 if (shinfo->frag_list)
621 kfree_skb_list(shinfo->frag_list);
622
623 skb_zcopy_clear(skb, true);
624 skb_free_head(skb);
625 }
626
627 /*
628 * Free an skbuff by memory without cleaning the state.
629 */
kfree_skbmem(struct sk_buff * skb)630 static void kfree_skbmem(struct sk_buff *skb)
631 {
632 struct sk_buff_fclones *fclones;
633
634 switch (skb->fclone) {
635 case SKB_FCLONE_UNAVAILABLE:
636 kmem_cache_free(skbuff_head_cache, skb);
637 return;
638
639 case SKB_FCLONE_ORIG:
640 fclones = container_of(skb, struct sk_buff_fclones, skb1);
641
642 /* We usually free the clone (TX completion) before original skb
643 * This test would have no chance to be true for the clone,
644 * while here, branch prediction will be good.
645 */
646 if (refcount_read(&fclones->fclone_ref) == 1)
647 goto fastpath;
648 break;
649
650 default: /* SKB_FCLONE_CLONE */
651 fclones = container_of(skb, struct sk_buff_fclones, skb2);
652 break;
653 }
654 if (!refcount_dec_and_test(&fclones->fclone_ref))
655 return;
656 fastpath:
657 kmem_cache_free(skbuff_fclone_cache, fclones);
658 }
659
skb_release_head_state(struct sk_buff * skb)660 void skb_release_head_state(struct sk_buff *skb)
661 {
662 skb_dst_drop(skb);
663 if (skb->destructor) {
664 WARN_ON(in_irq());
665 skb->destructor(skb);
666 }
667 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
668 nf_conntrack_put(skb_nfct(skb));
669 #endif
670 skb_ext_put(skb);
671 }
672
673 /* Free everything but the sk_buff shell. */
skb_release_all(struct sk_buff * skb)674 static void skb_release_all(struct sk_buff *skb)
675 {
676 skb_release_head_state(skb);
677 if (likely(skb->head))
678 skb_release_data(skb);
679 }
680
681 /**
682 * __kfree_skb - private function
683 * @skb: buffer
684 *
685 * Free an sk_buff. Release anything attached to the buffer.
686 * Clean the state. This is an internal helper function. Users should
687 * always call kfree_skb
688 */
689
__kfree_skb(struct sk_buff * skb)690 void __kfree_skb(struct sk_buff *skb)
691 {
692 skb_release_all(skb);
693 kfree_skbmem(skb);
694 }
695 EXPORT_SYMBOL(__kfree_skb);
696
697 /**
698 * kfree_skb - free an sk_buff
699 * @skb: buffer to free
700 *
701 * Drop a reference to the buffer and free it if the usage count has
702 * hit zero.
703 */
kfree_skb(struct sk_buff * skb)704 void kfree_skb(struct sk_buff *skb)
705 {
706 if (!skb_unref(skb))
707 return;
708
709 trace_kfree_skb(skb, __builtin_return_address(0));
710 __kfree_skb(skb);
711 }
712 EXPORT_SYMBOL(kfree_skb);
713
kfree_skb_list(struct sk_buff * segs)714 void kfree_skb_list(struct sk_buff *segs)
715 {
716 while (segs) {
717 struct sk_buff *next = segs->next;
718
719 kfree_skb(segs);
720 segs = next;
721 }
722 }
723 EXPORT_SYMBOL(kfree_skb_list);
724
725 /* Dump skb information and contents.
726 *
727 * Must only be called from net_ratelimit()-ed paths.
728 *
729 * Dumps whole packets if full_pkt, only headers otherwise.
730 */
skb_dump(const char * level,const struct sk_buff * skb,bool full_pkt)731 void skb_dump(const char *level, const struct sk_buff *skb, bool full_pkt)
732 {
733 struct skb_shared_info *sh = skb_shinfo(skb);
734 struct net_device *dev = skb->dev;
735 struct sock *sk = skb->sk;
736 struct sk_buff *list_skb;
737 bool has_mac, has_trans;
738 int headroom, tailroom;
739 int i, len, seg_len;
740
741 if (full_pkt)
742 len = skb->len;
743 else
744 len = min_t(int, skb->len, MAX_HEADER + 128);
745
746 headroom = skb_headroom(skb);
747 tailroom = skb_tailroom(skb);
748
749 has_mac = skb_mac_header_was_set(skb);
750 has_trans = skb_transport_header_was_set(skb);
751
752 printk("%sskb len=%u headroom=%u headlen=%u tailroom=%u\n"
753 "mac=(%d,%d) net=(%d,%d) trans=%d\n"
754 "shinfo(txflags=%u nr_frags=%u gso(size=%hu type=%u segs=%hu))\n"
755 "csum(0x%x ip_summed=%u complete_sw=%u valid=%u level=%u)\n"
756 "hash(0x%x sw=%u l4=%u) proto=0x%04x pkttype=%u iif=%d\n",
757 level, skb->len, headroom, skb_headlen(skb), tailroom,
758 has_mac ? skb->mac_header : -1,
759 has_mac ? skb_mac_header_len(skb) : -1,
760 skb->network_header,
761 has_trans ? skb_network_header_len(skb) : -1,
762 has_trans ? skb->transport_header : -1,
763 sh->tx_flags, sh->nr_frags,
764 sh->gso_size, sh->gso_type, sh->gso_segs,
765 skb->csum, skb->ip_summed, skb->csum_complete_sw,
766 skb->csum_valid, skb->csum_level,
767 skb->hash, skb->sw_hash, skb->l4_hash,
768 ntohs(skb->protocol), skb->pkt_type, skb->skb_iif);
769
770 if (dev)
771 printk("%sdev name=%s feat=%pNF\n",
772 level, dev->name, &dev->features);
773 if (sk)
774 printk("%ssk family=%hu type=%u proto=%u\n",
775 level, sk->sk_family, sk->sk_type, sk->sk_protocol);
776
777 if (full_pkt && headroom)
778 print_hex_dump(level, "skb headroom: ", DUMP_PREFIX_OFFSET,
779 16, 1, skb->head, headroom, false);
780
781 seg_len = min_t(int, skb_headlen(skb), len);
782 if (seg_len)
783 print_hex_dump(level, "skb linear: ", DUMP_PREFIX_OFFSET,
784 16, 1, skb->data, seg_len, false);
785 len -= seg_len;
786
787 if (full_pkt && tailroom)
788 print_hex_dump(level, "skb tailroom: ", DUMP_PREFIX_OFFSET,
789 16, 1, skb_tail_pointer(skb), tailroom, false);
790
791 for (i = 0; len && i < skb_shinfo(skb)->nr_frags; i++) {
792 skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
793 u32 p_off, p_len, copied;
794 struct page *p;
795 u8 *vaddr;
796
797 skb_frag_foreach_page(frag, skb_frag_off(frag),
798 skb_frag_size(frag), p, p_off, p_len,
799 copied) {
800 seg_len = min_t(int, p_len, len);
801 vaddr = kmap_atomic(p);
802 print_hex_dump(level, "skb frag: ",
803 DUMP_PREFIX_OFFSET,
804 16, 1, vaddr + p_off, seg_len, false);
805 kunmap_atomic(vaddr);
806 len -= seg_len;
807 if (!len)
808 break;
809 }
810 }
811
812 if (full_pkt && skb_has_frag_list(skb)) {
813 printk("skb fraglist:\n");
814 skb_walk_frags(skb, list_skb)
815 skb_dump(level, list_skb, true);
816 }
817 }
818 EXPORT_SYMBOL(skb_dump);
819
820 /**
821 * skb_tx_error - report an sk_buff xmit error
822 * @skb: buffer that triggered an error
823 *
824 * Report xmit error if a device callback is tracking this skb.
825 * skb must be freed afterwards.
826 */
skb_tx_error(struct sk_buff * skb)827 void skb_tx_error(struct sk_buff *skb)
828 {
829 skb_zcopy_clear(skb, true);
830 }
831 EXPORT_SYMBOL(skb_tx_error);
832
833 #ifdef CONFIG_TRACEPOINTS
834 /**
835 * consume_skb - free an skbuff
836 * @skb: buffer to free
837 *
838 * Drop a ref to the buffer and free it if the usage count has hit zero
839 * Functions identically to kfree_skb, but kfree_skb assumes that the frame
840 * is being dropped after a failure and notes that
841 */
consume_skb(struct sk_buff * skb)842 void consume_skb(struct sk_buff *skb)
843 {
844 if (!skb_unref(skb))
845 return;
846
847 trace_consume_skb(skb);
848 __kfree_skb(skb);
849 }
850 EXPORT_SYMBOL(consume_skb);
851 #endif
852
853 /**
854 * consume_stateless_skb - free an skbuff, assuming it is stateless
855 * @skb: buffer to free
856 *
857 * Alike consume_skb(), but this variant assumes that this is the last
858 * skb reference and all the head states have been already dropped
859 */
__consume_stateless_skb(struct sk_buff * skb)860 void __consume_stateless_skb(struct sk_buff *skb)
861 {
862 trace_consume_skb(skb);
863 skb_release_data(skb);
864 kfree_skbmem(skb);
865 }
866
__kfree_skb_flush(void)867 void __kfree_skb_flush(void)
868 {
869 struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache);
870
871 /* flush skb_cache if containing objects */
872 if (nc->skb_count) {
873 kmem_cache_free_bulk(skbuff_head_cache, nc->skb_count,
874 nc->skb_cache);
875 nc->skb_count = 0;
876 }
877 }
878
_kfree_skb_defer(struct sk_buff * skb)879 static inline void _kfree_skb_defer(struct sk_buff *skb)
880 {
881 struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache);
882
883 /* drop skb->head and call any destructors for packet */
884 skb_release_all(skb);
885
886 /* record skb to CPU local list */
887 nc->skb_cache[nc->skb_count++] = skb;
888
889 #ifdef CONFIG_SLUB
890 /* SLUB writes into objects when freeing */
891 prefetchw(skb);
892 #endif
893
894 /* flush skb_cache if it is filled */
895 if (unlikely(nc->skb_count == NAPI_SKB_CACHE_SIZE)) {
896 kmem_cache_free_bulk(skbuff_head_cache, NAPI_SKB_CACHE_SIZE,
897 nc->skb_cache);
898 nc->skb_count = 0;
899 }
900 }
__kfree_skb_defer(struct sk_buff * skb)901 void __kfree_skb_defer(struct sk_buff *skb)
902 {
903 _kfree_skb_defer(skb);
904 }
905
napi_consume_skb(struct sk_buff * skb,int budget)906 void napi_consume_skb(struct sk_buff *skb, int budget)
907 {
908 /* Zero budget indicate non-NAPI context called us, like netpoll */
909 if (unlikely(!budget)) {
910 dev_consume_skb_any(skb);
911 return;
912 }
913
914 if (!skb_unref(skb))
915 return;
916
917 /* if reaching here SKB is ready to free */
918 trace_consume_skb(skb);
919
920 /* if SKB is a clone, don't handle this case */
921 if (skb->fclone != SKB_FCLONE_UNAVAILABLE) {
922 __kfree_skb(skb);
923 return;
924 }
925
926 _kfree_skb_defer(skb);
927 }
928 EXPORT_SYMBOL(napi_consume_skb);
929
930 /* Make sure a field is enclosed inside headers_start/headers_end section */
931 #define CHECK_SKB_FIELD(field) \
932 BUILD_BUG_ON(offsetof(struct sk_buff, field) < \
933 offsetof(struct sk_buff, headers_start)); \
934 BUILD_BUG_ON(offsetof(struct sk_buff, field) > \
935 offsetof(struct sk_buff, headers_end)); \
936
__copy_skb_header(struct sk_buff * new,const struct sk_buff * old)937 static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
938 {
939 new->tstamp = old->tstamp;
940 /* We do not copy old->sk */
941 new->dev = old->dev;
942 memcpy(new->cb, old->cb, sizeof(old->cb));
943 skb_dst_copy(new, old);
944 __skb_ext_copy(new, old);
945 __nf_copy(new, old, false);
946
947 /* Note : this field could be in headers_start/headers_end section
948 * It is not yet because we do not want to have a 16 bit hole
949 */
950 new->queue_mapping = old->queue_mapping;
951
952 memcpy(&new->headers_start, &old->headers_start,
953 offsetof(struct sk_buff, headers_end) -
954 offsetof(struct sk_buff, headers_start));
955 CHECK_SKB_FIELD(protocol);
956 CHECK_SKB_FIELD(csum);
957 CHECK_SKB_FIELD(hash);
958 CHECK_SKB_FIELD(priority);
959 CHECK_SKB_FIELD(skb_iif);
960 CHECK_SKB_FIELD(vlan_proto);
961 CHECK_SKB_FIELD(vlan_tci);
962 CHECK_SKB_FIELD(transport_header);
963 CHECK_SKB_FIELD(network_header);
964 CHECK_SKB_FIELD(mac_header);
965 CHECK_SKB_FIELD(inner_protocol);
966 CHECK_SKB_FIELD(inner_transport_header);
967 CHECK_SKB_FIELD(inner_network_header);
968 CHECK_SKB_FIELD(inner_mac_header);
969 CHECK_SKB_FIELD(mark);
970 #ifdef CONFIG_NETWORK_SECMARK
971 CHECK_SKB_FIELD(secmark);
972 #endif
973 #ifdef CONFIG_NET_RX_BUSY_POLL
974 CHECK_SKB_FIELD(napi_id);
975 #endif
976 #ifdef CONFIG_XPS
977 CHECK_SKB_FIELD(sender_cpu);
978 #endif
979 #ifdef CONFIG_NET_SCHED
980 CHECK_SKB_FIELD(tc_index);
981 #endif
982
983 }
984
985 /*
986 * You should not add any new code to this function. Add it to
987 * __copy_skb_header above instead.
988 */
__skb_clone(struct sk_buff * n,struct sk_buff * skb)989 static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb)
990 {
991 #define C(x) n->x = skb->x
992
993 n->next = n->prev = NULL;
994 n->sk = NULL;
995 __copy_skb_header(n, skb);
996
997 C(len);
998 C(data_len);
999 C(mac_len);
1000 n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len;
1001 n->cloned = 1;
1002 n->nohdr = 0;
1003 n->peeked = 0;
1004 C(pfmemalloc);
1005 n->destructor = NULL;
1006 C(tail);
1007 C(end);
1008 C(head);
1009 C(head_frag);
1010 C(data);
1011 C(truesize);
1012 refcount_set(&n->users, 1);
1013
1014 atomic_inc(&(skb_shinfo(skb)->dataref));
1015 skb->cloned = 1;
1016
1017 return n;
1018 #undef C
1019 }
1020
1021 /**
1022 * alloc_skb_for_msg() - allocate sk_buff to wrap frag list forming a msg
1023 * @first: first sk_buff of the msg
1024 */
alloc_skb_for_msg(struct sk_buff * first)1025 struct sk_buff *alloc_skb_for_msg(struct sk_buff *first)
1026 {
1027 struct sk_buff *n;
1028
1029 n = alloc_skb(0, GFP_ATOMIC);
1030 if (!n)
1031 return NULL;
1032
1033 n->len = first->len;
1034 n->data_len = first->len;
1035 n->truesize = first->truesize;
1036
1037 skb_shinfo(n)->frag_list = first;
1038
1039 __copy_skb_header(n, first);
1040 n->destructor = NULL;
1041
1042 return n;
1043 }
1044 EXPORT_SYMBOL_GPL(alloc_skb_for_msg);
1045
1046 /**
1047 * skb_morph - morph one skb into another
1048 * @dst: the skb to receive the contents
1049 * @src: the skb to supply the contents
1050 *
1051 * This is identical to skb_clone except that the target skb is
1052 * supplied by the user.
1053 *
1054 * The target skb is returned upon exit.
1055 */
skb_morph(struct sk_buff * dst,struct sk_buff * src)1056 struct sk_buff *skb_morph(struct sk_buff *dst, struct sk_buff *src)
1057 {
1058 skb_release_all(dst);
1059 return __skb_clone(dst, src);
1060 }
1061 EXPORT_SYMBOL_GPL(skb_morph);
1062
mm_account_pinned_pages(struct mmpin * mmp,size_t size)1063 int mm_account_pinned_pages(struct mmpin *mmp, size_t size)
1064 {
1065 unsigned long max_pg, num_pg, new_pg, old_pg;
1066 struct user_struct *user;
1067
1068 if (capable(CAP_IPC_LOCK) || !size)
1069 return 0;
1070
1071 num_pg = (size >> PAGE_SHIFT) + 2; /* worst case */
1072 max_pg = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
1073 user = mmp->user ? : current_user();
1074
1075 do {
1076 old_pg = atomic_long_read(&user->locked_vm);
1077 new_pg = old_pg + num_pg;
1078 if (new_pg > max_pg)
1079 return -ENOBUFS;
1080 } while (atomic_long_cmpxchg(&user->locked_vm, old_pg, new_pg) !=
1081 old_pg);
1082
1083 if (!mmp->user) {
1084 mmp->user = get_uid(user);
1085 mmp->num_pg = num_pg;
1086 } else {
1087 mmp->num_pg += num_pg;
1088 }
1089
1090 return 0;
1091 }
1092 EXPORT_SYMBOL_GPL(mm_account_pinned_pages);
1093
mm_unaccount_pinned_pages(struct mmpin * mmp)1094 void mm_unaccount_pinned_pages(struct mmpin *mmp)
1095 {
1096 if (mmp->user) {
1097 atomic_long_sub(mmp->num_pg, &mmp->user->locked_vm);
1098 free_uid(mmp->user);
1099 }
1100 }
1101 EXPORT_SYMBOL_GPL(mm_unaccount_pinned_pages);
1102
sock_zerocopy_alloc(struct sock * sk,size_t size)1103 struct ubuf_info *sock_zerocopy_alloc(struct sock *sk, size_t size)
1104 {
1105 struct ubuf_info *uarg;
1106 struct sk_buff *skb;
1107
1108 WARN_ON_ONCE(!in_task());
1109
1110 skb = sock_omalloc(sk, 0, GFP_KERNEL);
1111 if (!skb)
1112 return NULL;
1113
1114 BUILD_BUG_ON(sizeof(*uarg) > sizeof(skb->cb));
1115 uarg = (void *)skb->cb;
1116 uarg->mmp.user = NULL;
1117
1118 if (mm_account_pinned_pages(&uarg->mmp, size)) {
1119 kfree_skb(skb);
1120 return NULL;
1121 }
1122
1123 uarg->callback = sock_zerocopy_callback;
1124 uarg->id = ((u32)atomic_inc_return(&sk->sk_zckey)) - 1;
1125 uarg->len = 1;
1126 uarg->bytelen = size;
1127 uarg->zerocopy = 1;
1128 refcount_set(&uarg->refcnt, 1);
1129 sock_hold(sk);
1130
1131 return uarg;
1132 }
1133 EXPORT_SYMBOL_GPL(sock_zerocopy_alloc);
1134
skb_from_uarg(struct ubuf_info * uarg)1135 static inline struct sk_buff *skb_from_uarg(struct ubuf_info *uarg)
1136 {
1137 return container_of((void *)uarg, struct sk_buff, cb);
1138 }
1139
sock_zerocopy_realloc(struct sock * sk,size_t size,struct ubuf_info * uarg)1140 struct ubuf_info *sock_zerocopy_realloc(struct sock *sk, size_t size,
1141 struct ubuf_info *uarg)
1142 {
1143 if (uarg) {
1144 const u32 byte_limit = 1 << 19; /* limit to a few TSO */
1145 u32 bytelen, next;
1146
1147 /* realloc only when socket is locked (TCP, UDP cork),
1148 * so uarg->len and sk_zckey access is serialized
1149 */
1150 if (!sock_owned_by_user(sk)) {
1151 WARN_ON_ONCE(1);
1152 return NULL;
1153 }
1154
1155 bytelen = uarg->bytelen + size;
1156 if (uarg->len == USHRT_MAX - 1 || bytelen > byte_limit) {
1157 /* TCP can create new skb to attach new uarg */
1158 if (sk->sk_type == SOCK_STREAM)
1159 goto new_alloc;
1160 return NULL;
1161 }
1162
1163 next = (u32)atomic_read(&sk->sk_zckey);
1164 if ((u32)(uarg->id + uarg->len) == next) {
1165 if (mm_account_pinned_pages(&uarg->mmp, size))
1166 return NULL;
1167 uarg->len++;
1168 uarg->bytelen = bytelen;
1169 atomic_set(&sk->sk_zckey, ++next);
1170
1171 /* no extra ref when appending to datagram (MSG_MORE) */
1172 if (sk->sk_type == SOCK_STREAM)
1173 sock_zerocopy_get(uarg);
1174
1175 return uarg;
1176 }
1177 }
1178
1179 new_alloc:
1180 return sock_zerocopy_alloc(sk, size);
1181 }
1182 EXPORT_SYMBOL_GPL(sock_zerocopy_realloc);
1183
skb_zerocopy_notify_extend(struct sk_buff * skb,u32 lo,u16 len)1184 static bool skb_zerocopy_notify_extend(struct sk_buff *skb, u32 lo, u16 len)
1185 {
1186 struct sock_exterr_skb *serr = SKB_EXT_ERR(skb);
1187 u32 old_lo, old_hi;
1188 u64 sum_len;
1189
1190 old_lo = serr->ee.ee_info;
1191 old_hi = serr->ee.ee_data;
1192 sum_len = old_hi - old_lo + 1ULL + len;
1193
1194 if (sum_len >= (1ULL << 32))
1195 return false;
1196
1197 if (lo != old_hi + 1)
1198 return false;
1199
1200 serr->ee.ee_data += len;
1201 return true;
1202 }
1203
sock_zerocopy_callback(struct ubuf_info * uarg,bool success)1204 void sock_zerocopy_callback(struct ubuf_info *uarg, bool success)
1205 {
1206 struct sk_buff *tail, *skb = skb_from_uarg(uarg);
1207 struct sock_exterr_skb *serr;
1208 struct sock *sk = skb->sk;
1209 struct sk_buff_head *q;
1210 unsigned long flags;
1211 u32 lo, hi;
1212 u16 len;
1213
1214 mm_unaccount_pinned_pages(&uarg->mmp);
1215
1216 /* if !len, there was only 1 call, and it was aborted
1217 * so do not queue a completion notification
1218 */
1219 if (!uarg->len || sock_flag(sk, SOCK_DEAD))
1220 goto release;
1221
1222 len = uarg->len;
1223 lo = uarg->id;
1224 hi = uarg->id + len - 1;
1225
1226 serr = SKB_EXT_ERR(skb);
1227 memset(serr, 0, sizeof(*serr));
1228 serr->ee.ee_errno = 0;
1229 serr->ee.ee_origin = SO_EE_ORIGIN_ZEROCOPY;
1230 serr->ee.ee_data = hi;
1231 serr->ee.ee_info = lo;
1232 if (!success)
1233 serr->ee.ee_code |= SO_EE_CODE_ZEROCOPY_COPIED;
1234
1235 q = &sk->sk_error_queue;
1236 spin_lock_irqsave(&q->lock, flags);
1237 tail = skb_peek_tail(q);
1238 if (!tail || SKB_EXT_ERR(tail)->ee.ee_origin != SO_EE_ORIGIN_ZEROCOPY ||
1239 !skb_zerocopy_notify_extend(tail, lo, len)) {
1240 __skb_queue_tail(q, skb);
1241 skb = NULL;
1242 }
1243 spin_unlock_irqrestore(&q->lock, flags);
1244
1245 sk->sk_error_report(sk);
1246
1247 release:
1248 consume_skb(skb);
1249 sock_put(sk);
1250 }
1251 EXPORT_SYMBOL_GPL(sock_zerocopy_callback);
1252
sock_zerocopy_put(struct ubuf_info * uarg)1253 void sock_zerocopy_put(struct ubuf_info *uarg)
1254 {
1255 if (uarg && refcount_dec_and_test(&uarg->refcnt)) {
1256 if (uarg->callback)
1257 uarg->callback(uarg, uarg->zerocopy);
1258 else
1259 consume_skb(skb_from_uarg(uarg));
1260 }
1261 }
1262 EXPORT_SYMBOL_GPL(sock_zerocopy_put);
1263
sock_zerocopy_put_abort(struct ubuf_info * uarg,bool have_uref)1264 void sock_zerocopy_put_abort(struct ubuf_info *uarg, bool have_uref)
1265 {
1266 if (uarg) {
1267 struct sock *sk = skb_from_uarg(uarg)->sk;
1268
1269 atomic_dec(&sk->sk_zckey);
1270 uarg->len--;
1271
1272 if (have_uref)
1273 sock_zerocopy_put(uarg);
1274 }
1275 }
1276 EXPORT_SYMBOL_GPL(sock_zerocopy_put_abort);
1277
skb_zerocopy_iter_dgram(struct sk_buff * skb,struct msghdr * msg,int len)1278 int skb_zerocopy_iter_dgram(struct sk_buff *skb, struct msghdr *msg, int len)
1279 {
1280 return __zerocopy_sg_from_iter(skb->sk, skb, &msg->msg_iter, len);
1281 }
1282 EXPORT_SYMBOL_GPL(skb_zerocopy_iter_dgram);
1283
skb_zerocopy_iter_stream(struct sock * sk,struct sk_buff * skb,struct msghdr * msg,int len,struct ubuf_info * uarg)1284 int skb_zerocopy_iter_stream(struct sock *sk, struct sk_buff *skb,
1285 struct msghdr *msg, int len,
1286 struct ubuf_info *uarg)
1287 {
1288 struct ubuf_info *orig_uarg = skb_zcopy(skb);
1289 struct iov_iter orig_iter = msg->msg_iter;
1290 int err, orig_len = skb->len;
1291
1292 /* An skb can only point to one uarg. This edge case happens when
1293 * TCP appends to an skb, but zerocopy_realloc triggered a new alloc.
1294 */
1295 if (orig_uarg && uarg != orig_uarg)
1296 return -EEXIST;
1297
1298 err = __zerocopy_sg_from_iter(sk, skb, &msg->msg_iter, len);
1299 if (err == -EFAULT || (err == -EMSGSIZE && skb->len == orig_len)) {
1300 struct sock *save_sk = skb->sk;
1301
1302 /* Streams do not free skb on error. Reset to prev state. */
1303 msg->msg_iter = orig_iter;
1304 skb->sk = sk;
1305 ___pskb_trim(skb, orig_len);
1306 skb->sk = save_sk;
1307 return err;
1308 }
1309
1310 skb_zcopy_set(skb, uarg, NULL);
1311 return skb->len - orig_len;
1312 }
1313 EXPORT_SYMBOL_GPL(skb_zerocopy_iter_stream);
1314
skb_zerocopy_clone(struct sk_buff * nskb,struct sk_buff * orig,gfp_t gfp_mask)1315 static int skb_zerocopy_clone(struct sk_buff *nskb, struct sk_buff *orig,
1316 gfp_t gfp_mask)
1317 {
1318 if (skb_zcopy(orig)) {
1319 if (skb_zcopy(nskb)) {
1320 /* !gfp_mask callers are verified to !skb_zcopy(nskb) */
1321 if (!gfp_mask) {
1322 WARN_ON_ONCE(1);
1323 return -ENOMEM;
1324 }
1325 if (skb_uarg(nskb) == skb_uarg(orig))
1326 return 0;
1327 if (skb_copy_ubufs(nskb, GFP_ATOMIC))
1328 return -EIO;
1329 }
1330 skb_zcopy_set(nskb, skb_uarg(orig), NULL);
1331 }
1332 return 0;
1333 }
1334
1335 /**
1336 * skb_copy_ubufs - copy userspace skb frags buffers to kernel
1337 * @skb: the skb to modify
1338 * @gfp_mask: allocation priority
1339 *
1340 * This must be called on SKBTX_DEV_ZEROCOPY skb.
