1 /* 2 * Routines having to do with the 'struct sk_buff' memory handlers. 3 * 4 * Authors: Alan Cox <iiitac@pyr.swan.ac.uk> 5 * Florian La Roche <rzsfl@rz.uni-sb.de> 6 * 7 * Fixes: 8 * Alan Cox : Fixed the worst of the load 9 * balancer bugs. 10 * Dave Platt : Interrupt stacking fix. 11 * Richard Kooijman : Timestamp fixes. 12 * Alan Cox : Changed buffer format. 13 * Alan Cox : destructor hook for AF_UNIX etc. 14 * Linus Torvalds : Better skb_clone. 15 * Alan Cox : Added skb_copy. 16 * Alan Cox : Added all the changed routines Linus 17 * only put in the headers 18 * Ray VanTassle : Fixed --skb->lock in free 19 * Alan Cox : skb_copy copy arp field 20 * Andi Kleen : slabified it. 21 * Robert Olsson : Removed skb_head_pool 22 * 23 * NOTE: 24 * The __skb_ routines should be called with interrupts 25 * disabled, or you better be *real* sure that the operation is atomic 26 * with respect to whatever list is being frobbed (e.g. via lock_sock() 27 * or via disabling bottom half handlers, etc). 28 * 29 * This program is free software; you can redistribute it and/or 30 * modify it under the terms of the GNU General Public License 31 * as published by the Free Software Foundation; either version 32 * 2 of the License, or (at your option) any later version. 33 */ 34 35 /* 36 * The functions in this file will not compile correctly with gcc 2.4.x 37 */ 38 39 #include <linux/module.h> 40 #include <linux/types.h> 41 #include <linux/kernel.h> 42 #include <linux/mm.h> 43 #include <linux/interrupt.h> 44 #include <linux/in.h> 45 #include <linux/inet.h> 46 #include <linux/slab.h> 47 #include <linux/netdevice.h> 48 #ifdef CONFIG_NET_CLS_ACT 49 #include <net/pkt_sched.h> 50 #endif 51 #include <linux/string.h> 52 #include <linux/skbuff.h> 53 #include <linux/splice.h> 54 #include <linux/cache.h> 55 #include <linux/rtnetlink.h> 56 #include <linux/init.h> 57 #include <linux/scatterlist.h> 58 59 #include <net/protocol.h> 60 #include <net/dst.h> 61 #include <net/sock.h> 62 #include <net/checksum.h> 63 #include <net/xfrm.h> 64 65 #include <asm/uaccess.h> 66 #include <asm/system.h> 67 68 #include "kmap_skb.h" 69 70 static struct kmem_cache *skbuff_head_cache __read_mostly; 71 static struct kmem_cache *skbuff_fclone_cache __read_mostly; 72 73 static void sock_pipe_buf_release(struct pipe_inode_info *pipe, 74 struct pipe_buffer *buf) 75 { 76 struct sk_buff *skb = (struct sk_buff *) buf->private; 77 78 kfree_skb(skb); 79 } 80 81 static void sock_pipe_buf_get(struct pipe_inode_info *pipe, 82 struct pipe_buffer *buf) 83 { 84 struct sk_buff *skb = (struct sk_buff *) buf->private; 85 86 skb_get(skb); 87 } 88 89 static int sock_pipe_buf_steal(struct pipe_inode_info *pipe, 90 struct pipe_buffer *buf) 91 { 92 return 1; 93 } 94 95 96 /* Pipe buffer operations for a socket. */ 97 static struct pipe_buf_operations sock_pipe_buf_ops = { 98 .can_merge = 0, 99 .map = generic_pipe_buf_map, 100 .unmap = generic_pipe_buf_unmap, 101 .confirm = generic_pipe_buf_confirm, 102 .release = sock_pipe_buf_release, 103 .steal = sock_pipe_buf_steal, 104 .get = sock_pipe_buf_get, 105 }; 106 107 /* 108 * Keep out-of-line to prevent kernel bloat. 109 * __builtin_return_address is not used because it is not always 110 * reliable. 111 */ 112 113 /** 114 * skb_over_panic - private function 115 * @skb: buffer 116 * @sz: size 117 * @here: address 118 * 119 * Out of line support code for skb_put(). Not user callable. 120 */ 121 void skb_over_panic(struct sk_buff *skb, int sz, void *here) 122 { 123 printk(KERN_EMERG "skb_over_panic: text:%p len:%d put:%d head:%p " 124 "data:%p tail:%#lx end:%#lx dev:%s\n", 125 here, skb->len, sz, skb->head, skb->data, 126 (unsigned long)skb->tail, (unsigned long)skb->end, 127 skb->dev ? skb->dev->name : "<NULL>"); 128 BUG(); 129 } 130 131 /** 132 * skb_under_panic - private function 133 * @skb: buffer 134 * @sz: size 135 * @here: address 136 * 137 * Out of line support code for skb_push(). Not user callable. 138 */ 139 140 void skb_under_panic(struct sk_buff *skb, int sz, void *here) 141 { 142 printk(KERN_EMERG "skb_under_panic: text:%p len:%d put:%d head:%p " 143 "data:%p tail:%#lx end:%#lx dev:%s\n", 144 here, skb->len, sz, skb->head, skb->data, 145 (unsigned long)skb->tail, (unsigned long)skb->end, 146 skb->dev ? skb->dev->name : "<NULL>"); 147 BUG(); 148 } 149 150 void skb_truesize_bug(struct sk_buff *skb) 151 { 152 printk(KERN_ERR "SKB BUG: Invalid truesize (%u) " 153 "len=%u, sizeof(sk_buff)=%Zd\n", 154 skb->truesize, skb->len, sizeof(struct sk_buff)); 155 } 156 EXPORT_SYMBOL(skb_truesize_bug); 157 158 /* Allocate a new skbuff. We do this ourselves so we can fill in a few 159 * 'private' fields and also do memory statistics to find all the 160 * [BEEP] leaks. 161 * 162 */ 163 164 /** 165 * __alloc_skb - allocate a network buffer 166 * @size: size to allocate 167 * @gfp_mask: allocation mask 168 * @fclone: allocate from fclone cache instead of head cache 169 * and allocate a cloned (child) skb 170 * @node: numa node to allocate memory on 171 * 172 * Allocate a new &sk_buff. The returned buffer has no headroom and a 173 * tail room of size bytes. The object has a reference count of one. 174 * The return is the buffer. On a failure the return is %NULL. 175 * 176 * Buffers may only be allocated from interrupts using a @gfp_mask of 177 * %GFP_ATOMIC. 178 */ 179 struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask, 180 int fclone, int node) 181 { 182 struct kmem_cache *cache; 183 struct skb_shared_info *shinfo; 184 struct sk_buff *skb; 185 u8 *data; 186 187 cache = fclone ? skbuff_fclone_cache : skbuff_head_cache; 188 189 /* Get the HEAD */ 190 skb = kmem_cache_alloc_node(cache, gfp_mask & ~__GFP_DMA, node); 191 if (!skb) 192 goto out; 193 194 size = SKB_DATA_ALIGN(size); 195 data = kmalloc_node_track_caller(size + sizeof(struct skb_shared_info), 196 gfp_mask, node); 197 if (!data) 198 goto nodata; 199 200 /* 201 * Only clear those fields we need to clear, not those that we will 202 * actually initialise below. Hence, don't put any more fields after 203 * the tail pointer in struct sk_buff! 204 */ 205 memset(skb, 0, offsetof(struct sk_buff, tail)); 206 skb->truesize = size + sizeof(struct sk_buff); 207 atomic_set(&skb->users, 1); 208 skb->head = data; 209 skb->data = data; 210 skb_reset_tail_pointer(skb); 211 skb->end = skb->tail + size; 212 /* make sure we initialize shinfo sequentially */ 213 shinfo = skb_shinfo(skb); 214 atomic_set(&shinfo->dataref, 1); 215 shinfo->nr_frags = 0; 216 shinfo->gso_size = 0; 217 shinfo->gso_segs = 0; 218 shinfo->gso_type = 0; 219 shinfo->ip6_frag_id = 0; 220 shinfo->frag_list = NULL; 221 222 if (fclone) { 223 struct sk_buff *child = skb + 1; 224 atomic_t *fclone_ref = (atomic_t *) (child + 1); 225 226 skb->fclone = SKB_FCLONE_ORIG; 227 atomic_set(fclone_ref, 1); 228 229 child->fclone = SKB_FCLONE_UNAVAILABLE; 230 } 231 out: 232 return skb; 233 nodata: 234 kmem_cache_free(cache, skb); 235 skb = NULL; 236 goto out; 237 } 238 239 /** 240 * __netdev_alloc_skb - allocate an skbuff for rx on a specific device 241 * @dev: network device to receive on 242 * @length: length to allocate 243 * @gfp_mask: get_free_pages mask, passed to alloc_skb 244 * 245 * Allocate a new &sk_buff and assign it a usage count of one. The 246 * buffer has unspecified headroom built in. Users should allocate 247 * the headroom they think they need without accounting for the 248 * built in space. The built in space is used for optimisations. 249 * 250 * %NULL is returned if there is no free memory. 251 */ 252 struct sk_buff *__netdev_alloc_skb(struct net_device *dev, 253 unsigned int length, gfp_t gfp_mask) 254 { 255 int node = dev->dev.parent ? dev_to_node(dev->dev.parent) : -1; 256 struct sk_buff *skb; 257 258 skb = __alloc_skb(length + NET_SKB_PAD, gfp_mask, 0, node); 259 if (likely(skb)) { 260 skb_reserve(skb, NET_SKB_PAD); 261 skb->dev = dev; 262 } 263 return skb; 264 } 265 266 struct page *__netdev_alloc_page(struct net_device *dev, gfp_t gfp_mask) 267 { 268 int node = dev->dev.parent ? dev_to_node(dev->dev.parent) : -1; 269 struct page *page; 270 271 page = alloc_pages_node(node, gfp_mask, 0); 272 return page; 273 } 274 EXPORT_SYMBOL(__netdev_alloc_page); 275 276 void skb_add_rx_frag(struct sk_buff *skb, int i, struct page *page, int off, 277 int size) 278 { 279 skb_fill_page_desc(skb, i, page, off, size); 280 skb->len += size; 281 skb->data_len += size; 282 skb->truesize += size; 283 } 284 EXPORT_SYMBOL(skb_add_rx_frag); 285 286 /** 287 * dev_alloc_skb - allocate an skbuff for receiving 288 * @length: length to allocate 289 * 290 * Allocate a new &sk_buff and assign it a usage count of one. The 291 * buffer has unspecified headroom built in. Users should allocate 292 * the headroom they think they need without accounting for the 293 * built in space. The built in space is used for optimisations. 294 * 295 * %NULL is returned if there is no free memory. Although this function 296 * allocates memory it can be called from an interrupt. 