xref: /openbmc/linux/net/core/skbuff.c (revision 60eb644b)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *	Routines having to do with the 'struct sk_buff' memory handlers.
4  *
5  *	Authors:	Alan Cox <alan@lxorguk.ukuu.org.uk>
6  *			Florian La Roche <rzsfl@rz.uni-sb.de>
7  *
8  *	Fixes:
9  *		Alan Cox	:	Fixed the worst of the load
10  *					balancer bugs.
11  *		Dave Platt	:	Interrupt stacking fix.
12  *	Richard Kooijman	:	Timestamp fixes.
13  *		Alan Cox	:	Changed buffer format.
14  *		Alan Cox	:	destructor hook for AF_UNIX etc.
15  *		Linus Torvalds	:	Better skb_clone.
16  *		Alan Cox	:	Added skb_copy.
17  *		Alan Cox	:	Added all the changed routines Linus
18  *					only put in the headers
19  *		Ray VanTassle	:	Fixed --skb->lock in free
20  *		Alan Cox	:	skb_copy copy arp field
21  *		Andi Kleen	:	slabified it.
22  *		Robert Olsson	:	Removed skb_head_pool
23  *
24  *	NOTE:
25  *		The __skb_ routines should be called with interrupts
26  *	disabled, or you better be *real* sure that the operation is atomic
27  *	with respect to whatever list is being frobbed (e.g. via lock_sock()
28  *	or via disabling bottom half handlers, etc).
29  */
30 
31 /*
32  *	The functions in this file will not compile correctly with gcc 2.4.x
33  */
34 
35 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
36 
37 #include <linux/module.h>
38 #include <linux/types.h>
39 #include <linux/kernel.h>
40 #include <linux/mm.h>
41 #include <linux/interrupt.h>
42 #include <linux/in.h>
43 #include <linux/inet.h>
44 #include <linux/slab.h>
45 #include <linux/tcp.h>
46 #include <linux/udp.h>
47 #include <linux/sctp.h>
48 #include <linux/netdevice.h>
49 #ifdef CONFIG_NET_CLS_ACT
50 #include <net/pkt_sched.h>
51 #endif
52 #include <linux/string.h>
53 #include <linux/skbuff.h>
54 #include <linux/splice.h>
55 #include <linux/cache.h>
56 #include <linux/rtnetlink.h>
57 #include <linux/init.h>
58 #include <linux/scatterlist.h>
59 #include <linux/errqueue.h>
60 #include <linux/prefetch.h>
61 #include <linux/bitfield.h>
62 #include <linux/if_vlan.h>
63 #include <linux/mpls.h>
64 #include <linux/kcov.h>
65 
66 #include <net/protocol.h>
67 #include <net/dst.h>
68 #include <net/sock.h>
69 #include <net/checksum.h>
70 #include <net/ip6_checksum.h>
71 #include <net/xfrm.h>
72 #include <net/mpls.h>
73 #include <net/mptcp.h>
74 #include <net/mctp.h>
75 #include <net/page_pool.h>
76 #include <net/dropreason.h>
77 
78 #include <linux/uaccess.h>
79 #include <trace/events/skb.h>
80 #include <linux/highmem.h>
81 #include <linux/capability.h>
82 #include <linux/user_namespace.h>
83 #include <linux/indirect_call_wrapper.h>
84 #include <linux/textsearch.h>
85 
86 #include "dev.h"
87 #include "sock_destructor.h"
88 
89 struct kmem_cache *skbuff_cache __ro_after_init;
90 static struct kmem_cache *skbuff_fclone_cache __ro_after_init;
91 #ifdef CONFIG_SKB_EXTENSIONS
92 static struct kmem_cache *skbuff_ext_cache __ro_after_init;
93 #endif
94 
95 /* skb_small_head_cache and related code is only supported
96  * for CONFIG_SLAB and CONFIG_SLUB.
97  * As soon as SLOB is removed from the kernel, we can clean up this.
98  */
99 #if !defined(CONFIG_SLOB)
100 # define HAVE_SKB_SMALL_HEAD_CACHE 1
101 #endif
102 
103 #ifdef HAVE_SKB_SMALL_HEAD_CACHE
104 static struct kmem_cache *skb_small_head_cache __ro_after_init;
105 
106 #define SKB_SMALL_HEAD_SIZE SKB_HEAD_ALIGN(MAX_TCP_HEADER)
107 
108 /* We want SKB_SMALL_HEAD_CACHE_SIZE to not be a power of two.
109  * This should ensure that SKB_SMALL_HEAD_HEADROOM is a unique
110  * size, and we can differentiate heads from skb_small_head_cache
111  * vs system slabs by looking at their size (skb_end_offset()).
112  */
113 #define SKB_SMALL_HEAD_CACHE_SIZE					\
114 	(is_power_of_2(SKB_SMALL_HEAD_SIZE) ?			\
115 		(SKB_SMALL_HEAD_SIZE + L1_CACHE_BYTES) :	\
116 		SKB_SMALL_HEAD_SIZE)
117 
118 #define SKB_SMALL_HEAD_HEADROOM						\
119 	SKB_WITH_OVERHEAD(SKB_SMALL_HEAD_CACHE_SIZE)
120 #endif /* HAVE_SKB_SMALL_HEAD_CACHE */
121 
122 int sysctl_max_skb_frags __read_mostly = MAX_SKB_FRAGS;
123 EXPORT_SYMBOL(sysctl_max_skb_frags);
124 
125 #undef FN
126 #define FN(reason) [SKB_DROP_REASON_##reason] = #reason,
127 static const char * const drop_reasons[] = {
128 	[SKB_CONSUMED] = "CONSUMED",
129 	DEFINE_DROP_REASON(FN, FN)
130 };
131 
132 static const struct drop_reason_list drop_reasons_core = {
133 	.reasons = drop_reasons,
134 	.n_reasons = ARRAY_SIZE(drop_reasons),
135 };
136 
137 const struct drop_reason_list __rcu *
138 drop_reasons_by_subsys[SKB_DROP_REASON_SUBSYS_NUM] = {
139 	[SKB_DROP_REASON_SUBSYS_CORE] = RCU_INITIALIZER(&drop_reasons_core),
140 };
141 EXPORT_SYMBOL(drop_reasons_by_subsys);
142 
143 /**
144  * drop_reasons_register_subsys - register another drop reason subsystem
145  * @subsys: the subsystem to register, must not be the core
146  * @list: the list of drop reasons within the subsystem, must point to
147  *	a statically initialized list
148  */
149 void drop_reasons_register_subsys(enum skb_drop_reason_subsys subsys,
150 				  const struct drop_reason_list *list)
151 {
152 	if (WARN(subsys <= SKB_DROP_REASON_SUBSYS_CORE ||
153 		 subsys >= ARRAY_SIZE(drop_reasons_by_subsys),
154 		 "invalid subsystem %d\n", subsys))
155 		return;
156 
157 	/* must point to statically allocated memory, so INIT is OK */
158 	RCU_INIT_POINTER(drop_reasons_by_subsys[subsys], list);
159 }
160 EXPORT_SYMBOL_GPL(drop_reasons_register_subsys);
161 
162 /**
163  * drop_reasons_unregister_subsys - unregister a drop reason subsystem
164  * @subsys: the subsystem to remove, must not be the core
165  *
166  * Note: This will synchronize_rcu() to ensure no users when it returns.
167  */
168 void drop_reasons_unregister_subsys(enum skb_drop_reason_subsys subsys)
169 {
170 	if (WARN(subsys <= SKB_DROP_REASON_SUBSYS_CORE ||
171 		 subsys >= ARRAY_SIZE(drop_reasons_by_subsys),
172 		 "invalid subsystem %d\n", subsys))
173 		return;
174 
175 	RCU_INIT_POINTER(drop_reasons_by_subsys[subsys], NULL);
176 
177 	synchronize_rcu();
178 }
179 EXPORT_SYMBOL_GPL(drop_reasons_unregister_subsys);
180 
181 /**
182  *	skb_panic - private function for out-of-line support
183  *	@skb:	buffer
184  *	@sz:	size
185  *	@addr:	address
186  *	@msg:	skb_over_panic or skb_under_panic
187  *
188  *	Out-of-line support for skb_put() and skb_push().
189  *	Called via the wrapper skb_over_panic() or skb_under_panic().
190  *	Keep out of line to prevent kernel bloat.
191  *	__builtin_return_address is not used because it is not always reliable.