1341 * It will copy all frags into kernel and drop the reference
1342 * to userspace pages.
1343 *
1344 * If this function is called from an interrupt gfp_mask() must be
1345 * %GFP_ATOMIC.
1346 *
1347 * Returns 0 on success or a negative error code on failure
1348 * to allocate kernel memory to copy to.
1349 */
skb_copy_ubufs(struct sk_buff * skb,gfp_t gfp_mask)1350 int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask)
1351 {
1352 int num_frags = skb_shinfo(skb)->nr_frags;
1353 struct page *page, *head = NULL;
1354 int i, new_frags;
1355 u32 d_off;
1356
1357 if (skb_shared(skb) || skb_unclone(skb, gfp_mask))
1358 return -EINVAL;
1359
1360 if (!num_frags)
1361 goto release;
1362
1363 new_frags = (__skb_pagelen(skb) + PAGE_SIZE - 1) >> PAGE_SHIFT;
1364 for (i = 0; i < new_frags; i++) {
1365 page = alloc_page(gfp_mask);
1366 if (!page) {
1367 while (head) {
1368 struct page *next = (struct page *)page_private(head);
1369 put_page(head);
1370 head = next;
1371 }
1372 return -ENOMEM;
1373 }
1374 set_page_private(page, (unsigned long)head);
1375 head = page;
1376 }
1377
1378 page = head;
1379 d_off = 0;
1380 for (i = 0; i < num_frags; i++) {
1381 skb_frag_t *f = &skb_shinfo(skb)->frags[i];
1382 u32 p_off, p_len, copied;
1383 struct page *p;
1384 u8 *vaddr;
1385
1386 skb_frag_foreach_page(f, skb_frag_off(f), skb_frag_size(f),
1387 p, p_off, p_len, copied) {
1388 u32 copy, done = 0;
1389 vaddr = kmap_atomic(p);
1390
1391 while (done < p_len) {
1392 if (d_off == PAGE_SIZE) {
1393 d_off = 0;
1394 page = (struct page *)page_private(page);
1395 }
1396 copy = min_t(u32, PAGE_SIZE - d_off, p_len - done);
1397 memcpy(page_address(page) + d_off,
1398 vaddr + p_off + done, copy);
1399 done += copy;
1400 d_off += copy;
1401 }
1402 kunmap_atomic(vaddr);
1403 }
1404 }
1405
1406 /* skb frags release userspace buffers */
1407 for (i = 0; i < num_frags; i++)
1408 skb_frag_unref(skb, i);
1409
1410 /* skb frags point to kernel buffers */
1411 for (i = 0; i < new_frags - 1; i++) {
1412 __skb_fill_page_desc(skb, i, head, 0, PAGE_SIZE);
1413 head = (struct page *)page_private(head);
1414 }
1415 __skb_fill_page_desc(skb, new_frags - 1, head, 0, d_off);
1416 skb_shinfo(skb)->nr_frags = new_frags;
1417
1418 release:
1419 skb_zcopy_clear(skb, false);
1420 return 0;
1421 }
1422 EXPORT_SYMBOL_GPL(skb_copy_ubufs);
1423
1424 /**
1425 * skb_clone - duplicate an sk_buff
1426 * @skb: buffer to clone
1427 * @gfp_mask: allocation priority
1428 *
1429 * Duplicate an &sk_buff. The new one is not owned by a socket. Both
1430 * copies share the same packet data but not structure. The new
1431 * buffer has a reference count of 1. If the allocation fails the
1432 * function returns %NULL otherwise the new buffer is returned.
1433 *
1434 * If this function is called from an interrupt gfp_mask() must be
1435 * %GFP_ATOMIC.
1436 */
1437
skb_clone(struct sk_buff * skb,gfp_t gfp_mask)1438 struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask)
1439 {
1440 struct sk_buff_fclones *fclones = container_of(skb,
1441 struct sk_buff_fclones,
1442 skb1);
1443 struct sk_buff *n;
1444
1445 if (skb_orphan_frags(skb, gfp_mask))
1446 return NULL;
1447
1448 if (skb->fclone == SKB_FCLONE_ORIG &&
1449 refcount_read(&fclones->fclone_ref) == 1) {
1450 n = &fclones->skb2;
1451 refcount_set(&fclones->fclone_ref, 2);
1452 } else {
1453 if (skb_pfmemalloc(skb))
1454 gfp_mask |= __GFP_MEMALLOC;
1455
1456 n = kmem_cache_alloc(skbuff_head_cache, gfp_mask);
1457 if (!n)
1458 return NULL;
1459
1460 n->fclone = SKB_FCLONE_UNAVAILABLE;
1461 }
1462
1463 return __skb_clone(n, skb);
1464 }
1465 EXPORT_SYMBOL(skb_clone);
1466
skb_headers_offset_update(struct sk_buff * skb,int off)1467 void skb_headers_offset_update(struct sk_buff *skb, int off)
1468 {
1469 /* Only adjust this if it actually is csum_start rather than csum */
1470 if (skb->ip_summed == CHECKSUM_PARTIAL)
1471 skb->csum_start += off;
1472 /* {transport,network,mac}_header and tail are relative to skb->head */
1473 skb->transport_header += off;
1474 skb->network_header += off;
1475 if (skb_mac_header_was_set(skb))
1476 skb->mac_header += off;
1477 skb->inner_transport_header += off;
1478 skb->inner_network_header += off;
1479 skb->inner_mac_header += off;
1480 }
1481 EXPORT_SYMBOL(skb_headers_offset_update);
1482
skb_copy_header(struct sk_buff * new,const struct sk_buff * old)1483 void skb_copy_header(struct sk_buff *new, const struct sk_buff *old)
1484 {
1485 __copy_skb_header(new, old);
1486
1487 skb_shinfo(new)->gso_size = skb_shinfo(old)->gso_size;
1488 skb_shinfo(new)->gso_segs = skb_shinfo(old)->gso_segs;
1489 skb_shinfo(new)->gso_type = skb_shinfo(old)->gso_type;
1490 }
1491 EXPORT_SYMBOL(skb_copy_header);
1492
skb_alloc_rx_flag(const struct sk_buff * skb)1493 static inline int skb_alloc_rx_flag(const struct sk_buff *skb)
1494 {
1495 if (skb_pfmemalloc(skb))
1496 return SKB_ALLOC_RX;
1497 return 0;
1498 }
1499
1500 /**
1501 * skb_copy - create private copy of an sk_buff
1502 * @skb: buffer to copy
1503 * @gfp_mask: allocation priority
1504 *
1505 * Make a copy of both an &sk_buff and its data. This is used when the
1506 * caller wishes to modify the data and needs a private copy of the
1507 * data to alter. Returns %NULL on failure or the pointer to the buffer
1508 * on success. The returned buffer has a reference count of 1.
1509 *
1510 * As by-product this function converts non-linear &sk_buff to linear
1511 * one, so that &sk_buff becomes completely private and caller is allowed
1512 * to modify all the data of returned buffer. This means that this
1513 * function is not recommended for use in circumstances when only
1514 * header is going to be modified. Use pskb_copy() instead.
1515 */
1516
skb_copy(const struct sk_buff * skb,gfp_t gfp_mask)1517 struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t gfp_mask)
1518 {
1519 struct sk_buff *n;
1520 unsigned int size;
1521 int headerlen;
1522
1523 if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
1524 return NULL;
1525
1526 headerlen = skb_headroom(skb);
1527 size = skb_end_offset(skb) + skb->data_len;
1528 n = __alloc_skb(size, gfp_mask,
1529 skb_alloc_rx_flag(skb), NUMA_NO_NODE);
1530 if (!n)
1531 return NULL;
1532
1533 /* Set the data pointer */
1534 skb_reserve(n, headerlen);
1535 /* Set the tail pointer and length */
1536 skb_put(n, skb->len);
1537
1538 BUG_ON(skb_copy_bits(skb, -headerlen, n->head, headerlen + skb->len));
1539
1540 skb_copy_header(n, skb);
1541 return n;
1542 }
1543 EXPORT_SYMBOL(skb_copy);
1544
1545 /**
1546 * __pskb_copy_fclone - create copy of an sk_buff with private head.
1547 * @skb: buffer to copy
1548 * @headroom: headroom of new skb
1549 * @gfp_mask: allocation priority
1550 * @fclone: if true allocate the copy of the skb from the fclone
1551 * cache instead of the head cache; it is recommended to set this
1552 * to true for the cases where the copy will likely be cloned
1553 *
1554 * Make a copy of both an &sk_buff and part of its data, located
1555 * in header. Fragmented data remain shared. This is used when
1556 * the caller wishes to modify only header of &sk_buff and needs
1557 * private copy of the header to alter. Returns %NULL on failure
1558 * or the pointer to the buffer on success.
1559 * The returned buffer has a reference count of 1.
1560 */
1561
__pskb_copy_fclone(struct sk_buff * skb,int headroom,gfp_t gfp_mask,bool fclone)1562 struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom,
1563 gfp_t gfp_mask, bool fclone)
1564 {
1565 unsigned int size = skb_headlen(skb) + headroom;
1566 int flags = skb_alloc_rx_flag(skb) | (fclone ? SKB_ALLOC_FCLONE : 0);
1567 struct sk_buff *n = __alloc_skb(size, gfp_mask, flags, NUMA_NO_NODE);
1568
1569 if (!n)
1570 goto out;
1571
1572 /* Set the data pointer */
1573 skb_reserve(n, headroom);
1574 /* Set the tail pointer and length */
1575 skb_put(n, skb_headlen(skb));
1576 /* Copy the bytes */
1577 skb_copy_from_linear_data(skb, n->data, n->len);
1578
1579 n->truesize += skb->data_len;
1580 n->data_len = skb->data_len;
1581 n->len = skb->len;
1582
1583 if (skb_shinfo(skb)->nr_frags) {
1584 int i;
1585
1586 if (skb_orphan_frags(skb, gfp_mask) ||
1587 skb_zerocopy_clone(n, skb, gfp_mask)) {
1588 kfree_skb(n);
1589 n = NULL;
1590 goto out;
1591 }
1592 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
1593 skb_shinfo(n)->frags[i] = skb_shinfo(skb)->frags[i];
1594 skb_frag_ref(skb, i);
1595 }
1596 skb_shinfo(n)->nr_frags = i;
1597 }
1598
1599 if (skb_has_frag_list(skb)) {
1600 skb_shinfo(n)->frag_list = skb_shinfo(skb)->frag_list;
1601 skb_clone_fraglist(n);
1602 }
1603
1604 skb_copy_header(n, skb);
1605 out:
1606 return n;
1607 }
1608 EXPORT_SYMBOL(__pskb_copy_fclone);
1609
1610 /**
1611 * pskb_expand_head - reallocate header of &sk_buff
1612 * @skb: buffer to reallocate
1613 * @nhead: room to add at head
1614 * @ntail: room to add at tail
1615 * @gfp_mask: allocation priority
1616 *
1617 * Expands (or creates identical copy, if @nhead and @ntail are zero)
1618 * header of @skb. &sk_buff itself is not changed. &sk_buff MUST have
1619 * reference count of 1. Returns zero in the case of success or error,
1620 * if expansion failed. In the last case, &sk_buff is not changed.
1621 *
1622 * All the pointers pointing into skb header may change and must be
1623 * reloaded after call to this function.
1624 */
1625
pskb_expand_head(struct sk_buff * skb,int nhead,int ntail,gfp_t gfp_mask)1626 int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
1627 gfp_t gfp_mask)
1628 {
1629 int i, osize = skb_end_offset(skb);
1630 int size = osize + nhead + ntail;
1631 long off;
1632 u8 *data;
1633
1634 BUG_ON(nhead < 0);
1635
1636 BUG_ON(skb_shared(skb));
1637
1638 size = SKB_DATA_ALIGN(size);
1639
1640 if (skb_pfmemalloc(skb))
1641 gfp_mask |= __GFP_MEMALLOC;
1642 data = kmalloc_reserve(size + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)),
1643 gfp_mask, NUMA_NO_NODE, NULL);
1644 if (!data)
1645 goto nodata;
1646 size = SKB_WITH_OVERHEAD(ksize(data));
1647
1648 /* Copy only real data... and, alas, header. This should be
1649 * optimized for the cases when header is void.
1650 */
1651 memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
1652
1653 memcpy((struct skb_shared_info *)(data + size),
1654 skb_shinfo(skb),
1655 offsetof(struct skb_shared_info, frags[skb_shinfo(skb)->nr_frags]));
1656
1657 /*
1658 * if shinfo is shared we must drop the old head gracefully, but if it
1659 * is not we can just drop the old head and let the existing refcount
1660 * be since all we did is relocate the values
1661 */
1662 if (skb_cloned(skb)) {
1663 if (skb_orphan_frags(skb, gfp_mask))
1664 goto nofrags;
1665 if (skb_zcopy(skb))
1666 refcount_inc(&skb_uarg(skb)->refcnt);
1667 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
1668 skb_frag_ref(skb, i);
1669
1670 if (skb_has_frag_list(skb))
1671 skb_clone_fraglist(skb);
1672
1673 skb_release_data(skb);
1674 } else {
1675 skb_free_head(skb);
1676 }
1677 off = (data + nhead) - skb->head;
1678
1679 skb->head = data;
1680 skb->head_frag = 0;
1681 skb->data += off;
1682 #ifdef NET_SKBUFF_DATA_USES_OFFSET
1683 skb->end = size;
1684 off = nhead;
1685 #else
1686 skb->end = skb->head + size;
1687 #endif
1688 skb->tail += off;
1689 skb_headers_offset_update(skb, nhead);
1690 skb->cloned = 0;
1691 skb->hdr_len = 0;
1692 skb->nohdr = 0;
1693 atomic_set(&skb_shinfo(skb)->dataref, 1);
1694
1695 skb_metadata_clear(skb);
1696
1697 /* It is not generally safe to change skb->truesize.
1698 * For the moment, we really care of rx path, or
1699 * when skb is orphaned (not attached to a socket).
1700 */
1701 if (!skb->sk || skb->destructor == sock_edemux)
1702 skb->truesize += size - osize;
1703
1704 return 0;
1705
1706 nofrags:
1707 kfree(data);
1708 nodata:
1709 return -ENOMEM;
1710 }
1711 EXPORT_SYMBOL(pskb_expand_head);
1712
1713 /* Make private copy of skb with writable head and some headroom */
1714
skb_realloc_headroom(struct sk_buff * skb,unsigned int headroom)1715 struct sk_buff *skb_realloc_headroom(struct sk_buff *skb, unsigned int headroom)
1716 {
1717 struct sk_buff *skb2;
1718 int delta = headroom - skb_headroom(skb);
1719
1720 if (delta <= 0)
1721 skb2 = pskb_copy(skb, GFP_ATOMIC);
1722 else {
1723 skb2 = skb_clone(skb, GFP_ATOMIC);
1724 if (skb2 && pskb_expand_head(skb2, SKB_DATA_ALIGN(delta), 0,
1725 GFP_ATOMIC)) {
1726 kfree_skb(skb2);
1727 skb2 = NULL;
1728 }
1729 }
1730 return skb2;
1731 }
1732 EXPORT_SYMBOL(skb_realloc_headroom);
1733
1734 /**
1735 * skb_copy_expand - copy and expand sk_buff
1736 * @skb: buffer to copy
1737 * @newheadroom: new free bytes at head
1738 * @newtailroom: new free bytes at tail
1739 * @gfp_mask: allocation priority
1740 *
1741 * Make a copy of both an &sk_buff and its data and while doing so
1742 * allocate additional space.
1743 *
1744 * This is used when the caller wishes to modify the data and needs a
1745 * private copy of the data to alter as well as more space for new fields.
1746 * Returns %NULL on failure or the pointer to the buffer
1747 * on success. The returned buffer has a reference count of 1.
1748 *
1749 * You must pass %GFP_ATOMIC as the allocation priority if this function
1750 * is called from an interrupt.
1751 */
skb_copy_expand(const struct sk_buff * skb,int newheadroom,int newtailroom,gfp_t gfp_mask)1752 struct sk_buff *skb_copy_expand(const struct sk_buff *skb,
1753 int newheadroom, int newtailroom,
1754 gfp_t gfp_mask)
1755 {
1756 /*
1757 * Allocate the copy buffer
1758 */
1759 int head_copy_len, head_copy_off;
1760 struct sk_buff *n;
1761 int oldheadroom;
1762
1763 if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
1764 return NULL;
1765
1766 oldheadroom = skb_headroom(skb);
1767 n = __alloc_skb(newheadroom + skb->len + newtailroom,
1768 gfp_mask, skb_alloc_rx_flag(skb),
1769 NUMA_NO_NODE);
1770 if (!n)
1771 return NULL;
1772
1773 skb_reserve(n, newheadroom);
1774
1775 /* Set the tail pointer and length */
1776 skb_put(n, skb->len);
1777
1778 head_copy_len = oldheadroom;
1779 head_copy_off = 0;
1780 if (newheadroom <= head_copy_len)
1781 head_copy_len = newheadroom;
1782 else
1783 head_copy_off = newheadroom - head_copy_len;
1784
1785 /* Copy the linear header and data. */
1786 BUG_ON(skb_copy_bits(skb, -head_copy_len, n->head + head_copy_off,
1787 skb->len + head_copy_len));
1788
1789 skb_copy_header(n, skb);
1790
1791 skb_headers_offset_update(n, newheadroom - oldheadroom);
1792
1793 return n;
1794 }
1795 EXPORT_SYMBOL(skb_copy_expand);
1796
1797 /**
1798 * __skb_pad - zero pad the tail of an skb
1799 * @skb: buffer to pad
1800 * @pad: space to pad
1801 * @free_on_error: free buffer on error
1802 *
1803 * Ensure that a buffer is followed by a padding area that is zero
1804 * filled. Used by network drivers which may DMA or transfer data
1805 * beyond the buffer end onto the wire.
1806 *
1807 * May return error in out of memory cases. The skb is freed on error
1808 * if @free_on_error is true.
1809 */
1810
__skb_pad(struct sk_buff * skb,int pad,bool free_on_error)1811 int __skb_pad(struct sk_buff *skb, int pad, bool free_on_error)
1812 {
1813 int err;
1814 int ntail;
1815
1816 /* If the skbuff is non linear tailroom is always zero.. */
1817 if (!skb_cloned(skb) && skb_tailroom(skb) >= pad) {
1818 memset(skb->data+skb->len, 0, pad);
1819 return 0;
1820 }
1821
1822 ntail = skb->data_len + pad - (skb->end - skb->tail);
1823 if (likely(skb_cloned(skb) || ntail > 0)) {
1824 err = pskb_expand_head(skb, 0, ntail, GFP_ATOMIC);
1825 if (unlikely(err))
1826 goto free_skb;
1827 }
1828
1829 /* FIXME: The use of this function with non-linear skb's really needs
1830 * to be audited.
1831 */
1832 err = skb_linearize(skb);
1833 if (unlikely(err))
1834 goto free_skb;
1835
1836 memset(skb->data + skb->len, 0, pad);
1837 return 0;
1838
1839 free_skb:
1840 if (free_on_error)
1841 kfree_skb(skb);
1842 return err;
1843 }
1844 EXPORT_SYMBOL(__skb_pad);
1845
1846 /**
1847 * pskb_put - add data to the tail of a potentially fragmented buffer
1848 * @skb: start of the buffer to use
1849 * @tail: tail fragment of the buffer to use
1850 * @len: amount of data to add
1851 *
1852 * This function extends the used data area of the potentially
1853 * fragmented buffer. @tail must be the last fragment of @skb -- or
1854 * @skb itself. If this would exceed the total buffer size the kernel
1855 * will panic. A pointer to the first byte of the extra data is
1856 * returned.
1857 */
1858
pskb_put(struct sk_buff * skb,struct sk_buff * tail,int len)1859 void *pskb_put(struct sk_buff *skb, struct sk_buff *tail, int len)
1860 {
1861 if (tail != skb) {
1862 skb->data_len += len;
1863 skb->len += len;
1864 }
1865 return skb_put(tail, len);
1866 }
1867 EXPORT_SYMBOL_GPL(pskb_put);
1868
1869 /**
1870 * skb_put - add data to a buffer
1871 * @skb: buffer to use
1872 * @len: amount of data to add
1873 *
1874 * This function extends the used data area of the buffer. If this would
1875 * exceed the total buffer size the kernel will panic. A pointer to the
1876 * first byte of the extra data is returned.
1877 */
skb_put(struct sk_buff * skb,unsigned int len)1878 void *skb_put(struct sk_buff *skb, unsigned int len)
1879 {
1880 void *tmp = skb_tail_pointer(skb);
1881 SKB_LINEAR_ASSERT(skb);
1882 skb->tail += len;
1883 skb->len += len;
1884 if (unlikely(skb->tail > skb->end))
1885 skb_over_panic(skb, len, __builtin_return_address(0));
1886 return tmp;
1887 }
1888 EXPORT_SYMBOL(skb_put);
1889
1890 /**
1891 * skb_push - add data to the start of a buffer
1892 * @skb: buffer to use
1893 * @len: amount of data to add
1894 *
1895 * This function extends the used data area of the buffer at the buffer
1896 * start. If this would exceed the total buffer headroom the kernel will
1897 * panic. A pointer to the first byte of the extra data is returned.
1898 */
skb_push(struct sk_buff * skb,unsigned int len)1899 void *skb_push(struct sk_buff *skb, unsigned int len)
1900 {
1901 skb->data -= len;
1902 skb->len += len;
1903 if (unlikely(skb->data < skb->head))
1904 skb_under_panic(skb, len, __builtin_return_address(0));
1905 return skb->data;
1906 }
1907 EXPORT_SYMBOL(skb_push);
1908
1909 /**
1910 * skb_pull - remove data from the start of a buffer
1911 * @skb: buffer to use
1912 * @len: amount of data to remove
1913 *
1914 * This function removes data from the start of a buffer, returning
1915 * the memory to the headroom. A pointer to the next data in the buffer
1916 * is returned. Once the data has been pulled future pushes will overwrite
1917 * the old data.
1918 */
skb_pull(struct sk_buff * skb,unsigned int len)1919 void *skb_pull(struct sk_buff *skb, unsigned int len)
1920 {
1921 return skb_pull_inline(skb, len);
1922 }
1923 EXPORT_SYMBOL(skb_pull);
1924
1925 /**
1926 * skb_pull_data - remove data from the start of a buffer returning its
1927 * original position.
1928 * @skb: buffer to use
1929 * @len: amount of data to remove
1930 *
1931 * This function removes data from the start of a buffer, returning
1932 * the memory to the headroom. A pointer to the original data in the buffer
1933 * is returned after checking if there is enough data to pull. Once the
1934 * data has been pulled future pushes will overwrite the old data.
1935 */
skb_pull_data(struct sk_buff * skb,size_t len)1936 void *skb_pull_data(struct sk_buff *skb, size_t len)
1937 {
1938 void *data = skb->data;
1939
1940 if (skb->len < len)
1941 return NULL;
1942
1943 skb_pull(skb, len);
1944
1945 return data;
1946 }
1947 EXPORT_SYMBOL(skb_pull_data);
1948
1949 /**
1950 * skb_trim - remove end from a buffer
1951 * @skb: buffer to alter
1952 * @len: new length
1953 *
1954 * Cut the length of a buffer down by removing data from the tail. If
1955 * the buffer is already under the length specified it is not modified.
1956 * The skb must be linear.
1957 */
skb_trim(struct sk_buff * skb,unsigned int len)1958 void skb_trim(struct sk_buff *skb, unsigned int len)
1959 {
1960 if (skb->len > len)
1961 __skb_trim(skb, len);
1962 }
1963 EXPORT_SYMBOL(skb_trim);
1964
1965 /* Trims skb to length len. It can change skb pointers.
1966 */
1967
___pskb_trim(struct sk_buff * skb,unsigned int len)1968 int ___pskb_trim(struct sk_buff *skb, unsigned int len)
1969 {
1970 struct sk_buff **fragp;
1971 struct sk_buff *frag;
1972 int offset = skb_headlen(skb);
1973 int nfrags = skb_shinfo(skb)->nr_frags;
1974 int i;
1975 int err;
1976
1977 if (skb_cloned(skb) &&
1978 unlikely((err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC))))
1979 return err;
1980
1981 i = 0;
1982 if (offset >= len)
1983 goto drop_pages;
1984
1985 for (; i < nfrags; i++) {
1986 int end = offset + skb_frag_size(&skb_shinfo(skb)->frags[i]);
1987
1988 if (end < len) {
1989 offset = end;
1990 continue;
1991 }
1992
1993 skb_frag_size_set(&skb_shinfo(skb)->frags[i++], len - offset);
1994
1995 drop_pages:
1996 skb_shinfo(skb)->nr_frags = i;
1997
1998 for (; i < nfrags; i++)
1999 skb_frag_unref(skb, i);
2000
2001 if (skb_has_frag_list(skb))
2002 skb_drop_fraglist(skb);
2003 goto done;
2004 }
2005
2006 for (fragp = &skb_shinfo(skb)->frag_list; (frag = *fragp);
2007 fragp = &frag->next) {
2008 int end = offset + frag->len;
2009
2010 if (skb_shared(frag)) {
2011 struct sk_buff *nfrag;
2012
2013 nfrag = skb_clone(frag, GFP_ATOMIC);
2014 if (unlikely(!nfrag))
2015 return -ENOMEM;
2016
2017 nfrag->next = frag->next;
2018 consume_skb(frag);
2019 frag = nfrag;
2020 *fragp = frag;
2021 }
2022
2023 if (end < len) {
2024 offset = end;
2025 continue;
2026 }
2027
2028 if (end > len &&
2029 unlikely((err = pskb_trim(frag, len - offset))))
2030 return err;
2031
2032 if (frag->next)
2033 skb_drop_list(&frag->next);
2034 break;
2035 }
2036
2037 done:
2038 if (len > skb_headlen(skb)) {
2039 skb->data_len -= skb->len - len;
2040 skb->len = len;
2041 } else {
2042 skb->len = len;
2043 skb->data_len = 0;
2044 skb_set_tail_pointer(skb, len);
2045 }
2046
2047 if (!skb->sk || skb->destructor == sock_edemux)
2048 skb_condense(skb);
2049 return 0;
2050 }
2051 EXPORT_SYMBOL(___pskb_trim);
2052
2053 /* Note : use pskb_trim_rcsum() instead of calling this directly
2054 */
pskb_trim_rcsum_slow(struct sk_buff * skb,unsigned int len)2055 int pskb_trim_rcsum_slow(struct sk_buff *skb, unsigned int len)
2056 {
2057 if (skb->ip_summed == CHECKSUM_COMPLETE) {
2058 int delta = skb->len - len;
2059
2060 skb->csum = csum_block_sub(skb->csum,
2061 skb_checksum(skb, len, delta, 0),
2062 len);
2063 } else if (skb->ip_summed == CHECKSUM_PARTIAL) {
2064 int hdlen = (len > skb_headlen(skb)) ? skb_headlen(skb) : len;
2065 int offset = skb_checksum_start_offset(skb) + skb->csum_offset;
2066
2067 if (offset + sizeof(__sum16) > hdlen)
2068 return -EINVAL;
2069 }
2070 return __pskb_trim(skb, len);
2071 }
2072 EXPORT_SYMBOL(pskb_trim_rcsum_slow);
2073
2074 /**
2075 * __pskb_pull_tail - advance tail of skb header
2076 * @skb: buffer to reallocate
2077 * @delta: number of bytes to advance tail
2078 *
2079 * The function makes a sense only on a fragmented &sk_buff,
2080 * it expands header moving its tail forward and copying necessary
2081 * data from fragmented part.