297 */ 298 struct sk_buff *dev_alloc_skb(unsigned int length) 299 { 300 /* 301 * There is more code here than it seems: 302 * __dev_alloc_skb is an inline 303 */ 304 return __dev_alloc_skb(length, GFP_ATOMIC); 305 } 306 EXPORT_SYMBOL(dev_alloc_skb); 307 308 static void skb_drop_list(struct sk_buff **listp) 309 { 310 struct sk_buff *list = *listp; 311 312 *listp = NULL; 313 314 do { 315 struct sk_buff *this = list; 316 list = list->next; 317 kfree_skb(this); 318 } while (list); 319 } 320 321 static inline void skb_drop_fraglist(struct sk_buff *skb) 322 { 323 skb_drop_list(&skb_shinfo(skb)->frag_list); 324 } 325 326 static void skb_clone_fraglist(struct sk_buff *skb) 327 { 328 struct sk_buff *list; 329 330 for (list = skb_shinfo(skb)->frag_list; list; list = list->next) 331 skb_get(list); 332 } 333 334 static void skb_release_data(struct sk_buff *skb) 335 { 336 if (!skb->cloned || 337 !atomic_sub_return(skb->nohdr ? (1 << SKB_DATAREF_SHIFT) + 1 : 1, 338 &skb_shinfo(skb)->dataref)) { 339 if (skb_shinfo(skb)->nr_frags) { 340 int i; 341 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) 342 put_page(skb_shinfo(skb)->frags[i].page); 343 } 344 345 if (skb_shinfo(skb)->frag_list) 346 skb_drop_fraglist(skb); 347 348 kfree(skb->head); 349 } 350 } 351 352 /* 353 * Free an skbuff by memory without cleaning the state. 354 */ 355 static void kfree_skbmem(struct sk_buff *skb) 356 { 357 struct sk_buff *other; 358 atomic_t *fclone_ref; 359 360 switch (skb->fclone) { 361 case SKB_FCLONE_UNAVAILABLE: 362 kmem_cache_free(skbuff_head_cache, skb); 363 break; 364 365 case SKB_FCLONE_ORIG: 366 fclone_ref = (atomic_t *) (skb + 2); 367 if (atomic_dec_and_test(fclone_ref)) 368 kmem_cache_free(skbuff_fclone_cache, skb); 369 break; 370 371 case SKB_FCLONE_CLONE: 372 fclone_ref = (atomic_t *) (skb + 1); 373 other = skb - 1; 374 375 /* The clone portion is available for 376 * fast-cloning again. 377 */ 378 skb->fclone = SKB_FCLONE_UNAVAILABLE; 379 380 if (atomic_dec_and_test(fclone_ref)) 381 kmem_cache_free(skbuff_fclone_cache, other); 382 break; 383 } 384 } 385 386 static void skb_release_head_state(struct sk_buff *skb) 387 { 388 dst_release(skb->dst); 389 #ifdef CONFIG_XFRM 390 secpath_put(skb->sp); 391 #endif 392 if (skb->destructor) { 393 WARN_ON(in_irq()); 394 skb->destructor(skb); 395 } 396 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) 397 nf_conntrack_put(skb->nfct); 398 nf_conntrack_put_reasm(skb->nfct_reasm); 399 #endif 400 #ifdef CONFIG_BRIDGE_NETFILTER 401 nf_bridge_put(skb->nf_bridge); 402 #endif 403 /* XXX: IS this still necessary? - JHS */ 404 #ifdef CONFIG_NET_SCHED 405 skb->tc_index = 0; 406 #ifdef CONFIG_NET_CLS_ACT 407 skb->tc_verd = 0; 408 #endif 409 #endif 410 } 411 412 /* Free everything but the sk_buff shell. */ 413 static void skb_release_all(struct sk_buff *skb) 414 { 415 skb_release_head_state(skb); 416 skb_release_data(skb); 417 } 418 419 /** 420 * __kfree_skb - private function 421 * @skb: buffer 422 * 423 * Free an sk_buff. Release anything attached to the buffer. 424 * Clean the state. This is an internal helper function. Users should 425 * always call kfree_skb 426 */ 427 428 void __kfree_skb(struct sk_buff *skb) 429 { 430 skb_release_all(skb); 431 kfree_skbmem(skb); 432 } 433 434 /** 435 * kfree_skb - free an sk_buff 436 * @skb: buffer to free 437 * 438 * Drop a reference to the buffer and free it if the usage count has 439 * hit zero. 440 */ 441 void kfree_skb(struct sk_buff *skb) 442 { 443 if (unlikely(!skb)) 444 return; 445 if (likely(atomic_read(&skb->users) == 1)) 446 smp_rmb(); 447 else if (likely(!atomic_dec_and_test(&skb->users))) 448 return; 449 __kfree_skb(skb); 450 } 451 452 int skb_recycle_check(struct sk_buff *skb, int skb_size) 453 { 454 struct skb_shared_info *shinfo; 455 456 if (skb_is_nonlinear(skb) || skb->fclone != SKB_FCLONE_UNAVAILABLE) 457 return 0; 458 459 skb_size = SKB_DATA_ALIGN(skb_size + NET_SKB_PAD); 460 if (skb_end_pointer(skb) - skb->head < skb_size) 461 return 0; 462 463 if (skb_shared(skb) || skb_cloned(skb)) 464 return 0; 465 466 skb_release_head_state(skb); 467 shinfo = skb_shinfo(skb); 468 atomic_set(&shinfo->dataref, 1); 469 shinfo->nr_frags = 0; 470 shinfo->gso_size = 0; 471 shinfo->gso_segs = 0; 472 shinfo->gso_type = 0; 473 shinfo->ip6_frag_id = 0; 474 shinfo->frag_list = NULL; 475 476 memset(skb, 0, offsetof(struct sk_buff, tail)); 477 skb_reset_tail_pointer(skb); 478 skb->data = skb->head + NET_SKB_PAD; 479 480 return 1; 481 } 482 EXPORT_SYMBOL(skb_recycle_check); 483 484 static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old) 485 { 486 new->tstamp = old->tstamp; 487 new->dev = old->dev; 488 new->transport_header = old->transport_header; 489 new->network_header = old->network_header; 490 new->mac_header = old->mac_header; 491 new->dst = dst_clone(old->dst); 492 #ifdef CONFIG_INET 493 new->sp = secpath_get(old->sp); 494 #endif 495 memcpy(new->cb, old->cb, sizeof(old->cb)); 496 new->csum_start = old->csum_start; 497 new->csum_offset = old->csum_offset; 498 new->local_df = old->local_df; 499 new->pkt_type = old->pkt_type; 500 new->ip_summed = old->ip_summed; 501 skb_copy_queue_mapping(new, old); 502 new->priority = old->priority; 503 #if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE) 504 new->ipvs_property = old->ipvs_property; 505 #endif 506 new->protocol = old->protocol; 507 new->mark = old->mark; 508 __nf_copy(new, old); 509 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ 510 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) 511 new->nf_trace = old->nf_trace; 512 #endif 513 #ifdef CONFIG_NET_SCHED 514 new->tc_index = old->tc_index; 515 #ifdef CONFIG_NET_CLS_ACT 516 new->tc_verd = old->tc_verd; 517 #endif 518 #endif 519 new->vlan_tci = old->vlan_tci; 520 521 skb_copy_secmark(new, old); 522 } 523 524 static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb) 525 { 526 #define C(x) n->x = skb->x 527 528 n->next = n->prev = NULL; 529 n->sk = NULL; 530 __copy_skb_header(n, skb); 531 532 C(len); 533 C(data_len); 534 C(mac_len); 535 n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len; 536 n->cloned = 1; 537 n->nohdr = 0; 538 n->destructor = NULL; 539 C(iif); 540 C(tail); 541 C(end); 542 C(head); 543 C(data); 544 C(truesize); 545 #if defined(CONFIG_MAC80211) || defined(CONFIG_MAC80211_MODULE) 546 C(do_not_encrypt); 547 #endif 548 atomic_set(&n->users, 1); 549 550 atomic_inc(&(skb_shinfo(skb)->dataref)); 551 skb->cloned = 1; 552 553 return n; 554 #undef C 555 } 556 557 /** 558 * skb_morph - morph one skb into another 559 * @dst: the skb to receive the contents 560 * @src: the skb to supply the contents 561 * 562 * This is identical to skb_clone except that the target skb is 563 * supplied by the user. 564 * 565 * The target skb is returned upon exit. 566 */ 567 struct sk_buff *skb_morph(struct sk_buff *dst, struct sk_buff *src) 568 { 569 skb_release_all(dst); 570 return __skb_clone(dst, src); 571 } 572 EXPORT_SYMBOL_GPL(skb_morph); 573 574 /** 575 * skb_clone - duplicate an sk_buff 576 * @skb: buffer to clone 577 * @gfp_mask: allocation priority 578 * 579 * Duplicate an &sk_buff. The new one is not owned by a socket. Both 580 * copies share the same packet data but not structure. The new 581 * buffer has a reference count of 1. If the allocation fails the 582 * function returns %NULL otherwise the new buffer is returned. 583 * 584 * If this function is called from an interrupt gfp_mask() must be 585 * %GFP_ATOMIC. 586 */ 587 588 struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask) 589 { 590 struct sk_buff *n; 591 592 n = skb + 1; 593 if (skb->fclone == SKB_FCLONE_ORIG && 594 n->fclone == SKB_FCLONE_UNAVAILABLE) { 595 atomic_t *fclone_ref = (atomic_t *) (n + 1); 596 n->fclone = SKB_FCLONE_CLONE; 597 atomic_inc(fclone_ref); 598 } else { 599 n = kmem_cache_alloc(skbuff_head_cache, gfp_mask); 600 if (!n) 601 return NULL; 602 n->fclone = SKB_FCLONE_UNAVAILABLE; 603 } 604 605 return __skb_clone(n, skb); 606 } 607 608 static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old) 609 { 610 #ifndef NET_SKBUFF_DATA_USES_OFFSET 611 /* 612 * Shift between the two data areas in bytes 613 */ 614 unsigned long offset = new->data - old->data; 615 #endif 616 617 __copy_skb_header(new, old); 618 619 #ifndef NET_SKBUFF_DATA_USES_OFFSET 620 /* {transport,network,mac}_header are relative to skb->head */ 621 new->transport_header += offset; 622 new->network_header += offset; 623 new->mac_header += offset; 624 #endif 625 skb_shinfo(new)->gso_size = skb_shinfo(old)->gso_size; 626 skb_shinfo(new)->gso_segs = skb_shinfo(old)->gso_segs; 627 skb_shinfo(new)->gso_type = skb_shinfo(old)->gso_type; 628 } 629 630 /** 631 * skb_copy - create private copy of an sk_buff 632 * @skb: buffer to copy 633 * @gfp_mask: allocation priority 634 * 635 * Make a copy of both an &sk_buff and its data. This is used when the 636 * caller wishes to modify the data and needs a private copy of the 637 * data to alter. Returns %NULL on failure or the pointer to the buffer 638 * on success. The returned buffer has a reference count of 1. 639 * 640 * As by-product this function converts non-linear &sk_buff to linear 641 * one, so that &sk_buff becomes completely private and caller is allowed 642 * to modify all the data of returned buffer. This means that this 643 * function is not recommended for use in circumstances when only 644 * header is going to be modified. Use pskb_copy() instead. 