192  */
193 static void skb_panic(struct sk_buff *skb, unsigned int sz, void *addr,
194 		      const char msg[])
195 {
196 	pr_emerg("%s: text:%px len:%d put:%d head:%px data:%px tail:%#lx end:%#lx dev:%s\n",
197 		 msg, addr, skb->len, sz, skb->head, skb->data,
198 		 (unsigned long)skb->tail, (unsigned long)skb->end,
199 		 skb->dev ? skb->dev->name : "<NULL>");
200 	BUG();
201 }
202 
203 static void skb_over_panic(struct sk_buff *skb, unsigned int sz, void *addr)
204 {
205 	skb_panic(skb, sz, addr, __func__);
206 }
207 
208 static void skb_under_panic(struct sk_buff *skb, unsigned int sz, void *addr)
209 {
210 	skb_panic(skb, sz, addr, __func__);
211 }
212 
213 #define NAPI_SKB_CACHE_SIZE	64
214 #define NAPI_SKB_CACHE_BULK	16
215 #define NAPI_SKB_CACHE_HALF	(NAPI_SKB_CACHE_SIZE / 2)
216 
217 #if PAGE_SIZE == SZ_4K
218 
219 #define NAPI_HAS_SMALL_PAGE_FRAG	1
220 #define NAPI_SMALL_PAGE_PFMEMALLOC(nc)	((nc).pfmemalloc)
221 
222 /* specialized page frag allocator using a single order 0 page
223  * and slicing it into 1K sized fragment. Constrained to systems
224  * with a very limited amount of 1K fragments fitting a single
225  * page - to avoid excessive truesize underestimation
226  */
227 
228 struct page_frag_1k {
229 	void *va;
230 	u16 offset;
231 	bool pfmemalloc;
232 };
233 
234 static void *page_frag_alloc_1k(struct page_frag_1k *nc, gfp_t gfp)
235 {
236 	struct page *page;
237 	int offset;
238 
239 	offset = nc->offset - SZ_1K;
240 	if (likely(offset >= 0))
241 		goto use_frag;
242 
243 	page = alloc_pages_node(NUMA_NO_NODE, gfp, 0);
244 	if (!page)
245 		return NULL;
246 
247 	nc->va = page_address(page);
248 	nc->pfmemalloc = page_is_pfmemalloc(page);
249 	offset = PAGE_SIZE - SZ_1K;
250 	page_ref_add(page, offset / SZ_1K);
251 
252 use_frag:
253 	nc->offset = offset;
254 	return nc->va + offset;
255 }
256 #else
257 
258 /* the small page is actually unused in this build; add dummy helpers
259  * to please the compiler and avoid later preprocessor's conditionals
260  */
261 #define NAPI_HAS_SMALL_PAGE_FRAG	0
262 #define NAPI_SMALL_PAGE_PFMEMALLOC(nc)	false
263 
264 struct page_frag_1k {
265 };
266 
267 static void *page_frag_alloc_1k(struct page_frag_1k *nc, gfp_t gfp_mask)
268 {
269 	return NULL;
270 }
271 
272 #endif
273 
274 struct napi_alloc_cache {
275 	struct page_frag_cache page;
276 	struct page_frag_1k page_small;
277 	unsigned int skb_count;
278 	void *skb_cache[NAPI_SKB_CACHE_SIZE];
279 };
280 
281 static DEFINE_PER_CPU(struct page_frag_cache, netdev_alloc_cache);
282 static DEFINE_PER_CPU(struct napi_alloc_cache, napi_alloc_cache);
283 
284 /* Double check that napi_get_frags() allocates skbs with
285  * skb->head being backed by slab, not a page fragment.
286  * This is to make sure bug fixed in 3226b158e67c
287  * ("net: avoid 32 x truesize under-estimation for tiny skbs")
288  * does not accidentally come back.
289  */
290 void napi_get_frags_check(struct napi_struct *napi)
291 {
292 	struct sk_buff *skb;
293 
294 	local_bh_disable();
295 	skb = napi_get_frags(napi);
296 	WARN_ON_ONCE(!NAPI_HAS_SMALL_PAGE_FRAG && skb && skb->head_frag);
297 	napi_free_frags(napi);
298 	local_bh_enable();
299 }
300 
301 void *__napi_alloc_frag_align(unsigned int fragsz, unsigned int align_mask)
302 {
303 	struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache);
304 
305 	fragsz = SKB_DATA_ALIGN(fragsz);
306 
307 	return page_frag_alloc_align(&nc->page, fragsz, GFP_ATOMIC, align_mask);
308 }
309 EXPORT_SYMBOL(__napi_alloc_frag_align);
310 
311 void *__netdev_alloc_frag_align(unsigned int fragsz, unsigned int align_mask)
312 {
313 	void *data;
314 
315 	fragsz = SKB_DATA_ALIGN(fragsz);
316 	if (in_hardirq() || irqs_disabled()) {
317 		struct page_frag_cache *nc = this_cpu_ptr(&netdev_alloc_cache);
318 
319 		data = page_frag_alloc_align(nc, fragsz, GFP_ATOMIC, align_mask);
320 	} else {
321 		struct napi_alloc_cache *nc;
322 
323 		local_bh_disable();
324 		nc = this_cpu_ptr(&napi_alloc_cache);
325 		data = page_frag_alloc_align(&nc->page, fragsz, GFP_ATOMIC, align_mask);
326 		local_bh_enable();
327 	}
328 	return data;
329 }
330 EXPORT_SYMBOL(__netdev_alloc_frag_align);
331 
332 static struct sk_buff *napi_skb_cache_get(void)
333 {
334 	struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache);
335 	struct sk_buff *skb;
336 
337 	if (unlikely(!nc->skb_count)) {
338 		nc->skb_count = kmem_cache_alloc_bulk(skbuff_cache,
339 						      GFP_ATOMIC,
340 						      NAPI_SKB_CACHE_BULK,
341 						      nc->skb_cache);
342 		if (unlikely(!nc->skb_count))
343 			return NULL;
344 	}
345 
346 	skb = nc->skb_cache[--nc->skb_count];
347 	kasan_unpoison_object_data(skbuff_cache, skb);
348 
349 	return skb;
350 }
351 
352 static inline void __finalize_skb_around(struct sk_buff *skb, void *data,
353 					 unsigned int size)
354 {
355 	struct skb_shared_info *shinfo;
356 
357 	size -= SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
358 
359 	/* Assumes caller memset cleared SKB */
360 	skb->truesize = SKB_TRUESIZE(size);
361 	refcount_set(&skb->users, 1);
362 	skb->head = data;
363 	skb->data = data;
364 	skb_reset_tail_pointer(skb);
365 	skb_set_end_offset(skb, size);
366 	skb->mac_header = (typeof(skb->mac_header))~0U;
367 	skb->transport_header = (typeof(skb->transport_header))~0U;
368 	skb->alloc_cpu = raw_smp_processor_id();
369 	/* make sure we initialize shinfo sequentially */
370 	shinfo = skb_shinfo(skb);
371 	memset(shinfo, 0, offsetof(struct skb_shared_info, dataref));
372 	atomic_set(&shinfo->dataref, 1);
373 
374 	skb_set_kcov_handle(skb, kcov_common_handle());
375 }
376 
377 static inline void *__slab_build_skb(struct sk_buff *skb, void *data,
378 				     unsigned int *size)
379 {
380 	void *resized;
381 
382 	/* Must find the allocation size (and grow it to match). */
383 	*size = ksize(data);
384 	/* krealloc() will immediately return "data" when
385 	 * "ksize(data)" is requested: it is the existing upper
386 	 * bounds. As a result, GFP_ATOMIC will be ignored. Note
387 	 * that this "new" pointer needs to be passed back to the
388 	 * caller for use so the __alloc_size hinting will be
389 	 * tracked correctly.
390 	 */
391 	resized = krealloc(data, *size, GFP_ATOMIC);
392 	WARN_ON_ONCE(resized != data);
393 	return resized;
394 }
395 
396 /* build_skb() variant which can operate on slab buffers.
397  * Note that this should be used sparingly as slab buffers
398  * cannot be combined efficiently by GRO!
399  */
400 struct sk_buff *slab_build_skb(void *data)
401 {
402 	struct sk_buff *skb;
403 	unsigned int size;
404 
405 	skb = kmem_cache_alloc(skbuff_cache, GFP_ATOMIC);
406 	if (unlikely(!skb))
407 		return NULL;
408 
409 	memset(skb, 0, offsetof(struct sk_buff, tail));
410 	data = __slab_build_skb(skb, data, &size);
411 	__finalize_skb_around(skb, data, size);
412 
413 	return skb;
414 }
415 EXPORT_SYMBOL(slab_build_skb);
416 
417 /* Caller must provide SKB that is memset cleared */
418 static void __build_skb_around(struct sk_buff *skb, void *data,
419 			       unsigned int frag_size)
420 {
421 	unsigned int size = frag_size;
422 
423 	/* frag_size == 0 is considered deprecated now. Callers
424 	 * using slab buffer should use slab_build_skb() instead.