2082 *
2083 * &sk_buff MUST have reference count of 1.
2084 *
2085 * Returns %NULL (and &sk_buff does not change) if pull failed
2086 * or value of new tail of skb in the case of success.
2087 *
2088 * All the pointers pointing into skb header may change and must be
2089 * reloaded after call to this function.
2090 */
2091
2092 /* Moves tail of skb head forward, copying data from fragmented part,
2093 * when it is necessary.
2094 * 1. It may fail due to malloc failure.
2095 * 2. It may change skb pointers.
2096 *
2097 * It is pretty complicated. Luckily, it is called only in exceptional cases.
2098 */
__pskb_pull_tail(struct sk_buff * skb,int delta)2099 void *__pskb_pull_tail(struct sk_buff *skb, int delta)
2100 {
2101 /* If skb has not enough free space at tail, get new one
2102 * plus 128 bytes for future expansions. If we have enough
2103 * room at tail, reallocate without expansion only if skb is cloned.
2104 */
2105 int i, k, eat = (skb->tail + delta) - skb->end;
2106
2107 if (eat > 0 || skb_cloned(skb)) {
2108 if (pskb_expand_head(skb, 0, eat > 0 ? eat + 128 : 0,
2109 GFP_ATOMIC))
2110 return NULL;
2111 }
2112
2113 BUG_ON(skb_copy_bits(skb, skb_headlen(skb),
2114 skb_tail_pointer(skb), delta));
2115
2116 /* Optimization: no fragments, no reasons to preestimate
2117 * size of pulled pages. Superb.
2118 */
2119 if (!skb_has_frag_list(skb))
2120 goto pull_pages;
2121
2122 /* Estimate size of pulled pages. */
2123 eat = delta;
2124 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
2125 int size = skb_frag_size(&skb_shinfo(skb)->frags[i]);
2126
2127 if (size >= eat)
2128 goto pull_pages;
2129 eat -= size;
2130 }
2131
2132 /* If we need update frag list, we are in troubles.
2133 * Certainly, it is possible to add an offset to skb data,
2134 * but taking into account that pulling is expected to
2135 * be very rare operation, it is worth to fight against
2136 * further bloating skb head and crucify ourselves here instead.
2137 * Pure masohism, indeed. 8)8)
2138 */
2139 if (eat) {
2140 struct sk_buff *list = skb_shinfo(skb)->frag_list;
2141 struct sk_buff *clone = NULL;
2142 struct sk_buff *insp = NULL;
2143
2144 do {
2145 if (list->len <= eat) {
2146 /* Eaten as whole. */
2147 eat -= list->len;
2148 list = list->next;
2149 insp = list;
2150 } else {
2151 /* Eaten partially. */
2152 if (skb_is_gso(skb) && !list->head_frag &&
2153 skb_headlen(list))
2154 skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
2155
2156 if (skb_shared(list)) {
2157 /* Sucks! We need to fork list. :-( */
2158 clone = skb_clone(list, GFP_ATOMIC);
2159 if (!clone)
2160 return NULL;
2161 insp = list->next;
2162 list = clone;
2163 } else {
2164 /* This may be pulled without
2165 * problems. */
2166 insp = list;
2167 }
2168 if (!pskb_pull(list, eat)) {
2169 kfree_skb(clone);
2170 return NULL;
2171 }
2172 break;
2173 }
2174 } while (eat);
2175
2176 /* Free pulled out fragments. */
2177 while ((list = skb_shinfo(skb)->frag_list) != insp) {
2178 skb_shinfo(skb)->frag_list = list->next;
2179 consume_skb(list);
2180 }
2181 /* And insert new clone at head. */
2182 if (clone) {
2183 clone->next = list;
2184 skb_shinfo(skb)->frag_list = clone;
2185 }
2186 }
2187 /* Success! Now we may commit changes to skb data. */
2188
2189 pull_pages:
2190 eat = delta;
2191 k = 0;
2192 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
2193 int size = skb_frag_size(&skb_shinfo(skb)->frags[i]);
2194
2195 if (size <= eat) {
2196 skb_frag_unref(skb, i);
2197 eat -= size;
2198 } else {
2199 skb_frag_t *frag = &skb_shinfo(skb)->frags[k];
2200
2201 *frag = skb_shinfo(skb)->frags[i];
2202 if (eat) {
2203 skb_frag_off_add(frag, eat);
2204 skb_frag_size_sub(frag, eat);
2205 if (!i)
2206 goto end;
2207 eat = 0;
2208 }
2209 k++;
2210 }
2211 }
2212 skb_shinfo(skb)->nr_frags = k;
2213
2214 end:
2215 skb->tail += delta;
2216 skb->data_len -= delta;
2217
2218 if (!skb->data_len)
2219 skb_zcopy_clear(skb, false);
2220
2221 return skb_tail_pointer(skb);
2222 }
2223 EXPORT_SYMBOL(__pskb_pull_tail);
2224
2225 /**
2226 * skb_copy_bits - copy bits from skb to kernel buffer
2227 * @skb: source skb
2228 * @offset: offset in source
2229 * @to: destination buffer
2230 * @len: number of bytes to copy
2231 *
2232 * Copy the specified number of bytes from the source skb to the
2233 * destination buffer.
2234 *
2235 * CAUTION ! :
2236 * If its prototype is ever changed,
2237 * check arch/{*}/net/{*}.S files,
2238 * since it is called from BPF assembly code.
2239 */
skb_copy_bits(const struct sk_buff * skb,int offset,void * to,int len)2240 int skb_copy_bits(const struct sk_buff *skb, int offset, void *to, int len)
2241 {
2242 int start = skb_headlen(skb);
2243 struct sk_buff *frag_iter;
2244 int i, copy;
2245
2246 if (offset > (int)skb->len - len)
2247 goto fault;
2248
2249 /* Copy header. */
2250 if ((copy = start - offset) > 0) {
2251 if (copy > len)
2252 copy = len;
2253 skb_copy_from_linear_data_offset(skb, offset, to, copy);
2254 if ((len -= copy) == 0)
2255 return 0;
2256 offset += copy;
2257 to += copy;
2258 }
2259
2260 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
2261 int end;
2262 skb_frag_t *f = &skb_shinfo(skb)->frags[i];
2263
2264 WARN_ON(start > offset + len);
2265
2266 end = start + skb_frag_size(f);
2267 if ((copy = end - offset) > 0) {
2268 u32 p_off, p_len, copied;
2269 struct page *p;
2270 u8 *vaddr;
2271
2272 if (copy > len)
2273 copy = len;
2274
2275 skb_frag_foreach_page(f,
2276 skb_frag_off(f) + offset - start,
2277 copy, p, p_off, p_len, copied) {
2278 vaddr = kmap_atomic(p);
2279 memcpy(to + copied, vaddr + p_off, p_len);
2280 kunmap_atomic(vaddr);
2281 }
2282
2283 if ((len -= copy) == 0)
2284 return 0;
2285 offset += copy;
2286 to += copy;
2287 }
2288 start = end;
2289 }
2290
2291 skb_walk_frags(skb, frag_iter) {
2292 int end;
2293
2294 WARN_ON(start > offset + len);
2295
2296 end = start + frag_iter->len;
2297 if ((copy = end - offset) > 0) {
2298 if (copy > len)
2299 copy = len;
2300 if (skb_copy_bits(frag_iter, offset - start, to, copy))
2301 goto fault;
2302 if ((len -= copy) == 0)
2303 return 0;
2304 offset += copy;
2305 to += copy;
2306 }
2307 start = end;
2308 }
2309
2310 if (!len)
2311 return 0;
2312
2313 fault:
2314 return -EFAULT;
2315 }
2316 EXPORT_SYMBOL(skb_copy_bits);
2317
2318 /*
2319 * Callback from splice_to_pipe(), if we need to release some pages
2320 * at the end of the spd in case we error'ed out in filling the pipe.
2321 */
sock_spd_release(struct splice_pipe_desc * spd,unsigned int i)2322 static void sock_spd_release(struct splice_pipe_desc *spd, unsigned int i)
2323 {
2324 put_page(spd->pages[i]);
2325 }
2326
linear_to_page(struct page * page,unsigned int * len,unsigned int * offset,struct sock * sk)2327 static struct page *linear_to_page(struct page *page, unsigned int *len,
2328 unsigned int *offset,
2329 struct sock *sk)
2330 {
2331 struct page_frag *pfrag = sk_page_frag(sk);
2332
2333 if (!sk_page_frag_refill(sk, pfrag))
2334 return NULL;
2335
2336 *len = min_t(unsigned int, *len, pfrag->size - pfrag->offset);
2337
2338 memcpy(page_address(pfrag->page) + pfrag->offset,
2339 page_address(page) + *offset, *len);
2340 *offset = pfrag->offset;
2341 pfrag->offset += *len;
2342
2343 return pfrag->page;
2344 }
2345
spd_can_coalesce(const struct splice_pipe_desc * spd,struct page * page,unsigned int offset)2346 static bool spd_can_coalesce(const struct splice_pipe_desc *spd,
2347 struct page *page,
2348 unsigned int offset)
2349 {
2350 return spd->nr_pages &&
2351 spd->pages[spd->nr_pages - 1] == page &&
2352 (spd->partial[spd->nr_pages - 1].offset +
2353 spd->partial[spd->nr_pages - 1].len == offset);
2354 }
2355
2356 /*
2357 * Fill page/offset/length into spd, if it can hold more pages.
2358 */
spd_fill_page(struct splice_pipe_desc * spd,struct pipe_inode_info * pipe,struct page * page,unsigned int * len,unsigned int offset,bool linear,struct sock * sk)2359 static bool spd_fill_page(struct splice_pipe_desc *spd,
2360 struct pipe_inode_info *pipe, struct page *page,
2361 unsigned int *len, unsigned int offset,
2362 bool linear,
2363 struct sock *sk)
2364 {
2365 if (unlikely(spd->nr_pages == MAX_SKB_FRAGS))
2366 return true;
2367
2368 if (linear) {
2369 page = linear_to_page(page, len, &offset, sk);
2370 if (!page)
2371 return true;
2372 }
2373 if (spd_can_coalesce(spd, page, offset)) {
2374 spd->partial[spd->nr_pages - 1].len += *len;
2375 return false;
2376 }
2377 get_page(page);
2378 spd->pages[spd->nr_pages] = page;
2379 spd->partial[spd->nr_pages].len = *len;
2380 spd->partial[spd->nr_pages].offset = offset;
2381 spd->nr_pages++;
2382
2383 return false;
2384 }
2385
__splice_segment(struct page * page,unsigned int poff,unsigned int plen,unsigned int * off,unsigned int * len,struct splice_pipe_desc * spd,bool linear,struct sock * sk,struct pipe_inode_info * pipe)2386 static bool __splice_segment(struct page *page, unsigned int poff,
2387 unsigned int plen, unsigned int *off,
2388 unsigned int *len,
2389 struct splice_pipe_desc *spd, bool linear,
2390 struct sock *sk,
2391 struct pipe_inode_info *pipe)
2392 {
2393 if (!*len)
2394 return true;
2395
2396 /* skip this segment if already processed */
2397 if (*off >= plen) {
2398 *off -= plen;
2399 return false;
2400 }
2401
2402 /* ignore any bits we already processed */
2403 poff += *off;
2404 plen -= *off;
2405 *off = 0;
2406
2407 do {
2408 unsigned int flen = min(*len, plen);
2409
2410 if (spd_fill_page(spd, pipe, page, &flen, poff,
2411 linear, sk))
2412 return true;
2413 poff += flen;
2414 plen -= flen;
2415 *len -= flen;
2416 } while (*len && plen);
2417
2418 return false;
2419 }
2420
2421 /*
2422 * Map linear and fragment data from the skb to spd. It reports true if the
2423 * pipe is full or if we already spliced the requested length.
2424 */
__skb_splice_bits(struct sk_buff * skb,struct pipe_inode_info * pipe,unsigned int * offset,unsigned int * len,struct splice_pipe_desc * spd,struct sock * sk)2425 static bool __skb_splice_bits(struct sk_buff *skb, struct pipe_inode_info *pipe,
2426 unsigned int *offset, unsigned int *len,
2427 struct splice_pipe_desc *spd, struct sock *sk)
2428 {
2429 int seg;
2430 struct sk_buff *iter;
2431
2432 /* map the linear part :
2433 * If skb->head_frag is set, this 'linear' part is backed by a
2434 * fragment, and if the head is not shared with any clones then
2435 * we can avoid a copy since we own the head portion of this page.
2436 */
2437 if (__splice_segment(virt_to_page(skb->data),
2438 (unsigned long) skb->data & (PAGE_SIZE - 1),
2439 skb_headlen(skb),
2440 offset, len, spd,
2441 skb_head_is_locked(skb),
2442 sk, pipe))
2443 return true;
2444
2445 /*
2446 * then map the fragments
2447 */
2448 for (seg = 0; seg < skb_shinfo(skb)->nr_frags; seg++) {
2449 const skb_frag_t *f = &skb_shinfo(skb)->frags[seg];
2450
2451 if (__splice_segment(skb_frag_page(f),
2452 skb_frag_off(f), skb_frag_size(f),
2453 offset, len, spd, false, sk, pipe))
2454 return true;
2455 }
2456
2457 skb_walk_frags(skb, iter) {
2458 if (*offset >= iter->len) {
2459 *offset -= iter->len;
2460 continue;
2461 }
2462 /* __skb_splice_bits() only fails if the output has no room
2463 * left, so no point in going over the frag_list for the error
2464 * case.
2465 */
2466 if (__skb_splice_bits(iter, pipe, offset, len, spd, sk))
2467 return true;
2468 }
2469
2470 return false;
2471 }
2472
2473 /*
2474 * Map data from the skb to a pipe. Should handle both the linear part,
2475 * the fragments, and the frag list.
2476 */
skb_splice_bits(struct sk_buff * skb,struct sock * sk,unsigned int offset,struct pipe_inode_info * pipe,unsigned int tlen,unsigned int flags)2477 int skb_splice_bits(struct sk_buff *skb, struct sock *sk, unsigned int offset,
2478 struct pipe_inode_info *pipe, unsigned int tlen,
2479 unsigned int flags)
2480 {
2481 struct partial_page partial[MAX_SKB_FRAGS];
2482 struct page *pages[MAX_SKB_FRAGS];
2483 struct splice_pipe_desc spd = {
2484 .pages = pages,
2485 .partial = partial,
2486 .nr_pages_max = MAX_SKB_FRAGS,
2487 .ops = &nosteal_pipe_buf_ops,
2488 .spd_release = sock_spd_release,
2489 };
2490 int ret = 0;
2491
2492 __skb_splice_bits(skb, pipe, &offset, &tlen, &spd, sk);
2493
2494 if (spd.nr_pages)
2495 ret = splice_to_pipe(pipe, &spd);
2496
2497 return ret;
2498 }
2499 EXPORT_SYMBOL_GPL(skb_splice_bits);
2500
2501 /* Send skb data on a socket. Socket must be locked. */
skb_send_sock_locked(struct sock * sk,struct sk_buff * skb,int offset,int len)2502 int skb_send_sock_locked(struct sock *sk, struct sk_buff *skb, int offset,
2503 int len)
2504 {
2505 unsigned int orig_len = len;
2506 struct sk_buff *head = skb;
2507 unsigned short fragidx;
2508 int slen, ret;
2509
2510 do_frag_list:
2511
2512 /* Deal with head data */
2513 while (offset < skb_headlen(skb) && len) {
2514 struct kvec kv;
2515 struct msghdr msg;
2516
2517 slen = min_t(int, len, skb_headlen(skb) - offset);
2518 kv.iov_base = skb->data + offset;
2519 kv.iov_len = slen;
2520 memset(&msg, 0, sizeof(msg));
2521 msg.msg_flags = MSG_DONTWAIT;
2522
2523 ret = kernel_sendmsg_locked(sk, &msg, &kv, 1, slen);
2524 if (ret <= 0)
2525 goto error;
2526
2527 offset += ret;
2528 len -= ret;
2529 }
2530
2531 /* All the data was skb head? */
2532 if (!len)
2533 goto out;
2534
2535 /* Make offset relative to start of frags */
2536 offset -= skb_headlen(skb);
2537
2538 /* Find where we are in frag list */
2539 for (fragidx = 0; fragidx < skb_shinfo(skb)->nr_frags; fragidx++) {
2540 skb_frag_t *frag = &skb_shinfo(skb)->frags[fragidx];
2541
2542 if (offset < skb_frag_size(frag))
2543 break;
2544
2545 offset -= skb_frag_size(frag);
2546 }
2547
2548 for (; len && fragidx < skb_shinfo(skb)->nr_frags; fragidx++) {
2549 skb_frag_t *frag = &skb_shinfo(skb)->frags[fragidx];
2550
2551 slen = min_t(size_t, len, skb_frag_size(frag) - offset);
2552
2553 while (slen) {
2554 ret = kernel_sendpage_locked(sk, skb_frag_page(frag),
2555 skb_frag_off(frag) + offset,
2556 slen, MSG_DONTWAIT);
2557 if (ret <= 0)
2558 goto error;
2559
2560 len -= ret;
2561 offset += ret;
2562 slen -= ret;
2563 }
2564
2565 offset = 0;
2566 }
2567
2568 if (len) {
2569 /* Process any frag lists */
2570
2571 if (skb == head) {
2572 if (skb_has_frag_list(skb)) {
2573 skb = skb_shinfo(skb)->frag_list;
2574 goto do_frag_list;
2575 }
2576 } else if (skb->next) {
2577 skb = skb->next;
2578 goto do_frag_list;
2579 }
2580 }
2581
2582 out:
2583 return orig_len - len;
2584
2585 error:
2586 return orig_len == len ? ret : orig_len - len;
2587 }
2588 EXPORT_SYMBOL_GPL(skb_send_sock_locked);
2589
2590 /**
2591 * skb_store_bits - store bits from kernel buffer to skb
2592 * @skb: destination buffer
2593 * @offset: offset in destination
2594 * @from: source buffer
2595 * @len: number of bytes to copy
2596 *
2597 * Copy the specified number of bytes from the source buffer to the
2598 * destination skb. This function handles all the messy bits of
2599 * traversing fragment lists and such.
2600 */
2601
skb_store_bits(struct sk_buff * skb,int offset,const void * from,int len)2602 int skb_store_bits(struct sk_buff *skb, int offset, const void *from, int len)
2603 {
2604 int start = skb_headlen(skb);
2605 struct sk_buff *frag_iter;
2606 int i, copy;
2607
2608 if (offset > (int)skb->len - len)
2609 goto fault;
2610
2611 if ((copy = start - offset) > 0) {
2612 if (copy > len)
2613 copy = len;
2614 skb_copy_to_linear_data_offset(skb, offset, from, copy);
2615 if ((len -= copy) == 0)
2616 return 0;
2617 offset += copy;
2618 from += copy;
2619 }
2620
2621 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
2622 skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
2623 int end;
2624
2625 WARN_ON(start > offset + len);
2626
2627 end = start + skb_frag_size(frag);
2628 if ((copy = end - offset) > 0) {
2629 u32 p_off, p_len, copied;
2630 struct page *p;
2631 u8 *vaddr;
2632
2633 if (copy > len)
2634 copy = len;
2635
2636 skb_frag_foreach_page(frag,
2637 skb_frag_off(frag) + offset - start,
2638 copy, p, p_off, p_len, copied) {
2639 vaddr = kmap_atomic(p);
2640 memcpy(vaddr + p_off, from + copied, p_len);
2641 kunmap_atomic(vaddr);
2642 }
2643
2644 if ((len -= copy) == 0)
2645 return 0;
2646 offset += copy;
2647 from += copy;
2648 }
2649 start = end;
2650 }
2651
2652 skb_walk_frags(skb, frag_iter) {
2653 int end;
2654
2655 WARN_ON(start > offset + len);
2656
2657 end = start + frag_iter->len;
2658 if ((copy = end - offset) > 0) {
2659 if (copy > len)
2660 copy = len;
2661 if (skb_store_bits(frag_iter, offset - start,
2662 from, copy))
2663 goto fault;
2664 if ((len -= copy) == 0)
2665 return 0;
2666 offset += copy;
2667 from += copy;
2668 }
2669 start = end;
2670 }
2671 if (!len)
2672 return 0;
2673
2674 fault:
2675 return -EFAULT;
2676 }
2677 EXPORT_SYMBOL(skb_store_bits);
2678
2679 /* Checksum skb data. */
__skb_checksum(const struct sk_buff * skb,int offset,int len,__wsum csum,const struct skb_checksum_ops * ops)2680 __wsum __skb_checksum(const struct sk_buff *skb, int offset, int len,
2681 __wsum csum, const struct skb_checksum_ops *ops)
2682 {
2683 int start = skb_headlen(skb);
2684 int i, copy = start - offset;
2685 struct sk_buff *frag_iter;
2686 int pos = 0;
2687
2688 /* Checksum header. */
2689 if (copy > 0) {
2690 if (copy > len)
2691 copy = len;
2692 csum = INDIRECT_CALL_1(ops->update, csum_partial_ext,
2693 skb->data + offset, copy, csum);
2694 if ((len -= copy) == 0)
2695 return csum;
2696 offset += copy;
2697 pos = copy;
2698 }
2699
2700 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
2701 int end;
2702 skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
2703
2704 WARN_ON(start > offset + len);
2705
2706 end = start + skb_frag_size(frag);
2707 if ((copy = end - offset) > 0) {
2708 u32 p_off, p_len, copied;
2709 struct page *p;
2710 __wsum csum2;
2711 u8 *vaddr;
2712
2713 if (copy > len)
2714 copy = len;
2715
2716 skb_frag_foreach_page(frag,
2717 skb_frag_off(frag) + offset - start,
2718 copy, p, p_off, p_len, copied) {
2719 vaddr = kmap_atomic(p);
2720 csum2 = INDIRECT_CALL_1(ops->update,
2721 csum_partial_ext,
2722 vaddr + p_off, p_len, 0);
2723 kunmap_atomic(vaddr);
2724 csum = INDIRECT_CALL_1(ops->combine,
2725 csum_block_add_ext, csum,
2726 csum2, pos, p_len);
2727 pos += p_len;
2728 }
2729
2730 if (!(len -= copy))
2731 return csum;
2732 offset += copy;
2733 }
2734 start = end;
2735 }
2736
2737 skb_walk_frags(skb, frag_iter) {
2738 int end;
2739
2740 WARN_ON(start > offset + len);
2741
2742 end = start + frag_iter->len;
2743 if ((copy = end - offset) > 0) {
2744 __wsum csum2;
2745 if (copy > len)
2746 copy = len;
2747 csum2 = __skb_checksum(frag_iter, offset - start,
2748 copy, 0, ops);
2749 csum = INDIRECT_CALL_1(ops->combine, csum_block_add_ext,
2750 csum, csum2, pos, copy);
2751 if ((len -= copy) == 0)
2752 return csum;
2753 offset += copy;
2754 pos += copy;
2755 }
2756 start = end;
2757 }
2758 BUG_ON(len);
2759
2760 return csum;
2761 }
2762 EXPORT_SYMBOL(__skb_checksum);
2763
skb_checksum(const struct sk_buff * skb,int offset,int len,__wsum csum)2764 __wsum skb_checksum(const struct sk_buff *skb, int offset,
2765 int len, __wsum csum)
2766 {
2767 const struct skb_checksum_ops ops = {
2768 .update = csum_partial_ext,
2769 .combine = csum_block_add_ext,
2770 };
2771
2772 return __skb_checksum(skb, offset, len, csum, &ops);
2773 }
2774 EXPORT_SYMBOL(skb_checksum);
2775
2776 /* Both of above in one bottle. */
2777
skb_copy_and_csum_bits(const struct sk_buff * skb,int offset,u8 * to,int len)2778 __wsum skb_copy_and_csum_bits(const struct sk_buff *skb, int offset,
2779 u8 *to, int len)
2780 {
2781 int start = skb_headlen(skb);
2782 int i, copy = start - offset;
2783 struct sk_buff *frag_iter;
2784 int pos = 0;
2785 __wsum csum = 0;
2786
2787 /* Copy header. */
2788 if (copy > 0) {
2789 if (copy > len)
2790 copy = len;
2791 csum = csum_partial_copy_nocheck(skb->data + offset, to,
2792 copy);
2793 if ((len -= copy) == 0)
2794 return csum;
2795 offset += copy;
2796 to += copy;
2797 pos = copy;
2798 }
2799
2800 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
2801 int end;
2802
2803 WARN_ON(start > offset + len);
2804
2805 end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]);
2806 if ((copy = end - offset) > 0) {
2807 skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
2808 u32 p_off, p_len, copied;
2809 struct page *p;
2810 __wsum csum2;
2811 u8 *vaddr;
2812
2813 if (copy > len)
2814 copy = len;
2815
2816 skb_frag_foreach_page(frag,
2817 skb_frag_off(frag) + offset - start,
2818 copy, p, p_off, p_len, copied) {
2819 vaddr = kmap_atomic(p);
2820 csum2 = csum_partial_copy_nocheck(vaddr + p_off,
2821 to + copied,
2822 p_len);
2823 kunmap_atomic(vaddr);
2824 csum = csum_block_add(csum, csum2, pos);
2825 pos += p_len;
2826 }
2827
2828 if (!(len -= copy))
2829 return csum;
2830 offset += copy;
2831 to += copy;
2832 }
2833 start = end;
2834 }
2835
2836 skb_walk_frags(skb, frag_iter) {
2837 __wsum csum2;
2838 int end;
2839
2840 WARN_ON(start > offset + len);
2841
2842 end = start + frag_iter->len;
2843 if ((copy = end - offset) > 0) {
2844 if (copy > len)
2845 copy = len;
2846 csum2 = skb_copy_and_csum_bits(frag_iter,
2847 offset - start,
2848 to, copy);
2849 csum = csum_block_add(csum, csum2, pos);
2850 if ((len -= copy) == 0)
2851 return csum;
2852 offset += copy;
2853 to += copy;
2854 pos += copy;
2855 }
2856 start = end;
2857 }
2858 BUG_ON(len);
2859 return csum;
2860 }
2861 EXPORT_SYMBOL(skb_copy_and_csum_bits);
2862
__skb_checksum_complete_head(struct sk_buff * skb,int len)2863 __sum16 __skb_checksum_complete_head(struct sk_buff *skb, int len)
2864 {
2865 __sum16 sum;
2866
2867 sum = csum_fold(skb_checksum(skb, 0, len, skb->csum));
2868 /* See comments in __skb_checksum_complete(). */
2869 if (likely(!sum)) {
2870 if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE) &&
2871 !skb->csum_complete_sw)
2872 netdev_rx_csum_fault(skb->dev, skb);
2873 }
2874 if (!skb_shared(skb))
2875 skb->csum_valid = !sum;
2876 return sum;
2877 }
2878 EXPORT_SYMBOL(__skb_checksum_complete_head);
2879
2880 /* This function assumes skb->csum already holds pseudo header's checksum,
2881 * which has been changed from the hardware checksum, for example, by
2882 * __skb_checksum_validate_complete(). And, the original skb->csum must
2883 * have been validated unsuccessfully for CHECKSUM_COMPLETE case.