645 */ 646 647 struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t gfp_mask) 648 { 649 int headerlen = skb->data - skb->head; 650 /* 651 * Allocate the copy buffer 652 */ 653 struct sk_buff *n; 654 #ifdef NET_SKBUFF_DATA_USES_OFFSET 655 n = alloc_skb(skb->end + skb->data_len, gfp_mask); 656 #else 657 n = alloc_skb(skb->end - skb->head + skb->data_len, gfp_mask); 658 #endif 659 if (!n) 660 return NULL; 661 662 /* Set the data pointer */ 663 skb_reserve(n, headerlen); 664 /* Set the tail pointer and length */ 665 skb_put(n, skb->len); 666 667 if (skb_copy_bits(skb, -headerlen, n->head, headerlen + skb->len)) 668 BUG(); 669 670 copy_skb_header(n, skb); 671 return n; 672 } 673 674 675 /** 676 * pskb_copy - create copy of an sk_buff with private head. 677 * @skb: buffer to copy 678 * @gfp_mask: allocation priority 679 * 680 * Make a copy of both an &sk_buff and part of its data, located 681 * in header. Fragmented data remain shared. This is used when 682 * the caller wishes to modify only header of &sk_buff and needs 683 * private copy of the header to alter. Returns %NULL on failure 684 * or the pointer to the buffer on success. 685 * The returned buffer has a reference count of 1. 686 */ 687 688 struct sk_buff *pskb_copy(struct sk_buff *skb, gfp_t gfp_mask) 689 { 690 /* 691 * Allocate the copy buffer 692 */ 693 struct sk_buff *n; 694 #ifdef NET_SKBUFF_DATA_USES_OFFSET 695 n = alloc_skb(skb->end, gfp_mask); 696 #else 697 n = alloc_skb(skb->end - skb->head, gfp_mask); 698 #endif 699 if (!n) 700 goto out; 701 702 /* Set the data pointer */ 703 skb_reserve(n, skb->data - skb->head); 704 /* Set the tail pointer and length */ 705 skb_put(n, skb_headlen(skb)); 706 /* Copy the bytes */ 707 skb_copy_from_linear_data(skb, n->data, n->len); 708 709 n->truesize += skb->data_len; 710 n->data_len = skb->data_len; 711 n->len = skb->len; 712 713 if (skb_shinfo(skb)->nr_frags) { 714 int i; 715 716 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { 717 skb_shinfo(n)->frags[i] = skb_shinfo(skb)->frags[i]; 718 get_page(skb_shinfo(n)->frags[i].page); 719 } 720 skb_shinfo(n)->nr_frags = i; 721 } 722 723 if (skb_shinfo(skb)->frag_list) { 724 skb_shinfo(n)->frag_list = skb_shinfo(skb)->frag_list; 725 skb_clone_fraglist(n); 726 } 727 728 copy_skb_header(n, skb); 729 out: 730 return n; 731 } 732 733 /** 734 * pskb_expand_head - reallocate header of &sk_buff 735 * @skb: buffer to reallocate 736 * @nhead: room to add at head 737 * @ntail: room to add at tail 738 * @gfp_mask: allocation priority 739 * 740 * Expands (or creates identical copy, if &nhead and &ntail are zero) 741 * header of skb. &sk_buff itself is not changed. &sk_buff MUST have 742 * reference count of 1. Returns zero in the case of success or error, 743 * if expansion failed. In the last case, &sk_buff is not changed. 744 * 745 * All the pointers pointing into skb header may change and must be 746 * reloaded after call to this function. 747 */ 748 749 int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail, 750 gfp_t gfp_mask) 751 { 752 int i; 753 u8 *data; 754 #ifdef NET_SKBUFF_DATA_USES_OFFSET 755 int size = nhead + skb->end + ntail; 756 #else 757 int size = nhead + (skb->end - skb->head) + ntail; 758 #endif 759 long off; 760 761 BUG_ON(nhead < 0); 762 763 if (skb_shared(skb)) 764 BUG(); 765 766 size = SKB_DATA_ALIGN(size); 767 768 data = kmalloc(size + sizeof(struct skb_shared_info), gfp_mask); 769 if (!data) 770 goto nodata; 771 772 /* Copy only real data... and, alas, header. This should be 773 * optimized for the cases when header is void. */ 774 #ifdef NET_SKBUFF_DATA_USES_OFFSET 775 memcpy(data + nhead, skb->head, skb->tail); 776 #else 777 memcpy(data + nhead, skb->head, skb->tail - skb->head); 778 #endif 779 memcpy(data + size, skb_end_pointer(skb), 780 sizeof(struct skb_shared_info)); 781 782 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) 783 get_page(skb_shinfo(skb)->frags[i].page); 784 785 if (skb_shinfo(skb)->frag_list) 786 skb_clone_fraglist(skb); 787 788 skb_release_data(skb); 789 790 off = (data + nhead) - skb->head; 791 792 skb->head = data; 793 skb->data += off; 794 #ifdef NET_SKBUFF_DATA_USES_OFFSET 795 skb->end = size; 796 off = nhead; 797 #else 798 skb->end = skb->head + size; 799 #endif 800 /* {transport,network,mac}_header and tail are relative to skb->head */ 801 skb->tail += off; 802 skb->transport_header += off; 803 skb->network_header += off; 804 skb->mac_header += off; 805 skb->csum_start += nhead; 806 skb->cloned = 0; 807 skb->hdr_len = 0; 808 skb->nohdr = 0; 809 atomic_set(&skb_shinfo(skb)->dataref, 1); 810 return 0; 811 812 nodata: 813 return -ENOMEM; 814 } 815 816 /* Make private copy of skb with writable head and some headroom */ 817 818 struct sk_buff *skb_realloc_headroom(struct sk_buff *skb, unsigned int headroom) 819 { 820 struct sk_buff *skb2; 821 int delta = headroom - skb_headroom(skb); 822 823 if (delta <= 0) 824 skb2 = pskb_copy(skb, GFP_ATOMIC); 825 else { 826 skb2 = skb_clone(skb, GFP_ATOMIC); 827 if (skb2 && pskb_expand_head(skb2, SKB_DATA_ALIGN(delta), 0, 828 GFP_ATOMIC)) { 829 kfree_skb(skb2); 830 skb2 = NULL; 831 } 832 } 833 return skb2; 834 } 835 836 837 /** 838 * skb_copy_expand - copy and expand sk_buff 839 * @skb: buffer to copy 840 * @newheadroom: new free bytes at head 841 * @newtailroom: new free bytes at tail 842 * @gfp_mask: allocation priority 843 * 844 * Make a copy of both an &sk_buff and its data and while doing so 845 * allocate additional space. 846 * 847 * This is used when the caller wishes to modify the data and needs a 848 * private copy of the data to alter as well as more space for new fields. 849 * Returns %NULL on failure or the pointer to the buffer 850 * on success. The returned buffer has a reference count of 1. 851 * 852 * You must pass %GFP_ATOMIC as the allocation priority if this function 853 * is called from an interrupt. 854 */ 855 struct sk_buff *skb_copy_expand(const struct sk_buff *skb, 856 int newheadroom, int newtailroom, 857 gfp_t gfp_mask) 858 { 859 /* 860 * Allocate the copy buffer 861 */ 862 struct sk_buff *n = alloc_skb(newheadroom + skb->len + newtailroom, 863 gfp_mask); 864 int oldheadroom = skb_headroom(skb); 865 int head_copy_len, head_copy_off; 866 int off; 867 868 if (!n) 869 return NULL; 870 871 skb_reserve(n, newheadroom); 872 873 /* Set the tail pointer and length */ 874 skb_put(n, skb->len); 875 876 head_copy_len = oldheadroom; 877 head_copy_off = 0; 878 if (newheadroom <= head_copy_len) 879 head_copy_len = newheadroom; 880 else 881 head_copy_off = newheadroom - head_copy_len; 882 883 /* Copy the linear header and data. */ 884 if (skb_copy_bits(skb, -head_copy_len, n->head + head_copy_off, 885 skb->len + head_copy_len)) 886 BUG(); 887 888 copy_skb_header(n, skb); 889 890 off = newheadroom - oldheadroom; 891 n->csum_start += off; 892 #ifdef NET_SKBUFF_DATA_USES_OFFSET 893 n->transport_header += off; 894 n->network_header += off; 895 n->mac_header += off; 896 #endif 897 898 return n; 899 } 900 901 /** 902 * skb_pad - zero pad the tail of an skb 903 * @skb: buffer to pad 904 * @pad: space to pad 905 * 906 * Ensure that a buffer is followed by a padding area that is zero 907 * filled. Used by network drivers which may DMA or transfer data 908 * beyond the buffer end onto the wire. 909 * 910 * May return error in out of memory cases. The skb is freed on error. 911 */ 912 913 int skb_pad(struct sk_buff *skb, int pad) 914 { 915 int err; 916 int ntail; 917 918 /* If the skbuff is non linear tailroom is always zero.. */ 919 if (!skb_cloned(skb) && skb_tailroom(skb) >= pad) { 920 memset(skb->data+skb->len, 0, pad); 921 return 0; 922 } 923 924 ntail = skb->data_len + pad - (skb->end - skb->tail); 925 if (likely(skb_cloned(skb) || ntail > 0)) { 926 err = pskb_expand_head(skb, 0, ntail, GFP_ATOMIC); 927 if (unlikely(err)) 928 goto free_skb; 929 } 930 931 /* FIXME: The use of this function with non-linear skb's really needs 932 * to be audited. 933 */ 934 err = skb_linearize(skb); 935 if (unlikely(err)) 936 goto free_skb; 937 938 memset(skb->data + skb->len, 0, pad); 939 return 0; 940 941 free_skb: 942 kfree_skb(skb); 943 return err; 944 } 945 946 /** 947 * skb_put - add data to a buffer 948 * @skb: buffer to use 949 * @len: amount of data to add 950 * 951 * This function extends the used data area of the buffer. If this would 952 * exceed the total buffer size the kernel will panic. A pointer to the 953 * first byte of the extra data is returned. 954 */ 955 unsigned char *skb_put(struct sk_buff *skb, unsigned int len) 956 { 957 unsigned char *tmp = skb_tail_pointer(skb); 958 SKB_LINEAR_ASSERT(skb); 959 skb->tail += len; 960 skb->len += len; 961 if (unlikely(skb->tail > skb->end)) 962 skb_over_panic(skb, len, __builtin_return_address(0)); 963 return tmp; 964 } 965 EXPORT_SYMBOL(skb_put); 966 967 /** 968 * skb_push - add data to the start of a buffer 969 * @skb: buffer to use 970 * @len: amount of data to add 971 * 972 * This function extends the used data area of the buffer at the buffer 973 * start. If this would exceed the total buffer headroom the kernel will 974 * panic. A pointer to the first byte of the extra data is returned. 