425 	 */
426 	if (WARN_ONCE(size == 0, "Use slab_build_skb() instead"))
427 		data = __slab_build_skb(skb, data, &size);
428 
429 	__finalize_skb_around(skb, data, size);
430 }
431 
432 /**
433  * __build_skb - build a network buffer
434  * @data: data buffer provided by caller
435  * @frag_size: size of data (must not be 0)
436  *
437  * Allocate a new &sk_buff. Caller provides space holding head and
438  * skb_shared_info. @data must have been allocated from the page
439  * allocator or vmalloc(). (A @frag_size of 0 to indicate a kmalloc()
440  * allocation is deprecated, and callers should use slab_build_skb()
441  * instead.)
442  * The return is the new skb buffer.
443  * On a failure the return is %NULL, and @data is not freed.
444  * Notes :
445  *  Before IO, driver allocates only data buffer where NIC put incoming frame
446  *  Driver should add room at head (NET_SKB_PAD) and
447  *  MUST add room at tail (SKB_DATA_ALIGN(skb_shared_info))
448  *  After IO, driver calls build_skb(), to allocate sk_buff and populate it
449  *  before giving packet to stack.
450  *  RX rings only contains data buffers, not full skbs.
451  */
452 struct sk_buff *__build_skb(void *data, unsigned int frag_size)
453 {
454 	struct sk_buff *skb;
455 
456 	skb = kmem_cache_alloc(skbuff_cache, GFP_ATOMIC);
457 	if (unlikely(!skb))
458 		return NULL;
459 
460 	memset(skb, 0, offsetof(struct sk_buff, tail));
461 	__build_skb_around(skb, data, frag_size);
462 
463 	return skb;
464 }
465 
466 /* build_skb() is wrapper over __build_skb(), that specifically
467  * takes care of skb->head and skb->pfmemalloc
468  */
469 struct sk_buff *build_skb(void *data, unsigned int frag_size)
470 {
471 	struct sk_buff *skb = __build_skb(data, frag_size);
472 
473 	if (likely(skb && frag_size)) {
474 		skb->head_frag = 1;
475 		skb_propagate_pfmemalloc(virt_to_head_page(data), skb);
476 	}
477 	return skb;
478 }
479 EXPORT_SYMBOL(build_skb);
480 
481 /**
482  * build_skb_around - build a network buffer around provided skb
483  * @skb: sk_buff provide by caller, must be memset cleared
484  * @data: data buffer provided by caller
485  * @frag_size: size of data
486  */
487 struct sk_buff *build_skb_around(struct sk_buff *skb,
488 				 void *data, unsigned int frag_size)
489 {
490 	if (unlikely(!skb))
491 		return NULL;
492 
493 	__build_skb_around(skb, data, frag_size);
494 
495 	if (frag_size) {
496 		skb->head_frag = 1;
497 		skb_propagate_pfmemalloc(virt_to_head_page(data), skb);
498 	}
499 	return skb;
500 }
501 EXPORT_SYMBOL(build_skb_around);
502 
503 /**
504  * __napi_build_skb - build a network buffer
505  * @data: data buffer provided by caller
506  * @frag_size: size of data
507  *
508  * Version of __build_skb() that uses NAPI percpu caches to obtain
509  * skbuff_head instead of inplace allocation.
510  *
511  * Returns a new &sk_buff on success, %NULL on allocation failure.
512  */
513 static struct sk_buff *__napi_build_skb(void *data, unsigned int frag_size)
514 {
515 	struct sk_buff *skb;
516 
517 	skb = napi_skb_cache_get();
518 	if (unlikely(!skb))
519 		return NULL;
520 
521 	memset(skb, 0, offsetof(struct sk_buff, tail));
522 	__build_skb_around(skb, data, frag_size);
523 
524 	return skb;
525 }
526 
527 /**
528  * napi_build_skb - build a network buffer
529  * @data: data buffer provided by caller
530  * @frag_size: size of data
531  *
532  * Version of __napi_build_skb() that takes care of skb->head_frag
533  * and skb->pfmemalloc when the data is a page or page fragment.
534  *
535  * Returns a new &sk_buff on success, %NULL on allocation failure.
536  */
537 struct sk_buff *napi_build_skb(void *data, unsigned int frag_size)
538 {
539 	struct sk_buff *skb = __napi_build_skb(data, frag_size);
540 
541 	if (likely(skb) && frag_size) {
542 		skb->head_frag = 1;
543 		skb_propagate_pfmemalloc(virt_to_head_page(data), skb);
544 	}
545 
546 	return skb;
547 }
548 EXPORT_SYMBOL(napi_build_skb);
549 
550 /*
551  * kmalloc_reserve is a wrapper around kmalloc_node_track_caller that tells
552  * the caller if emergency pfmemalloc reserves are being used. If it is and
553  * the socket is later found to be SOCK_MEMALLOC then PFMEMALLOC reserves
554  * may be used. Otherwise, the packet data may be discarded until enough
555  * memory is free
556  */
557 static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node,
558 			     bool *pfmemalloc)
559 {
560 	bool ret_pfmemalloc = false;
561 	unsigned int obj_size;
562 	void *obj;
563 
564 	obj_size = SKB_HEAD_ALIGN(*size);
565 #ifdef HAVE_SKB_SMALL_HEAD_CACHE
566 	if (obj_size <= SKB_SMALL_HEAD_CACHE_SIZE &&
567 	    !(flags & KMALLOC_NOT_NORMAL_BITS)) {
568 		obj = kmem_cache_alloc_node(skb_small_head_cache,
569 				flags | __GFP_NOMEMALLOC | __GFP_NOWARN,
570 				node);
571 		*size = SKB_SMALL_HEAD_CACHE_SIZE;
572 		if (obj || !(gfp_pfmemalloc_allowed(flags)))
573 			goto out;
574 		/* Try again but now we are using pfmemalloc reserves */
575 		ret_pfmemalloc = true;
576 		obj = kmem_cache_alloc_node(skb_small_head_cache, flags, node);
577 		goto out;
578 	}
579 #endif
580 	*size = obj_size = kmalloc_size_roundup(obj_size);
581 	/*
582 	 * Try a regular allocation, when that fails and we're not entitled
583 	 * to the reserves, fail.
584 	 */
585 	obj = kmalloc_node_track_caller(obj_size,
586 					flags | __GFP_NOMEMALLOC | __GFP_NOWARN,
587 					node);
588 	if (obj || !(gfp_pfmemalloc_allowed(flags)))
589 		goto out;
590 
591 	/* Try again but now we are using pfmemalloc reserves */
592 	ret_pfmemalloc = true;
593 	obj = kmalloc_node_track_caller(obj_size, flags, node);
594 
595 out:
596 	if (pfmemalloc)
597 		*pfmemalloc = ret_pfmemalloc;
598 
599 	return obj;
600 }
601 
602 /* 	Allocate a new skbuff. We do this ourselves so we can fill in a few
603  *	'private' fields and also do memory statistics to find all the
604  *	[BEEP] leaks.
605  *
606  */
607 
608 /**
609  *	__alloc_skb	-	allocate a network buffer
610  *	@size: size to allocate
611  *	@gfp_mask: allocation mask
612  *	@flags: If SKB_ALLOC_FCLONE is set, allocate from fclone cache
613  *		instead of head cache and allocate a cloned (child) skb.
614  *		If SKB_ALLOC_RX is set, __GFP_MEMALLOC will be used for
615  *		allocations in case the data is required for writeback
616  *	@node: numa node to allocate memory on
617  *
618  *	Allocate a new &sk_buff. The returned buffer has no headroom and a
619  *	tail room of at least size bytes. The object has a reference count
620  *	of one. The return is the buffer. On a failure the return is %NULL.
621  *
622  *	Buffers may only be allocated from interrupts using a @gfp_mask of
623  *	%GFP_ATOMIC.
624  */
625 struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask,
626 			    int flags, int node)
627 {
628 	struct kmem_cache *cache;
629 	struct sk_buff *skb;
630 	bool pfmemalloc;
631 	u8 *data;
632 
633 	cache = (flags & SKB_ALLOC_FCLONE)
634 		? skbuff_fclone_cache : skbuff_cache;
635 
636 	if (sk_memalloc_socks() && (flags & SKB_ALLOC_RX))
637 		gfp_mask |= __GFP_MEMALLOC;
638 
639 	/* Get the HEAD */
640 	if ((flags & (SKB_ALLOC_FCLONE | SKB_ALLOC_NAPI)) == SKB_ALLOC_NAPI &&
641 	    likely(node == NUMA_NO_NODE || node == numa_mem_id()))
642 		skb = napi_skb_cache_get();
643 	else
644 		skb = kmem_cache_alloc_node(cache, gfp_mask & ~GFP_DMA, node);
645 	if (unlikely(!skb))
646 		return NULL;
647 	prefetchw(skb);
648 
649 	/* We do our best to align skb_shared_info on a separate cache
650 	 * line. It usually works because kmalloc(X > SMP_CACHE_BYTES) gives
651 	 * aligned memory blocks, unless SLUB/SLAB debug is enabled.