2884 *
2885 * It returns non-zero if the recomputed checksum is still invalid, otherwise
2886 * zero. The new checksum is stored back into skb->csum unless the skb is
2887 * shared.
2888 */
__skb_checksum_complete(struct sk_buff * skb)2889 __sum16 __skb_checksum_complete(struct sk_buff *skb)
2890 {
2891 __wsum csum;
2892 __sum16 sum;
2893
2894 csum = skb_checksum(skb, 0, skb->len, 0);
2895
2896 sum = csum_fold(csum_add(skb->csum, csum));
2897 /* This check is inverted, because we already knew the hardware
2898 * checksum is invalid before calling this function. So, if the
2899 * re-computed checksum is valid instead, then we have a mismatch
2900 * between the original skb->csum and skb_checksum(). This means either
2901 * the original hardware checksum is incorrect or we screw up skb->csum
2902 * when moving skb->data around.
2903 */
2904 if (likely(!sum)) {
2905 if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE) &&
2906 !skb->csum_complete_sw)
2907 netdev_rx_csum_fault(skb->dev, skb);
2908 }
2909
2910 if (!skb_shared(skb)) {
2911 /* Save full packet checksum */
2912 skb->csum = csum;
2913 skb->ip_summed = CHECKSUM_COMPLETE;
2914 skb->csum_complete_sw = 1;
2915 skb->csum_valid = !sum;
2916 }
2917
2918 return sum;
2919 }
2920 EXPORT_SYMBOL(__skb_checksum_complete);
2921
warn_crc32c_csum_update(const void * buff,int len,__wsum sum)2922 static __wsum warn_crc32c_csum_update(const void *buff, int len, __wsum sum)
2923 {
2924 net_warn_ratelimited(
2925 "%s: attempt to compute crc32c without libcrc32c.ko\n",
2926 __func__);
2927 return 0;
2928 }
2929
warn_crc32c_csum_combine(__wsum csum,__wsum csum2,int offset,int len)2930 static __wsum warn_crc32c_csum_combine(__wsum csum, __wsum csum2,
2931 int offset, int len)
2932 {
2933 net_warn_ratelimited(
2934 "%s: attempt to compute crc32c without libcrc32c.ko\n",
2935 __func__);
2936 return 0;
2937 }
2938
2939 static const struct skb_checksum_ops default_crc32c_ops = {
2940 .update = warn_crc32c_csum_update,
2941 .combine = warn_crc32c_csum_combine,
2942 };
2943
2944 const struct skb_checksum_ops *crc32c_csum_stub __read_mostly =
2945 &default_crc32c_ops;
2946 EXPORT_SYMBOL(crc32c_csum_stub);
2947
2948 /**
2949 * skb_zerocopy_headlen - Calculate headroom needed for skb_zerocopy()
2950 * @from: source buffer
2951 *
2952 * Calculates the amount of linear headroom needed in the 'to' skb passed
2953 * into skb_zerocopy().
2954 */
2955 unsigned int
skb_zerocopy_headlen(const struct sk_buff * from)2956 skb_zerocopy_headlen(const struct sk_buff *from)
2957 {
2958 unsigned int hlen = 0;
2959
2960 if (!from->head_frag ||
2961 skb_headlen(from) < L1_CACHE_BYTES ||
2962 skb_shinfo(from)->nr_frags >= MAX_SKB_FRAGS) {
2963 hlen = skb_headlen(from);
2964 if (!hlen)
2965 hlen = from->len;
2966 }
2967
2968 if (skb_has_frag_list(from))
2969 hlen = from->len;
2970
2971 return hlen;
2972 }
2973 EXPORT_SYMBOL_GPL(skb_zerocopy_headlen);
2974
2975 /**
2976 * skb_zerocopy - Zero copy skb to skb
2977 * @to: destination buffer
2978 * @from: source buffer
2979 * @len: number of bytes to copy from source buffer
2980 * @hlen: size of linear headroom in destination buffer
2981 *
2982 * Copies up to `len` bytes from `from` to `to` by creating references
2983 * to the frags in the source buffer.
2984 *
2985 * The `hlen` as calculated by skb_zerocopy_headlen() specifies the
2986 * headroom in the `to` buffer.
2987 *
2988 * Return value:
2989 * 0: everything is OK
2990 * -ENOMEM: couldn't orphan frags of @from due to lack of memory
2991 * -EFAULT: skb_copy_bits() found some problem with skb geometry
2992 */
2993 int
skb_zerocopy(struct sk_buff * to,struct sk_buff * from,int len,int hlen)2994 skb_zerocopy(struct sk_buff *to, struct sk_buff *from, int len, int hlen)
2995 {
2996 int i, j = 0;
2997 int plen = 0; /* length of skb->head fragment */
2998 int ret;
2999 struct page *page;
3000 unsigned int offset;
3001
3002 BUG_ON(!from->head_frag && !hlen);
3003
3004 /* dont bother with small payloads */
3005 if (len <= skb_tailroom(to))
3006 return skb_copy_bits(from, 0, skb_put(to, len), len);
3007
3008 if (hlen) {
3009 ret = skb_copy_bits(from, 0, skb_put(to, hlen), hlen);
3010 if (unlikely(ret))
3011 return ret;
3012 len -= hlen;
3013 } else {
3014 plen = min_t(int, skb_headlen(from), len);
3015 if (plen) {
3016 page = virt_to_head_page(from->head);
3017 offset = from->data - (unsigned char *)page_address(page);
3018 __skb_fill_page_desc(to, 0, page, offset, plen);
3019 get_page(page);
3020 j = 1;
3021 len -= plen;
3022 }
3023 }
3024
3025 to->truesize += len + plen;
3026 to->len += len + plen;
3027 to->data_len += len + plen;
3028
3029 if (unlikely(skb_orphan_frags(from, GFP_ATOMIC))) {
3030 skb_tx_error(from);
3031 return -ENOMEM;
3032 }
3033 skb_zerocopy_clone(to, from, GFP_ATOMIC);
3034
3035 for (i = 0; i < skb_shinfo(from)->nr_frags; i++) {
3036 int size;
3037
3038 if (!len)
3039 break;
3040 skb_shinfo(to)->frags[j] = skb_shinfo(from)->frags[i];
3041 size = min_t(int, skb_frag_size(&skb_shinfo(to)->frags[j]),
3042 len);
3043 skb_frag_size_set(&skb_shinfo(to)->frags[j], size);
3044 len -= size;
3045 skb_frag_ref(to, j);
3046 j++;
3047 }
3048 skb_shinfo(to)->nr_frags = j;
3049
3050 return 0;
3051 }
3052 EXPORT_SYMBOL_GPL(skb_zerocopy);
3053
skb_copy_and_csum_dev(const struct sk_buff * skb,u8 * to)3054 void skb_copy_and_csum_dev(const struct sk_buff *skb, u8 *to)
3055 {
3056 __wsum csum;
3057 long csstart;
3058
3059 if (skb->ip_summed == CHECKSUM_PARTIAL)
3060 csstart = skb_checksum_start_offset(skb);
3061 else
3062 csstart = skb_headlen(skb);
3063
3064 BUG_ON(csstart > skb_headlen(skb));
3065
3066 skb_copy_from_linear_data(skb, to, csstart);
3067
3068 csum = 0;
3069 if (csstart != skb->len)
3070 csum = skb_copy_and_csum_bits(skb, csstart, to + csstart,
3071 skb->len - csstart);
3072
3073 if (skb->ip_summed == CHECKSUM_PARTIAL) {
3074 long csstuff = csstart + skb->csum_offset;
3075
3076 *((__sum16 *)(to + csstuff)) = csum_fold(csum);
3077 }
3078 }
3079 EXPORT_SYMBOL(skb_copy_and_csum_dev);
3080
3081 /**
3082 * skb_dequeue - remove from the head of the queue
3083 * @list: list to dequeue from
3084 *
3085 * Remove the head of the list. The list lock is taken so the function
3086 * may be used safely with other locking list functions. The head item is
3087 * returned or %NULL if the list is empty.
3088 */
3089
skb_dequeue(struct sk_buff_head * list)3090 struct sk_buff *skb_dequeue(struct sk_buff_head *list)
3091 {
3092 unsigned long flags;
3093 struct sk_buff *result;
3094
3095 spin_lock_irqsave(&list->lock, flags);
3096 result = __skb_dequeue(list);
3097 spin_unlock_irqrestore(&list->lock, flags);
3098 return result;
3099 }
3100 EXPORT_SYMBOL(skb_dequeue);
3101
3102 /**
3103 * skb_dequeue_tail - remove from the tail of the queue
3104 * @list: list to dequeue from
3105 *
3106 * Remove the tail of the list. The list lock is taken so the function
3107 * may be used safely with other locking list functions. The tail item is
3108 * returned or %NULL if the list is empty.
3109 */
skb_dequeue_tail(struct sk_buff_head * list)3110 struct sk_buff *skb_dequeue_tail(struct sk_buff_head *list)
3111 {
3112 unsigned long flags;
3113 struct sk_buff *result;
3114
3115 spin_lock_irqsave(&list->lock, flags);
3116 result = __skb_dequeue_tail(list);
3117 spin_unlock_irqrestore(&list->lock, flags);
3118 return result;
3119 }
3120 EXPORT_SYMBOL(skb_dequeue_tail);
3121
3122 /**
3123 * skb_queue_purge - empty a list
3124 * @list: list to empty
3125 *
3126 * Delete all buffers on an &sk_buff list. Each buffer is removed from
3127 * the list and one reference dropped. This function takes the list
3128 * lock and is atomic with respect to other list locking functions.
3129 */
skb_queue_purge(struct sk_buff_head * list)3130 void skb_queue_purge(struct sk_buff_head *list)
3131 {
3132 struct sk_buff *skb;
3133 while ((skb = skb_dequeue(list)) != NULL)
3134 kfree_skb(skb);
3135 }
3136 EXPORT_SYMBOL(skb_queue_purge);
3137
3138 /**
3139 * skb_rbtree_purge - empty a skb rbtree
3140 * @root: root of the rbtree to empty
3141 * Return value: the sum of truesizes of all purged skbs.
3142 *
3143 * Delete all buffers on an &sk_buff rbtree. Each buffer is removed from
3144 * the list and one reference dropped. This function does not take
3145 * any lock. Synchronization should be handled by the caller (e.g., TCP
3146 * out-of-order queue is protected by the socket lock).
3147 */
skb_rbtree_purge(struct rb_root * root)3148 unsigned int skb_rbtree_purge(struct rb_root *root)
3149 {
3150 struct rb_node *p = rb_first(root);
3151 unsigned int sum = 0;
3152
3153 while (p) {
3154 struct sk_buff *skb = rb_entry(p, struct sk_buff, rbnode);
3155
3156 p = rb_next(p);
3157 rb_erase(&skb->rbnode, root);
3158 sum += skb->truesize;
3159 kfree_skb(skb);
3160 }
3161 return sum;
3162 }
3163
3164 /**
3165 * skb_queue_head - queue a buffer at the list head
3166 * @list: list to use
3167 * @newsk: buffer to queue
3168 *
3169 * Queue a buffer at the start of the list. This function takes the
3170 * list lock and can be used safely with other locking &sk_buff functions
3171 * safely.
3172 *
3173 * A buffer cannot be placed on two lists at the same time.
3174 */
skb_queue_head(struct sk_buff_head * list,struct sk_buff * newsk)3175 void skb_queue_head(struct sk_buff_head *list, struct sk_buff *newsk)
3176 {
3177 unsigned long flags;
3178
3179 spin_lock_irqsave(&list->lock, flags);
3180 __skb_queue_head(list, newsk);
3181 spin_unlock_irqrestore(&list->lock, flags);
3182 }
3183 EXPORT_SYMBOL(skb_queue_head);
3184
3185 /**
3186 * skb_queue_tail - queue a buffer at the list tail
3187 * @list: list to use
3188 * @newsk: buffer to queue
3189 *
3190 * Queue a buffer at the tail of the list. This function takes the
3191 * list lock and can be used safely with other locking &sk_buff functions
3192 * safely.
3193 *
3194 * A buffer cannot be placed on two lists at the same time.
3195 */
skb_queue_tail(struct sk_buff_head * list,struct sk_buff * newsk)3196 void skb_queue_tail(struct sk_buff_head *list, struct sk_buff *newsk)
3197 {
3198 unsigned long flags;
3199
3200 spin_lock_irqsave(&list->lock, flags);
3201 __skb_queue_tail(list, newsk);
3202 spin_unlock_irqrestore(&list->lock, flags);
3203 }
3204 EXPORT_SYMBOL(skb_queue_tail);
3205
3206 /**
3207 * skb_unlink - remove a buffer from a list
3208 * @skb: buffer to remove
3209 * @list: list to use
3210 *
3211 * Remove a packet from a list. The list locks are taken and this
3212 * function is atomic with respect to other list locked calls
3213 *
3214 * You must know what list the SKB is on.
3215 */
skb_unlink(struct sk_buff * skb,struct sk_buff_head * list)3216 void skb_unlink(struct sk_buff *skb, struct sk_buff_head *list)
3217 {
3218 unsigned long flags;
3219
3220 spin_lock_irqsave(&list->lock, flags);
3221 __skb_unlink(skb, list);
3222 spin_unlock_irqrestore(&list->lock, flags);
3223 }
3224 EXPORT_SYMBOL(skb_unlink);
3225
3226 /**
3227 * skb_append - append a buffer
3228 * @old: buffer to insert after
3229 * @newsk: buffer to insert
3230 * @list: list to use
3231 *
3232 * Place a packet after a given packet in a list. The list locks are taken
3233 * and this function is atomic with respect to other list locked calls.
3234 * A buffer cannot be placed on two lists at the same time.
3235 */
skb_append(struct sk_buff * old,struct sk_buff * newsk,struct sk_buff_head * list)3236 void skb_append(struct sk_buff *old, struct sk_buff *newsk, struct sk_buff_head *list)
3237 {
3238 unsigned long flags;
3239
3240 spin_lock_irqsave(&list->lock, flags);
3241 __skb_queue_after(list, old, newsk);
3242 spin_unlock_irqrestore(&list->lock, flags);
3243 }
3244 EXPORT_SYMBOL(skb_append);
3245
skb_split_inside_header(struct sk_buff * skb,struct sk_buff * skb1,const u32 len,const int pos)3246 static inline void skb_split_inside_header(struct sk_buff *skb,
3247 struct sk_buff* skb1,
3248 const u32 len, const int pos)
3249 {
3250 int i;
3251
3252 skb_copy_from_linear_data_offset(skb, len, skb_put(skb1, pos - len),
3253 pos - len);
3254 /* And move data appendix as is. */
3255 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
3256 skb_shinfo(skb1)->frags[i] = skb_shinfo(skb)->frags[i];
3257
3258 skb_shinfo(skb1)->nr_frags = skb_shinfo(skb)->nr_frags;
3259 skb_shinfo(skb)->nr_frags = 0;
3260 skb1->data_len = skb->data_len;
3261 skb1->len += skb1->data_len;
3262 skb->data_len = 0;
3263 skb->len = len;
3264 skb_set_tail_pointer(skb, len);
3265 }
3266
skb_split_no_header(struct sk_buff * skb,struct sk_buff * skb1,const u32 len,int pos)3267 static inline void skb_split_no_header(struct sk_buff *skb,
3268 struct sk_buff* skb1,
3269 const u32 len, int pos)
3270 {
3271 int i, k = 0;
3272 const int nfrags = skb_shinfo(skb)->nr_frags;
3273
3274 skb_shinfo(skb)->nr_frags = 0;
3275 skb1->len = skb1->data_len = skb->len - len;
3276 skb->len = len;
3277 skb->data_len = len - pos;
3278
3279 for (i = 0; i < nfrags; i++) {
3280 int size = skb_frag_size(&skb_shinfo(skb)->frags[i]);
3281
3282 if (pos + size > len) {
3283 skb_shinfo(skb1)->frags[k] = skb_shinfo(skb)->frags[i];
3284
3285 if (pos < len) {
3286 /* Split frag.
3287 * We have two variants in this case:
3288 * 1. Move all the frag to the second
3289 * part, if it is possible. F.e.
3290 * this approach is mandatory for TUX,
3291 * where splitting is expensive.
3292 * 2. Split is accurately. We make this.
3293 */
3294 skb_frag_ref(skb, i);
3295 skb_frag_off_add(&skb_shinfo(skb1)->frags[0], len - pos);
3296 skb_frag_size_sub(&skb_shinfo(skb1)->frags[0], len - pos);
3297 skb_frag_size_set(&skb_shinfo(skb)->frags[i], len - pos);
3298 skb_shinfo(skb)->nr_frags++;
3299 }
3300 k++;
3301 } else
3302 skb_shinfo(skb)->nr_frags++;
3303 pos += size;
3304 }
3305 skb_shinfo(skb1)->nr_frags = k;
3306 }
3307
3308 /**
3309 * skb_split - Split fragmented skb to two parts at length len.
3310 * @skb: the buffer to split
3311 * @skb1: the buffer to receive the second part
3312 * @len: new length for skb
3313 */
skb_split(struct sk_buff * skb,struct sk_buff * skb1,const u32 len)3314 void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len)
3315 {
3316 int pos = skb_headlen(skb);
3317
3318 skb_shinfo(skb1)->tx_flags |= skb_shinfo(skb)->tx_flags &
3319 SKBTX_SHARED_FRAG;
3320 skb_zerocopy_clone(skb1, skb, 0);
3321 if (len < pos) /* Split line is inside header. */
3322 skb_split_inside_header(skb, skb1, len, pos);
3323 else /* Second chunk has no header, nothing to copy. */
3324 skb_split_no_header(skb, skb1, len, pos);
3325 }
3326 EXPORT_SYMBOL(skb_split);
3327
3328 /* Shifting from/to a cloned skb is a no-go.
3329 *
3330 * Caller cannot keep skb_shinfo related pointers past calling here!
3331 */
skb_prepare_for_shift(struct sk_buff * skb)3332 static int skb_prepare_for_shift(struct sk_buff *skb)
3333 {
3334 int ret = 0;
3335
3336 if (skb_cloned(skb)) {
3337 /* Save and restore truesize: pskb_expand_head() may reallocate
3338 * memory where ksize(kmalloc(S)) != ksize(kmalloc(S)), but we
3339 * cannot change truesize at this point.
3340 */
3341 unsigned int save_truesize = skb->truesize;
3342
3343 ret = pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
3344 skb->truesize = save_truesize;
3345 }
3346 return ret;
3347 }
3348
3349 /**
3350 * skb_shift - Shifts paged data partially from skb to another
3351 * @tgt: buffer into which tail data gets added
3352 * @skb: buffer from which the paged data comes from
3353 * @shiftlen: shift up to this many bytes
3354 *
3355 * Attempts to shift up to shiftlen worth of bytes, which may be less than
3356 * the length of the skb, from skb to tgt. Returns number bytes shifted.
3357 * It's up to caller to free skb if everything was shifted.
3358 *
3359 * If @tgt runs out of frags, the whole operation is aborted.
3360 *
3361 * Skb cannot include anything else but paged data while tgt is allowed
3362 * to have non-paged data as well.
3363 *
3364 * TODO: full sized shift could be optimized but that would need
3365 * specialized skb free'er to handle frags without up-to-date nr_frags.
3366 */
skb_shift(struct sk_buff * tgt,struct sk_buff * skb,int shiftlen)3367 int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen)
3368 {
3369 int from, to, merge, todo;
3370 skb_frag_t *fragfrom, *fragto;
3371
3372 BUG_ON(shiftlen > skb->len);
3373
3374 if (skb_headlen(skb))
3375 return 0;
3376 if (skb_zcopy(tgt) || skb_zcopy(skb))
3377 return 0;
3378
3379 todo = shiftlen;
3380 from = 0;
3381 to = skb_shinfo(tgt)->nr_frags;
3382 fragfrom = &skb_shinfo(skb)->frags[from];
3383
3384 /* Actual merge is delayed until the point when we know we can
3385 * commit all, so that we don't have to undo partial changes
3386 */
3387 if (!to ||
3388 !skb_can_coalesce(tgt, to, skb_frag_page(fragfrom),
3389 skb_frag_off(fragfrom))) {
3390 merge = -1;
3391 } else {
3392 merge = to - 1;
3393
3394 todo -= skb_frag_size(fragfrom);
3395 if (todo < 0) {
3396 if (skb_prepare_for_shift(skb) ||
3397 skb_prepare_for_shift(tgt))
3398 return 0;
3399
3400 /* All previous frag pointers might be stale! */
3401 fragfrom = &skb_shinfo(skb)->frags[from];
3402 fragto = &skb_shinfo(tgt)->frags[merge];
3403
3404 skb_frag_size_add(fragto, shiftlen);
3405 skb_frag_size_sub(fragfrom, shiftlen);
3406 skb_frag_off_add(fragfrom, shiftlen);
3407
3408 goto onlymerged;
3409 }
3410
3411 from++;
3412 }
3413
3414 /* Skip full, not-fitting skb to avoid expensive operations */
3415 if ((shiftlen == skb->len) &&
3416 (skb_shinfo(skb)->nr_frags - from) > (MAX_SKB_FRAGS - to))
3417 return 0;
3418
3419 if (skb_prepare_for_shift(skb) || skb_prepare_for_shift(tgt))
3420 return 0;
3421
3422 while ((todo > 0) && (from < skb_shinfo(skb)->nr_frags)) {
3423 if (to == MAX_SKB_FRAGS)
3424 return 0;
3425
3426 fragfrom = &skb_shinfo(skb)->frags[from];
3427 fragto = &skb_shinfo(tgt)->frags[to];
3428
3429 if (todo >= skb_frag_size(fragfrom)) {
3430 *fragto = *fragfrom;
3431 todo -= skb_frag_size(fragfrom);
3432 from++;
3433 to++;
3434
3435 } else {
3436 __skb_frag_ref(fragfrom);
3437 skb_frag_page_copy(fragto, fragfrom);
3438 skb_frag_off_copy(fragto, fragfrom);
3439 skb_frag_size_set(fragto, todo);
3440
3441 skb_frag_off_add(fragfrom, todo);
3442 skb_frag_size_sub(fragfrom, todo);
3443 todo = 0;
3444
3445 to++;
3446 break;
3447 }
3448 }
3449
3450 /* Ready to "commit" this state change to tgt */
3451 skb_shinfo(tgt)->nr_frags = to;
3452
3453 if (merge >= 0) {
3454 fragfrom = &skb_shinfo(skb)->frags[0];
3455 fragto = &skb_shinfo(tgt)->frags[merge];
3456
3457 skb_frag_size_add(fragto, skb_frag_size(fragfrom));
3458 __skb_frag_unref(fragfrom);
3459 }
3460
3461 /* Reposition in the original skb */
3462 to = 0;
3463 while (from < skb_shinfo(skb)->nr_frags)
3464 skb_shinfo(skb)->frags[to++] = skb_shinfo(skb)->frags[from++];
3465 skb_shinfo(skb)->nr_frags = to;
3466
3467 BUG_ON(todo > 0 && !skb_shinfo(skb)->nr_frags);
3468
3469 onlymerged:
3470 /* Most likely the tgt won't ever need its checksum anymore, skb on
3471 * the other hand might need it if it needs to be resent
3472 */
3473 tgt->ip_summed = CHECKSUM_PARTIAL;
3474 skb->ip_summed = CHECKSUM_PARTIAL;
3475
3476 /* Yak, is it really working this way? Some helper please? */
3477 skb->len -= shiftlen;
3478 skb->data_len -= shiftlen;
3479 skb->truesize -= shiftlen;
3480 tgt->len += shiftlen;
3481 tgt->data_len += shiftlen;
3482 tgt->truesize += shiftlen;
3483
3484 return shiftlen;
3485 }
3486
3487 /**
3488 * skb_prepare_seq_read - Prepare a sequential read of skb data
3489 * @skb: the buffer to read
3490 * @from: lower offset of data to be read
3491 * @to: upper offset of data to be read
3492 * @st: state variable
3493 *
3494 * Initializes the specified state variable. Must be called before
3495 * invoking skb_seq_read() for the first time.
3496 */
skb_prepare_seq_read(struct sk_buff * skb,unsigned int from,unsigned int to,struct skb_seq_state * st)3497 void skb_prepare_seq_read(struct sk_buff *skb, unsigned int from,
3498 unsigned int to, struct skb_seq_state *st)
3499 {
3500 st->lower_offset = from;
3501 st->upper_offset = to;
3502 st->root_skb = st->cur_skb = skb;
3503 st->frag_idx = st->stepped_offset = 0;
3504 st->frag_data = NULL;
3505 }
3506 EXPORT_SYMBOL(skb_prepare_seq_read);
3507
3508 /**
3509 * skb_seq_read - Sequentially read skb data
3510 * @consumed: number of bytes consumed by the caller so far
3511 * @data: destination pointer for data to be returned
3512 * @st: state variable
3513 *
3514 * Reads a block of skb data at @consumed relative to the
3515 * lower offset specified to skb_prepare_seq_read(). Assigns
3516 * the head of the data block to @data and returns the length
3517 * of the block or 0 if the end of the skb data or the upper
3518 * offset has been reached.
3519 *
3520 * The caller is not required to consume all of the data
3521 * returned, i.e. @consumed is typically set to the number
3522 * of bytes already consumed and the next call to
3523 * skb_seq_read() will return the remaining part of the block.
3524 *
3525 * Note 1: The size of each block of data returned can be arbitrary,
3526 * this limitation is the cost for zerocopy sequential
3527 * reads of potentially non linear data.
3528 *
3529 * Note 2: Fragment lists within fragments are not implemented
3530 * at the moment, state->root_skb could be replaced with
3531 * a stack for this purpose.