975 */ 976 unsigned char *skb_push(struct sk_buff *skb, unsigned int len) 977 { 978 skb->data -= len; 979 skb->len += len; 980 if (unlikely(skb->data<skb->head)) 981 skb_under_panic(skb, len, __builtin_return_address(0)); 982 return skb->data; 983 } 984 EXPORT_SYMBOL(skb_push); 985 986 /** 987 * skb_pull - remove data from the start of a buffer 988 * @skb: buffer to use 989 * @len: amount of data to remove 990 * 991 * This function removes data from the start of a buffer, returning 992 * the memory to the headroom. A pointer to the next data in the buffer 993 * is returned. Once the data has been pulled future pushes will overwrite 994 * the old data. 995 */ 996 unsigned char *skb_pull(struct sk_buff *skb, unsigned int len) 997 { 998 return unlikely(len > skb->len) ? NULL : __skb_pull(skb, len); 999 } 1000 EXPORT_SYMBOL(skb_pull); 1001 1002 /** 1003 * skb_trim - remove end from a buffer 1004 * @skb: buffer to alter 1005 * @len: new length 1006 * 1007 * Cut the length of a buffer down by removing data from the tail. If 1008 * the buffer is already under the length specified it is not modified. 1009 * The skb must be linear. 1010 */ 1011 void skb_trim(struct sk_buff *skb, unsigned int len) 1012 { 1013 if (skb->len > len) 1014 __skb_trim(skb, len); 1015 } 1016 EXPORT_SYMBOL(skb_trim); 1017 1018 /* Trims skb to length len. It can change skb pointers. 1019 */ 1020 1021 int ___pskb_trim(struct sk_buff *skb, unsigned int len) 1022 { 1023 struct sk_buff **fragp; 1024 struct sk_buff *frag; 1025 int offset = skb_headlen(skb); 1026 int nfrags = skb_shinfo(skb)->nr_frags; 1027 int i; 1028 int err; 1029 1030 if (skb_cloned(skb) && 1031 unlikely((err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC)))) 1032 return err; 1033 1034 i = 0; 1035 if (offset >= len) 1036 goto drop_pages; 1037 1038 for (; i < nfrags; i++) { 1039 int end = offset + skb_shinfo(skb)->frags[i].size; 1040 1041 if (end < len) { 1042 offset = end; 1043 continue; 1044 } 1045 1046 skb_shinfo(skb)->frags[i++].size = len - offset; 1047 1048 drop_pages: 1049 skb_shinfo(skb)->nr_frags = i; 1050 1051 for (; i < nfrags; i++) 1052 put_page(skb_shinfo(skb)->frags[i].page); 1053 1054 if (skb_shinfo(skb)->frag_list) 1055 skb_drop_fraglist(skb); 1056 goto done; 1057 } 1058 1059 for (fragp = &skb_shinfo(skb)->frag_list; (frag = *fragp); 1060 fragp = &frag->next) { 1061 int end = offset + frag->len; 1062 1063 if (skb_shared(frag)) { 1064 struct sk_buff *nfrag; 1065 1066 nfrag = skb_clone(frag, GFP_ATOMIC); 1067 if (unlikely(!nfrag)) 1068 return -ENOMEM; 1069 1070 nfrag->next = frag->next; 1071 kfree_skb(frag); 1072 frag = nfrag; 1073 *fragp = frag; 1074 } 1075 1076 if (end < len) { 1077 offset = end; 1078 continue; 1079 } 1080 1081 if (end > len && 1082 unlikely((err = pskb_trim(frag, len - offset)))) 1083 return err; 1084 1085 if (frag->next) 1086 skb_drop_list(&frag->next); 1087 break; 1088 } 1089 1090 done: 1091 if (len > skb_headlen(skb)) { 1092 skb->data_len -= skb->len - len; 1093 skb->len = len; 1094 } else { 1095 skb->len = len; 1096 skb->data_len = 0; 1097 skb_set_tail_pointer(skb, len); 1098 } 1099 1100 return 0; 1101 } 1102 1103 /** 1104 * __pskb_pull_tail - advance tail of skb header 1105 * @skb: buffer to reallocate 1106 * @delta: number of bytes to advance tail 1107 * 1108 * The function makes a sense only on a fragmented &sk_buff, 1109 * it expands header moving its tail forward and copying necessary 1110 * data from fragmented part. 1111 * 1112 * &sk_buff MUST have reference count of 1. 1113 * 1114 * Returns %NULL (and &sk_buff does not change) if pull failed 1115 * or value of new tail of skb in the case of success. 1116 * 1117 * All the pointers pointing into skb header may change and must be 1118 * reloaded after call to this function. 1119 */ 1120 1121 /* Moves tail of skb head forward, copying data from fragmented part, 1122 * when it is necessary. 1123 * 1. It may fail due to malloc failure. 1124 * 2. It may change skb pointers. 1125 * 1126 * It is pretty complicated. Luckily, it is called only in exceptional cases. 1127 */ 1128 unsigned char *__pskb_pull_tail(struct sk_buff *skb, int delta) 1129 { 1130 /* If skb has not enough free space at tail, get new one 1131 * plus 128 bytes for future expansions. If we have enough 1132 * room at tail, reallocate without expansion only if skb is cloned. 1133 */ 1134 int i, k, eat = (skb->tail + delta) - skb->end; 1135 1136 if (eat > 0 || skb_cloned(skb)) { 1137 if (pskb_expand_head(skb, 0, eat > 0 ? eat + 128 : 0, 1138 GFP_ATOMIC)) 1139 return NULL; 1140 } 1141 1142 if (skb_copy_bits(skb, skb_headlen(skb), skb_tail_pointer(skb), delta)) 1143 BUG(); 1144 1145 /* Optimization: no fragments, no reasons to preestimate 1146 * size of pulled pages. Superb. 1147 */ 1148 if (!skb_shinfo(skb)->frag_list) 1149 goto pull_pages; 1150 1151 /* Estimate size of pulled pages. */ 1152 eat = delta; 1153 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { 1154 if (skb_shinfo(skb)->frags[i].size >= eat) 1155 goto pull_pages; 1156 eat -= skb_shinfo(skb)->frags[i].size; 1157 } 1158 1159 /* If we need update frag list, we are in troubles. 1160 * Certainly, it possible to add an offset to skb data, 1161 * but taking into account that pulling is expected to 1162 * be very rare operation, it is worth to fight against 1163 * further bloating skb head and crucify ourselves here instead. 1164 * Pure masohism, indeed. 8)8) 1165 */ 1166 if (eat) { 1167 struct sk_buff *list = skb_shinfo(skb)->frag_list; 1168 struct sk_buff *clone = NULL; 1169 struct sk_buff *insp = NULL; 1170 1171 do { 1172 BUG_ON(!list); 1173 1174 if (list->len <= eat) { 1175 /* Eaten as whole. */ 1176 eat -= list->len; 1177 list = list->next; 1178 insp = list; 1179 } else { 1180 /* Eaten partially. */ 1181 1182 if (skb_shared(list)) { 1183 /* Sucks! We need to fork list. :-( */ 1184 clone = skb_clone(list, GFP_ATOMIC); 1185 if (!clone) 1186 return NULL; 1187 insp = list->next; 1188 list = clone; 1189 } else { 1190 /* This may be pulled without 1191 * problems. */ 1192 insp = list; 1193 } 1194 if (!pskb_pull(list, eat)) { 1195 if (clone) 1196 kfree_skb(clone); 1197 return NULL; 1198 } 1199 break; 1200 } 1201 } while (eat); 1202 1203 /* Free pulled out fragments. */ 1204 while ((list = skb_shinfo(skb)->frag_list) != insp) { 1205 skb_shinfo(skb)->frag_list = list->next; 1206 kfree_skb(list); 1207 } 1208 /* And insert new clone at head. */ 1209 if (clone) { 1210 clone->next = list; 1211 skb_shinfo(skb)->frag_list = clone; 1212 } 1213 } 1214 /* Success! Now we may commit changes to skb data. */ 1215 1216 pull_pages: 1217 eat = delta; 1218 k = 0; 1219 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { 1220 if (skb_shinfo(skb)->frags[i].size <= eat) { 1221 put_page(skb_shinfo(skb)->frags[i].page); 1222 eat -= skb_shinfo(skb)->frags[i].size; 1223 } else { 1224 skb_shinfo(skb)->frags[k] = skb_shinfo(skb)->frags[i]; 1225 if (eat) { 1226 skb_shinfo(skb)->frags[k].page_offset += eat; 1227 skb_shinfo(skb)->frags[k].size -= eat; 1228 eat = 0; 1229 } 1230 k++; 1231 } 1232 } 1233 skb_shinfo(skb)->nr_frags = k; 1234 1235 skb->tail += delta; 1236 skb->data_len -= delta; 1237 1238 return skb_tail_pointer(skb); 1239 } 1240 1241 /* Copy some data bits from skb to kernel buffer. */ 1242 1243 int skb_copy_bits(const struct sk_buff *skb, int offset, void *to, int len) 1244 { 1245 int i, copy; 1246 int start = skb_headlen(skb); 1247 1248 if (offset > (int)skb->len - len) 1249 goto fault; 1250 1251 /* Copy header. */ 1252 if ((copy = start - offset) > 0) { 1253 if (copy > len) 1254 copy = len; 1255 skb_copy_from_linear_data_offset(skb, offset, to, copy); 1256 if ((len -= copy) == 0) 1257 return 0; 1258 offset += copy; 1259 to += copy; 1260 } 1261 1262 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { 1263 int end; 1264 1265 WARN_ON(start > offset + len); 1266 1267 end = start + skb_shinfo(skb)->frags[i].size; 1268 if ((copy = end - offset) > 0) { 1269 u8 *vaddr; 1270 1271 if (copy > len) 1272 copy = len; 1273 1274 vaddr = kmap_skb_frag(&skb_shinfo(skb)->frags[i]); 1275 memcpy(to, 1276 vaddr + skb_shinfo(skb)->frags[i].page_offset+ 1277 offset - start, copy); 1278 kunmap_skb_frag(vaddr); 1279 1280 if ((len -= copy) == 0) 1281 return 0; 1282 offset += copy; 1283 to += copy; 1284 } 1285 start = end; 1286 } 1287 1288 if (skb_shinfo(skb)->frag_list) { 1289 struct sk_buff *list = skb_shinfo(skb)->frag_list; 1290 1291 for (; list; list = list->next) { 1292 int end; 1293 1294 WARN_ON(start > offset + len); 1295 1296 end = start + list->len; 1297 if ((copy = end - offset) > 0) { 1298 if (copy > len) 1299 copy = len; 1300 if (skb_copy_bits(list, offset - start, 1301 to, copy)) 1302 goto fault; 1303 if ((len -= copy) == 0) 1304 return 0; 1305 offset += copy; 1306 to += copy; 1307 } 1308 start = end; 1309 } 1310 } 1311 if (!len) 1312 return 0; 1313 1314 fault: 1315 return -EFAULT; 1316 } 1317 1318 /* 1319 * Callback from splice_to_pipe(), if we need to release some pages 1320 * at the end of the spd in case we error'ed out in filling the pipe. 1321 */ 1322 static void sock_spd_release(struct splice_pipe_desc *spd, unsigned int i) 1323 { 1324 struct sk_buff *skb = (struct sk_buff *) spd->partial[i].private; 1325 1326 kfree_skb(skb); 1327 } 1328 1329 /* 1330 * Fill page/offset/length into spd, if it can hold more pages. 1331 */ 1332 static inline int spd_fill_page(struct splice_pipe_desc *spd, struct page *page, 1333 unsigned int len, unsigned int offset, 1334 struct sk_buff *skb) 1335 { 1336 if (unlikely(spd->nr_pages == PIPE_BUFFERS)) 1337 return 1; 1338 1339 spd->pages[spd->nr_pages] = page; 1340 spd->partial[spd->nr_pages].len = len; 1341 spd->partial[spd->nr_pages].offset = offset; 1342 spd->partial[spd->nr_pages].private = (unsigned long) skb_get(skb); 1343 spd->nr_pages++; 1344 return 0; 1345 } 1346 1347 static inline void __segment_seek(struct page **page, unsigned int *poff, 1348 unsigned int *plen, unsigned int off) 1349 { 1350 *poff += off; 1351 *page += *poff / PAGE_SIZE; 1352 *poff = *poff % PAGE_SIZE; 1353 *plen -= off; 1354 } 1355 1356 static inline int __splice_segment(struct page *page, unsigned int poff, 1357 unsigned int plen, unsigned int *off, 1358 unsigned int *len, struct sk_buff *skb, 1359 struct splice_pipe_desc *spd) 1360 { 1361 if (!