652 	 * Both skb->head and skb_shared_info are cache line aligned.
653 	 */
654 	data = kmalloc_reserve(&size, gfp_mask, node, &pfmemalloc);
655 	if (unlikely(!data))
656 		goto nodata;
657 	/* kmalloc_size_roundup() might give us more room than requested.
658 	 * Put skb_shared_info exactly at the end of allocated zone,
659 	 * to allow max possible filling before reallocation.
660 	 */
661 	prefetchw(data + SKB_WITH_OVERHEAD(size));
662 
663 	/*
664 	 * Only clear those fields we need to clear, not those that we will
665 	 * actually initialise below. Hence, don't put any more fields after
666 	 * the tail pointer in struct sk_buff!
667 	 */
668 	memset(skb, 0, offsetof(struct sk_buff, tail));
669 	__build_skb_around(skb, data, size);
670 	skb->pfmemalloc = pfmemalloc;
671 
672 	if (flags & SKB_ALLOC_FCLONE) {
673 		struct sk_buff_fclones *fclones;
674 
675 		fclones = container_of(skb, struct sk_buff_fclones, skb1);
676 
677 		skb->fclone = SKB_FCLONE_ORIG;
678 		refcount_set(&fclones->fclone_ref, 1);
679 	}
680 
681 	return skb;
682 
683 nodata:
684 	kmem_cache_free(cache, skb);
685 	return NULL;
686 }
687 EXPORT_SYMBOL(__alloc_skb);
688 
689 /**
690  *	__netdev_alloc_skb - allocate an skbuff for rx on a specific device
691  *	@dev: network device to receive on
692  *	@len: length to allocate
693  *	@gfp_mask: get_free_pages mask, passed to alloc_skb
694  *
695  *	Allocate a new &sk_buff and assign it a usage count of one. The
696  *	buffer has NET_SKB_PAD headroom built in. Users should allocate
697  *	the headroom they think they need without accounting for the
698  *	built in space. The built in space is used for optimisations.
699  *
700  *	%NULL is returned if there is no free memory.
701  */
702 struct sk_buff *__netdev_alloc_skb(struct net_device *dev, unsigned int len,
703 				   gfp_t gfp_mask)
704 {
705 	struct page_frag_cache *nc;
706 	struct sk_buff *skb;
707 	bool pfmemalloc;
708 	void *data;
709 
710 	len += NET_SKB_PAD;
711 
712 	/* If requested length is either too small or too big,
713 	 * we use kmalloc() for skb->head allocation.
714 	 */
715 	if (len <= SKB_WITH_OVERHEAD(1024) ||
716 	    len > SKB_WITH_OVERHEAD(PAGE_SIZE) ||
717 	    (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) {
718 		skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX, NUMA_NO_NODE);
719 		if (!skb)
720 			goto skb_fail;
721 		goto skb_success;
722 	}
723 
724 	len = SKB_HEAD_ALIGN(len);
725 
726 	if (sk_memalloc_socks())
727 		gfp_mask |= __GFP_MEMALLOC;
728 
729 	if (in_hardirq() || irqs_disabled()) {
730 		nc = this_cpu_ptr(&netdev_alloc_cache);
731 		data = page_frag_alloc(nc, len, gfp_mask);
732 		pfmemalloc = nc->pfmemalloc;
733 	} else {
734 		local_bh_disable();
735 		nc = this_cpu_ptr(&napi_alloc_cache.page);
736 		data = page_frag_alloc(nc, len, gfp_mask);
737 		pfmemalloc = nc->pfmemalloc;
738 		local_bh_enable();
739 	}
740 
741 	if (unlikely(!data))
742 		return NULL;
743 
744 	skb = __build_skb(data, len);
745 	if (unlikely(!skb)) {
746 		skb_free_frag(data);
747 		return NULL;
748 	}
749 
750 	if (pfmemalloc)
751 		skb->pfmemalloc = 1;
752 	skb->head_frag = 1;
753 
754 skb_success:
755 	skb_reserve(skb, NET_SKB_PAD);
756 	skb->dev = dev;
757 
758 skb_fail:
759 	return skb;
760 }
761 EXPORT_SYMBOL(__netdev_alloc_skb);
762 
763 /**
764  *	__napi_alloc_skb - allocate skbuff for rx in a specific NAPI instance
765  *	@napi: napi instance this buffer was allocated for
766  *	@len: length to allocate
767  *	@gfp_mask: get_free_pages mask, passed to alloc_skb and alloc_pages
768  *
769  *	Allocate a new sk_buff for use in NAPI receive.  This buffer will
770  *	attempt to allocate the head from a special reserved region used
771  *	only for NAPI Rx allocation.  By doing this we can save several
772  *	CPU cycles by avoiding having to disable and re-enable IRQs.
773  *
774  *	%NULL is returned if there is no free memory.
775  */
776 struct sk_buff *__napi_alloc_skb(struct napi_struct *napi, unsigned int len,
777 				 gfp_t gfp_mask)
778 {
779 	struct napi_alloc_cache *nc;
780 	struct sk_buff *skb;
781 	bool pfmemalloc;
782 	void *data;
783 
784 	DEBUG_NET_WARN_ON_ONCE(!in_softirq());
785 	len += NET_SKB_PAD + NET_IP_ALIGN;
786 
787 	/* If requested length is either too small or too big,
788 	 * we use kmalloc() for skb->head allocation.
789 	 * When the small frag allocator is available, prefer it over kmalloc
790 	 * for small fragments
791 	 */
792 	if ((!NAPI_HAS_SMALL_PAGE_FRAG && len <= SKB_WITH_OVERHEAD(1024)) ||
793 	    len > SKB_WITH_OVERHEAD(PAGE_SIZE) ||
794 	    (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) {
795 		skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX | SKB_ALLOC_NAPI,
796 				  NUMA_NO_NODE);
797 		if (!skb)
798 			goto skb_fail;
799 		goto skb_success;
800 	}
801 
802 	nc = this_cpu_ptr(&napi_alloc_cache);
803 
804 	if (sk_memalloc_socks())
805 		gfp_mask |= __GFP_MEMALLOC;
806 
807 	if (NAPI_HAS_SMALL_PAGE_FRAG && len <= SKB_WITH_OVERHEAD(1024)) {
808 		/* we are artificially inflating the allocation size, but
809 		 * that is not as bad as it may look like, as:
810 		 * - 'len' less than GRO_MAX_HEAD makes little sense
811 		 * - On most systems, larger 'len' values lead to fragment
812 		 *   size above 512 bytes
813 		 * - kmalloc would use the kmalloc-1k slab for such values
814 		 * - Builds with smaller GRO_MAX_HEAD will very likely do
815 		 *   little networking, as that implies no WiFi and no
816 		 *   tunnels support, and 32 bits arches.