3532 */
skb_seq_read(unsigned int consumed,const u8 ** data,struct skb_seq_state * st)3533 unsigned int skb_seq_read(unsigned int consumed, const u8 **data,
3534 struct skb_seq_state *st)
3535 {
3536 unsigned int block_limit, abs_offset = consumed + st->lower_offset;
3537 skb_frag_t *frag;
3538
3539 if (unlikely(abs_offset >= st->upper_offset)) {
3540 if (st->frag_data) {
3541 kunmap_atomic(st->frag_data);
3542 st->frag_data = NULL;
3543 }
3544 return 0;
3545 }
3546
3547 next_skb:
3548 block_limit = skb_headlen(st->cur_skb) + st->stepped_offset;
3549
3550 if (abs_offset < block_limit && !st->frag_data) {
3551 *data = st->cur_skb->data + (abs_offset - st->stepped_offset);
3552 return block_limit - abs_offset;
3553 }
3554
3555 if (st->frag_idx == 0 && !st->frag_data)
3556 st->stepped_offset += skb_headlen(st->cur_skb);
3557
3558 while (st->frag_idx < skb_shinfo(st->cur_skb)->nr_frags) {
3559 frag = &skb_shinfo(st->cur_skb)->frags[st->frag_idx];
3560 block_limit = skb_frag_size(frag) + st->stepped_offset;
3561
3562 if (abs_offset < block_limit) {
3563 if (!st->frag_data)
3564 st->frag_data = kmap_atomic(skb_frag_page(frag));
3565
3566 *data = (u8 *) st->frag_data + skb_frag_off(frag) +
3567 (abs_offset - st->stepped_offset);
3568
3569 return block_limit - abs_offset;
3570 }
3571
3572 if (st->frag_data) {
3573 kunmap_atomic(st->frag_data);
3574 st->frag_data = NULL;
3575 }
3576
3577 st->frag_idx++;
3578 st->stepped_offset += skb_frag_size(frag);
3579 }
3580
3581 if (st->frag_data) {
3582 kunmap_atomic(st->frag_data);
3583 st->frag_data = NULL;
3584 }
3585
3586 if (st->root_skb == st->cur_skb && skb_has_frag_list(st->root_skb)) {
3587 st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
3588 st->frag_idx = 0;
3589 goto next_skb;
3590 } else if (st->cur_skb->next) {
3591 st->cur_skb = st->cur_skb->next;
3592 st->frag_idx = 0;
3593 goto next_skb;
3594 }
3595
3596 return 0;
3597 }
3598 EXPORT_SYMBOL(skb_seq_read);
3599
3600 /**
3601 * skb_abort_seq_read - Abort a sequential read of skb data
3602 * @st: state variable
3603 *
3604 * Must be called if skb_seq_read() was not called until it
3605 * returned 0.
3606 */
skb_abort_seq_read(struct skb_seq_state * st)3607 void skb_abort_seq_read(struct skb_seq_state *st)
3608 {
3609 if (st->frag_data)
3610 kunmap_atomic(st->frag_data);
3611 }
3612 EXPORT_SYMBOL(skb_abort_seq_read);
3613
3614 #define TS_SKB_CB(state) ((struct skb_seq_state *) &((state)->cb))
3615
skb_ts_get_next_block(unsigned int offset,const u8 ** text,struct ts_config * conf,struct ts_state * state)3616 static unsigned int skb_ts_get_next_block(unsigned int offset, const u8 **text,
3617 struct ts_config *conf,
3618 struct ts_state *state)
3619 {
3620 return skb_seq_read(offset, text, TS_SKB_CB(state));
3621 }
3622
skb_ts_finish(struct ts_config * conf,struct ts_state * state)3623 static void skb_ts_finish(struct ts_config *conf, struct ts_state *state)
3624 {
3625 skb_abort_seq_read(TS_SKB_CB(state));
3626 }
3627
3628 /**
3629 * skb_find_text - Find a text pattern in skb data
3630 * @skb: the buffer to look in
3631 * @from: search offset
3632 * @to: search limit
3633 * @config: textsearch configuration
3634 *
3635 * Finds a pattern in the skb data according to the specified
3636 * textsearch configuration. Use textsearch_next() to retrieve
3637 * subsequent occurrences of the pattern. Returns the offset
3638 * to the first occurrence or UINT_MAX if no match was found.
3639 */
skb_find_text(struct sk_buff * skb,unsigned int from,unsigned int to,struct ts_config * config)3640 unsigned int skb_find_text(struct sk_buff *skb, unsigned int from,
3641 unsigned int to, struct ts_config *config)
3642 {
3643 struct ts_state state;
3644 unsigned int ret;
3645
3646 config->get_next_block = skb_ts_get_next_block;
3647 config->finish = skb_ts_finish;
3648
3649 skb_prepare_seq_read(skb, from, to, TS_SKB_CB(&state));
3650
3651 ret = textsearch_find(config, &state);
3652 return (ret <= to - from ? ret : UINT_MAX);
3653 }
3654 EXPORT_SYMBOL(skb_find_text);
3655
skb_append_pagefrags(struct sk_buff * skb,struct page * page,int offset,size_t size)3656 int skb_append_pagefrags(struct sk_buff *skb, struct page *page,
3657 int offset, size_t size)
3658 {
3659 int i = skb_shinfo(skb)->nr_frags;
3660
3661 if (skb_can_coalesce(skb, i, page, offset)) {
3662 skb_frag_size_add(&skb_shinfo(skb)->frags[i - 1], size);
3663 } else if (i < MAX_SKB_FRAGS) {
3664 get_page(page);
3665 skb_fill_page_desc(skb, i, page, offset, size);
3666 } else {
3667 return -EMSGSIZE;
3668 }
3669
3670 return 0;
3671 }
3672 EXPORT_SYMBOL_GPL(skb_append_pagefrags);
3673
3674 /**
3675 * skb_pull_rcsum - pull skb and update receive checksum
3676 * @skb: buffer to update
3677 * @len: length of data pulled
3678 *
3679 * This function performs an skb_pull on the packet and updates
3680 * the CHECKSUM_COMPLETE checksum. It should be used on
3681 * receive path processing instead of skb_pull unless you know
3682 * that the checksum difference is zero (e.g., a valid IP header)
3683 * or you are setting ip_summed to CHECKSUM_NONE.
3684 */
skb_pull_rcsum(struct sk_buff * skb,unsigned int len)3685 void *skb_pull_rcsum(struct sk_buff *skb, unsigned int len)
3686 {
3687 unsigned char *data = skb->data;
3688
3689 BUG_ON(len > skb->len);
3690 __skb_pull(skb, len);
3691 skb_postpull_rcsum(skb, data, len);
3692 return skb->data;
3693 }
3694 EXPORT_SYMBOL_GPL(skb_pull_rcsum);
3695
skb_head_frag_to_page_desc(struct sk_buff * frag_skb)3696 static inline skb_frag_t skb_head_frag_to_page_desc(struct sk_buff *frag_skb)
3697 {
3698 skb_frag_t head_frag;
3699 struct page *page;
3700
3701 page = virt_to_head_page(frag_skb->head);
3702 __skb_frag_set_page(&head_frag, page);
3703 skb_frag_off_set(&head_frag, frag_skb->data -
3704 (unsigned char *)page_address(page));
3705 skb_frag_size_set(&head_frag, skb_headlen(frag_skb));
3706 return head_frag;
3707 }
3708
skb_segment_list(struct sk_buff * skb,netdev_features_t features,unsigned int offset)3709 struct sk_buff *skb_segment_list(struct sk_buff *skb,
3710 netdev_features_t features,
3711 unsigned int offset)
3712 {
3713 struct sk_buff *list_skb = skb_shinfo(skb)->frag_list;
3714 unsigned int tnl_hlen = skb_tnl_header_len(skb);
3715 unsigned int delta_truesize = 0;
3716 unsigned int delta_len = 0;
3717 struct sk_buff *tail = NULL;
3718 struct sk_buff *nskb, *tmp;
3719 int err;
3720
3721 skb_push(skb, -skb_network_offset(skb) + offset);
3722
3723 /* Ensure the head is writeable before touching the shared info */
3724 err = skb_unclone(skb, GFP_ATOMIC);
3725 if (err)
3726 goto err_linearize;
3727
3728 skb_shinfo(skb)->frag_list = NULL;
3729
3730 while (list_skb) {
3731 nskb = list_skb;
3732 list_skb = list_skb->next;
3733
3734 err = 0;
3735 delta_truesize += nskb->truesize;
3736 if (skb_shared(nskb)) {
3737 tmp = skb_clone(nskb, GFP_ATOMIC);
3738 if (tmp) {
3739 consume_skb(nskb);
3740 nskb = tmp;
3741 err = skb_unclone(nskb, GFP_ATOMIC);
3742 } else {
3743 err = -ENOMEM;
3744 }
3745 }
3746
3747 if (!tail)
3748 skb->next = nskb;
3749 else
3750 tail->next = nskb;
3751
3752 if (unlikely(err)) {
3753 nskb->next = list_skb;
3754 goto err_linearize;
3755 }
3756
3757 tail = nskb;
3758
3759 delta_len += nskb->len;
3760
3761 skb_push(nskb, -skb_network_offset(nskb) + offset);
3762
3763 skb_release_head_state(nskb);
3764 __copy_skb_header(nskb, skb);
3765
3766 skb_headers_offset_update(nskb, skb_headroom(nskb) - skb_headroom(skb));
3767 skb_copy_from_linear_data_offset(skb, -tnl_hlen,
3768 nskb->data - tnl_hlen,
3769 offset + tnl_hlen);
3770
3771 if (skb_needs_linearize(nskb, features) &&
3772 __skb_linearize(nskb))
3773 goto err_linearize;
3774 }
3775
3776 skb->truesize = skb->truesize - delta_truesize;
3777 skb->data_len = skb->data_len - delta_len;
3778 skb->len = skb->len - delta_len;
3779
3780 skb_gso_reset(skb);
3781
3782 skb->prev = tail;
3783
3784 if (skb_needs_linearize(skb, features) &&
3785 __skb_linearize(skb))
3786 goto err_linearize;
3787
3788 skb_get(skb);
3789
3790 return skb;
3791
3792 err_linearize:
3793 kfree_skb_list(skb->next);
3794 skb->next = NULL;
3795 return ERR_PTR(-ENOMEM);
3796 }
3797 EXPORT_SYMBOL_GPL(skb_segment_list);
3798
skb_gro_receive_list(struct sk_buff * p,struct sk_buff * skb)3799 int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb)
3800 {
3801 if (unlikely(p->len + skb->len >= 65536))
3802 return -E2BIG;
3803
3804 if (NAPI_GRO_CB(p)->last == p)
3805 skb_shinfo(p)->frag_list = skb;
3806 else
3807 NAPI_GRO_CB(p)->last->next = skb;
3808
3809 skb_pull(skb, skb_gro_offset(skb));
3810
3811 NAPI_GRO_CB(p)->last = skb;
3812 NAPI_GRO_CB(p)->count++;
3813 p->data_len += skb->len;
3814 p->truesize += skb->truesize;
3815 p->len += skb->len;
3816
3817 NAPI_GRO_CB(skb)->same_flow = 1;
3818
3819 return 0;
3820 }
3821
3822 /**
3823 * skb_segment - Perform protocol segmentation on skb.
3824 * @head_skb: buffer to segment
3825 * @features: features for the output path (see dev->features)
3826 *
3827 * This function performs segmentation on the given skb. It returns
3828 * a pointer to the first in a list of new skbs for the segments.
3829 * In case of error it returns ERR_PTR(err).
3830 */
skb_segment(struct sk_buff * head_skb,netdev_features_t features)3831 struct sk_buff *skb_segment(struct sk_buff *head_skb,
3832 netdev_features_t features)
3833 {
3834 struct sk_buff *segs = NULL;
3835 struct sk_buff *tail = NULL;
3836 struct sk_buff *list_skb = skb_shinfo(head_skb)->frag_list;
3837 unsigned int mss = skb_shinfo(head_skb)->gso_size;
3838 unsigned int doffset = head_skb->data - skb_mac_header(head_skb);
3839 unsigned int offset = doffset;
3840 unsigned int tnl_hlen = skb_tnl_header_len(head_skb);
3841 unsigned int partial_segs = 0;
3842 unsigned int headroom;
3843 unsigned int len = head_skb->len;
3844 struct sk_buff *frag_skb;
3845 skb_frag_t *frag;
3846 __be16 proto;
3847 bool csum, sg;
3848 int err = -ENOMEM;
3849 int i = 0;
3850 int nfrags, pos;
3851
3852 if ((skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY) &&
3853 mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) {
3854 struct sk_buff *check_skb;
3855
3856 for (check_skb = list_skb; check_skb; check_skb = check_skb->next) {
3857 if (skb_headlen(check_skb) && !check_skb->head_frag) {
3858 /* gso_size is untrusted, and we have a frag_list with
3859 * a linear non head_frag item.
3860 *
3861 * If head_skb's headlen does not fit requested gso_size,
3862 * it means that the frag_list members do NOT terminate
3863 * on exact gso_size boundaries. Hence we cannot perform
3864 * skb_frag_t page sharing. Therefore we must fallback to
3865 * copying the frag_list skbs; we do so by disabling SG.
3866 */
3867 features &= ~NETIF_F_SG;
3868 break;
3869 }
3870 }
3871 }
3872
3873 __skb_push(head_skb, doffset);
3874 proto = skb_network_protocol(head_skb, NULL);
3875 if (unlikely(!proto))
3876 return ERR_PTR(-EINVAL);
3877
3878 sg = !!(features & NETIF_F_SG);
3879 csum = !!can_checksum_protocol(features, proto);
3880
3881 if (sg && csum && (mss != GSO_BY_FRAGS)) {
3882 if (!(features & NETIF_F_GSO_PARTIAL)) {
3883 struct sk_buff *iter;
3884 unsigned int frag_len;
3885
3886 if (!list_skb ||
3887 !net_gso_ok(features, skb_shinfo(head_skb)->gso_type))
3888 goto normal;
3889
3890 /* If we get here then all the required
3891 * GSO features except frag_list are supported.
3892 * Try to split the SKB to multiple GSO SKBs
3893 * with no frag_list.
3894 * Currently we can do that only when the buffers don't
3895 * have a linear part and all the buffers except
3896 * the last are of the same length.
3897 */
3898 frag_len = list_skb->len;
3899 skb_walk_frags(head_skb, iter) {
3900 if (frag_len != iter->len && iter->next)
3901 goto normal;
3902 if (skb_headlen(iter) && !iter->head_frag)
3903 goto normal;
3904
3905 len -= iter->len;
3906 }
3907
3908 if (len != frag_len)
3909 goto normal;
3910 }
3911
3912 /* GSO partial only requires that we trim off any excess that
3913 * doesn't fit into an MSS sized block, so take care of that
3914 * now.
3915 * Cap len to not accidentally hit GSO_BY_FRAGS.
3916 */
3917 partial_segs = min(len, GSO_BY_FRAGS - 1U) / mss;
3918 if (partial_segs > 1)
3919 mss *= partial_segs;
3920 else
3921 partial_segs = 0;
3922 }
3923
3924 normal:
3925 headroom = skb_headroom(head_skb);
3926 pos = skb_headlen(head_skb);
3927
3928 if (skb_orphan_frags(head_skb, GFP_ATOMIC))
3929 return ERR_PTR(-ENOMEM);
3930
3931 nfrags = skb_shinfo(head_skb)->nr_frags;
3932 frag = skb_shinfo(head_skb)->frags;
3933 frag_skb = head_skb;
3934
3935 do {
3936 struct sk_buff *nskb;
3937 skb_frag_t *nskb_frag;
3938 int hsize;
3939 int size;
3940
3941 if (unlikely(mss == GSO_BY_FRAGS)) {
3942 len = list_skb->len;
3943 } else {
3944 len = head_skb->len - offset;
3945 if (len > mss)
3946 len = mss;
3947 }
3948
3949 hsize = skb_headlen(head_skb) - offset;
3950 if (hsize < 0)
3951 hsize = 0;
3952 if (hsize > len || !sg)
3953 hsize = len;
3954
3955 if (!hsize && i >= nfrags && skb_headlen(list_skb) &&
3956 (skb_headlen(list_skb) == len || sg)) {
3957 BUG_ON(skb_headlen(list_skb) > len);
3958
3959 nskb = skb_clone(list_skb, GFP_ATOMIC);
3960 if (unlikely(!nskb))
3961 goto err;
3962
3963 i = 0;
3964 nfrags = skb_shinfo(list_skb)->nr_frags;
3965 frag = skb_shinfo(list_skb)->frags;
3966 frag_skb = list_skb;
3967 pos += skb_headlen(list_skb);
3968
3969 while (pos < offset + len) {
3970 BUG_ON(i >= nfrags);
3971
3972 size = skb_frag_size(frag);
3973 if (pos + size > offset + len)
3974 break;
3975
3976 i++;
3977 pos += size;
3978 frag++;
3979 }
3980
3981 list_skb = list_skb->next;
3982
3983 if (unlikely(pskb_trim(nskb, len))) {
3984 kfree_skb(nskb);
3985 goto err;
3986 }
3987
3988 hsize = skb_end_offset(nskb);
3989 if (skb_cow_head(nskb, doffset + headroom)) {
3990 kfree_skb(nskb);
3991 goto err;
3992 }
3993
3994 nskb->truesize += skb_end_offset(nskb) - hsize;
3995 skb_release_head_state(nskb);
3996 __skb_push(nskb, doffset);
3997 } else {
3998 nskb = __alloc_skb(hsize + doffset + headroom,
3999 GFP_ATOMIC, skb_alloc_rx_flag(head_skb),
4000 NUMA_NO_NODE);
4001
4002 if (unlikely(!nskb))
4003 goto err;
4004
4005 skb_reserve(nskb, headroom);
4006 __skb_put(nskb, doffset);
4007 }
4008
4009 if (segs)
4010 tail->next = nskb;
4011 else
4012 segs = nskb;
4013 tail = nskb;
4014
4015 __copy_skb_header(nskb, head_skb);
4016
4017 skb_headers_offset_update(nskb, skb_headroom(nskb) - headroom);
4018 skb_reset_mac_len(nskb);
4019
4020 skb_copy_from_linear_data_offset(head_skb, -tnl_hlen,
4021 nskb->data - tnl_hlen,
4022 doffset + tnl_hlen);
4023
4024 if (nskb->len == len + doffset)
4025 goto perform_csum_check;
4026
4027 if (!sg) {
4028 if (!csum) {
4029 if (!nskb->remcsum_offload)
4030 nskb->ip_summed = CHECKSUM_NONE;
4031 SKB_GSO_CB(nskb)->csum =
4032 skb_copy_and_csum_bits(head_skb, offset,
4033 skb_put(nskb,
4034 len),
4035 len);
4036 SKB_GSO_CB(nskb)->csum_start =
4037 skb_headroom(nskb) + doffset;
4038 } else {
4039 if (skb_copy_bits(head_skb, offset, skb_put(nskb, len), len))
4040 goto err;
4041 }
4042 continue;
4043 }
4044
4045 nskb_frag = skb_shinfo(nskb)->frags;
4046
4047 skb_copy_from_linear_data_offset(head_skb, offset,
4048 skb_put(nskb, hsize), hsize);
4049
4050 skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
4051 SKBTX_SHARED_FRAG;
4052
4053 if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
4054 goto err;
4055
4056 while (pos < offset + len) {
4057 if (i >= nfrags) {
4058 if (skb_orphan_frags(list_skb, GFP_ATOMIC) ||
4059 skb_zerocopy_clone(nskb, list_skb,
4060 GFP_ATOMIC))
4061 goto err;
4062
4063 i = 0;
4064 nfrags = skb_shinfo(list_skb)->nr_frags;
4065 frag = skb_shinfo(list_skb)->frags;
4066 frag_skb = list_skb;
4067 if (!skb_headlen(list_skb)) {
4068 BUG_ON(!nfrags);
4069 } else {
4070 BUG_ON(!list_skb->head_frag);
4071
4072 /* to make room for head_frag. */
4073 i--;
4074 frag--;
4075 }
4076
4077 list_skb = list_skb->next;
4078 }
4079
4080 if (unlikely(skb_shinfo(nskb)->nr_frags >=
4081 MAX_SKB_FRAGS)) {
4082 net_warn_ratelimited(
4083 "skb_segment: too many frags: %u %u\n",
4084 pos, mss);
4085 err = -EINVAL;
4086 goto err;
4087 }
4088
4089 *nskb_frag = (i < 0) ? skb_head_frag_to_page_desc(frag_skb) : *frag;
4090 __skb_frag_ref(nskb_frag);
4091 size = skb_frag_size(nskb_frag);
4092
4093 if (pos < offset) {
4094 skb_frag_off_add(nskb_frag, offset - pos);
4095 skb_frag_size_sub(nskb_frag, offset - pos);
4096 }
4097
4098 skb_shinfo(nskb)->nr_frags++;
4099
4100 if (pos + size <= offset + len) {
4101 i++;
4102 frag++;
4103 pos += size;
4104 } else {
4105 skb_frag_size_sub(nskb_frag, pos + size - (offset + len));
4106 goto skip_fraglist;
4107 }
4108
4109 nskb_frag++;
4110 }
4111
4112 skip_fraglist:
4113 nskb->data_len = len - hsize;
4114 nskb->len += nskb->data_len;
4115 nskb->truesize += nskb->data_len;
4116
4117 perform_csum_check:
4118 if (!csum) {
4119 if (skb_has_shared_frag(nskb) &&
4120 __skb_linearize(nskb))
4121 goto err;
4122
4123 if (!nskb->remcsum_offload)
4124 nskb->ip_summed = CHECKSUM_NONE;
4125 SKB_GSO_CB(nskb)->csum =
4126 skb_checksum(nskb, doffset,
4127 nskb->len - doffset, 0);
4128 SKB_GSO_CB(nskb)->csum_start =
4129 skb_headroom(nskb) + doffset;
4130 }
4131 } while ((offset += len) < head_skb->len);
4132
4133 /* Some callers want to get the end of the list.
4134 * Put it in segs->prev to avoid walking the list.
4135 * (see validate_xmit_skb_list() for example)
4136 */
4137 segs->prev = tail;
4138
4139 if (partial_segs) {
4140 struct sk_buff *iter;
4141 int type = skb_shinfo(head_skb)->gso_type;
4142 unsigned short gso_size = skb_shinfo(head_skb)->gso_size;
4143
4144 /* Update type to add partial and then remove dodgy if set */
4145 type |= (features & NETIF_F_GSO_PARTIAL) / NETIF_F_GSO_PARTIAL * SKB_GSO_PARTIAL;
4146 type &= ~SKB_GSO_DODGY;
4147
4148 /* Update GSO info and prepare to start updating headers on
4149 * our way back down the stack of protocols.
4150 */
4151 for (iter = segs; iter; iter = iter->next) {
4152 skb_shinfo(iter)->gso_size = gso_size;
4153 skb_shinfo(iter)->gso_segs = partial_segs;
4154 skb_shinfo(iter)->gso_type = type;
4155 SKB_GSO_CB(iter)->data_offset = skb_headroom(iter) + doffset;
4156 }
4157
4158 if (tail->len - doffset <= gso_size)
4159 skb_shinfo(tail)->gso_size = 0;
4160 else if (tail != segs)
4161 skb_shinfo(tail)->gso_segs = DIV_ROUND_UP(tail->len - doffset, gso_size);
4162 }
4163
4164 /* Following permits correct backpressure, for protocols
4165 * using skb_set_owner_w().
4166 * Idea is to tranfert ownership from head_skb to last segment.