*len) 1362 return 1; 1363 1364 /* skip this segment if already processed */ 1365 if (*off >= plen) { 1366 *off -= plen; 1367 return 0; 1368 } 1369 1370 /* ignore any bits we already processed */ 1371 if (*off) { 1372 __segment_seek(&page, &poff, &plen, *off); 1373 *off = 0; 1374 } 1375 1376 do { 1377 unsigned int flen = min(*len, plen); 1378 1379 /* the linear region may spread across several pages */ 1380 flen = min_t(unsigned int, flen, PAGE_SIZE - poff); 1381 1382 if (spd_fill_page(spd, page, flen, poff, skb)) 1383 return 1; 1384 1385 __segment_seek(&page, &poff, &plen, flen); 1386 *len -= flen; 1387 1388 } while (*len && plen); 1389 1390 return 0; 1391 } 1392 1393 /* 1394 * Map linear and fragment data from the skb to spd. It reports failure if the 1395 * pipe is full or if we already spliced the requested length. 1396 */ 1397 static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset, 1398 unsigned int *len, 1399 struct splice_pipe_desc *spd) 1400 { 1401 int seg; 1402 1403 /* 1404 * map the linear part 1405 */ 1406 if (__splice_segment(virt_to_page(skb->data), 1407 (unsigned long) skb->data & (PAGE_SIZE - 1), 1408 skb_headlen(skb), 1409 offset, len, skb, spd)) 1410 return 1; 1411 1412 /* 1413 * then map the fragments 1414 */ 1415 for (seg = 0; seg < skb_shinfo(skb)->nr_frags; seg++) { 1416 const skb_frag_t *f = &skb_shinfo(skb)->frags[seg]; 1417 1418 if (__splice_segment(f->page, f->page_offset, f->size, 1419 offset, len, skb, spd)) 1420 return 1; 1421 } 1422 1423 return 0; 1424 } 1425 1426 /* 1427 * Map data from the skb to a pipe. Should handle both the linear part, 1428 * the fragments, and the frag list. It does NOT handle frag lists within 1429 * the frag list, if such a thing exists. We'd probably need to recurse to 1430 * handle that cleanly. 1431 */ 1432 int skb_splice_bits(struct sk_buff *__skb, unsigned int offset, 1433 struct pipe_inode_info *pipe, unsigned int tlen, 1434 unsigned int flags) 1435 { 1436 struct partial_page partial[PIPE_BUFFERS]; 1437 struct page *pages[PIPE_BUFFERS]; 1438 struct splice_pipe_desc spd = { 1439 .pages = pages, 1440 .partial = partial, 1441 .flags = flags, 1442 .ops = &sock_pipe_buf_ops, 1443 .spd_release = sock_spd_release, 1444 }; 1445 struct sk_buff *skb; 1446 1447 /* 1448 * I'd love to avoid the clone here, but tcp_read_sock() 1449 * ignores reference counts and unconditonally kills the sk_buff 1450 * on return from the actor. 1451 */ 1452 skb = skb_clone(__skb, GFP_KERNEL); 1453 if (unlikely(!skb)) 1454 return -ENOMEM; 1455 1456 /* 1457 * __skb_splice_bits() only fails if the output has no room left, 1458 * so no point in going over the frag_list for the error case. 1459 */ 1460 if (__skb_splice_bits(skb, &offset, &tlen, &spd)) 1461 goto done; 1462 else if (!tlen) 1463 goto done; 1464 1465 /* 1466 * now see if we have a frag_list to map 1467 */ 1468 if (skb_shinfo(skb)->frag_list) { 1469 struct sk_buff *list = skb_shinfo(skb)->frag_list; 1470 1471 for (; list && tlen; list = list->next) { 1472 if (__skb_splice_bits(list, &offset, &tlen, &spd)) 1473 break; 1474 } 1475 } 1476 1477 done: 1478 /* 1479 * drop our reference to the clone, the pipe consumption will 1480 * drop the rest. 1481 */ 1482 kfree_skb(skb); 1483 1484 if (spd.nr_pages) { 1485 int ret; 1486 struct sock *sk = __skb->sk; 1487 1488 /* 1489 * Drop the socket lock, otherwise we have reverse 1490 * locking dependencies between sk_lock and i_mutex 1491 * here as compared to sendfile(). We enter here 1492 * with the socket lock held, and splice_to_pipe() will 1493 * grab the pipe inode lock. For sendfile() emulation, 1494 * we call into ->sendpage() with the i_mutex lock held 1495 * and networking will grab the socket lock. 1496 */ 1497 release_sock(sk); 1498 ret = splice_to_pipe(pipe, &spd); 1499 lock_sock(sk); 1500 return ret; 1501 } 1502 1503 return 0; 1504 } 1505 1506 /** 1507 * skb_store_bits - store bits from kernel buffer to skb 1508 * @skb: destination buffer 1509 * @offset: offset in destination 1510 * @from: source buffer 1511 * @len: number of bytes to copy 1512 * 1513 * Copy the specified number of bytes from the source buffer to the 1514 * destination skb. This function handles all the messy bits of 1515 * traversing fragment lists and such. 1516 */ 1517 1518 int skb_store_bits(struct sk_buff *skb, int offset, const void *from, int len) 1519 { 1520 int i, copy; 1521 int start = skb_headlen(skb); 1522 1523 if (offset > (int)skb->len - len) 1524 goto fault; 1525 1526 if ((copy = start - offset) > 0) { 1527 if (copy > len) 1528 copy = len; 1529 skb_copy_to_linear_data_offset(skb, offset, from, copy); 1530 if ((len -= copy) == 0) 1531 return 0; 1532 offset += copy; 1533 from += copy; 1534 } 1535 1536 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { 1537 skb_frag_t *frag = &skb_shinfo(skb)->frags[i]; 1538 int end; 1539 1540 WARN_ON(start > offset + len); 1541 1542 end = start + frag->size; 1543 if ((copy = end - offset) > 0) { 1544 u8 *vaddr; 1545 1546 if (copy > len) 1547 copy = len; 1548 1549 vaddr = kmap_skb_frag(frag); 1550 memcpy(vaddr + frag->page_offset + offset - start, 1551 from, copy); 1552 kunmap_skb_frag(vaddr); 1553 1554 if ((len -= copy) == 0) 1555 return 0; 1556 offset += copy; 1557 from += copy; 1558 } 1559 start = end; 1560 } 1561 1562 if (skb_shinfo(skb)->frag_list) { 1563 struct sk_buff *list = skb_shinfo(skb)->frag_list; 1564 1565 for (; list; list = list->next) { 1566 int end; 1567 1568 WARN_ON(start > offset + len); 1569 1570 end = start + list->len; 1571 if ((copy = end - offset) > 0) { 1572 if (copy > len) 1573 copy = len; 1574 if (skb_store_bits(list, offset - start, 1575 from, copy)) 1576 goto fault; 1577 if ((len -= copy) == 0) 1578 return 0; 1579 offset += copy; 1580 from += copy; 1581 } 1582 start = end; 1583 } 1584 } 1585 if (!len) 1586 return 0; 1587 1588 fault: 1589 return -EFAULT; 1590 } 1591 1592 EXPORT_SYMBOL(skb_store_bits); 1593 1594 /* Checksum skb data. */ 1595 1596 __wsum skb_checksum(const struct sk_buff *skb, int offset, 1597 int len, __wsum csum) 1598 { 1599 int start = skb_headlen(skb); 1600 int i, copy = start - offset; 1601 int pos = 0; 1602 1603 /* Checksum header. */ 1604 if (copy > 0) { 1605 if (copy > len) 1606 copy = len; 1607 csum = csum_partial(skb->data + offset, copy, csum); 1608 if ((len -= copy) == 0) 1609 return csum; 1610 offset += copy; 1611 pos = copy; 1612 } 1613 1614 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { 1615 int end; 1616 1617 WARN_ON(start > offset + len); 1618 1619 end = start + skb_shinfo(skb)->frags[i].size; 1620 if ((copy = end - offset) > 0) { 1621 __wsum csum2; 1622 u8 *vaddr; 1623 skb_frag_t *frag = &skb_shinfo(skb)->frags[i]; 1624 1625 if (copy > len) 1626 copy = len; 1627 vaddr = kmap_skb_frag(frag); 1628 csum2 = csum_partial(vaddr + frag->page_offset + 1629 offset - start, copy, 0); 1630 kunmap_skb_frag(vaddr); 1631 csum = csum_block_add(csum, csum2, pos); 1632 if (!(len -= copy)) 1633 return csum; 1634 offset += copy; 1635 pos += copy; 1636 } 1637 start = end; 1638 } 1639 1640 if (skb_shinfo(skb)->frag_list) { 1641 struct sk_buff *list = skb_shinfo(skb)->frag_list; 1642 1643 for (; list; list = list->next) { 1644 int end; 1645 1646 WARN_ON(start > offset + len); 1647 1648 end = start + list->len; 1649 if ((copy = end - offset) > 0) { 1650 __wsum csum2; 1651 if (copy > len) 1652 copy = len; 1653 csum2 = skb_checksum(list, offset - start, 1654 copy, 0); 1655 csum = csum_block_add(csum, csum2, pos); 1656 if ((len -= copy) == 0) 1657 return csum; 1658 offset += copy; 1659 pos += copy; 1660 } 1661 start = end; 1662 } 1663 } 1664 BUG_ON(len); 1665 1666 return csum; 1667 } 1668 1669 /* Both of above in one bottle. */ 1670 1671 __wsum skb_copy_and_csum_bits(const struct sk_buff *skb, int offset, 1672 u8 *to, int len, __wsum csum) 1673 { 1674 int start = skb_headlen(skb); 1675 int i, copy = start - offset; 1676 int pos = 0; 1677 1678 /* Copy header. */ 1679 if (copy > 0) { 1680 if (copy > len) 1681 copy = len; 1682 csum = csum_partial_copy_nocheck(skb->data + offset, to, 1683 copy, csum); 1684 if ((len -= copy) == 0) 1685 return csum; 1686 offset += copy; 1687 to += copy; 1688 pos = copy; 1689 } 1690 1691 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { 1692 int end; 1693 1694 WARN_ON(start > offset + len); 1695 1696 end = start + skb_shinfo(skb)->frags[i].size; 1697 if ((copy = end - offset) > 0) { 1698 __wsum csum2; 1699 u8 *vaddr; 1700 skb_frag_t *frag = &skb_shinfo(skb)->frags[i]; 1701 1702 if (copy > len) 1703 copy = len; 1704 vaddr = kmap_skb_frag(frag); 1705 csum2 = csum_partial_copy_nocheck(vaddr + 1706 frag->page_offset + 1707 offset - start, to, 1708 copy, 0); 1709 kunmap_skb_frag(vaddr); 1710 csum = csum_block_add(csum, csum2, pos); 1711 if (!