817 		 */
818 		len = SZ_1K;
819 
820 		data = page_frag_alloc_1k(&nc->page_small, gfp_mask);
821 		pfmemalloc = NAPI_SMALL_PAGE_PFMEMALLOC(nc->page_small);
822 	} else {
823 		len = SKB_HEAD_ALIGN(len);
824 
825 		data = page_frag_alloc(&nc->page, len, gfp_mask);
826 		pfmemalloc = nc->page.pfmemalloc;
827 	}
828 
829 	if (unlikely(!data))
830 		return NULL;
831 
832 	skb = __napi_build_skb(data, len);
833 	if (unlikely(!skb)) {
834 		skb_free_frag(data);
835 		return NULL;
836 	}
837 
838 	if (pfmemalloc)
839 		skb->pfmemalloc = 1;
840 	skb->head_frag = 1;
841 
842 skb_success:
843 	skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
844 	skb->dev = napi->dev;
845 
846 skb_fail:
847 	return skb;
848 }
849 EXPORT_SYMBOL(__napi_alloc_skb);
850 
851 void skb_add_rx_frag(struct sk_buff *skb, int i, struct page *page, int off,
852 		     int size, unsigned int truesize)
853 {
854 	skb_fill_page_desc(skb, i, page, off, size);
855 	skb->len += size;
856 	skb->data_len += size;
857 	skb->truesize += truesize;
858 }
859 EXPORT_SYMBOL(skb_add_rx_frag);
860 
861 void skb_coalesce_rx_frag(struct sk_buff *skb, int i, int size,
862 			  unsigned int truesize)
863 {
864 	skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
865 
866 	skb_frag_size_add(frag, size);
867 	skb->len += size;
868 	skb->data_len += size;
869 	skb->truesize += truesize;
870 }
871 EXPORT_SYMBOL(skb_coalesce_rx_frag);
872 
873 static void skb_drop_list(struct sk_buff **listp)
874 {
875 	kfree_skb_list(*listp);
876 	*listp = NULL;
877 }
878 
879 static inline void skb_drop_fraglist(struct sk_buff *skb)
880 {
881 	skb_drop_list(&skb_shinfo(skb)->frag_list);
882 }
883 
884 static void skb_clone_fraglist(struct sk_buff *skb)
885 {
886 	struct sk_buff *list;
887 
888 	skb_walk_frags(skb, list)
889 		skb_get(list);
890 }
891 
892 static bool skb_pp_recycle(struct sk_buff *skb, void *data, bool napi_safe)
893 {
894 	if (!IS_ENABLED(CONFIG_PAGE_POOL) || !skb->pp_recycle)
895 		return false;
896 	return page_pool_return_skb_page(virt_to_page(data), napi_safe);
897 }
898 
899 static void skb_kfree_head(void *head, unsigned int end_offset)
900 {
901 #ifdef HAVE_SKB_SMALL_HEAD_CACHE
902 	if (end_offset == SKB_SMALL_HEAD_HEADROOM)
903 		kmem_cache_free(skb_small_head_cache, head);
904 	else
905 #endif
906 		kfree(head);
907 }
908 
909 static void skb_free_head(struct sk_buff *skb, bool napi_safe)
910 {
911 	unsigned char *head = skb->head;
912 
913 	if (skb->head_frag) {
914 		if (skb_pp_recycle(skb, head, napi_safe))
915 			return;
916 		skb_free_frag(head);
917 	} else {
918 		skb_kfree_head(head, skb_end_offset(skb));
919 	}
920 }
921 
922 static void skb_release_data(struct sk_buff *skb, enum skb_drop_reason reason,
923 			     bool napi_safe)
924 {
925 	struct skb_shared_info *shinfo = skb_shinfo(skb);
926 	int i;
927 
928 	if (skb->cloned &&
929 	    atomic_sub_return(skb->nohdr ? (1 << SKB_DATAREF_SHIFT) + 1 : 1,
930 			      &shinfo->dataref))
931 		goto exit;
932 
933 	if (skb_zcopy(skb)) {
934 		bool skip_unref = shinfo->flags & SKBFL_MANAGED_FRAG_REFS;
935 
936 		skb_zcopy_clear(skb, true);
937 		if (skip_unref)
938 			goto free_head;
939 	}
940 
941 	for (i = 0; i < shinfo->nr_frags; i++)
942 		napi_frag_unref(&shinfo->frags[i], skb->pp_recycle, napi_safe);
943 
944 free_head:
945 	if (shinfo->frag_list)
946 		kfree_skb_list_reason(shinfo->frag_list, reason);
947 
948 	skb_free_head(skb, napi_safe);
949 exit:
950 	/* When we clone an SKB we copy the reycling bit. The pp_recycle
951 	 * bit is only set on the head though, so in order to avoid races
952 	 * while trying to recycle fragments on __skb_frag_unref() we need
953 	 * to make one SKB responsible for triggering the recycle path.
954 	 * So disable the recycling bit if an SKB is cloned and we have
955 	 * additional references to the fragmented part of the SKB.
956 	 * Eventually the last SKB will have the recycling bit set and it's
957 	 * dataref set to 0, which will trigger the recycling
958 	 */
959 	skb->pp_recycle = 0;
960 }
961 
962 /*
963  *	Free an skbuff by memory without cleaning the state.
964  */
965 static void kfree_skbmem(struct sk_buff *skb)
966 {
967 	struct sk_buff_fclones *fclones;
968 
969 	switch (skb->fclone) {
970 	case SKB_FCLONE_UNAVAILABLE:
971 		kmem_cache_free(skbuff_cache, skb);
972 		return;
973 
974 	case SKB_FCLONE_ORIG:
975 		fclones = container_of(skb, struct sk_buff_fclones, skb1);
976 
977 		/* We usually free the clone (TX completion) before original skb
978 		 * This test would have no chance to be true for the clone,
979 		 * while here, branch prediction will be good.
980 		 */
981 		if (refcount_read(&fclones->fclone_ref) == 1)
982 			goto fastpath;
983 		break;
984 
985 	default: /* SKB_FCLONE_CLONE */
986 		fclones = container_of(skb, struct sk_buff_fclones, skb2);
987 		break;
988 	}
989 	if (!refcount_dec_and_test(&fclones->fclone_ref))
990 		return;
991 fastpath:
992 	kmem_cache_free(skbuff_fclone_cache, fclones);
993 }
994 
995 void skb_release_head_state(struct sk_buff *skb)
996 {
997 	skb_dst_drop(skb);
998 	if (skb->destructor) {
999 		DEBUG_NET_WARN_ON_ONCE(in_hardirq());
1000 		skb->destructor(skb);
1001 	}
1002 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
1003 	nf_conntrack_put(skb_nfct(skb));
1004 #endif
1005 	skb_ext_put(skb);
1006 }
1007 
1008 /* Free everything but the sk_buff shell. */
1009 static void skb_release_all(struct sk_buff *skb, enum skb_drop_reason reason,
1010 			    bool napi_safe)
1011 {
1012 	skb_release_head_state(skb);
1013 	if (likely(skb->head))
1014 		skb_release_data(skb, reason, napi_safe);
1015 }
1016 
1017 /**
1018  *	__kfree_skb - private function
1019  *	@skb: buffer
1020  *
1021  *	Free an sk_buff. Release anything attached to the buffer.
1022  *	Clean the state. This is an internal helper function. Users should
1023  *	always call kfree_skb
1024  */
1025 
1026 void __kfree_skb(struct sk_buff *skb)
1027 {
1028 	skb_release_all(skb, SKB_DROP_REASON_NOT_SPECIFIED, false);
1029 	kfree_skbmem(skb);
1030 }
1031 EXPORT_SYMBOL(__kfree_skb);
1032 
1033 static __always_inline
1034 bool __kfree_skb_reason(struct sk_buff *skb, enum skb_drop_reason reason)
1035 {
1036 	if (unlikely(!skb_unref(skb)))
1037 		return false;
1038 
1039 	DEBUG_NET_WARN_ON_ONCE(reason == SKB_NOT_DROPPED_YET ||
1040 			       u32_get_bits(reason,
1041 					    SKB_DROP_REASON_SUBSYS_MASK) >=
1042 				SKB_DROP_REASON_SUBSYS_NUM);
1043 
1044 	if (reason == SKB_CONSUMED)
1045 		trace_consume_skb(skb, __builtin_return_address(0));
1046 	else
1047 		trace_kfree_skb(skb, __builtin_return_address(0), reason);
1048 	return true;
1049 }
1050 
1051 /**
1052  *	kfree_skb_reason - free an sk_buff with special reason
1053  *	@skb: buffer to free
1054  *	@reason: reason why this skb is dropped
1055  *
1056  *	Drop a reference to the buffer and free it if the usage count has
1057  *	hit zero. Meanwhile, pass the drop reason to 'kfree_skb'
1058  *	tracepoint.
1059  */
1060 void __fix_address
1061 kfree_skb_reason(struct sk_buff *skb, enum skb_drop_reason reason)
1062 {
1063 	if (__kfree_skb_reason(skb, reason))
1064 		__kfree_skb(skb);
1065 }
1066 EXPORT_SYMBOL(kfree_skb_reason);
1067 
1068 #define KFREE_SKB_BULK_SIZE	16
1069 
1070 struct skb_free_array {
1071 	unsigned int skb_count;
1072 	void *skb_array[KFREE_SKB_BULK_SIZE];
1073 };
1074 
1075 static void kfree_skb_add_bulk(struct sk_buff *skb,
1076 			       struct skb_free_array *sa,
1077 			       enum skb_drop_reason reason)
1078 {
1079 	/* if SKB is a clone, don't handle this case */
1080 	if (unlikely(skb->fclone != SKB_FCLONE_UNAVAILABLE)) {
1081 		__kfree_skb(skb);
1082 		return;
1083 	}
1084 
1085 	skb_release_all(skb, reason, false);
1086 	sa->skb_array[sa->skb_count++] = skb;
1087 
1088 	if (unlikely(sa->skb_count == KFREE_SKB_BULK_SIZE)) {
1089 		kmem_cache_free_bulk(skbuff_cache, KFREE_SKB_BULK_SIZE,
1090 				     sa->skb_array);
1091 		sa->skb_count = 0;
1092 	}
1093 }
1094 
1095 void __fix_address
1096 kfree_skb_list_reason(struct sk_buff *segs, enum skb_drop_reason reason)
1097 {
1098 	struct skb_free_array sa;
1099 
1100 	sa.skb_count = 0;
1101 
1102 	while (segs) {
1103 		struct sk_buff *next = segs->next;
1104 
1105 		if (__kfree_skb_reason(segs, reason)) {
1106 			skb_poison_list(segs);
1107 			kfree_skb_add_bulk(segs, &sa, reason);
1108 		}
1109 
1110 		segs = next;
1111 	}
1112 
1113 	if (sa.skb_count)
1114 		kmem_cache_free_bulk(skbuff_cache, sa.skb_count, sa.skb_array);
1115 }
1116 EXPORT_SYMBOL(kfree_skb_list_reason);
1117 
1118 /* Dump skb information and contents.