4167 */
4168 if (head_skb->destructor == sock_wfree) {
4169 swap(tail->truesize, head_skb->truesize);
4170 swap(tail->destructor, head_skb->destructor);
4171 swap(tail->sk, head_skb->sk);
4172 }
4173 return segs;
4174
4175 err:
4176 kfree_skb_list(segs);
4177 return ERR_PTR(err);
4178 }
4179 EXPORT_SYMBOL_GPL(skb_segment);
4180
skb_gro_receive(struct sk_buff * p,struct sk_buff * skb)4181 int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
4182 {
4183 struct skb_shared_info *pinfo, *skbinfo = skb_shinfo(skb);
4184 unsigned int offset = skb_gro_offset(skb);
4185 unsigned int headlen = skb_headlen(skb);
4186 unsigned int len = skb_gro_len(skb);
4187 unsigned int delta_truesize;
4188 struct sk_buff *lp;
4189
4190 if (unlikely(p->len + len >= 65536 || NAPI_GRO_CB(skb)->flush))
4191 return -E2BIG;
4192
4193 lp = NAPI_GRO_CB(p)->last;
4194 pinfo = skb_shinfo(lp);
4195
4196 if (headlen <= offset) {
4197 skb_frag_t *frag;
4198 skb_frag_t *frag2;
4199 int i = skbinfo->nr_frags;
4200 int nr_frags = pinfo->nr_frags + i;
4201
4202 if (nr_frags > MAX_SKB_FRAGS)
4203 goto merge;
4204
4205 offset -= headlen;
4206 pinfo->nr_frags = nr_frags;
4207 skbinfo->nr_frags = 0;
4208
4209 frag = pinfo->frags + nr_frags;
4210 frag2 = skbinfo->frags + i;
4211 do {
4212 *--frag = *--frag2;
4213 } while (--i);
4214
4215 skb_frag_off_add(frag, offset);
4216 skb_frag_size_sub(frag, offset);
4217
4218 /* all fragments truesize : remove (head size + sk_buff) */
4219 delta_truesize = skb->truesize -
4220 SKB_TRUESIZE(skb_end_offset(skb));
4221
4222 skb->truesize -= skb->data_len;
4223 skb->len -= skb->data_len;
4224 skb->data_len = 0;
4225
4226 NAPI_GRO_CB(skb)->free = NAPI_GRO_FREE;
4227 goto done;
4228 } else if (skb->head_frag) {
4229 int nr_frags = pinfo->nr_frags;
4230 skb_frag_t *frag = pinfo->frags + nr_frags;
4231 struct page *page = virt_to_head_page(skb->head);
4232 unsigned int first_size = headlen - offset;
4233 unsigned int first_offset;
4234
4235 if (nr_frags + 1 + skbinfo->nr_frags > MAX_SKB_FRAGS)
4236 goto merge;
4237
4238 first_offset = skb->data -
4239 (unsigned char *)page_address(page) +
4240 offset;
4241
4242 pinfo->nr_frags = nr_frags + 1 + skbinfo->nr_frags;
4243
4244 __skb_frag_set_page(frag, page);
4245 skb_frag_off_set(frag, first_offset);
4246 skb_frag_size_set(frag, first_size);
4247
4248 memcpy(frag + 1, skbinfo->frags, sizeof(*frag) * skbinfo->nr_frags);
4249 /* We dont need to clear skbinfo->nr_frags here */
4250
4251 delta_truesize = skb->truesize - SKB_DATA_ALIGN(sizeof(struct sk_buff));
4252 NAPI_GRO_CB(skb)->free = NAPI_GRO_FREE_STOLEN_HEAD;
4253 goto done;
4254 }
4255
4256 merge:
4257 delta_truesize = skb->truesize;
4258 if (offset > headlen) {
4259 unsigned int eat = offset - headlen;
4260
4261 skb_frag_off_add(&skbinfo->frags[0], eat);
4262 skb_frag_size_sub(&skbinfo->frags[0], eat);
4263 skb->data_len -= eat;
4264 skb->len -= eat;
4265 offset = headlen;
4266 }
4267
4268 __skb_pull(skb, offset);
4269
4270 if (NAPI_GRO_CB(p)->last == p)
4271 skb_shinfo(p)->frag_list = skb;
4272 else
4273 NAPI_GRO_CB(p)->last->next = skb;
4274 NAPI_GRO_CB(p)->last = skb;
4275 __skb_header_release(skb);
4276 lp = p;
4277
4278 done:
4279 NAPI_GRO_CB(p)->count++;
4280 p->data_len += len;
4281 p->truesize += delta_truesize;
4282 p->len += len;
4283 if (lp != p) {
4284 lp->data_len += len;
4285 lp->truesize += delta_truesize;
4286 lp->len += len;
4287 }
4288 NAPI_GRO_CB(skb)->same_flow = 1;
4289 return 0;
4290 }
4291
4292 #ifdef CONFIG_SKB_EXTENSIONS
4293 #define SKB_EXT_ALIGN_VALUE 8
4294 #define SKB_EXT_CHUNKSIZEOF(x) (ALIGN((sizeof(x)), SKB_EXT_ALIGN_VALUE) / SKB_EXT_ALIGN_VALUE)
4295
4296 static const u8 skb_ext_type_len[] = {
4297 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
4298 [SKB_EXT_BRIDGE_NF] = SKB_EXT_CHUNKSIZEOF(struct nf_bridge_info),
4299 #endif
4300 #ifdef CONFIG_XFRM
4301 [SKB_EXT_SEC_PATH] = SKB_EXT_CHUNKSIZEOF(struct sec_path),
4302 #endif
4303 #if IS_ENABLED(CONFIG_NET_TC_SKB_EXT)
4304 [TC_SKB_EXT] = SKB_EXT_CHUNKSIZEOF(struct tc_skb_ext),
4305 #endif
4306 #if IS_ENABLED(CONFIG_MPTCP)
4307 [SKB_EXT_MPTCP] = SKB_EXT_CHUNKSIZEOF(struct mptcp_ext),
4308 #endif
4309 };
4310
skb_ext_total_length(void)4311 static __always_inline unsigned int skb_ext_total_length(void)
4312 {
4313 return SKB_EXT_CHUNKSIZEOF(struct skb_ext) +
4314 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
4315 skb_ext_type_len[SKB_EXT_BRIDGE_NF] +
4316 #endif
4317 #ifdef CONFIG_XFRM
4318 skb_ext_type_len[SKB_EXT_SEC_PATH] +
4319 #endif
4320 #if IS_ENABLED(CONFIG_NET_TC_SKB_EXT)
4321 skb_ext_type_len[TC_SKB_EXT] +
4322 #endif
4323 #if IS_ENABLED(CONFIG_MPTCP)
4324 skb_ext_type_len[SKB_EXT_MPTCP] +
4325 #endif
4326 0;
4327 }
4328
skb_extensions_init(void)4329 static void skb_extensions_init(void)
4330 {
4331 BUILD_BUG_ON(SKB_EXT_NUM >= 8);
4332 BUILD_BUG_ON(skb_ext_total_length() > 255);
4333
4334 skbuff_ext_cache = kmem_cache_create("skbuff_ext_cache",
4335 SKB_EXT_ALIGN_VALUE * skb_ext_total_length(),
4336 0,
4337 SLAB_HWCACHE_ALIGN|SLAB_PANIC,
4338 NULL);
4339 }
4340 #else
skb_extensions_init(void)4341 static void skb_extensions_init(void) {}
4342 #endif
4343
skb_init(void)4344 void __init skb_init(void)
4345 {
4346 skbuff_head_cache = kmem_cache_create_usercopy("skbuff_head_cache",
4347 sizeof(struct sk_buff),
4348 0,
4349 SLAB_HWCACHE_ALIGN|SLAB_PANIC,
4350 offsetof(struct sk_buff, cb),
4351 sizeof_field(struct sk_buff, cb),
4352 NULL);
4353 skbuff_fclone_cache = kmem_cache_create("skbuff_fclone_cache",
4354 sizeof(struct sk_buff_fclones),
4355 0,
4356 SLAB_HWCACHE_ALIGN|SLAB_PANIC,
4357 NULL);
4358 skb_extensions_init();
4359 }
4360
4361 static int
__skb_to_sgvec(struct sk_buff * skb,struct scatterlist * sg,int offset,int len,unsigned int recursion_level)4362 __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len,
4363 unsigned int recursion_level)
4364 {
4365 int start = skb_headlen(skb);
4366 int i, copy = start - offset;
4367 struct sk_buff *frag_iter;
4368 int elt = 0;
4369
4370 if (unlikely(recursion_level >= 24))
4371 return -EMSGSIZE;
4372
4373 if (copy > 0) {
4374 if (copy > len)
4375 copy = len;
4376 sg_set_buf(sg, skb->data + offset, copy);
4377 elt++;
4378 if ((len -= copy) == 0)
4379 return elt;
4380 offset += copy;
4381 }
4382
4383 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
4384 int end;
4385
4386 WARN_ON(start > offset + len);
4387
4388 end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]);
4389 if ((copy = end - offset) > 0) {
4390 skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
4391 if (unlikely(elt && sg_is_last(&sg[elt - 1])))
4392 return -EMSGSIZE;
4393
4394 if (copy > len)
4395 copy = len;
4396 sg_set_page(&sg[elt], skb_frag_page(frag), copy,
4397 skb_frag_off(frag) + offset - start);
4398 elt++;
4399 if (!(len -= copy))
4400 return elt;
4401 offset += copy;
4402 }
4403 start = end;
4404 }
4405
4406 skb_walk_frags(skb, frag_iter) {
4407 int end, ret;
4408
4409 WARN_ON(start > offset + len);
4410
4411 end = start + frag_iter->len;
4412 if ((copy = end - offset) > 0) {
4413 if (unlikely(elt && sg_is_last(&sg[elt - 1])))
4414 return -EMSGSIZE;
4415
4416 if (copy > len)
4417 copy = len;
4418 ret = __skb_to_sgvec(frag_iter, sg+elt, offset - start,
4419 copy, recursion_level + 1);
4420 if (unlikely(ret < 0))
4421 return ret;
4422 elt += ret;
4423 if ((len -= copy) == 0)
4424 return elt;
4425 offset += copy;
4426 }
4427 start = end;
4428 }
4429 BUG_ON(len);
4430 return elt;
4431 }
4432
4433 /**
4434 * skb_to_sgvec - Fill a scatter-gather list from a socket buffer
4435 * @skb: Socket buffer containing the buffers to be mapped
4436 * @sg: The scatter-gather list to map into
4437 * @offset: The offset into the buffer's contents to start mapping
4438 * @len: Length of buffer space to be mapped
4439 *
4440 * Fill the specified scatter-gather list with mappings/pointers into a
4441 * region of the buffer space attached to a socket buffer. Returns either
4442 * the number of scatterlist items used, or -EMSGSIZE if the contents
4443 * could not fit.
4444 */
skb_to_sgvec(struct sk_buff * skb,struct scatterlist * sg,int offset,int len)4445 int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
4446 {
4447 int nsg = __skb_to_sgvec(skb, sg, offset, len, 0);
4448
4449 if (nsg <= 0)
4450 return nsg;
4451
4452 sg_mark_end(&sg[nsg - 1]);
4453
4454 return nsg;
4455 }
4456 EXPORT_SYMBOL_GPL(skb_to_sgvec);
4457
4458 /* As compared with skb_to_sgvec, skb_to_sgvec_nomark only map skb to given
4459 * sglist without mark the sg which contain last skb data as the end.
4460 * So the caller can mannipulate sg list as will when padding new data after
4461 * the first call without calling sg_unmark_end to expend sg list.
4462 *
4463 * Scenario to use skb_to_sgvec_nomark:
4464 * 1. sg_init_table
4465 * 2. skb_to_sgvec_nomark(payload1)
4466 * 3. skb_to_sgvec_nomark(payload2)
4467 *
4468 * This is equivalent to:
4469 * 1. sg_init_table
4470 * 2. skb_to_sgvec(payload1)
4471 * 3. sg_unmark_end
4472 * 4. skb_to_sgvec(payload2)
4473 *
4474 * When mapping mutilple payload conditionally, skb_to_sgvec_nomark
4475 * is more preferable.
4476 */
skb_to_sgvec_nomark(struct sk_buff * skb,struct scatterlist * sg,int offset,int len)4477 int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
4478 int offset, int len)
4479 {
4480 return __skb_to_sgvec(skb, sg, offset, len, 0);
4481 }
4482 EXPORT_SYMBOL_GPL(skb_to_sgvec_nomark);
4483
4484
4485
4486 /**
4487 * skb_cow_data - Check that a socket buffer's data buffers are writable
4488 * @skb: The socket buffer to check.
4489 * @tailbits: Amount of trailing space to be added
4490 * @trailer: Returned pointer to the skb where the @tailbits space begins
4491 *
4492 * Make sure that the data buffers attached to a socket buffer are
4493 * writable. If they are not, private copies are made of the data buffers
4494 * and the socket buffer is set to use these instead.
4495 *
4496 * If @tailbits is given, make sure that there is space to write @tailbits
4497 * bytes of data beyond current end of socket buffer. @trailer will be
4498 * set to point to the skb in which this space begins.
4499 *
4500 * The number of scatterlist elements required to completely map the
4501 * COW'd and extended socket buffer will be returned.
4502 */
skb_cow_data(struct sk_buff * skb,int tailbits,struct sk_buff ** trailer)4503 int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer)
4504 {
4505 int copyflag;
4506 int elt;
4507 struct sk_buff *skb1, **skb_p;
4508
4509 /* If skb is cloned or its head is paged, reallocate
4510 * head pulling out all the pages (pages are considered not writable
4511 * at the moment even if they are anonymous).
4512 */
4513 if ((skb_cloned(skb) || skb_shinfo(skb)->nr_frags) &&
4514 !__pskb_pull_tail(skb, __skb_pagelen(skb)))
4515 return -ENOMEM;
4516
4517 /* Easy case. Most of packets will go this way. */
4518 if (!skb_has_frag_list(skb)) {
4519 /* A little of trouble, not enough of space for trailer.
4520 * This should not happen, when stack is tuned to generate
4521 * good frames. OK, on miss we reallocate and reserve even more
4522 * space, 128 bytes is fair. */
4523
4524 if (skb_tailroom(skb) < tailbits &&
4525 pskb_expand_head(skb, 0, tailbits-skb_tailroom(skb)+128, GFP_ATOMIC))
4526 return -ENOMEM;
4527
4528 /* Voila! */
4529 *trailer = skb;
4530 return 1;
4531 }
4532
4533 /* Misery. We are in troubles, going to mincer fragments... */
4534
4535 elt = 1;
4536 skb_p = &skb_shinfo(skb)->frag_list;
4537 copyflag = 0;
4538
4539 while ((skb1 = *skb_p) != NULL) {
4540 int ntail = 0;
4541
4542 /* The fragment is partially pulled by someone,
4543 * this can happen on input. Copy it and everything
4544 * after it. */
4545
4546 if (skb_shared(skb1))
4547 copyflag = 1;
4548
4549 /* If the skb is the last, worry about trailer. */
4550
4551 if (skb1->next == NULL && tailbits) {
4552 if (skb_shinfo(skb1)->nr_frags ||
4553 skb_has_frag_list(skb1) ||
4554 skb_tailroom(skb1) < tailbits)
4555 ntail = tailbits + 128;
4556 }
4557
4558 if (copyflag ||
4559 skb_cloned(skb1) ||
4560 ntail ||
4561 skb_shinfo(skb1)->nr_frags ||
4562 skb_has_frag_list(skb1)) {
4563 struct sk_buff *skb2;
4564
4565 /* Fuck, we are miserable poor guys... */
4566 if (ntail == 0)
4567 skb2 = skb_copy(skb1, GFP_ATOMIC);
4568 else
4569 skb2 = skb_copy_expand(skb1,
4570 skb_headroom(skb1),
4571 ntail,
4572 GFP_ATOMIC);
4573 if (unlikely(skb2 == NULL))
4574 return -ENOMEM;
4575
4576 if (skb1->sk)
4577 skb_set_owner_w(skb2, skb1->sk);
4578
4579 /* Looking around. Are we still alive?
4580 * OK, link new skb, drop old one */
4581
4582 skb2->next = skb1->next;
4583 *skb_p = skb2;
4584 kfree_skb(skb1);
4585 skb1 = skb2;
4586 }
4587 elt++;
4588 *trailer = skb1;
4589 skb_p = &skb1->next;
4590 }
4591
4592 return elt;
4593 }
4594 EXPORT_SYMBOL_GPL(skb_cow_data);
4595
sock_rmem_free(struct sk_buff * skb)4596 static void sock_rmem_free(struct sk_buff *skb)
4597 {
4598 struct sock *sk = skb->sk;
4599
4600 atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
4601 }
4602
skb_set_err_queue(struct sk_buff * skb)4603 static void skb_set_err_queue(struct sk_buff *skb)
4604 {
4605 /* pkt_type of skbs received on local sockets is never PACKET_OUTGOING.
4606 * So, it is safe to (mis)use it to mark skbs on the error queue.
4607 */
4608 skb->pkt_type = PACKET_OUTGOING;
4609 BUILD_BUG_ON(PACKET_OUTGOING == 0);
4610 }
4611
4612 /*
4613 * Note: We dont mem charge error packets (no sk_forward_alloc changes)
4614 */
sock_queue_err_skb(struct sock * sk,struct sk_buff * skb)4615 int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
4616 {
4617 if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
4618 (unsigned int)READ_ONCE(sk->sk_rcvbuf))
4619 return -ENOMEM;
4620
4621 skb_orphan(skb);
4622 skb->sk = sk;
4623 skb->destructor = sock_rmem_free;
4624 atomic_add(skb->truesize, &sk->sk_rmem_alloc);
4625 skb_set_err_queue(skb);
4626
4627 /* before exiting rcu section, make sure dst is refcounted */
4628 skb_dst_force(skb);
4629
4630 skb_queue_tail(&sk->sk_error_queue, skb);
4631 if (!sock_flag(sk, SOCK_DEAD))
4632 sk->sk_error_report(sk);
4633 return 0;
4634 }
4635 EXPORT_SYMBOL(sock_queue_err_skb);
4636
is_icmp_err_skb(const struct sk_buff * skb)4637 static bool is_icmp_err_skb(const struct sk_buff *skb)
4638 {
4639 return skb && (SKB_EXT_ERR(skb)->ee.ee_origin == SO_EE_ORIGIN_ICMP ||
4640 SKB_EXT_ERR(skb)->ee.ee_origin == SO_EE_ORIGIN_ICMP6);
4641 }
4642
sock_dequeue_err_skb(struct sock * sk)4643 struct sk_buff *sock_dequeue_err_skb(struct sock *sk)
4644 {
4645 struct sk_buff_head *q = &sk->sk_error_queue;
4646 struct sk_buff *skb, *skb_next = NULL;
4647 bool icmp_next = false;
4648 unsigned long flags;
4649
4650 spin_lock_irqsave(&q->lock, flags);
4651 skb = __skb_dequeue(q);
4652 if (skb && (skb_next = skb_peek(q))) {
4653 icmp_next = is_icmp_err_skb(skb_next);
4654 if (icmp_next)
4655 sk->sk_err = SKB_EXT_ERR(skb_next)->ee.ee_errno;
4656 }
4657 spin_unlock_irqrestore(&q->lock, flags);
4658
4659 if (is_icmp_err_skb(skb) && !icmp_next)
4660 sk->sk_err = 0;
4661
4662 if (skb_next)
4663 sk->sk_error_report(sk);
4664
4665 return skb;
4666 }
4667 EXPORT_SYMBOL(sock_dequeue_err_skb);
4668
4669 /**
4670 * skb_clone_sk - create clone of skb, and take reference to socket
4671 * @skb: the skb to clone
4672 *
4673 * This function creates a clone of a buffer that holds a reference on
4674 * sk_refcnt. Buffers created via this function are meant to be
4675 * returned using sock_queue_err_skb, or free via kfree_skb.
4676 *
4677 * When passing buffers allocated with this function to sock_queue_err_skb
4678 * it is necessary to wrap the call with sock_hold/sock_put in order to
4679 * prevent the socket from being released prior to being enqueued on
4680 * the sk_error_queue.
4681 */
skb_clone_sk(struct sk_buff * skb)4682 struct sk_buff *skb_clone_sk(struct sk_buff *skb)
4683 {
4684 struct sock *sk = skb->sk;
4685 struct sk_buff *clone;
4686
4687 if (!sk || !refcount_inc_not_zero(&sk->sk_refcnt))
4688 return NULL;
4689
4690 clone = skb_clone(skb, GFP_ATOMIC);
4691 if (!clone) {
4692 sock_put(sk);
4693 return NULL;
4694 }
4695
4696 clone->sk = sk;
4697 clone->destructor = sock_efree;
4698
4699 return clone;
4700 }
4701 EXPORT_SYMBOL(skb_clone_sk);
4702
__skb_complete_tx_timestamp(struct sk_buff * skb,struct sock * sk,int tstype,bool opt_stats)4703 static void __skb_complete_tx_timestamp(struct sk_buff *skb,
4704 struct sock *sk,
4705 int tstype,
4706 bool opt_stats)
4707 {
4708 struct sock_exterr_skb *serr;
4709 int err;
4710
4711 BUILD_BUG_ON(sizeof(struct sock_exterr_skb) > sizeof(skb->cb));
4712
4713 serr = SKB_EXT_ERR(skb);
4714 memset(serr, 0, sizeof(*serr));
4715 serr->ee.ee_errno = ENOMSG;
4716 serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
4717 serr->ee.ee_info = tstype;
4718 serr->opt_stats = opt_stats;
4719 serr->header.h4.iif = skb->dev ? skb->dev->ifindex : 0;
4720 if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
4721 serr->ee.ee_data = skb_shinfo(skb)->tskey;
4722 if (sk->sk_protocol == IPPROTO_TCP &&
4723 sk->sk_type == SOCK_STREAM)
4724 serr->ee.ee_data -= sk->sk_tskey;
4725 }
4726
4727 err = sock_queue_err_skb(sk, skb);
4728
4729 if (err)
4730 kfree_skb(skb);
4731 }
4732
skb_may_tx_timestamp(struct sock * sk,bool tsonly)4733 static bool skb_may_tx_timestamp(struct sock *sk, bool tsonly)
4734 {
4735 bool ret;
4736
4737 if (likely(READ_ONCE(sysctl_tstamp_allow_data) || tsonly))
4738 return true;
4739
4740 read_lock_bh(&sk->sk_callback_lock);
4741 ret = sk->sk_socket && sk->sk_socket->file &&
4742 file_ns_capable(sk->sk_socket->file, &init_user_ns, CAP_NET_RAW);
4743 read_unlock_bh(&sk->sk_callback_lock);
4744 return ret;
4745 }
4746
skb_complete_tx_timestamp(struct sk_buff * skb,struct skb_shared_hwtstamps * hwtstamps)4747 void skb_complete_tx_timestamp(struct sk_buff *skb,
4748 struct skb_shared_hwtstamps *hwtstamps)
4749 {
4750 struct sock *sk = skb->sk;
4751
4752 if (!skb_may_tx_timestamp(sk, false))
4753 goto err;
4754
4755 /* Take a reference to prevent skb_orphan() from freeing the socket,
4756 * but only if the socket refcount is not zero.
4757 */
4758 if (likely(refcount_inc_not_zero(&sk->sk_refcnt))) {
4759 *skb_hwtstamps(skb) = *hwtstamps;
4760 __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false);
4761 sock_put(sk);
4762 return;
4763 }
4764
4765 err:
4766 kfree_skb(skb);
4767 }
4768 EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp);
4769
__skb_tstamp_tx(struct sk_buff * orig_skb,struct skb_shared_hwtstamps * hwtstamps,struct sock * sk,int tstype)4770 void __skb_tstamp_tx(struct sk_buff *orig_skb,
4771 struct skb_shared_hwtstamps *hwtstamps,
4772 struct sock *sk, int tstype)
4773 {
4774 struct sk_buff *skb;
4775 bool tsonly, opt_stats = false;
4776
4777 if (!sk)
4778 return;
4779
4780 if (!hwtstamps && !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_TX_SWHW) &&
4781 skb_shinfo(orig_skb)->tx_flags & SKBTX_IN_PROGRESS)
4782 return;
4783
4784 tsonly = sk->sk_tsflags & SOF_TIMESTAMPING_OPT_TSONLY;
4785 if (!skb_may_tx_timestamp(sk, tsonly))
4786 return;
4787
4788 if (tsonly) {
4789 #ifdef CONFIG_INET
4790 if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) &&
4791 sk->sk_protocol == IPPROTO_TCP &&
4792 sk->sk_type == SOCK_STREAM) {
4793 skb = tcp_get_timestamping_opt_stats(sk, orig_skb);
4794 opt_stats = true;
4795 } else
4796 #endif
4797 skb = alloc_skb(0, GFP_ATOMIC);
4798 } else {
4799 skb = skb_clone(orig_skb, GFP_ATOMIC);
4800
4801 if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) {
4802 kfree_skb(skb);
4803 return;
4804 }
4805 }
4806 if (!skb)
4807 return;
4808
4809 if (tsonly) {
4810 skb_shinfo(skb)->tx_flags |= skb_shinfo(orig_skb)->tx_flags &
4811 SKBTX_ANY_TSTAMP;
4812 skb_shinfo(skb)->tskey = skb_shinfo(orig_skb)->tskey;
4813 }
4814
4815 if (hwtstamps)
4816 *skb_hwtstamps(skb) = *hwtstamps;
4817 else
4818 skb->tstamp = ktime_get_real();
4819
4820 __skb_complete_tx_timestamp(skb, sk, tstype, opt_stats);
4821 }
4822 EXPORT_SYMBOL_GPL(__skb_tstamp_tx);
4823
skb_tstamp_tx(struct sk_buff * orig_skb,struct skb_shared_hwtstamps * hwtstamps)4824 void skb_tstamp_tx(struct sk_buff *orig_skb,
4825 struct skb_shared_hwtstamps *hwtstamps)
4826 {
4827 return __skb_tstamp_tx(orig_skb, hwtstamps, orig_skb->sk,
4828 SCM_TSTAMP_SND);
4829 }
4830 EXPORT_SYMBOL_GPL(skb_tstamp_tx);
4831
skb_complete_wifi_ack(struct sk_buff * skb,bool acked)4832 void skb_complete_wifi_ack(struct sk_buff *skb, bool acked)
4833 {
4834 struct sock *sk = skb->sk;
4835 struct sock_exterr_skb *serr;
4836 int err = 1;
4837
4838 skb->wifi_acked_valid = 1;
4839 skb->wifi_acked = acked;
4840
4841 serr = SKB_EXT_ERR(skb);
4842 memset(serr, 0, sizeof(*serr));
4843 serr->ee.ee_errno = ENOMSG;
4844 serr->ee.ee_origin = SO_EE_ORIGIN_TXSTATUS;
4845
4846 /* Take a reference to prevent skb_orphan() from freeing the socket,
4847 * but only if the socket refcount is not zero.
4848 */
4849 if (likely(refcount_inc_not_zero(&sk->sk_refcnt))) {
4850 err = sock_queue_err_skb(sk, skb);
4851 sock_put(sk);
4852 }
4853 if (err)
4854 kfree_skb(skb);
4855 }
4856 EXPORT_SYMBOL_GPL(skb_complete_wifi_ack);
4857
4858 /**
4859 * skb_partial_csum_set - set up and verify partial csum values for packet
4860 * @skb: the skb to set
4861 * @start: the number of bytes after skb->data to start checksumming.
4862 * @off: the offset from start to place the checksum.
4863 *
4864 * For untrusted partially-checksummed packets, we need to make sure the values
4865 * for skb->csum_start and skb->csum_offset are valid so we don't oops.
4866 *
4867 * This function checks and sets those values and skb->ip_summed: if this
4868 * returns false you should drop the packet.
4869 */
skb_partial_csum_set(struct sk_buff * skb,u16 start,u16 off)4870 bool skb_partial_csum_set(struct sk_buff *skb, u16 start, u16 off)
4871 {
4872 u32 csum_end = (u32)start + (u32)off + sizeof(__sum16);
4873 u32 csum_start = skb_headroom(skb) + (u32)start;
4874
4875 if (unlikely(csum_start > U16_MAX || csum_end > skb_headlen(skb))) {
4876 net_warn_ratelimited("bad partial csum: csum=%u/%u headroom=%u headlen=%u\n",
4877 start, off, skb_headroom(skb), skb_headlen(skb));
4878 return false;
4879 }
4880 skb->ip_summed = CHECKSUM_PARTIAL;
4881 skb->csum_start = csum_start;
4882 skb->csum_offset = off;
4883 skb_set_transport_header(skb, start);
4884 return true;
4885 }
4886 EXPORT_SYMBOL_GPL(skb_partial_csum_set);
4887
skb_maybe_pull_tail(struct sk_buff * skb,unsigned int len,unsigned int max)4888 static int skb_maybe_pull_tail(struct sk_buff *skb, unsigned int len,
4889 unsigned int max)
4890 {
4891 if (skb_headlen(skb) >= len)
4892 return 0;
4893
4894 /* If we need to pullup then pullup to the max, so we
4895 * won't need to do it again.
4896 */
4897 if (max > skb->len)
4898 max = skb->len;
4899
4900 if (__pskb_pull_tail(skb, max - skb_headlen(skb)) == NULL)
4901 return -ENOMEM;
4902
4903 if (skb_headlen(skb) < len)
4904 return -EPROTO;
4905
4906 return 0;
4907 }
4908
4909 #define MAX_TCP_HDR_LEN (15 * 4)
4910
skb_checksum_setup_ip(struct sk_buff * skb,typeof(IPPROTO_IP) proto,unsigned int off)4911 static __sum16 *skb_checksum_setup_ip(struct sk_buff *skb,
4912 typeof(IPPROTO_IP) proto,
4913 unsigned int off)
4914 {
4915 int err;
4916
4917 switch (proto) {
4918 case IPPROTO_TCP:
4919 err = skb_maybe_pull_tail(skb, off + sizeof(struct tcphdr),
4920 off + MAX_TCP_HDR_LEN);
4921 if (!err && !skb_partial_csum_set(skb, off,
4922 offsetof(struct tcphdr,
4923 check)))
4924 err = -EPROTO;
4925 return err ? ERR_PTR(err) : &tcp_hdr(skb)->check;
4926
4927 case IPPROTO_UDP:
4928 err = skb_maybe_pull_tail(skb, off + sizeof(struct udphdr),
4929 off + sizeof(struct udphdr));
4930 if (!err && !skb_partial_csum_set(skb, off,
4931 offsetof(struct udphdr,
4932 check)))
4933 err = -EPROTO;
4934 return err ? ERR_PTR(err) : &udp_hdr(skb)->check;
4935 }
4936
4937 return ERR_PTR(-EPROTO);
4938 }
4939
4940 /* This value should be large enough to cover a tagged ethernet header plus
4941 * maximally sized IP and TCP or UDP headers.
4942 */
4943 #define MAX_IP_HDR_LEN 128
4944
skb_checksum_setup_ipv4(struct sk_buff * skb,bool recalculate)4945 static int skb_checksum_setup_ipv4(struct sk_buff *skb, bool recalculate)
4946 {
4947 unsigned int off;
4948 bool fragment;
4949 __sum16 *csum;
4950 int err;
4951
4952 fragment = false;
4953
4954 err = skb_maybe_pull_tail(skb,
4955 sizeof(struct iphdr),
4956 MAX_IP_HDR_LEN);
4957 if (err < 0)
4958 goto out;
4959
4960 if (ip_is_fragment(ip_hdr(skb)))
4961 fragment = true;
4962
4963 off = ip_hdrlen(skb);
4964
4965 err = -EPROTO;
4966
4967 if (fragment)
4968 goto out;
4969
4970 csum = skb_checksum_setup_ip(skb, ip_hdr(skb)->protocol, off);
4971 if (IS_ERR(csum))
4972 return PTR_ERR(csum);
4973
4974 if (recalculate)
4975 *csum = ~csum_tcpudp_magic(ip_hdr(skb)->saddr,
4976 ip_hdr(skb)->daddr,
4977 skb->len - off,
4978 ip_hdr(skb)->protocol, 0);
4979 err = 0;
4980
4981 out:
4982 return err;
4983 }
4984
4985 /* This value should be large enough to cover a tagged ethernet header plus
4986 * an IPv6 header, all options, and a maximal TCP or UDP header.