(len -= copy)) 1712 return csum; 1713 offset += copy; 1714 to += copy; 1715 pos += copy; 1716 } 1717 start = end; 1718 } 1719 1720 if (skb_shinfo(skb)->frag_list) { 1721 struct sk_buff *list = skb_shinfo(skb)->frag_list; 1722 1723 for (; list; list = list->next) { 1724 __wsum csum2; 1725 int end; 1726 1727 WARN_ON(start > offset + len); 1728 1729 end = start + list->len; 1730 if ((copy = end - offset) > 0) { 1731 if (copy > len) 1732 copy = len; 1733 csum2 = skb_copy_and_csum_bits(list, 1734 offset - start, 1735 to, copy, 0); 1736 csum = csum_block_add(csum, csum2, pos); 1737 if ((len -= copy) == 0) 1738 return csum; 1739 offset += copy; 1740 to += copy; 1741 pos += copy; 1742 } 1743 start = end; 1744 } 1745 } 1746 BUG_ON(len); 1747 return csum; 1748 } 1749 1750 void skb_copy_and_csum_dev(const struct sk_buff *skb, u8 *to) 1751 { 1752 __wsum csum; 1753 long csstart; 1754 1755 if (skb->ip_summed == CHECKSUM_PARTIAL) 1756 csstart = skb->csum_start - skb_headroom(skb); 1757 else 1758 csstart = skb_headlen(skb); 1759 1760 BUG_ON(csstart > skb_headlen(skb)); 1761 1762 skb_copy_from_linear_data(skb, to, csstart); 1763 1764 csum = 0; 1765 if (csstart != skb->len) 1766 csum = skb_copy_and_csum_bits(skb, csstart, to + csstart, 1767 skb->len - csstart, 0); 1768 1769 if (skb->ip_summed == CHECKSUM_PARTIAL) { 1770 long csstuff = csstart + skb->csum_offset; 1771 1772 *((__sum16 *)(to + csstuff)) = csum_fold(csum); 1773 } 1774 } 1775 1776 /** 1777 * skb_dequeue - remove from the head of the queue 1778 * @list: list to dequeue from 1779 * 1780 * Remove the head of the list. The list lock is taken so the function 1781 * may be used safely with other locking list functions. The head item is 1782 * returned or %NULL if the list is empty. 1783 */ 1784 1785 struct sk_buff *skb_dequeue(struct sk_buff_head *list) 1786 { 1787 unsigned long flags; 1788 struct sk_buff *result; 1789 1790 spin_lock_irqsave(&list->lock, flags); 1791 result = __skb_dequeue(list); 1792 spin_unlock_irqrestore(&list->lock, flags); 1793 return result; 1794 } 1795 1796 /** 1797 * skb_dequeue_tail - remove from the tail of the queue 1798 * @list: list to dequeue from 1799 * 1800 * Remove the tail of the list. The list lock is taken so the function 1801 * may be used safely with other locking list functions. The tail item is 1802 * returned or %NULL if the list is empty. 1803 */ 1804 struct sk_buff *skb_dequeue_tail(struct sk_buff_head *list) 1805 { 1806 unsigned long flags; 1807 struct sk_buff *result; 1808 1809 spin_lock_irqsave(&list->lock, flags); 1810 result = __skb_dequeue_tail(list); 1811 spin_unlock_irqrestore(&list->lock, flags); 1812 return result; 1813 } 1814 1815 /** 1816 * skb_queue_purge - empty a list 1817 * @list: list to empty 1818 * 1819 * Delete all buffers on an &sk_buff list. Each buffer is removed from 1820 * the list and one reference dropped. This function takes the list 1821 * lock and is atomic with respect to other list locking functions. 1822 */ 1823 void skb_queue_purge(struct sk_buff_head *list) 1824 { 1825 struct sk_buff *skb; 1826 while ((skb = skb_dequeue(list)) != NULL) 1827 kfree_skb(skb); 1828 } 1829 1830 /** 1831 * skb_queue_head - queue a buffer at the list head 1832 * @list: list to use 1833 * @newsk: buffer to queue 1834 * 1835 * Queue a buffer at the start of the list. This function takes the 1836 * list lock and can be used safely with other locking &sk_buff functions 1837 * safely. 1838 * 1839 * A buffer cannot be placed on two lists at the same time. 1840 */ 1841 void skb_queue_head(struct sk_buff_head *list, struct sk_buff *newsk) 1842 { 1843 unsigned long flags; 1844 1845 spin_lock_irqsave(&list->lock, flags); 1846 __skb_queue_head(list, newsk); 1847 spin_unlock_irqrestore(&list->lock, flags); 1848 } 1849 1850 /** 1851 * skb_queue_tail - queue a buffer at the list tail 1852 * @list: list to use 1853 * @newsk: buffer to queue 1854 * 1855 * Queue a buffer at the tail of the list. This function takes the 1856 * list lock and can be used safely with other locking &sk_buff functions 1857 * safely. 1858 * 1859 * A buffer cannot be placed on two lists at the same time. 1860 */ 1861 void skb_queue_tail(struct sk_buff_head *list, struct sk_buff *newsk) 1862 { 1863 unsigned long flags; 1864 1865 spin_lock_irqsave(&list->lock, flags); 1866 __skb_queue_tail(list, newsk); 1867 spin_unlock_irqrestore(&list->lock, flags); 1868 } 1869 1870 /** 1871 * skb_unlink - remove a buffer from a list 1872 * @skb: buffer to remove 1873 * @list: list to use 1874 * 1875 * Remove a packet from a list. The list locks are taken and this 1876 * function is atomic with respect to other list locked calls 1877 * 1878 * You must know what list the SKB is on. 1879 */ 1880 void skb_unlink(struct sk_buff *skb, struct sk_buff_head *list) 1881 { 1882 unsigned long flags; 1883 1884 spin_lock_irqsave(&list->lock, flags); 1885 __skb_unlink(skb, list); 1886 spin_unlock_irqrestore(&list->lock, flags); 1887 } 1888 1889 /** 1890 * skb_append - append a buffer 1891 * @old: buffer to insert after 1892 * @newsk: buffer to insert 1893 * @list: list to use 1894 * 1895 * Place a packet after a given packet in a list. The list locks are taken 1896 * and this function is atomic with respect to other list locked calls. 1897 * A buffer cannot be placed on two lists at the same time. 1898 */ 1899 void skb_append(struct sk_buff *old, struct sk_buff *newsk, struct sk_buff_head *list) 1900 { 1901 unsigned long flags; 1902 1903 spin_lock_irqsave(&list->lock, flags); 1904 __skb_queue_after(list, old, newsk); 1905 spin_unlock_irqrestore(&list->lock, flags); 1906 } 1907 1908 1909 /** 1910 * skb_insert - insert a buffer 1911 * @old: buffer to insert before 1912 * @newsk: buffer to insert 1913 * @list: list to use 1914 * 1915 * Place a packet before a given packet in a list. The list locks are 1916 * taken and this function is atomic with respect to other list locked 1917 * calls. 1918 * 1919 * A buffer cannot be placed on two lists at the same time. 1920 */ 1921 void skb_insert(struct sk_buff *old, struct sk_buff *newsk, struct sk_buff_head *list) 1922 { 1923 unsigned long flags; 1924 1925 spin_lock_irqsave(&list->lock, flags); 1926 __skb_insert(newsk, old->prev, old, list); 1927 spin_unlock_irqrestore(&list->lock, flags); 1928 } 1929 1930 static inline void skb_split_inside_header(struct sk_buff *skb, 1931 struct sk_buff* skb1, 1932 const u32 len, const int pos) 1933 { 1934 int i; 1935 1936 skb_copy_from_linear_data_offset(skb, len, skb_put(skb1, pos - len), 1937 pos - len); 1938 /* And move data appendix as is. */ 1939 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) 1940 skb_shinfo(skb1)->frags[i] = skb_shinfo(skb)->frags[i]; 1941 1942 skb_shinfo(skb1)->nr_frags = skb_shinfo(skb)->nr_frags; 1943 skb_shinfo(skb)->nr_frags = 0; 1944 skb1->data_len = skb->data_len; 1945 skb1->len += skb1->data_len; 1946 skb->data_len = 0; 1947 skb->len = len; 1948 skb_set_tail_pointer(skb, len); 1949 } 1950 1951 static inline void skb_split_no_header(struct sk_buff *skb, 1952 struct sk_buff* skb1, 1953 const u32 len, int pos) 1954 { 1955 int i, k = 0; 1956 const int nfrags = skb_shinfo(skb)->nr_frags; 1957 1958 skb_shinfo(skb)->nr_frags = 0; 1959 skb1->len = skb1->data_len = skb->len - len; 1960 skb->len = len; 1961 skb->data_len = len - pos; 1962 1963 for (i = 0; i < nfrags; i++) { 1964 int size = skb_shinfo(skb)->frags[i].size; 1965 1966 if (pos + size > len) { 1967 skb_shinfo(skb1)->frags[k] = skb_shinfo(skb)->frags[i]; 1968 1969 if (pos < len) { 1970 /* Split frag. 1971 * We have two variants in this case: 1972 * 1. Move all the frag to the second 1973 * part, if it is possible. F.e. 1974 * this approach is mandatory for TUX, 1975 * where splitting is expensive. 1976 * 2. Split is accurately. We make this. 1977 */ 1978 get_page(skb_shinfo(skb)->frags[i].page); 1979 skb_shinfo(skb1)->frags[0].page_offset += len - pos; 1980 skb_shinfo(skb1)->frags[0].size -= len - pos; 1981 skb_shinfo(skb)->frags[i].size = len - pos; 1982 skb_shinfo(skb)->nr_frags++; 1983 } 1984 k++; 1985 } else 1986 skb_shinfo(skb)->nr_frags++; 1987 pos += size; 1988 } 1989 skb_shinfo(skb1)->nr_frags = k; 1990 } 1991 1992 /** 1993 * skb_split - Split fragmented skb to two parts at length len. 1994 * @skb: the buffer to split 1995 * @skb1: the buffer to receive the second part 1996 * @len: new length for skb 1997 */ 1998 void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len) 1999 { 2000 int pos = skb_headlen(skb); 2001 2002 if (len < pos) /* Split line is inside header. */ 2003 skb_split_inside_header(skb, skb1, len, pos); 2004 else /* Second chunk has no header, nothing to copy. */ 2005 skb_split_no_header(skb, skb1, len, pos); 2006 } 2007 2008 /** 2009 * skb_prepare_seq_read - Prepare a sequential read of skb data 2010 * @skb: the buffer to read 2011 * @from: lower offset of data to be read 2012 * @to: upper offset of data to be read 2013 * @st: state variable 2014 * 2015 * Initializes the specified state variable. Must be called before 2016 * invoking skb_seq_read() for the first time. 2017 */ 2018 void skb_prepare_seq_read(struct sk_buff *skb, unsigned int from, 2019 unsigned int to, struct skb_seq_state *st) 2020 { 2021 st->lower_offset = from; 2022 st->upper_offset = to; 2023 st->root_skb = st->cur_skb = skb; 2024 st->frag_idx = st->stepped_offset = 0; 2025 st->frag_data = NULL; 2026 } 2027 2028 /** 2029 * skb_seq_read - Sequentially read skb data 2030 * @consumed: number of bytes consumed by the caller so far 2031 * @data: destination pointer for data to be returned 2032 * @st: state variable 2033 * 2034 * Reads a block of skb data at &consumed relative to the 2035 * lower offset specified to skb_prepare_seq_read(). Assigns 2036 * the head of the data block to &data and returns the length 2037 * of the block or 0 if the end of the skb data or the upper 2038 * offset has been reached. 