1119  *
1120  * Must only be called from net_ratelimit()-ed paths.
1121  *
1122  * Dumps whole packets if full_pkt, only headers otherwise.
1123  */
1124 void skb_dump(const char *level, const struct sk_buff *skb, bool full_pkt)
1125 {
1126 	struct skb_shared_info *sh = skb_shinfo(skb);
1127 	struct net_device *dev = skb->dev;
1128 	struct sock *sk = skb->sk;
1129 	struct sk_buff *list_skb;
1130 	bool has_mac, has_trans;
1131 	int headroom, tailroom;
1132 	int i, len, seg_len;
1133 
1134 	if (full_pkt)
1135 		len = skb->len;
1136 	else
1137 		len = min_t(int, skb->len, MAX_HEADER + 128);
1138 
1139 	headroom = skb_headroom(skb);
1140 	tailroom = skb_tailroom(skb);
1141 
1142 	has_mac = skb_mac_header_was_set(skb);
1143 	has_trans = skb_transport_header_was_set(skb);
1144 
1145 	printk("%sskb len=%u headroom=%u headlen=%u tailroom=%u\n"
1146 	       "mac=(%d,%d) net=(%d,%d) trans=%d\n"
1147 	       "shinfo(txflags=%u nr_frags=%u gso(size=%hu type=%u segs=%hu))\n"
1148 	       "csum(0x%x ip_summed=%u complete_sw=%u valid=%u level=%u)\n"
1149 	       "hash(0x%x sw=%u l4=%u) proto=0x%04x pkttype=%u iif=%d\n",
1150 	       level, skb->len, headroom, skb_headlen(skb), tailroom,
1151 	       has_mac ? skb->mac_header : -1,
1152 	       has_mac ? skb_mac_header_len(skb) : -1,
1153 	       skb->network_header,
1154 	       has_trans ? skb_network_header_len(skb) : -1,
1155 	       has_trans ? skb->transport_header : -1,
1156 	       sh->tx_flags, sh->nr_frags,
1157 	       sh->gso_size, sh->gso_type, sh->gso_segs,
1158 	       skb->csum, skb->ip_summed, skb->csum_complete_sw,
1159 	       skb->csum_valid, skb->csum_level,
1160 	       skb->hash, skb->sw_hash, skb->l4_hash,
1161 	       ntohs(skb->protocol), skb->pkt_type, skb->skb_iif);
1162 
1163 	if (dev)
1164 		printk("%sdev name=%s feat=%pNF\n",
1165 		       level, dev->name, &dev->features);
1166 	if (sk)
1167 		printk("%ssk family=%hu type=%u proto=%u\n",
1168 		       level, sk->sk_family, sk->sk_type, sk->sk_protocol);
1169 
1170 	if (full_pkt && headroom)
1171 		print_hex_dump(level, "skb headroom: ", DUMP_PREFIX_OFFSET,
1172 			       16, 1, skb->head, headroom, false);
1173 
1174 	seg_len = min_t(int, skb_headlen(skb), len);
1175 	if (seg_len)
1176 		print_hex_dump(level, "skb linear:   ", DUMP_PREFIX_OFFSET,
1177 			       16, 1, skb->data, seg_len, false);
1178 	len -= seg_len;
1179 
1180 	if (full_pkt && tailroom)
1181 		print_hex_dump(level, "skb tailroom: ", DUMP_PREFIX_OFFSET,
1182 			       16, 1, skb_tail_pointer(skb), tailroom, false);
1183 
1184 	for (i = 0; len && i < skb_shinfo(skb)->nr_frags; i++) {
1185 		skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
1186 		u32 p_off, p_len, copied;
1187 		struct page *p;
1188 		u8 *vaddr;
1189 
1190 		skb_frag_foreach_page(frag, skb_frag_off(frag),
1191 				      skb_frag_size(frag), p, p_off, p_len,
1192 				      copied) {
1193 			seg_len = min_t(int, p_len, len);
1194 			vaddr = kmap_atomic(p);
1195 			print_hex_dump(level, "skb frag:     ",
1196 				       DUMP_PREFIX_OFFSET,
1197 				       16, 1, vaddr + p_off, seg_len, false);
1198 			kunmap_atomic(vaddr);
1199 			len -= seg_len;
1200 			if (!len)
1201 				break;
1202 		}
1203 	}
1204 
1205 	if (full_pkt && skb_has_frag_list(skb)) {
1206 		printk("skb fraglist:\n");
1207 		skb_walk_frags(skb, list_skb)
1208 			skb_dump(level, list_skb, true);
1209 	}
1210 }
1211 EXPORT_SYMBOL(skb_dump);
1212 
1213 /**
1214  *	skb_tx_error - report an sk_buff xmit error
1215  *	@skb: buffer that triggered an error
1216  *
1217  *	Report xmit error if a device callback is tracking this skb.
1218  *	skb must be freed afterwards.
1219  */
1220 void skb_tx_error(struct sk_buff *skb)
1221 {
1222 	if (skb) {
1223 		skb_zcopy_downgrade_managed(skb);
1224 		skb_zcopy_clear(skb, true);
1225 	}
1226 }
1227 EXPORT_SYMBOL(skb_tx_error);
1228 
1229 #ifdef CONFIG_TRACEPOINTS
1230 /**
1231  *	consume_skb - free an skbuff
1232  *	@skb: buffer to free
1233  *
1234  *	Drop a ref to the buffer and free it if the usage count has hit zero
1235  *	Functions identically to kfree_skb, but kfree_skb assumes that the frame
1236  *	is being dropped after a failure and notes that
1237  */
1238 void consume_skb(struct sk_buff *skb)
1239 {
1240 	if (!skb_unref(skb))
1241 		return;
1242 
1243 	trace_consume_skb(skb, __builtin_return_address(0));
1244 	__kfree_skb(skb);
1245 }
1246 EXPORT_SYMBOL(consume_skb);
1247 #endif
1248 
1249 /**
1250  *	__consume_stateless_skb - free an skbuff, assuming it is stateless
1251  *	@skb: buffer to free
1252  *
1253  *	Alike consume_skb(), but this variant assumes that this is the last
1254  *	skb reference and all the head states have been already dropped
1255  */
1256 void __consume_stateless_skb(struct sk_buff *skb)
1257 {
1258 	trace_consume_skb(skb, __builtin_return_address(0));
1259 	skb_release_data(skb, SKB_CONSUMED, false);
1260 	kfree_skbmem(skb);
1261 }
1262 
1263 static void napi_skb_cache_put(struct sk_buff *skb)
1264 {
1265 	struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache);
1266 	u32 i;
1267 
1268 	kasan_poison_object_data(skbuff_cache, skb);
1269 	nc->skb_cache[nc->skb_count++] = skb;
1270 
1271 	if (unlikely(nc->skb_count == NAPI_SKB_CACHE_SIZE)) {
1272 		for (i = NAPI_SKB_CACHE_HALF; i < NAPI_SKB_CACHE_SIZE; i++)
1273 			kasan_unpoison_object_data(skbuff_cache,
1274 						   nc->skb_cache[i]);
1275 
1276 		kmem_cache_free_bulk(skbuff_cache, NAPI_SKB_CACHE_HALF,
1277 				     nc->skb_cache + NAPI_SKB_CACHE_HALF);
1278 		nc->skb_count = NAPI_SKB_CACHE_HALF;
1279 	}
1280 }
1281 
1282 void __napi_kfree_skb(struct sk_buff *skb, enum skb_drop_reason reason)
1283 {
1284 	skb_release_all(skb, reason, true);
1285 	napi_skb_cache_put(skb);
1286 }
1287 
1288 void napi_skb_free_stolen_head(struct sk_buff *skb)
1289 {
1290 	if (unlikely(skb->slow_gro)) {
1291 		nf_reset_ct(skb);
1292 		skb_dst_drop(skb);
1293 		skb_ext_put(skb);
1294 		skb_orphan(skb);
1295 		skb->slow_gro = 0;
1296 	}
1297 	napi_skb_cache_put(skb);
1298 }
1299 
1300 void napi_consume_skb(struct sk_buff *skb, int budget)
1301 {
1302 	/* Zero budget indicate non-NAPI context called us, like netpoll */
1303 	if (unlikely(!budget)) {
1304 		dev_consume_skb_any(skb);
1305 		return;
1306 	}
1307 
1308 	DEBUG_NET_WARN_ON_ONCE(!in_softirq());
1309 
1310 	if (!skb_unref(skb))
1311 		return;
1312 
1313 	/* if reaching here SKB is ready to free */
1314 	trace_consume_skb(skb, __builtin_return_address(0));
1315 
1316 	/* if SKB is a clone, don't handle this case */
1317 	if (skb->fclone != SKB_FCLONE_UNAVAILABLE) {
1318 		__kfree_skb(skb);
1319 		return;
1320 	}
1321 
1322 	skb_release_all(skb, SKB_CONSUMED, !!budget);
1323 	napi_skb_cache_put(skb);
1324 }
1325 EXPORT_SYMBOL(napi_consume_skb);
1326 
1327 /* Make sure a field is contained by headers group */
1328 #define CHECK_SKB_FIELD(field) \
1329 	BUILD_BUG_ON(offsetof(struct sk_buff, field) !=		\
1330 		     offsetof(struct sk_buff, headers.field));	\
1331 
1332 static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
1333 {
1334 	new->tstamp		= old->tstamp;
1335 	/* We do not copy old->sk */
1336 	new->dev		= old->dev;
1337 	memcpy(new->cb, old->cb, sizeof(old->cb));
1338 	skb_dst_copy(new, old);
1339 	__skb_ext_copy(new, old);
1340 	__nf_copy(new, old, false);
1341 
1342 	/* Note : this field could be in the headers group.