4987 */
4988 #define MAX_IPV6_HDR_LEN 256
4989
4990 #define OPT_HDR(type, skb, off) \
4991 (type *)(skb_network_header(skb) + (off))
4992
skb_checksum_setup_ipv6(struct sk_buff * skb,bool recalculate)4993 static int skb_checksum_setup_ipv6(struct sk_buff *skb, bool recalculate)
4994 {
4995 int err;
4996 u8 nexthdr;
4997 unsigned int off;
4998 unsigned int len;
4999 bool fragment;
5000 bool done;
5001 __sum16 *csum;
5002
5003 fragment = false;
5004 done = false;
5005
5006 off = sizeof(struct ipv6hdr);
5007
5008 err = skb_maybe_pull_tail(skb, off, MAX_IPV6_HDR_LEN);
5009 if (err < 0)
5010 goto out;
5011
5012 nexthdr = ipv6_hdr(skb)->nexthdr;
5013
5014 len = sizeof(struct ipv6hdr) + ntohs(ipv6_hdr(skb)->payload_len);
5015 while (off <= len && !done) {
5016 switch (nexthdr) {
5017 case IPPROTO_DSTOPTS:
5018 case IPPROTO_HOPOPTS:
5019 case IPPROTO_ROUTING: {
5020 struct ipv6_opt_hdr *hp;
5021
5022 err = skb_maybe_pull_tail(skb,
5023 off +
5024 sizeof(struct ipv6_opt_hdr),
5025 MAX_IPV6_HDR_LEN);
5026 if (err < 0)
5027 goto out;
5028
5029 hp = OPT_HDR(struct ipv6_opt_hdr, skb, off);
5030 nexthdr = hp->nexthdr;
5031 off += ipv6_optlen(hp);
5032 break;
5033 }
5034 case IPPROTO_AH: {
5035 struct ip_auth_hdr *hp;
5036
5037 err = skb_maybe_pull_tail(skb,
5038 off +
5039 sizeof(struct ip_auth_hdr),
5040 MAX_IPV6_HDR_LEN);
5041 if (err < 0)
5042 goto out;
5043
5044 hp = OPT_HDR(struct ip_auth_hdr, skb, off);
5045 nexthdr = hp->nexthdr;
5046 off += ipv6_authlen(hp);
5047 break;
5048 }
5049 case IPPROTO_FRAGMENT: {
5050 struct frag_hdr *hp;
5051
5052 err = skb_maybe_pull_tail(skb,
5053 off +
5054 sizeof(struct frag_hdr),
5055 MAX_IPV6_HDR_LEN);
5056 if (err < 0)
5057 goto out;
5058
5059 hp = OPT_HDR(struct frag_hdr, skb, off);
5060
5061 if (hp->frag_off & htons(IP6_OFFSET | IP6_MF))
5062 fragment = true;
5063
5064 nexthdr = hp->nexthdr;
5065 off += sizeof(struct frag_hdr);
5066 break;
5067 }
5068 default:
5069 done = true;
5070 break;
5071 }
5072 }
5073
5074 err = -EPROTO;
5075
5076 if (!done || fragment)
5077 goto out;
5078
5079 csum = skb_checksum_setup_ip(skb, nexthdr, off);
5080 if (IS_ERR(csum))
5081 return PTR_ERR(csum);
5082
5083 if (recalculate)
5084 *csum = ~csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
5085 &ipv6_hdr(skb)->daddr,
5086 skb->len - off, nexthdr, 0);
5087 err = 0;
5088
5089 out:
5090 return err;
5091 }
5092
5093 /**
5094 * skb_checksum_setup - set up partial checksum offset
5095 * @skb: the skb to set up
5096 * @recalculate: if true the pseudo-header checksum will be recalculated
5097 */
skb_checksum_setup(struct sk_buff * skb,bool recalculate)5098 int skb_checksum_setup(struct sk_buff *skb, bool recalculate)
5099 {
5100 int err;
5101
5102 switch (skb->protocol) {
5103 case htons(ETH_P_IP):
5104 err = skb_checksum_setup_ipv4(skb, recalculate);
5105 break;
5106
5107 case htons(ETH_P_IPV6):
5108 err = skb_checksum_setup_ipv6(skb, recalculate);
5109 break;
5110
5111 default:
5112 err = -EPROTO;
5113 break;
5114 }
5115
5116 return err;
5117 }
5118 EXPORT_SYMBOL(skb_checksum_setup);
5119
5120 /**
5121 * skb_checksum_maybe_trim - maybe trims the given skb
5122 * @skb: the skb to check
5123 * @transport_len: the data length beyond the network header
5124 *
5125 * Checks whether the given skb has data beyond the given transport length.
5126 * If so, returns a cloned skb trimmed to this transport length.
5127 * Otherwise returns the provided skb. Returns NULL in error cases
5128 * (e.g. transport_len exceeds skb length or out-of-memory).
5129 *
5130 * Caller needs to set the skb transport header and free any returned skb if it
5131 * differs from the provided skb.
5132 */
skb_checksum_maybe_trim(struct sk_buff * skb,unsigned int transport_len)5133 static struct sk_buff *skb_checksum_maybe_trim(struct sk_buff *skb,
5134 unsigned int transport_len)
5135 {
5136 struct sk_buff *skb_chk;
5137 unsigned int len = skb_transport_offset(skb) + transport_len;
5138 int ret;
5139
5140 if (skb->len < len)
5141 return NULL;
5142 else if (skb->len == len)
5143 return skb;
5144
5145 skb_chk = skb_clone(skb, GFP_ATOMIC);
5146 if (!skb_chk)
5147 return NULL;
5148
5149 ret = pskb_trim_rcsum(skb_chk, len);
5150 if (ret) {
5151 kfree_skb(skb_chk);
5152 return NULL;
5153 }
5154
5155 return skb_chk;
5156 }
5157
5158 /**
5159 * skb_checksum_trimmed - validate checksum of an skb
5160 * @skb: the skb to check
5161 * @transport_len: the data length beyond the network header
5162 * @skb_chkf: checksum function to use
5163 *
5164 * Applies the given checksum function skb_chkf to the provided skb.
5165 * Returns a checked and maybe trimmed skb. Returns NULL on error.
5166 *
5167 * If the skb has data beyond the given transport length, then a
5168 * trimmed & cloned skb is checked and returned.
5169 *
5170 * Caller needs to set the skb transport header and free any returned skb if it
5171 * differs from the provided skb.
5172 */
skb_checksum_trimmed(struct sk_buff * skb,unsigned int transport_len,__sum16 (* skb_chkf)(struct sk_buff * skb))5173 struct sk_buff *skb_checksum_trimmed(struct sk_buff *skb,
5174 unsigned int transport_len,
5175 __sum16(*skb_chkf)(struct sk_buff *skb))
5176 {
5177 struct sk_buff *skb_chk;
5178 unsigned int offset = skb_transport_offset(skb);
5179 __sum16 ret;
5180
5181 skb_chk = skb_checksum_maybe_trim(skb, transport_len);
5182 if (!skb_chk)
5183 goto err;
5184
5185 if (!pskb_may_pull(skb_chk, offset))
5186 goto err;
5187
5188 skb_pull_rcsum(skb_chk, offset);
5189 ret = skb_chkf(skb_chk);
5190 skb_push_rcsum(skb_chk, offset);
5191
5192 if (ret)
5193 goto err;
5194
5195 return skb_chk;
5196
5197 err:
5198 if (skb_chk && skb_chk != skb)
5199 kfree_skb(skb_chk);
5200
5201 return NULL;
5202
5203 }
5204 EXPORT_SYMBOL(skb_checksum_trimmed);
5205
__skb_warn_lro_forwarding(const struct sk_buff * skb)5206 void __skb_warn_lro_forwarding(const struct sk_buff *skb)
5207 {
5208 net_warn_ratelimited("%s: received packets cannot be forwarded while LRO is enabled\n",
5209 skb->dev->name);
5210 }
5211 EXPORT_SYMBOL(__skb_warn_lro_forwarding);
5212
kfree_skb_partial(struct sk_buff * skb,bool head_stolen)5213 void kfree_skb_partial(struct sk_buff *skb, bool head_stolen)
5214 {
5215 if (head_stolen) {
5216 skb_release_head_state(skb);
5217 kmem_cache_free(skbuff_head_cache, skb);
5218 } else {
5219 __kfree_skb(skb);
5220 }
5221 }
5222 EXPORT_SYMBOL(kfree_skb_partial);
5223
5224 /**
5225 * skb_try_coalesce - try to merge skb to prior one
5226 * @to: prior buffer
5227 * @from: buffer to add
5228 * @fragstolen: pointer to boolean
5229 * @delta_truesize: how much more was allocated than was requested
5230 */
skb_try_coalesce(struct sk_buff * to,struct sk_buff * from,bool * fragstolen,int * delta_truesize)5231 bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
5232 bool *fragstolen, int *delta_truesize)
5233 {
5234 struct skb_shared_info *to_shinfo, *from_shinfo;
5235 int i, delta, len = from->len;
5236
5237 *fragstolen = false;
5238
5239 if (skb_cloned(to))
5240 return false;
5241
5242 if (len <= skb_tailroom(to)) {
5243 if (len)
5244 BUG_ON(skb_copy_bits(from, 0, skb_put(to, len), len));
5245 *delta_truesize = 0;
5246 return true;
5247 }
5248
5249 to_shinfo = skb_shinfo(to);
5250 from_shinfo = skb_shinfo(from);
5251 if (to_shinfo->frag_list || from_shinfo->frag_list)
5252 return false;
5253 if (skb_zcopy(to) || skb_zcopy(from))
5254 return false;
5255
5256 if (skb_headlen(from) != 0) {
5257 struct page *page;
5258 unsigned int offset;
5259
5260 if (to_shinfo->nr_frags +
5261 from_shinfo->nr_frags >= MAX_SKB_FRAGS)
5262 return false;
5263
5264 if (skb_head_is_locked(from))
5265 return false;
5266
5267 delta = from->truesize - SKB_DATA_ALIGN(sizeof(struct sk_buff));
5268
5269 page = virt_to_head_page(from->head);
5270 offset = from->data - (unsigned char *)page_address(page);
5271
5272 skb_fill_page_desc(to, to_shinfo->nr_frags,
5273 page, offset, skb_headlen(from));
5274 *fragstolen = true;
5275 } else {
5276 if (to_shinfo->nr_frags +
5277 from_shinfo->nr_frags > MAX_SKB_FRAGS)
5278 return false;
5279
5280 delta = from->truesize - SKB_TRUESIZE(skb_end_offset(from));
5281 }
5282
5283 WARN_ON_ONCE(delta < len);
5284
5285 memcpy(to_shinfo->frags + to_shinfo->nr_frags,
5286 from_shinfo->frags,
5287 from_shinfo->nr_frags * sizeof(skb_frag_t));
5288 to_shinfo->nr_frags += from_shinfo->nr_frags;
5289
5290 if (!skb_cloned(from))
5291 from_shinfo->nr_frags = 0;
5292
5293 /* if the skb is not cloned this does nothing
5294 * since we set nr_frags to 0.
5295 */
5296 for (i = 0; i < from_shinfo->nr_frags; i++)
5297 __skb_frag_ref(&from_shinfo->frags[i]);
5298
5299 to->truesize += delta;
5300 to->len += len;
5301 to->data_len += len;
5302
5303 *delta_truesize = delta;
5304 return true;
5305 }
5306 EXPORT_SYMBOL(skb_try_coalesce);
5307
5308 /**
5309 * skb_scrub_packet - scrub an skb
5310 *
5311 * @skb: buffer to clean
5312 * @xnet: packet is crossing netns
5313 *
5314 * skb_scrub_packet can be used after encapsulating or decapsulting a packet
5315 * into/from a tunnel. Some information have to be cleared during these
5316 * operations.
5317 * skb_scrub_packet can also be used to clean a skb before injecting it in
5318 * another namespace (@xnet == true). We have to clear all information in the
5319 * skb that could impact namespace isolation.
5320 */
skb_scrub_packet(struct sk_buff * skb,bool xnet)5321 void skb_scrub_packet(struct sk_buff *skb, bool xnet)
5322 {
5323 skb->pkt_type = PACKET_HOST;
5324 skb->skb_iif = 0;
5325 skb->ignore_df = 0;
5326 skb_dst_drop(skb);
5327 skb_ext_reset(skb);
5328 nf_reset_ct(skb);
5329 nf_reset_trace(skb);
5330
5331 #ifdef CONFIG_NET_SWITCHDEV
5332 skb->offload_fwd_mark = 0;
5333 skb->offload_l3_fwd_mark = 0;
5334 #endif
5335
5336 if (!xnet)
5337 return;
5338
5339 ipvs_reset(skb);
5340 skb->mark = 0;
5341 skb->tstamp = 0;
5342 }
5343 EXPORT_SYMBOL_GPL(skb_scrub_packet);
5344
5345 /**
5346 * skb_gso_transport_seglen - Return length of individual segments of a gso packet
5347 *
5348 * @skb: GSO skb
5349 *
5350 * skb_gso_transport_seglen is used to determine the real size of the
5351 * individual segments, including Layer4 headers (TCP/UDP).
5352 *
5353 * The MAC/L2 or network (IP, IPv6) headers are not accounted for.
5354 */
skb_gso_transport_seglen(const struct sk_buff * skb)5355 static unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
5356 {
5357 const struct skb_shared_info *shinfo = skb_shinfo(skb);
5358 unsigned int thlen = 0;
5359
5360 if (skb->encapsulation) {
5361 thlen = skb_inner_transport_header(skb) -
5362 skb_transport_header(skb);
5363
5364 if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))
5365 thlen += inner_tcp_hdrlen(skb);
5366 } else if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) {
5367 thlen = tcp_hdrlen(skb);
5368 } else if (unlikely(skb_is_gso_sctp(skb))) {
5369 thlen = sizeof(struct sctphdr);
5370 } else if (shinfo->gso_type & SKB_GSO_UDP_L4) {
5371 thlen = sizeof(struct udphdr);
5372 }
5373 /* UFO sets gso_size to the size of the fragmentation
5374 * payload, i.e. the size of the L4 (UDP) header is already
5375 * accounted for.
5376 */
5377 return thlen + shinfo->gso_size;
5378 }
5379
5380 /**
5381 * skb_gso_network_seglen - Return length of individual segments of a gso packet
5382 *
5383 * @skb: GSO skb
5384 *
5385 * skb_gso_network_seglen is used to determine the real size of the
5386 * individual segments, including Layer3 (IP, IPv6) and L4 headers (TCP/UDP).
5387 *
5388 * The MAC/L2 header is not accounted for.
5389 */
skb_gso_network_seglen(const struct sk_buff * skb)5390 static unsigned int skb_gso_network_seglen(const struct sk_buff *skb)
5391 {
5392 unsigned int hdr_len = skb_transport_header(skb) -
5393 skb_network_header(skb);
5394
5395 return hdr_len + skb_gso_transport_seglen(skb);
5396 }
5397
5398 /**
5399 * skb_gso_mac_seglen - Return length of individual segments of a gso packet
5400 *
5401 * @skb: GSO skb
5402 *
5403 * skb_gso_mac_seglen is used to determine the real size of the
5404 * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4
5405 * headers (TCP/UDP).
5406 */
skb_gso_mac_seglen(const struct sk_buff * skb)5407 static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
5408 {
5409 unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
5410
5411 return hdr_len + skb_gso_transport_seglen(skb);
5412 }
5413
5414 /**
5415 * skb_gso_size_check - check the skb size, considering GSO_BY_FRAGS
5416 *
5417 * There are a couple of instances where we have a GSO skb, and we
5418 * want to determine what size it would be after it is segmented.
5419 *
5420 * We might want to check:
5421 * - L3+L4+payload size (e.g. IP forwarding)
5422 * - L2+L3+L4+payload size (e.g. sanity check before passing to driver)
5423 *
5424 * This is a helper to do that correctly considering GSO_BY_FRAGS.
5425 *
5426 * @skb: GSO skb
5427 *
5428 * @seg_len: The segmented length (from skb_gso_*_seglen). In the
5429 * GSO_BY_FRAGS case this will be [header sizes + GSO_BY_FRAGS].
5430 *
5431 * @max_len: The maximum permissible length.
5432 *
5433 * Returns true if the segmented length <= max length.
5434 */
skb_gso_size_check(const struct sk_buff * skb,unsigned int seg_len,unsigned int max_len)5435 static inline bool skb_gso_size_check(const struct sk_buff *skb,
5436 unsigned int seg_len,
5437 unsigned int max_len) {
5438 const struct skb_shared_info *shinfo = skb_shinfo(skb);
5439 const struct sk_buff *iter;
5440
5441 if (shinfo->gso_size != GSO_BY_FRAGS)
5442 return seg_len <= max_len;
5443
5444 /* Undo this so we can re-use header sizes */
5445 seg_len -= GSO_BY_FRAGS;
5446
5447 skb_walk_frags(skb, iter) {
5448 if (seg_len + skb_headlen(iter) > max_len)
5449 return false;
5450 }
5451
5452 return true;
5453 }
5454
5455 /**
5456 * skb_gso_validate_network_len - Will a split GSO skb fit into a given MTU?
5457 *
5458 * @skb: GSO skb
5459 * @mtu: MTU to validate against
5460 *
5461 * skb_gso_validate_network_len validates if a given skb will fit a
5462 * wanted MTU once split. It considers L3 headers, L4 headers, and the
5463 * payload.
5464 */
skb_gso_validate_network_len(const struct sk_buff * skb,unsigned int mtu)5465 bool skb_gso_validate_network_len(const struct sk_buff *skb, unsigned int mtu)
5466 {
5467 return skb_gso_size_check(skb, skb_gso_network_seglen(skb), mtu);
5468 }
5469 EXPORT_SYMBOL_GPL(skb_gso_validate_network_len);
5470
5471 /**
5472 * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length?
5473 *
5474 * @skb: GSO skb
5475 * @len: length to validate against
5476 *
5477 * skb_gso_validate_mac_len validates if a given skb will fit a wanted
5478 * length once split, including L2, L3 and L4 headers and the payload.
5479 */
skb_gso_validate_mac_len(const struct sk_buff * skb,unsigned int len)5480 bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len)
5481 {
5482 return skb_gso_size_check(skb, skb_gso_mac_seglen(skb), len);
5483 }
5484 EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);
5485
skb_reorder_vlan_header(struct sk_buff * skb)5486 static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
5487 {
5488 int mac_len, meta_len;
5489 void *meta;
5490
5491 if (skb_cow(skb, skb_headroom(skb)) < 0) {
5492 kfree_skb(skb);
5493 return NULL;
5494 }
5495
5496 mac_len = skb->data - skb_mac_header(skb);
5497 if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) {
5498 memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
5499 mac_len - VLAN_HLEN - ETH_TLEN);
5500 }
5501
5502 meta_len = skb_metadata_len(skb);
5503 if (meta_len) {
5504 meta = skb_metadata_end(skb) - meta_len;
5505 memmove(meta + VLAN_HLEN, meta, meta_len);
5506 }
5507
5508 skb->mac_header += VLAN_HLEN;
5509 return skb;
5510 }
5511
skb_vlan_untag(struct sk_buff * skb)5512 struct sk_buff *skb_vlan_untag(struct sk_buff *skb)
5513 {
5514 struct vlan_hdr *vhdr;
5515 u16 vlan_tci;
5516
5517 if (unlikely(skb_vlan_tag_present(skb))) {
5518 /* vlan_tci is already set-up so leave this for another time */
5519 return skb;
5520 }
5521
5522 skb = skb_share_check(skb, GFP_ATOMIC);
5523 if (unlikely(!skb))
5524 goto err_free;
5525 /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */
5526 if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short))))
5527 goto err_free;
5528
5529 vhdr = (struct vlan_hdr *)skb->data;
5530 vlan_tci = ntohs(vhdr->h_vlan_TCI);
5531 __vlan_hwaccel_put_tag(skb, skb->protocol, vlan_tci);
5532
5533 skb_pull_rcsum(skb, VLAN_HLEN);
5534 vlan_set_encap_proto(skb, vhdr);
5535
5536 skb = skb_reorder_vlan_header(skb);
5537 if (unlikely(!skb))
5538 goto err_free;
5539
5540 skb_reset_network_header(skb);
5541 skb_reset_transport_header(skb);
5542 skb_reset_mac_len(skb);
5543
5544 return skb;
5545
5546 err_free:
5547 kfree_skb(skb);
5548 return NULL;
5549 }
5550 EXPORT_SYMBOL(skb_vlan_untag);
5551
skb_ensure_writable(struct sk_buff * skb,int write_len)5552 int skb_ensure_writable(struct sk_buff *skb, int write_len)
5553 {
5554 if (!pskb_may_pull(skb, write_len))
5555 return -ENOMEM;
5556
5557 if (!skb_cloned(skb) || skb_clone_writable(skb, write_len))
5558 return 0;
5559
5560 return pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
5561 }
5562 EXPORT_SYMBOL(skb_ensure_writable);
5563
5564 /* remove VLAN header from packet and update csum accordingly.
5565 * expects a non skb_vlan_tag_present skb with a vlan tag payload
5566 */
__skb_vlan_pop(struct sk_buff * skb,u16 * vlan_tci)5567 int __skb_vlan_pop(struct sk_buff *skb, u16 *vlan_tci)
5568 {
5569 struct vlan_hdr *vhdr;
5570 int offset = skb->data - skb_mac_header(skb);
5571 int err;
5572
5573 if (WARN_ONCE(offset,
5574 "__skb_vlan_pop got skb with skb->data not at mac header (offset %d)\n",
5575 offset)) {
5576 return -EINVAL;
5577 }
5578
5579 err = skb_ensure_writable(skb, VLAN_ETH_HLEN);
5580 if (unlikely(err))
5581 return err;
5582
5583 skb_postpull_rcsum(skb, skb->data + (2 * ETH_ALEN), VLAN_HLEN);
5584
5585 vhdr = (struct vlan_hdr *)(skb->data + ETH_HLEN);
5586 *vlan_tci = ntohs(vhdr->h_vlan_TCI);
5587
5588 memmove(skb->data + VLAN_HLEN, skb->data, 2 * ETH_ALEN);
5589 __skb_pull(skb, VLAN_HLEN);
5590
5591 vlan_set_encap_proto(skb, vhdr);
5592 skb->mac_header += VLAN_HLEN;
5593
5594 if (skb_network_offset(skb) < ETH_HLEN)
5595 skb_set_network_header(skb, ETH_HLEN);
5596
5597 skb_reset_mac_len(skb);
5598
5599 return err;
5600 }
5601 EXPORT_SYMBOL(__skb_vlan_pop);
5602
5603 /* Pop a vlan tag either from hwaccel or from payload.
5604 * Expects skb->data at mac header.
5605 */
skb_vlan_pop(struct sk_buff * skb)5606 int skb_vlan_pop(struct sk_buff *skb)
5607 {
5608 u16 vlan_tci;
5609 __be16 vlan_proto;
5610 int err;
5611
5612 if (likely(skb_vlan_tag_present(skb))) {
5613 __vlan_hwaccel_clear_tag(skb);
5614 } else {
5615 if (unlikely(!eth_type_vlan(skb->protocol)))
5616 return 0;
5617
5618 err = __skb_vlan_pop(skb, &vlan_tci);
5619 if (err)
5620 return err;
5621 }
5622 /* move next vlan tag to hw accel tag */
5623 if (likely(!eth_type_vlan(skb->protocol)))
5624 return 0;
5625
5626 vlan_proto = skb->protocol;
5627 err = __skb_vlan_pop(skb, &vlan_tci);
5628 if (unlikely(err))
5629 return err;
5630
5631 __vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci);
5632 return 0;
5633 }
5634 EXPORT_SYMBOL(skb_vlan_pop);
5635
5636 /* Push a vlan tag either into hwaccel or into payload (if hwaccel tag present).
5637 * Expects skb->data at mac header.
5638 */
skb_vlan_push(struct sk_buff * skb,__be16 vlan_proto,u16 vlan_tci)5639 int skb_vlan_push(struct sk_buff *skb, __be16 vlan_proto, u16 vlan_tci)
5640 {
5641 if (skb_vlan_tag_present(skb)) {
5642 int offset = skb->data - skb_mac_header(skb);
5643 int err;
5644
5645 if (WARN_ONCE(offset,
5646 "skb_vlan_push got skb with skb->data not at mac header (offset %d)\n",
5647 offset)) {
5648 return -EINVAL;
5649 }
5650
5651 err = __vlan_insert_tag(skb, skb->vlan_proto,
5652 skb_vlan_tag_get(skb));
5653 if (err)
5654 return err;
5655
5656 skb->protocol = skb->vlan_proto;
5657 skb->mac_len += VLAN_HLEN;
5658
5659 skb_postpush_rcsum(skb, skb->data + (2 * ETH_ALEN), VLAN_HLEN);
5660 }
5661 __vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci);
5662 return 0;
5663 }
5664 EXPORT_SYMBOL(skb_vlan_push);
5665
5666 /**
5667 * skb_eth_pop() - Drop the Ethernet header at the head of a packet
5668 *
5669 * @skb: Socket buffer to modify
5670 *
5671 * Drop the Ethernet header of @skb.
5672 *
5673 * Expects that skb->data points to the mac header and that no VLAN tags are
5674 * present.
5675 *
5676 * Returns 0 on success, -errno otherwise.
5677 */
skb_eth_pop(struct sk_buff * skb)5678 int skb_eth_pop(struct sk_buff *skb)
5679 {
5680 if (!pskb_may_pull(skb, ETH_HLEN) || skb_vlan_tagged(skb) ||
5681 skb_network_offset(skb) < ETH_HLEN)
5682 return -EPROTO;
5683
5684 skb_pull_rcsum(skb, ETH_HLEN);
5685 skb_reset_mac_header(skb);
5686 skb_reset_mac_len(skb);
5687
5688 return 0;
5689 }
5690 EXPORT_SYMBOL(skb_eth_pop);
5691
5692 /**
5693 * skb_eth_push() - Add a new Ethernet header at the head of a packet
5694 *
5695 * @skb: Socket buffer to modify
5696 * @dst: Destination MAC address of the new header
5697 * @src: Source MAC address of the new header
5698 *
5699 * Prepend @skb with a new Ethernet header.
5700 *
5701 * Expects that skb->data points to the mac header, which must be empty.
5702 *
5703 * Returns 0 on success, -errno otherwise.