2039 * 2040 * The caller is not required to consume all of the data 2041 * returned, i.e. &consumed is typically set to the number 2042 * of bytes already consumed and the next call to 2043 * skb_seq_read() will return the remaining part of the block. 2044 * 2045 * Note 1: The size of each block of data returned can be arbitary, 2046 * this limitation is the cost for zerocopy seqeuental 2047 * reads of potentially non linear data. 2048 * 2049 * Note 2: Fragment lists within fragments are not implemented 2050 * at the moment, state->root_skb could be replaced with 2051 * a stack for this purpose. 2052 */ 2053 unsigned int skb_seq_read(unsigned int consumed, const u8 **data, 2054 struct skb_seq_state *st) 2055 { 2056 unsigned int block_limit, abs_offset = consumed + st->lower_offset; 2057 skb_frag_t *frag; 2058 2059 if (unlikely(abs_offset >= st->upper_offset)) 2060 return 0; 2061 2062 next_skb: 2063 block_limit = skb_headlen(st->cur_skb); 2064 2065 if (abs_offset < block_limit) { 2066 *data = st->cur_skb->data + abs_offset; 2067 return block_limit - abs_offset; 2068 } 2069 2070 if (st->frag_idx == 0 && !st->frag_data) 2071 st->stepped_offset += skb_headlen(st->cur_skb); 2072 2073 while (st->frag_idx < skb_shinfo(st->cur_skb)->nr_frags) { 2074 frag = &skb_shinfo(st->cur_skb)->frags[st->frag_idx]; 2075 block_limit = frag->size + st->stepped_offset; 2076 2077 if (abs_offset < block_limit) { 2078 if (!st->frag_data) 2079 st->frag_data = kmap_skb_frag(frag); 2080 2081 *data = (u8 *) st->frag_data + frag->page_offset + 2082 (abs_offset - st->stepped_offset); 2083 2084 return block_limit - abs_offset; 2085 } 2086 2087 if (st->frag_data) { 2088 kunmap_skb_frag(st->frag_data); 2089 st->frag_data = NULL; 2090 } 2091 2092 st->frag_idx++; 2093 st->stepped_offset += frag->size; 2094 } 2095 2096 if (st->frag_data) { 2097 kunmap_skb_frag(st->frag_data); 2098 st->frag_data = NULL; 2099 } 2100 2101 if (st->cur_skb->next) { 2102 st->cur_skb = st->cur_skb->next; 2103 st->frag_idx = 0; 2104 goto next_skb; 2105 } else if (st->root_skb == st->cur_skb && 2106 skb_shinfo(st->root_skb)->frag_list) { 2107 st->cur_skb = skb_shinfo(st->root_skb)->frag_list; 2108 goto next_skb; 2109 } 2110 2111 return 0; 2112 } 2113 2114 /** 2115 * skb_abort_seq_read - Abort a sequential read of skb data 2116 * @st: state variable 2117 * 2118 * Must be called if skb_seq_read() was not called until it 2119 * returned 0. 2120 */ 2121 void skb_abort_seq_read(struct skb_seq_state *st) 2122 { 2123 if (st->frag_data) 2124 kunmap_skb_frag(st->frag_data); 2125 } 2126 2127 #define TS_SKB_CB(state) ((struct skb_seq_state *) &((state)->cb)) 2128 2129 static unsigned int skb_ts_get_next_block(unsigned int offset, const u8 **text, 2130 struct ts_config *conf, 2131 struct ts_state *state) 2132 { 2133 return skb_seq_read(offset, text, TS_SKB_CB(state)); 2134 } 2135 2136 static void skb_ts_finish(struct ts_config *conf, struct ts_state *state) 2137 { 2138 skb_abort_seq_read(TS_SKB_CB(state)); 2139 } 2140 2141 /** 2142 * skb_find_text - Find a text pattern in skb data 2143 * @skb: the buffer to look in 2144 * @from: search offset 2145 * @to: search limit 2146 * @config: textsearch configuration 2147 * @state: uninitialized textsearch state variable 2148 * 2149 * Finds a pattern in the skb data according to the specified 2150 * textsearch configuration. Use textsearch_next() to retrieve 2151 * subsequent occurrences of the pattern. Returns the offset 2152 * to the first occurrence or UINT_MAX if no match was found. 2153 */ 2154 unsigned int skb_find_text(struct sk_buff *skb, unsigned int from, 2155 unsigned int to, struct ts_config *config, 2156 struct ts_state *state) 2157 { 2158 unsigned int ret; 2159 2160 config->get_next_block = skb_ts_get_next_block; 2161 config->finish = skb_ts_finish; 2162 2163 skb_prepare_seq_read(skb, from, to, TS_SKB_CB(state)); 2164 2165 ret = textsearch_find(config, state); 2166 return (ret <= to - from ? ret : UINT_MAX); 2167 } 2168 2169 /** 2170 * skb_append_datato_frags: - append the user data to a skb 2171 * @sk: sock structure 2172 * @skb: skb structure to be appened with user data. 2173 * @getfrag: call back function to be used for getting the user data 2174 * @from: pointer to user message iov 2175 * @length: length of the iov message 2176 * 2177 * Description: This procedure append the user data in the fragment part 2178 * of the skb if any page alloc fails user this procedure returns -ENOMEM 2179 */ 2180 int skb_append_datato_frags(struct sock *sk, struct sk_buff *skb, 2181 int (*getfrag)(void *from, char *to, int offset, 2182 int len, int odd, struct sk_buff *skb), 2183 void *from, int length) 2184 { 2185 int frg_cnt = 0; 2186 skb_frag_t *frag = NULL; 2187 struct page *page = NULL; 2188 int copy, left; 2189 int offset = 0; 2190 int ret; 2191 2192 do { 2193 /* Return error if we don't have space for new frag */ 2194 frg_cnt = skb_shinfo(skb)->nr_frags; 2195 if (frg_cnt >= MAX_SKB_FRAGS) 2196 return -EFAULT; 2197 2198 /* allocate a new page for next frag */ 2199 page = alloc_pages(sk->sk_allocation, 0); 2200 2201 /* If alloc_page fails just return failure and caller will 2202 * free previous allocated pages by doing kfree_skb() 2203 */ 2204 if (page == NULL) 2205 return -ENOMEM; 2206 2207 /* initialize the next frag */ 2208 sk->sk_sndmsg_page = page; 2209 sk->sk_sndmsg_off = 0; 2210 skb_fill_page_desc(skb, frg_cnt, page, 0, 0); 2211 skb->truesize += PAGE_SIZE; 2212 atomic_add(PAGE_SIZE, &sk->sk_wmem_alloc); 2213 2214 /* get the new initialized frag */ 2215 frg_cnt = skb_shinfo(skb)->nr_frags; 2216 frag = &skb_shinfo(skb)->frags[frg_cnt - 1]; 2217 2218 /* copy the user data to page */ 2219 left = PAGE_SIZE - frag->page_offset; 2220 copy = (length > left)? left : length; 2221 2222 ret = getfrag(from, (page_address(frag->page) + 2223 frag->page_offset + frag->size), 2224 offset, copy, 0, skb); 2225 if (ret < 0) 2226 return -EFAULT; 2227 2228 /* copy was successful so update the size parameters */ 2229 sk->sk_sndmsg_off += copy; 2230 frag->size += copy; 2231 skb->len += copy; 2232 skb->data_len += copy; 2233 offset += copy; 2234 length -= copy; 2235 2236 } while (length > 0); 2237 2238 return 0; 2239 } 2240 2241 /** 2242 * skb_pull_rcsum - pull skb and update receive checksum 2243 * @skb: buffer to update 2244 * @len: length of data pulled 2245 * 2246 * This function performs an skb_pull on the packet and updates 2247 * the CHECKSUM_COMPLETE checksum. It should be used on 2248 * receive path processing instead of skb_pull unless you know 2249 * that the checksum difference is zero (e.g., a valid IP header) 2250 * or you are setting ip_summed to CHECKSUM_NONE. 2251 */ 2252 unsigned char *skb_pull_rcsum(struct sk_buff *skb, unsigned int len) 2253 { 2254 BUG_ON(len > skb->len); 2255 skb->len -= len; 2256 BUG_ON(skb->len < skb->data_len); 2257 skb_postpull_rcsum(skb, skb->data, len); 2258 return skb->data += len; 2259 } 2260 2261 EXPORT_SYMBOL_GPL(skb_pull_rcsum); 2262 2263 /** 2264 * skb_segment - Perform protocol segmentation on skb. 2265 * @skb: buffer to segment 2266 * @features: features for the output path (see dev->features) 2267 * 2268 * This function performs segmentation on the given skb. It returns 2269 * a pointer to the first in a list of new skbs for the segments. 2270 * In case of error it returns ERR_PTR(err). 2271 */ 2272 struct sk_buff *skb_segment(struct sk_buff *skb, int features) 2273 { 2274 struct sk_buff *segs = NULL; 2275 struct sk_buff *tail = NULL; 2276 unsigned int mss = skb_shinfo(skb)->gso_size; 2277 unsigned int doffset = skb->data - skb_mac_header(skb); 2278 unsigned int offset = doffset; 2279 unsigned int headroom; 2280 unsigned int len; 2281 int sg = features & NETIF_F_SG; 2282 int nfrags = skb_shinfo(skb)->nr_frags; 2283 int err = -ENOMEM; 2284 int i = 0; 2285 int pos; 2286 2287 __skb_push(skb, doffset); 2288 headroom = skb_headroom(skb); 2289 pos = skb_headlen(skb); 2290 2291 do { 2292 struct sk_buff *nskb; 2293 skb_frag_t *frag; 2294 int hsize; 2295 int k; 2296 int size; 2297 2298 len = skb->len - offset; 2299 if (len > mss) 2300 len = mss; 2301 2302 hsize = skb_headlen(skb) - offset; 2303 if (hsize < 0) 2304 hsize = 0; 2305 if (hsize > len || !sg) 2306 hsize = len; 2307 2308 nskb = alloc_skb(hsize + doffset + headroom, GFP_ATOMIC); 2309 if (unlikely(!nskb)) 2310 goto err; 2311 2312 if (segs) 2313 tail->next = nskb; 2314 else 2315 segs = nskb; 2316 tail = nskb; 2317 2318 __copy_skb_header(nskb, skb); 2319 nskb->mac_len = skb->mac_len; 2320 2321 skb_reserve(nskb, headroom); 2322 skb_reset_mac_header(nskb); 2323 skb_set_network_header(nskb, skb->mac_len); 2324 nskb->transport_header = (nskb->network_header + 2325 skb_network_header_len(skb)); 2326 skb_copy_from_linear_data(skb, skb_put(nskb, doffset), 2327 doffset); 2328 if (!sg) { 2329 nskb->ip_summed = CHECKSUM_NONE; 2330 nskb->csum = skb_copy_and_csum_bits(skb, offset, 2331 skb_put(nskb, len), 2332 len, 0); 2333 continue; 2334 } 2335 