1343 	 * It is not yet because we do not want to have a 16 bit hole
1344 	 */
1345 	new->queue_mapping = old->queue_mapping;
1346 
1347 	memcpy(&new->headers, &old->headers, sizeof(new->headers));
1348 	CHECK_SKB_FIELD(protocol);
1349 	CHECK_SKB_FIELD(csum);
1350 	CHECK_SKB_FIELD(hash);
1351 	CHECK_SKB_FIELD(priority);
1352 	CHECK_SKB_FIELD(skb_iif);
1353 	CHECK_SKB_FIELD(vlan_proto);
1354 	CHECK_SKB_FIELD(vlan_tci);
1355 	CHECK_SKB_FIELD(transport_header);
1356 	CHECK_SKB_FIELD(network_header);
1357 	CHECK_SKB_FIELD(mac_header);
1358 	CHECK_SKB_FIELD(inner_protocol);
1359 	CHECK_SKB_FIELD(inner_transport_header);
1360 	CHECK_SKB_FIELD(inner_network_header);
1361 	CHECK_SKB_FIELD(inner_mac_header);
1362 	CHECK_SKB_FIELD(mark);
1363 #ifdef CONFIG_NETWORK_SECMARK
1364 	CHECK_SKB_FIELD(secmark);
1365 #endif
1366 #ifdef CONFIG_NET_RX_BUSY_POLL
1367 	CHECK_SKB_FIELD(napi_id);
1368 #endif
1369 	CHECK_SKB_FIELD(alloc_cpu);
1370 #ifdef CONFIG_XPS
1371 	CHECK_SKB_FIELD(sender_cpu);
1372 #endif
1373 #ifdef CONFIG_NET_SCHED
1374 	CHECK_SKB_FIELD(tc_index);
1375 #endif
1376 
1377 }
1378 
1379 /*
1380  * You should not add any new code to this function.  Add it to
1381  * __copy_skb_header above instead.
1382  */
1383 static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb)
1384 {
1385 #define C(x) n->x = skb->x
1386 
1387 	n->next = n->prev = NULL;
1388 	n->sk = NULL;
1389 	__copy_skb_header(n, skb);
1390 
1391 	C(len);
1392 	C(data_len);
1393 	C(mac_len);
1394 	n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len;
1395 	n->cloned = 1;
1396 	n->nohdr = 0;
1397 	n->peeked = 0;
1398 	C(pfmemalloc);
1399 	C(pp_recycle);
1400 	n->destructor = NULL;
1401 	C(tail);
1402 	C(end);
1403 	C(head);
1404 	C(head_frag);
1405 	C(data);
1406 	C(truesize);
1407 	refcount_set(&n->users, 1);
1408 
1409 	atomic_inc(&(skb_shinfo(skb)->dataref));
1410 	skb->cloned = 1;
1411 
1412 	return n;
1413 #undef C
1414 }
1415 
1416 /**
1417  * alloc_skb_for_msg() - allocate sk_buff to wrap frag list forming a msg
1418  * @first: first sk_buff of the msg
1419  */
1420 struct sk_buff *alloc_skb_for_msg(struct sk_buff *first)
1421 {
1422 	struct sk_buff *n;
1423 
1424 	n = alloc_skb(0, GFP_ATOMIC);
1425 	if (!n)
1426 		return NULL;
1427 
1428 	n->len = first->len;
1429 	n->data_len = first->len;
1430 	n->truesize = first->truesize;
1431 
1432 	skb_shinfo(n)->frag_list = first;
1433 
1434 	__copy_skb_header(n, first);
1435 	n->destructor = NULL;
1436 
1437 	return n;
1438 }
1439 EXPORT_SYMBOL_GPL(alloc_skb_for_msg);
1440 
1441 /**
1442  *	skb_morph	-	morph one skb into another
1443  *	@dst: the skb to receive the contents
1444  *	@src: the skb to supply the contents
1445  *
1446  *	This is identical to skb_clone except that the target skb is
1447  *	supplied by the user.
1448  *
1449  *	The target skb is returned upon exit.
1450  */
1451 struct sk_buff *skb_morph(struct sk_buff *dst, struct sk_buff *src)
1452 {
1453 	skb_release_all(dst, SKB_CONSUMED, false);
1454 	return __skb_clone(dst, src);
1455 }
1456 EXPORT_SYMBOL_GPL(skb_morph);
1457 
1458 int mm_account_pinned_pages(struct mmpin *mmp, size_t size)
1459 {
1460 	unsigned long max_pg, num_pg, new_pg, old_pg, rlim;
1461 	struct user_struct *user;
1462 
1463 	if (capable(CAP_IPC_LOCK) || !size)
1464 		return 0;
1465 
1466 	rlim = rlimit(RLIMIT_MEMLOCK);
1467 	if (rlim == RLIM_INFINITY)
1468 		return 0;
1469 
1470 	num_pg = (size >> PAGE_SHIFT) + 2;	/* worst case */
1471 	max_pg = rlim >> PAGE_SHIFT;
1472 	user = mmp->user ? : current_user();
1473 
1474 	old_pg = atomic_long_read(&user->locked_vm);
1475 	do {
1476 		new_pg = old_pg + num_pg;
1477 		if (new_pg > max_pg)
1478 			return -ENOBUFS;
1479 	} while (!atomic_long_try_cmpxchg(&user->locked_vm, &old_pg, new_pg));
1480 
1481 	if (!mmp->user) {
1482 		mmp->user = get_uid(user);
1483 		mmp->num_pg = num_pg;
1484 	} else {
1485 		mmp->num_pg += num_pg;
1486 	}
1487 
1488 	return 0;
1489 }
1490 EXPORT_SYMBOL_GPL(mm_account_pinned_pages);
1491 
1492 void mm_unaccount_pinned_pages(struct mmpin *mmp)
1493 {
1494 	if (mmp->user) {
1495 		atomic_long_sub(mmp->num_pg, &mmp->user->locked_vm);
1496 		free_uid(mmp->user);
1497 	}
1498 }
1499 EXPORT_SYMBOL_GPL(mm_unaccount_pinned_pages);
1500 
1501 static struct ubuf_info *msg_zerocopy_alloc(struct sock *sk, size_t size)
1502 {
1503 	struct ubuf_info_msgzc *uarg;
1504 	struct sk_buff *skb;
1505 
1506 	WARN_ON_ONCE(!in_task());
1507 
1508 	skb = sock_omalloc(sk, 0, GFP_KERNEL);
1509 	if (!skb)
1510 		return NULL;
1511 
1512 	BUILD_BUG_ON(sizeof(*uarg) > sizeof(skb->cb));
1513 	uarg = (void *)skb->cb;
1514 	uarg->mmp.user = NULL;
1515 
1516 	if (mm_account_pinned_pages(&uarg->mmp, size)) {
1517 		kfree_skb(skb);
1518 		return NULL;
1519 	}
1520 
1521 	uarg->ubuf.callback = msg_zerocopy_callback;
1522 	uarg->id = ((u32)atomic_inc_return(&sk->sk_zckey)) - 1;
1523 	uarg->len = 1;
1524 	uarg->bytelen = size;
1525 	uarg->zerocopy = 1;
1526 	uarg->ubuf.flags = SKBFL_ZEROCOPY_FRAG | SKBFL_DONT_ORPHAN;
1527 	refcount_set(&uarg->ubuf.refcnt, 1);
1528 	sock_hold(sk);
1529 
1530 	return &uarg->ubuf;
1531 }
1532 
1533 static inline struct sk_buff *skb_from_uarg(struct ubuf_info_msgzc *uarg)
1534 {
1535 	return container_of((void *)uarg, struct sk_buff, cb);
1536 }
1537 
1538 struct ubuf_info *msg_zerocopy_realloc(struct sock *sk, size_t size,
1539 				       struct ubuf_info *uarg)
1540 {
1541 	if (uarg) {
1542 		struct ubuf_info_msgzc *uarg_zc;
1543 		const u32 byte_limit = 1 << 19;		/* limit to a few TSO */
1544 		u32 bytelen, next;
1545 
1546 		/* there might be non MSG_ZEROCOPY users */
1547 		if (uarg->callback != msg_zerocopy_callback)
1548 			return NULL;
1549 
1550 		/* realloc only when socket is locked (TCP, UDP cork),
1551 		 * so uarg->len and sk_zckey access is serialized