5704 */
skb_eth_push(struct sk_buff * skb,const unsigned char * dst,const unsigned char * src)5705 int skb_eth_push(struct sk_buff *skb, const unsigned char *dst,
5706 const unsigned char *src)
5707 {
5708 struct ethhdr *eth;
5709 int err;
5710
5711 if (skb_network_offset(skb) || skb_vlan_tag_present(skb))
5712 return -EPROTO;
5713
5714 err = skb_cow_head(skb, sizeof(*eth));
5715 if (err < 0)
5716 return err;
5717
5718 skb_push(skb, sizeof(*eth));
5719 skb_reset_mac_header(skb);
5720 skb_reset_mac_len(skb);
5721
5722 eth = eth_hdr(skb);
5723 ether_addr_copy(eth->h_dest, dst);
5724 ether_addr_copy(eth->h_source, src);
5725 eth->h_proto = skb->protocol;
5726
5727 skb_postpush_rcsum(skb, eth, sizeof(*eth));
5728
5729 return 0;
5730 }
5731 EXPORT_SYMBOL(skb_eth_push);
5732
5733 /* Update the ethertype of hdr and the skb csum value if required. */
skb_mod_eth_type(struct sk_buff * skb,struct ethhdr * hdr,__be16 ethertype)5734 static void skb_mod_eth_type(struct sk_buff *skb, struct ethhdr *hdr,
5735 __be16 ethertype)
5736 {
5737 if (skb->ip_summed == CHECKSUM_COMPLETE) {
5738 __be16 diff[] = { ~hdr->h_proto, ethertype };
5739
5740 skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum);
5741 }
5742
5743 hdr->h_proto = ethertype;
5744 }
5745
5746 /**
5747 * skb_mpls_push() - push a new MPLS header after mac_len bytes from start of
5748 * the packet
5749 *
5750 * @skb: buffer
5751 * @mpls_lse: MPLS label stack entry to push
5752 * @mpls_proto: ethertype of the new MPLS header (expects 0x8847 or 0x8848)
5753 * @mac_len: length of the MAC header
5754 * @ethernet: flag to indicate if the resulting packet after skb_mpls_push is
5755 * ethernet
5756 *
5757 * Expects skb->data at mac header.
5758 *
5759 * Returns 0 on success, -errno otherwise.
5760 */
skb_mpls_push(struct sk_buff * skb,__be32 mpls_lse,__be16 mpls_proto,int mac_len,bool ethernet)5761 int skb_mpls_push(struct sk_buff *skb, __be32 mpls_lse, __be16 mpls_proto,
5762 int mac_len, bool ethernet)
5763 {
5764 struct mpls_shim_hdr *lse;
5765 int err;
5766
5767 if (unlikely(!eth_p_mpls(mpls_proto)))
5768 return -EINVAL;
5769
5770 /* Networking stack does not allow simultaneous Tunnel and MPLS GSO. */
5771 if (skb->encapsulation)
5772 return -EINVAL;
5773
5774 err = skb_cow_head(skb, MPLS_HLEN);
5775 if (unlikely(err))
5776 return err;
5777
5778 if (!skb->inner_protocol) {
5779 skb_set_inner_network_header(skb, skb_network_offset(skb));
5780 skb_set_inner_protocol(skb, skb->protocol);
5781 }
5782
5783 skb_push(skb, MPLS_HLEN);
5784 memmove(skb_mac_header(skb) - MPLS_HLEN, skb_mac_header(skb),
5785 mac_len);
5786 skb_reset_mac_header(skb);
5787 skb_set_network_header(skb, mac_len);
5788 skb_reset_mac_len(skb);
5789
5790 lse = mpls_hdr(skb);
5791 lse->label_stack_entry = mpls_lse;
5792 skb_postpush_rcsum(skb, lse, MPLS_HLEN);
5793
5794 if (ethernet && mac_len >= ETH_HLEN)
5795 skb_mod_eth_type(skb, eth_hdr(skb), mpls_proto);
5796 skb->protocol = mpls_proto;
5797
5798 return 0;
5799 }
5800 EXPORT_SYMBOL_GPL(skb_mpls_push);
5801
5802 /**
5803 * skb_mpls_pop() - pop the outermost MPLS header
5804 *
5805 * @skb: buffer
5806 * @next_proto: ethertype of header after popped MPLS header
5807 * @mac_len: length of the MAC header
5808 * @ethernet: flag to indicate if the packet is ethernet
5809 *
5810 * Expects skb->data at mac header.
5811 *
5812 * Returns 0 on success, -errno otherwise.
5813 */
skb_mpls_pop(struct sk_buff * skb,__be16 next_proto,int mac_len,bool ethernet)5814 int skb_mpls_pop(struct sk_buff *skb, __be16 next_proto, int mac_len,
5815 bool ethernet)
5816 {
5817 int err;
5818
5819 if (unlikely(!eth_p_mpls(skb->protocol)))
5820 return 0;
5821
5822 err = skb_ensure_writable(skb, mac_len + MPLS_HLEN);
5823 if (unlikely(err))
5824 return err;
5825
5826 skb_postpull_rcsum(skb, mpls_hdr(skb), MPLS_HLEN);
5827 memmove(skb_mac_header(skb) + MPLS_HLEN, skb_mac_header(skb),
5828 mac_len);
5829
5830 __skb_pull(skb, MPLS_HLEN);
5831 skb_reset_mac_header(skb);
5832 skb_set_network_header(skb, mac_len);
5833
5834 if (ethernet && mac_len >= ETH_HLEN) {
5835 struct ethhdr *hdr;
5836
5837 /* use mpls_hdr() to get ethertype to account for VLANs. */
5838 hdr = (struct ethhdr *)((void *)mpls_hdr(skb) - ETH_HLEN);
5839 skb_mod_eth_type(skb, hdr, next_proto);
5840 }
5841 skb->protocol = next_proto;
5842
5843 return 0;
5844 }
5845 EXPORT_SYMBOL_GPL(skb_mpls_pop);
5846
5847 /**
5848 * skb_mpls_update_lse() - modify outermost MPLS header and update csum
5849 *
5850 * @skb: buffer
5851 * @mpls_lse: new MPLS label stack entry to update to
5852 *
5853 * Expects skb->data at mac header.
5854 *
5855 * Returns 0 on success, -errno otherwise.
5856 */
skb_mpls_update_lse(struct sk_buff * skb,__be32 mpls_lse)5857 int skb_mpls_update_lse(struct sk_buff *skb, __be32 mpls_lse)
5858 {
5859 int err;
5860
5861 if (unlikely(!eth_p_mpls(skb->protocol)))
5862 return -EINVAL;
5863
5864 err = skb_ensure_writable(skb, skb->mac_len + MPLS_HLEN);
5865 if (unlikely(err))
5866 return err;
5867
5868 if (skb->ip_summed == CHECKSUM_COMPLETE) {
5869 __be32 diff[] = { ~mpls_hdr(skb)->label_stack_entry, mpls_lse };
5870
5871 skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum);
5872 }
5873
5874 mpls_hdr(skb)->label_stack_entry = mpls_lse;
5875
5876 return 0;
5877 }
5878 EXPORT_SYMBOL_GPL(skb_mpls_update_lse);
5879
5880 /**
5881 * skb_mpls_dec_ttl() - decrement the TTL of the outermost MPLS header
5882 *
5883 * @skb: buffer
5884 *
5885 * Expects skb->data at mac header.
5886 *
5887 * Returns 0 on success, -errno otherwise.
5888 */
skb_mpls_dec_ttl(struct sk_buff * skb)5889 int skb_mpls_dec_ttl(struct sk_buff *skb)
5890 {
5891 u32 lse;
5892 u8 ttl;
5893
5894 if (unlikely(!eth_p_mpls(skb->protocol)))
5895 return -EINVAL;
5896
5897 if (!pskb_may_pull(skb, skb_network_offset(skb) + MPLS_HLEN))
5898 return -ENOMEM;
5899
5900 lse = be32_to_cpu(mpls_hdr(skb)->label_stack_entry);
5901 ttl = (lse & MPLS_LS_TTL_MASK) >> MPLS_LS_TTL_SHIFT;
5902 if (!--ttl)
5903 return -EINVAL;
5904
5905 lse &= ~MPLS_LS_TTL_MASK;
5906 lse |= ttl << MPLS_LS_TTL_SHIFT;
5907
5908 return skb_mpls_update_lse(skb, cpu_to_be32(lse));
5909 }
5910 EXPORT_SYMBOL_GPL(skb_mpls_dec_ttl);
5911
5912 /**
5913 * alloc_skb_with_frags - allocate skb with page frags
5914 *
5915 * @header_len: size of linear part
5916 * @data_len: needed length in frags
5917 * @max_page_order: max page order desired.
5918 * @errcode: pointer to error code if any
5919 * @gfp_mask: allocation mask
5920 *
5921 * This can be used to allocate a paged skb, given a maximal order for frags.
5922 */
alloc_skb_with_frags(unsigned long header_len,unsigned long data_len,int max_page_order,int * errcode,gfp_t gfp_mask)5923 struct sk_buff *alloc_skb_with_frags(unsigned long header_len,
5924 unsigned long data_len,
5925 int max_page_order,
5926 int *errcode,
5927 gfp_t gfp_mask)
5928 {
5929 int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
5930 unsigned long chunk;
5931 struct sk_buff *skb;
5932 struct page *page;
5933 int i;
5934
5935 *errcode = -EMSGSIZE;
5936 /* Note this test could be relaxed, if we succeed to allocate
5937 * high order pages...
5938 */
5939 if (npages > MAX_SKB_FRAGS)
5940 return NULL;
5941
5942 *errcode = -ENOBUFS;
5943 skb = alloc_skb(header_len, gfp_mask);
5944 if (!skb)
5945 return NULL;
5946
5947 skb->truesize += npages << PAGE_SHIFT;
5948
5949 for (i = 0; npages > 0; i++) {
5950 int order = max_page_order;
5951
5952 while (order) {
5953 if (npages >= 1 << order) {
5954 page = alloc_pages((gfp_mask & ~__GFP_DIRECT_RECLAIM) |
5955 __GFP_COMP |
5956 __GFP_NOWARN,
5957 order);
5958 if (page)
5959 goto fill_page;
5960 /* Do not retry other high order allocations */
5961 order = 1;
5962 max_page_order = 0;
5963 }
5964 order--;
5965 }
5966 page = alloc_page(gfp_mask);
5967 if (!page)
5968 goto failure;
5969 fill_page:
5970 chunk = min_t(unsigned long, data_len,
5971 PAGE_SIZE << order);
5972 skb_fill_page_desc(skb, i, page, 0, chunk);
5973 data_len -= chunk;
5974 npages -= 1 << order;
5975 }
5976 return skb;
5977
5978 failure:
5979 kfree_skb(skb);
5980 return NULL;
5981 }
5982 EXPORT_SYMBOL(alloc_skb_with_frags);
5983
5984 /* carve out the first off bytes from skb when off < headlen */
pskb_carve_inside_header(struct sk_buff * skb,const u32 off,const int headlen,gfp_t gfp_mask)5985 static int pskb_carve_inside_header(struct sk_buff *skb, const u32 off,
5986 const int headlen, gfp_t gfp_mask)
5987 {
5988 int i;
5989 int size = skb_end_offset(skb);
5990 int new_hlen = headlen - off;
5991 u8 *data;
5992
5993 size = SKB_DATA_ALIGN(size);
5994
5995 if (skb_pfmemalloc(skb))
5996 gfp_mask |= __GFP_MEMALLOC;
5997 data = kmalloc_reserve(size +
5998 SKB_DATA_ALIGN(sizeof(struct skb_shared_info)),
5999 gfp_mask, NUMA_NO_NODE, NULL);
6000 if (!data)
6001 return -ENOMEM;
6002
6003 size = SKB_WITH_OVERHEAD(ksize(data));
6004
6005 /* Copy real data, and all frags */
6006 skb_copy_from_linear_data_offset(skb, off, data, new_hlen);
6007 skb->len -= off;
6008
6009 memcpy((struct skb_shared_info *)(data + size),
6010 skb_shinfo(skb),
6011 offsetof(struct skb_shared_info,
6012 frags[skb_shinfo(skb)->nr_frags]));
6013 if (skb_cloned(skb)) {
6014 /* drop the old head gracefully */
6015 if (skb_orphan_frags(skb, gfp_mask)) {
6016 kfree(data);
6017 return -ENOMEM;
6018 }
6019 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
6020 skb_frag_ref(skb, i);
6021 if (skb_has_frag_list(skb))
6022 skb_clone_fraglist(skb);
6023 skb_release_data(skb);
6024 } else {
6025 /* we can reuse existing recount- all we did was
6026 * relocate values
6027 */
6028 skb_free_head(skb);
6029 }
6030
6031 skb->head = data;
6032 skb->data = data;
6033 skb->head_frag = 0;
6034 #ifdef NET_SKBUFF_DATA_USES_OFFSET
6035 skb->end = size;
6036 #else
6037 skb->end = skb->head + size;
6038 #endif
6039 skb_set_tail_pointer(skb, skb_headlen(skb));
6040 skb_headers_offset_update(skb, 0);
6041 skb->cloned = 0;
6042 skb->hdr_len = 0;
6043 skb->nohdr = 0;
6044 atomic_set(&skb_shinfo(skb)->dataref, 1);
6045
6046 return 0;
6047 }
6048
6049 static int pskb_carve(struct sk_buff *skb, const u32 off, gfp_t gfp);
6050
6051 /* carve out the first eat bytes from skb's frag_list. May recurse into
6052 * pskb_carve()
6053 */
pskb_carve_frag_list(struct sk_buff * skb,struct skb_shared_info * shinfo,int eat,gfp_t gfp_mask)6054 static int pskb_carve_frag_list(struct sk_buff *skb,
6055 struct skb_shared_info *shinfo, int eat,
6056 gfp_t gfp_mask)
6057 {
6058 struct sk_buff *list = shinfo->frag_list;
6059 struct sk_buff *clone = NULL;
6060 struct sk_buff *insp = NULL;
6061
6062 do {
6063 if (!list) {
6064 pr_err("Not enough bytes to eat. Want %d\n", eat);
6065 return -EFAULT;
6066 }
6067 if (list->len <= eat) {
6068 /* Eaten as whole. */
6069 eat -= list->len;
6070 list = list->next;
6071 insp = list;
6072 } else {
6073 /* Eaten partially. */
6074 if (skb_shared(list)) {
6075 clone = skb_clone(list, gfp_mask);
6076 if (!clone)
6077 return -ENOMEM;
6078 insp = list->next;
6079 list = clone;
6080 } else {
6081 /* This may be pulled without problems. */
6082 insp = list;
6083 }
6084 if (pskb_carve(list, eat, gfp_mask) < 0) {
6085 kfree_skb(clone);
6086 return -ENOMEM;
6087 }
6088 break;
6089 }
6090 } while (eat);
6091
6092 /* Free pulled out fragments. */
6093 while ((list = shinfo->frag_list) != insp) {
6094 shinfo->frag_list = list->next;
6095 consume_skb(list);
6096 }
6097 /* And insert new clone at head. */
6098 if (clone) {
6099 clone->next = list;
6100 shinfo->frag_list = clone;
6101 }
6102 return 0;
6103 }
6104
6105 /* carve off first len bytes from skb. Split line (off) is in the
6106 * non-linear part of skb
6107 */
pskb_carve_inside_nonlinear(struct sk_buff * skb,const u32 off,int pos,gfp_t gfp_mask)6108 static int pskb_carve_inside_nonlinear(struct sk_buff *skb, const u32 off,
6109 int pos, gfp_t gfp_mask)
6110 {
6111 int i, k = 0;
6112 int size = skb_end_offset(skb);
6113 u8 *data;
6114 const int nfrags = skb_shinfo(skb)->nr_frags;
6115 struct skb_shared_info *shinfo;
6116
6117 size = SKB_DATA_ALIGN(size);
6118
6119 if (skb_pfmemalloc(skb))
6120 gfp_mask |= __GFP_MEMALLOC;
6121 data = kmalloc_reserve(size +
6122 SKB_DATA_ALIGN(sizeof(struct skb_shared_info)),
6123 gfp_mask, NUMA_NO_NODE, NULL);
6124 if (!data)
6125 return -ENOMEM;
6126
6127 size = SKB_WITH_OVERHEAD(ksize(data));
6128
6129 memcpy((struct skb_shared_info *)(data + size),
6130 skb_shinfo(skb), offsetof(struct skb_shared_info, frags[0]));
6131 if (skb_orphan_frags(skb, gfp_mask)) {
6132 kfree(data);
6133 return -ENOMEM;
6134 }
6135 shinfo = (struct skb_shared_info *)(data + size);
6136 for (i = 0; i < nfrags; i++) {
6137 int fsize = skb_frag_size(&skb_shinfo(skb)->frags[i]);
6138
6139 if (pos + fsize > off) {
6140 shinfo->frags[k] = skb_shinfo(skb)->frags[i];
6141
6142 if (pos < off) {
6143 /* Split frag.
6144 * We have two variants in this case:
6145 * 1. Move all the frag to the second
6146 * part, if it is possible. F.e.
6147 * this approach is mandatory for TUX,
6148 * where splitting is expensive.
6149 * 2. Split is accurately. We make this.
6150 */
6151 skb_frag_off_add(&shinfo->frags[0], off - pos);
6152 skb_frag_size_sub(&shinfo->frags[0], off - pos);
6153 }
6154 skb_frag_ref(skb, i);
6155 k++;
6156 }
6157 pos += fsize;
6158 }
6159 shinfo->nr_frags = k;
6160 if (skb_has_frag_list(skb))
6161 skb_clone_fraglist(skb);
6162
6163 /* split line is in frag list */
6164 if (k == 0 && pskb_carve_frag_list(skb, shinfo, off - pos, gfp_mask)) {
6165 /* skb_frag_unref() is not needed here as shinfo->nr_frags = 0. */
6166 if (skb_has_frag_list(skb))
6167 kfree_skb_list(skb_shinfo(skb)->frag_list);
6168 kfree(data);
6169 return -ENOMEM;
6170 }
6171 skb_release_data(skb);
6172
6173 skb->head = data;
6174 skb->head_frag = 0;
6175 skb->data = data;
6176 #ifdef NET_SKBUFF_DATA_USES_OFFSET
6177 skb->end = size;
6178 #else
6179 skb->end = skb->head + size;
6180 #endif
6181 skb_reset_tail_pointer(skb);
6182 skb_headers_offset_update(skb, 0);
6183 skb->cloned = 0;
6184 skb->hdr_len = 0;
6185 skb->nohdr = 0;
6186 skb->len -= off;
6187 skb->data_len = skb->len;
6188 atomic_set(&skb_shinfo(skb)->dataref, 1);
6189 return 0;
6190 }
6191
6192 /* remove len bytes from the beginning of the skb */
pskb_carve(struct sk_buff * skb,const u32 len,gfp_t gfp)6193 static int pskb_carve(struct sk_buff *skb, const u32 len, gfp_t gfp)
6194 {
6195 int headlen = skb_headlen(skb);
6196
6197 if (len < headlen)
6198 return pskb_carve_inside_header(skb, len, headlen, gfp);
6199 else
6200 return pskb_carve_inside_nonlinear(skb, len, headlen, gfp);
6201 }
6202
6203 /* Extract to_copy bytes starting at off from skb, and return this in
6204 * a new skb
6205 */
pskb_extract(struct sk_buff * skb,int off,int to_copy,gfp_t gfp)6206 struct sk_buff *pskb_extract(struct sk_buff *skb, int off,
6207 int to_copy, gfp_t gfp)
6208 {
6209 struct sk_buff *clone = skb_clone(skb, gfp);
6210
6211 if (!clone)
6212 return NULL;
6213
6214 if (pskb_carve(clone, off, gfp) < 0 ||
6215 pskb_trim(clone, to_copy)) {
6216 kfree_skb(clone);
6217 return NULL;
6218 }
6219 return clone;
6220 }
6221 EXPORT_SYMBOL(pskb_extract);
6222
6223 /**
6224 * skb_condense - try to get rid of fragments/frag_list if possible
6225 * @skb: buffer
6226 *
6227 * Can be used to save memory before skb is added to a busy queue.
6228 * If packet has bytes in frags and enough tail room in skb->head,
6229 * pull all of them, so that we can free the frags right now and adjust
6230 * truesize.
6231 * Notes:
6232 * We do not reallocate skb->head thus can not fail.
6233 * Caller must re-evaluate skb->truesize if needed.
6234 */
skb_condense(struct sk_buff * skb)6235 void skb_condense(struct sk_buff *skb)
6236 {
6237 if (skb->data_len) {
6238 if (skb->data_len > skb->end - skb->tail ||
6239 skb_cloned(skb))
6240 return;
6241
6242 /* Nice, we can free page frag(s) right now */
6243 __pskb_pull_tail(skb, skb->data_len);
6244 }
6245 /* At this point, skb->truesize might be over estimated,
6246 * because skb had a fragment, and fragments do not tell
6247 * their truesize.
6248 * When we pulled its content into skb->head, fragment
6249 * was freed, but __pskb_pull_tail() could not possibly
6250 * adjust skb->truesize, not knowing the frag truesize.
6251 */
6252 skb->truesize = SKB_TRUESIZE(skb_end_offset(skb));
6253 }
6254
6255 #ifdef CONFIG_SKB_EXTENSIONS
skb_ext_get_ptr(struct skb_ext * ext,enum skb_ext_id id)6256 static void *skb_ext_get_ptr(struct skb_ext *ext, enum skb_ext_id id)
6257 {
6258 return (void *)ext + (ext->offset[id] * SKB_EXT_ALIGN_VALUE);
6259 }
6260
6261 /**
6262 * __skb_ext_alloc - allocate a new skb extensions storage
6263 *
6264 * @flags: See kmalloc().
6265 *
6266 * Returns the newly allocated pointer. The pointer can later attached to a
6267 * skb via __skb_ext_set().
6268 * Note: caller must handle the skb_ext as an opaque data.
6269 */
__skb_ext_alloc(gfp_t flags)6270 struct skb_ext *__skb_ext_alloc(gfp_t flags)
6271 {
6272 struct skb_ext *new = kmem_cache_alloc(skbuff_ext_cache, flags);
6273
6274 if (new) {
6275 memset(new->offset, 0, sizeof(new->offset));
6276 refcount_set(&new->refcnt, 1);
6277 }
6278
6279 return new;
6280 }
6281
skb_ext_maybe_cow(struct skb_ext * old,unsigned int old_active)6282 static struct skb_ext *skb_ext_maybe_cow(struct skb_ext *old,
6283 unsigned int old_active)
6284 {
6285 struct skb_ext *new;
6286
6287 if (refcount_read(&old->refcnt) == 1)
6288 return old;
6289
6290 new = kmem_cache_alloc(skbuff_ext_cache, GFP_ATOMIC);
6291 if (!new)
6292 return NULL;
6293
6294 memcpy(new, old, old->chunks * SKB_EXT_ALIGN_VALUE);
6295 refcount_set(&new->refcnt, 1);
6296
6297 #ifdef CONFIG_XFRM
6298 if (old_active & (1 << SKB_EXT_SEC_PATH)) {
6299 struct sec_path *sp = skb_ext_get_ptr(old, SKB_EXT_SEC_PATH);
6300 unsigned int i;
6301
6302 for (i = 0; i < sp->len; i++)
6303 xfrm_state_hold(sp->xvec[i]);
6304 }
6305 #endif
6306 __skb_ext_put(old);
6307 return new;
6308 }
6309
6310 /**
6311 * __skb_ext_set - attach the specified extension storage to this skb
6312 * @skb: buffer
6313 * @id: extension id
6314 * @ext: extension storage previously allocated via __skb_ext_alloc()
6315 *
6316 * Existing extensions, if any, are cleared.
6317 *
6318 * Returns the pointer to the extension.
6319 */
__skb_ext_set(struct sk_buff * skb,enum skb_ext_id id,struct skb_ext * ext)6320 void *__skb_ext_set(struct sk_buff *skb, enum skb_ext_id id,
6321 struct skb_ext *ext)
6322 {
6323 unsigned int newlen, newoff = SKB_EXT_CHUNKSIZEOF(*ext);
6324
6325 skb_ext_put(skb);
6326 newlen = newoff + skb_ext_type_len[id];
6327 ext->chunks = newlen;
6328 ext->offset[id] = newoff;
6329 skb->extensions = ext;
6330 skb->active_extensions = 1 << id;
6331 return skb_ext_get_ptr(ext, id);
6332 }
6333
6334 /**
6335 * skb_ext_add - allocate space for given extension, COW if needed
6336 * @skb: buffer
6337 * @id: extension to allocate space for
6338 *
6339 * Allocates enough space for the given extension.
6340 * If the extension is already present, a pointer to that extension
6341 * is returned.
6342 *
6343 * If the skb was cloned, COW applies and the returned memory can be
6344 * modified without changing the extension space of clones buffers.
6345 *
6346 * Returns pointer to the extension or NULL on allocation failure.
6347 */
skb_ext_add(struct sk_buff * skb,enum skb_ext_id id)6348 void *skb_ext_add(struct sk_buff *skb, enum skb_ext_id id)
6349 {
6350 struct skb_ext *new, *old = NULL;
6351 unsigned int newlen, newoff;
6352
6353 if (skb->active_extensions) {
6354 old = skb->extensions;
6355
6356 new = skb_ext_maybe_cow(old, skb->active_extensions);
6357 if (!new)
6358 return NULL;
6359
6360 if (__skb_ext_exist(new, id))
6361 goto set_active;
6362
6363 newoff = new->chunks;
6364 } else {
6365 newoff = SKB_EXT_CHUNKSIZEOF(*new);
6366
6367 new = __skb_ext_alloc(GFP_ATOMIC);
6368 if (!new)
6369 return NULL;
6370 }
6371
6372 newlen = newoff + skb_ext_type_len[id];
6373 new->chunks = newlen;
6374 new->offset[id] = newoff;
6375 set_active:
6376 skb->extensions = new;
6377 skb->active_extensions |= 1 << id;
6378 return skb_ext_get_ptr(new, id);
6379 }
6380 EXPORT_SYMBOL(skb_ext_add);
6381
6382 #ifdef CONFIG_XFRM
skb_ext_put_sp(struct sec_path * sp)6383 static void skb_ext_put_sp(struct sec_path *sp)
6384 {
6385 unsigned int i;
6386
6387 for (i = 0; i < sp->len; i++)
6388 xfrm_state_put(sp->xvec[i]);
6389 }
6390 #endif
6391
__skb_ext_del(struct sk_buff * skb,enum skb_ext_id id)6392 void __skb_ext_del(struct sk_buff *skb, enum skb_ext_id id)
6393 {
6394 struct skb_ext *ext = skb->extensions;
6395
6396 skb->active_extensions &= ~(1 << id);
6397 if (skb->active_extensions == 0) {
6398 skb->extensions = NULL;
6399 __skb_ext_put(ext);
6400 #ifdef CONFIG_XFRM
6401 } else if (id == SKB_EXT_SEC_PATH &&
6402 refcount_read(&ext->refcnt) == 1) {
6403 struct sec_path *sp = skb_ext_get_ptr(ext, SKB_EXT_SEC_PATH);
6404
6405 skb_ext_put_sp(sp);
6406 sp->len = 0;
6407 #endif
6408 }
6409 }
6410 EXPORT_SYMBOL(__skb_ext_del);
6411
__skb_ext_put(struct skb_ext * ext)6412 void __skb_ext_put(struct skb_ext *ext)
6413 {
6414 /* If this is last clone, nothing can increment
6415 * it after check passes. Avoids one atomic op.
6416 */
6417 if (refcount_read(&ext->refcnt) == 1)
6418 goto free_now;
6419
6420 if (!refcount_dec_and_test(&ext->refcnt))
6421 return;
6422 free_now:
6423 #ifdef CONFIG_XFRM
6424 if (__skb_ext_exist(ext, SKB_EXT_SEC_PATH))
6425 skb_ext_put_sp(skb_ext_get_ptr(ext, SKB_EXT_SEC_PATH));
6426 #endif
6427
6428 kmem_cache_free(skbuff_ext_cache, ext);
6429 }
6430 EXPORT_SYMBOL(__skb_ext_put);
6431 #endif /* CONFIG_SKB_EXTENSIONS */
6432