2336 frag = skb_shinfo(nskb)->frags; 2337 k = 0; 2338 2339 skb_copy_from_linear_data_offset(skb, offset, 2340 skb_put(nskb, hsize), hsize); 2341 2342 while (pos < offset + len) { 2343 BUG_ON(i >= nfrags); 2344 2345 *frag = skb_shinfo(skb)->frags[i]; 2346 get_page(frag->page); 2347 size = frag->size; 2348 2349 if (pos < offset) { 2350 frag->page_offset += offset - pos; 2351 frag->size -= offset - pos; 2352 } 2353 2354 k++; 2355 2356 if (pos + size <= offset + len) { 2357 i++; 2358 pos += size; 2359 } else { 2360 frag->size -= pos + size - (offset + len); 2361 break; 2362 } 2363 2364 frag++; 2365 } 2366 2367 skb_shinfo(nskb)->nr_frags = k; 2368 nskb->data_len = len - hsize; 2369 nskb->len += nskb->data_len; 2370 nskb->truesize += nskb->data_len; 2371 } while ((offset += len) < skb->len); 2372 2373 return segs; 2374 2375 err: 2376 while ((skb = segs)) { 2377 segs = skb->next; 2378 kfree_skb(skb); 2379 } 2380 return ERR_PTR(err); 2381 } 2382 2383 EXPORT_SYMBOL_GPL(skb_segment); 2384 2385 void __init skb_init(void) 2386 { 2387 skbuff_head_cache = kmem_cache_create("skbuff_head_cache", 2388 sizeof(struct sk_buff), 2389 0, 2390 SLAB_HWCACHE_ALIGN|SLAB_PANIC, 2391 NULL); 2392 skbuff_fclone_cache = kmem_cache_create("skbuff_fclone_cache", 2393 (2*sizeof(struct sk_buff)) + 2394 sizeof(atomic_t), 2395 0, 2396 SLAB_HWCACHE_ALIGN|SLAB_PANIC, 2397 NULL); 2398 } 2399 2400 /** 2401 * skb_to_sgvec - Fill a scatter-gather list from a socket buffer 2402 * @skb: Socket buffer containing the buffers to be mapped 2403 * @sg: The scatter-gather list to map into 2404 * @offset: The offset into the buffer's contents to start mapping 2405 * @len: Length of buffer space to be mapped 2406 * 2407 * Fill the specified scatter-gather list with mappings/pointers into a 2408 * region of the buffer space attached to a socket buffer. 2409 */ 2410 static int 2411 __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) 2412 { 2413 int start = skb_headlen(skb); 2414 int i, copy = start - offset; 2415 int elt = 0; 2416 2417 if (copy > 0) { 2418 if (copy > len) 2419 copy = len; 2420 sg_set_buf(sg, skb->data + offset, copy); 2421 elt++; 2422 if ((len -= copy) == 0) 2423 return elt; 2424 offset += copy; 2425 } 2426 2427 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { 2428 int end; 2429 2430 WARN_ON(start > offset + len); 2431 2432 end = start + skb_shinfo(skb)->frags[i].size; 2433 if ((copy = end - offset) > 0) { 2434 skb_frag_t *frag = &skb_shinfo(skb)->frags[i]; 2435 2436 if (copy > len) 2437 copy = len; 2438 sg_set_page(&sg[elt], frag->page, copy, 2439 frag->page_offset+offset-start); 2440 elt++; 2441 if (!(len -= copy)) 2442 return elt; 2443 offset += copy; 2444 } 2445 start = end; 2446 } 2447 2448 if (skb_shinfo(skb)->frag_list) { 2449 struct sk_buff *list = skb_shinfo(skb)->frag_list; 2450 2451 for (; list; list = list->next) { 2452 int end; 2453 2454 WARN_ON(start > offset + len); 2455 2456 end = start + list->len; 2457 if ((copy = end - offset) > 0) { 2458 if (copy > len) 2459 copy = len; 2460 elt += __skb_to_sgvec(list, sg+elt, offset - start, 2461 copy); 2462 if ((len -= copy) == 0) 2463 return elt; 2464 offset += copy; 2465 } 2466 start = end; 2467 } 2468 } 2469 BUG_ON(len); 2470 return elt; 2471 } 2472 2473 int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) 2474 { 2475 int nsg = __skb_to_sgvec(skb, sg, offset, len); 2476 2477 sg_mark_end(&sg[nsg - 1]); 2478 2479 return nsg; 2480 } 2481 2482 /** 2483 * skb_cow_data - Check that a socket buffer's data buffers are writable 2484 * @skb: The socket buffer to check. 2485 * @tailbits: Amount of trailing space to be added 2486 * @trailer: Returned pointer to the skb where the @tailbits space begins 2487 * 2488 * Make sure that the data buffers attached to a socket buffer are 2489 * writable. If they are not, private copies are made of the data buffers 2490 * and the socket buffer is set to use these instead. 2491 * 2492 * If @tailbits is given, make sure that there is space to write @tailbits 2493 * bytes of data beyond current end of socket buffer. @trailer will be 2494 * set to point to the skb in which this space begins. 2495 * 2496 * The number of scatterlist elements required to completely map the 2497 * COW'd and extended socket buffer will be returned. 2498 */ 2499 int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer) 2500 { 2501 int copyflag; 2502 int elt; 2503 struct sk_buff *skb1, **skb_p; 2504 2505 /* If skb is cloned or its head is paged, reallocate 2506 * head pulling out all the pages (pages are considered not writable 2507 * at the moment even if they are anonymous). 2508 */ 2509 if ((skb_cloned(skb) || skb_shinfo(skb)->nr_frags) && 2510 __pskb_pull_tail(skb, skb_pagelen(skb)-skb_headlen(skb)) == NULL) 2511 return -ENOMEM; 2512 2513 /* Easy case. Most of packets will go this way. */ 2514 if (!skb_shinfo(skb)->frag_list) { 2515 /* A little of trouble, not enough of space for trailer. 2516 * This should not happen, when stack is tuned to generate 2517 * good frames. OK, on miss we reallocate and reserve even more 2518 * space, 128 bytes is fair. */ 2519 2520 if (skb_tailroom(skb) < tailbits && 2521 pskb_expand_head(skb, 0, tailbits-skb_tailroom(skb)+128, GFP_ATOMIC)) 2522 return -ENOMEM; 2523 2524 /* Voila! */ 2525 *trailer = skb; 2526 return 1; 2527 } 2528 2529 /* Misery. We are in troubles, going to mincer fragments... */ 2530 2531 elt = 1; 2532 skb_p = &skb_shinfo(skb)->frag_list; 2533 copyflag = 0; 2534 2535 while ((skb1 = *skb_p) != NULL) { 2536 int ntail = 0; 2537 2538 /* The fragment is partially pulled by someone, 2539 * this can happen on input. Copy it and everything 2540 * after it. */ 2541 2542 if (skb_shared(skb1)) 2543 copyflag = 1; 2544 2545 /* If the skb is the last, worry about trailer. */ 2546 2547 if (skb1->next == NULL && tailbits) { 2548 if (skb_shinfo(skb1)->nr_frags || 2549 skb_shinfo(skb1)->frag_list || 2550 skb_tailroom(skb1) < tailbits) 2551 ntail = tailbits + 128; 2552 } 2553 2554 if (copyflag || 2555 skb_cloned(skb1) || 2556 ntail || 2557 skb_shinfo(skb1)->nr_frags || 2558 skb_shinfo(skb1)->frag_list) { 2559 struct sk_buff *skb2; 2560 2561 /* Fuck, we are miserable poor guys... */ 2562 if (ntail == 0) 2563 skb2 = skb_copy(skb1, GFP_ATOMIC); 2564 else 2565 skb2 = skb_copy_expand(skb1, 2566 skb_headroom(skb1), 2567 ntail, 2568 GFP_ATOMIC); 2569 if (unlikely(skb2 == NULL)) 2570 return -ENOMEM; 2571 2572 if (skb1->sk) 2573 skb_set_owner_w(skb2, skb1->sk); 2574 2575 /* Looking around. Are we still alive? 2576 * OK, link new skb, drop old one */ 2577 2578 skb2->next = skb1->next; 2579 *skb_p = skb2; 2580 kfree_skb(skb1); 2581 skb1 = skb2; 2582 } 2583 elt++; 2584 *trailer = skb1; 2585 skb_p = &skb1->next; 2586 } 2587 2588 return elt; 2589 } 2590 2591 /** 2592 * skb_partial_csum_set - set up and verify partial csum values for packet 2593 * @skb: the skb to set 2594 * @start: the number of bytes after skb->data to start checksumming. 2595 * @off: the offset from start to place the checksum. 2596 * 2597 * For untrusted partially-checksummed packets, we need to make sure the values 2598 * for skb->csum_start and skb->csum_offset are valid so we don't oops. 2599 * 2600 * This function checks and sets those values and skb->ip_summed: if this 2601 * returns false you should drop the packet. 2602 */ 2603 bool skb_partial_csum_set(struct sk_buff *skb, u16 start, u16 off) 2604 { 2605 if (unlikely(start > skb->len - 2) || 2606 unlikely((int)start + off > skb->len - 2)) { 2607 if (net_ratelimit()) 2608 printk(KERN_WARNING 2609 "bad partial csum: csum=%u/%u len=%u\n", 2610 start, off, skb->len); 2611 return false; 2612 } 2613 skb->ip_summed = CHECKSUM_PARTIAL; 2614 skb->csum_start = skb_headroom(skb) + start; 2615 skb->csum_offset = off; 2616 return true; 2617 } 2618 2619 void __skb_warn_lro_forwarding(const struct sk_buff *skb) 2620 { 2621 if (net_ratelimit()) 2622 pr_warning("%s: received packets cannot be forwarded" 2623 " while LRO is enabled\n", skb->dev->name); 2624 } 2625 2626 EXPORT_SYMBOL(___pskb_trim); 2627 EXPORT_SYMBOL(__kfree_skb); 2628 EXPORT_SYMBOL(kfree_skb); 2629 EXPORT_SYMBOL(__pskb_pull_tail); 2630 EXPORT_SYMBOL(__alloc_skb); 2631 EXPORT_SYMBOL(__netdev_alloc_skb); 2632 EXPORT_SYMBOL(pskb_copy); 2633 EXPORT_SYMBOL(pskb_expand_head); 2634 EXPORT_SYMBOL(skb_checksum); 2635 EXPORT_SYMBOL(skb_clone); 2636 EXPORT_SYMBOL(skb_copy); 2637 EXPORT_SYMBOL(skb_copy_and_csum_bits); 2638 EXPORT_SYMBOL(skb_copy_and_csum_dev); 2639 EXPORT_SYMBOL(skb_copy_bits); 2640 EXPORT_SYMBOL(skb_copy_expand); 2641 EXPORT_SYMBOL(skb_over_panic); 2642 EXPORT_SYMBOL(skb_pad); 2643 EXPORT_SYMBOL(skb_realloc_headroom); 2644 EXPORT_SYMBOL(skb_under_panic); 2645 EXPORT_SYMBOL(skb_dequeue); 2646 EXPORT_SYMBOL(skb_dequeue_tail); 2647 EXPORT_SYMBOL(skb_insert); 2648 EXPORT_SYMBOL(skb_queue_purge); 2649 EXPORT_SYMBOL(skb_queue_head); 2650 EXPORT_SYMBOL(skb_queue_tail); 2651 EXPORT_SYMBOL(skb_unlink); 2652 EXPORT_SYMBOL(skb_append); 2653 EXPORT_SYMBOL(skb_split); 2654 EXPORT_SYMBOL(skb_prepare_seq_read); 2655 EXPORT_SYMBOL(skb_seq_read); 2656 EXPORT_SYMBOL(skb_abort_seq_read); 2657 EXPORT_SYMBOL(skb_find_text); 2658 EXPORT_SYMBOL(skb_append_datato_frags); 2659 EXPORT_SYMBOL(__skb_warn_lro_forwarding); 2660 2661 EXPORT_SYMBOL_GPL(skb_to_sgvec); 2662 EXPORT_SYMBOL_GPL(skb_cow_data); 2663 EXPORT_SYMBOL_GPL(skb_partial_csum_set); 2664