1552 		 */
1553 		if (!sock_owned_by_user(sk)) {
1554 			WARN_ON_ONCE(1);
1555 			return NULL;
1556 		}
1557 
1558 		uarg_zc = uarg_to_msgzc(uarg);
1559 		bytelen = uarg_zc->bytelen + size;
1560 		if (uarg_zc->len == USHRT_MAX - 1 || bytelen > byte_limit) {
1561 			/* TCP can create new skb to attach new uarg */
1562 			if (sk->sk_type == SOCK_STREAM)
1563 				goto new_alloc;
1564 			return NULL;
1565 		}
1566 
1567 		next = (u32)atomic_read(&sk->sk_zckey);
1568 		if ((u32)(uarg_zc->id + uarg_zc->len) == next) {
1569 			if (mm_account_pinned_pages(&uarg_zc->mmp, size))
1570 				return NULL;
1571 			uarg_zc->len++;
1572 			uarg_zc->bytelen = bytelen;
1573 			atomic_set(&sk->sk_zckey, ++next);
1574 
1575 			/* no extra ref when appending to datagram (MSG_MORE) */
1576 			if (sk->sk_type == SOCK_STREAM)
1577 				net_zcopy_get(uarg);
1578 
1579 			return uarg;
1580 		}
1581 	}
1582 
1583 new_alloc:
1584 	return msg_zerocopy_alloc(sk, size);
1585 }
1586 EXPORT_SYMBOL_GPL(msg_zerocopy_realloc);
1587 
1588 static bool skb_zerocopy_notify_extend(struct sk_buff *skb, u32 lo, u16 len)
1589 {
1590 	struct sock_exterr_skb *serr = SKB_EXT_ERR(skb);
1591 	u32 old_lo, old_hi;
1592 	u64 sum_len;
1593 
1594 	old_lo = serr->ee.ee_info;
1595 	old_hi = serr->ee.ee_data;
1596 	sum_len = old_hi - old_lo + 1ULL + len;
1597 
1598 	if (sum_len >= (1ULL << 32))
1599 		return false;
1600 
1601 	if (lo != old_hi + 1)
1602 		return false;
1603 
1604 	serr->ee.ee_data += len;
1605 	return true;
1606 }
1607 
1608 static void __msg_zerocopy_callback(struct ubuf_info_msgzc *uarg)
1609 {
1610 	struct sk_buff *tail, *skb = skb_from_uarg(uarg);
1611 	struct sock_exterr_skb *serr;
1612 	struct sock *sk = skb->sk;
1613 	struct sk_buff_head *q;
1614 	unsigned long flags;
1615 	bool is_zerocopy;
1616 	u32 lo, hi;
1617 	u16 len;
1618 
1619 	mm_unaccount_pinned_pages(&uarg->mmp);
1620 
1621 	/* if !len, there was only 1 call, and it was aborted
1622 	 * so do not queue a completion notification
1623 	 */
1624 	if (!uarg->len || sock_flag(sk, SOCK_DEAD))
1625 		goto release;
1626 
1627 	len = uarg->len;
1628 	lo = uarg->id;
1629 	hi = uarg->id + len - 1;
1630 	is_zerocopy = uarg->zerocopy;
1631 
1632 	serr = SKB_EXT_ERR(skb);
1633 	memset(serr, 0, sizeof(*serr));
1634 	serr->ee.ee_errno = 0;
1635 	serr->ee.ee_origin = SO_EE_ORIGIN_ZEROCOPY;
1636 	serr->ee.ee_data = hi;
1637 	serr->ee.ee_info = lo;
1638 	if (!is_zerocopy)
1639 		serr->ee.ee_code |= SO_EE_CODE_ZEROCOPY_COPIED;
1640 
1641 	q = &sk->sk_error_queue;
1642 	spin_lock_irqsave(&q->lock, flags);
1643 	tail = skb_peek_tail(q);
1644 	if (!tail || SKB_EXT_ERR(tail)->ee.ee_origin != SO_EE_ORIGIN_ZEROCOPY ||
1645 	    !skb_zerocopy_notify_extend(tail, lo, len)) {
1646 		__skb_queue_tail(q, skb);
1647 		skb = NULL;
1648 	}
1649 	spin_unlock_irqrestore(&q->lock, flags);
1650 
1651 	sk_error_report(sk);
1652 
1653 release:
1654 	consume_skb(skb);
1655 	sock_put(sk);
1656 }
1657 
1658 void msg_zerocopy_callback(struct sk_buff *skb, struct ubuf_info *uarg,
1659 			   bool success)
1660 {
1661 	struct ubuf_info_msgzc *uarg_zc = uarg_to_msgzc(uarg);
1662 
1663 	uarg_zc->zerocopy = uarg_zc->zerocopy & success;
1664 
1665 	if (refcount_dec_and_test(&uarg->refcnt))
1666 		__msg_zerocopy_callback(uarg_zc);
1667 }
1668 EXPORT_SYMBOL_GPL(msg_zerocopy_callback);
1669 
1670 void msg_zerocopy_put_abort(struct ubuf_info *uarg, bool have_uref)
1671 {
1672 	struct sock *sk = skb_from_uarg(uarg_to_msgzc(uarg))->sk;
1673 
1674 	atomic_dec(&sk->sk_zckey);
1675 	uarg_to_msgzc(uarg)->len--;
1676 
1677 	if (have_uref)
1678 		msg_zerocopy_callback(NULL, uarg, true);
1679 }
1680 EXPORT_SYMBOL_GPL(msg_zerocopy_put_abort);
1681 
1682 int skb_zerocopy_iter_stream(struct sock *sk, struct sk_buff *skb,
1683 			     struct msghdr *msg, int len,
1684 			     struct ubuf_info *uarg)
1685 {
1686 	struct ubuf_info *orig_uarg = skb_zcopy(skb);
1687 	int err, orig_len = skb->len;
1688 
1689 	/* An skb can only point to one uarg. This edge case happens when
1690 	 * TCP appends to an skb, but zerocopy_realloc triggered a new alloc.
1691 	 */
1692 	if (orig_uarg && uarg != orig_uarg)
1693 		return -EEXIST;
1694 
1695 	err = __zerocopy_sg_from_iter(msg, sk, skb, &msg->msg_iter, len);
1696 	if (err == -EFAULT || (err == -EMSGSIZE && skb->len == orig_len)) {
1697 		struct sock *save_sk = skb->sk;
1698 
1699 		/* Streams do not free skb on error. Reset to prev state. */
1700 		iov_iter_revert(&msg->msg_iter, skb->len - orig_len);
1701 		skb->sk = sk;
1702 		___pskb_trim(skb, orig_len);
1703 		skb->sk = save_sk;
1704 		return err;
1705 	}
1706 
1707 	skb_zcopy_set(skb, uarg, NULL);
1708 	return skb->len - orig_len;
1709 }
1710 EXPORT_SYMBOL_GPL(skb_zerocopy_iter_stream);
1711 
1712 void __skb_zcopy_downgrade_managed(struct sk_buff *skb)
1713 {
1714 	int i;
1715 
1716 	skb_shinfo(skb)->flags &= ~SKBFL_MANAGED_FRAG_REFS;
1717 	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
1718 		skb_frag_ref(skb, i);
1719 }
1720 EXPORT_SYMBOL_GPL(__skb_zcopy_downgrade_managed);
1721 
1722 static int skb_zerocopy_clone(struct sk_buff *nskb, struct sk_buff *orig,
1723 			      gfp_t gfp_mask)
1724 {
1725 	if (skb_zcopy(orig)) {
1726 		if (skb_zcopy(nskb)) {
1727 			/* !gfp_mask callers are verified to !skb_zcopy(nskb) */
1728 			if (!gfp_mask) {
1729 				WARN_ON_ONCE(1);
1730 				return -ENOMEM;
1731 			}
1732 			if (skb_uarg(nskb) == skb_uarg(orig))
1733 				return 0;
1734 			if (skb_copy_ubufs(nskb, GFP_ATOMIC))
1735 				return -EIO;
1736 		}
1737 		skb_zcopy_set(nskb, skb_uarg(orig), NULL);
1738 	}
1739 	return 0;
1740 }
1741 
1742 /**
1743  *	skb_copy_ubufs	-	copy userspace skb frags buffers to kernel
1744  *	@skb: the skb to modify
1745  *	@gfp_mask: allocation priority
1746  *
1747  *	This must be called on skb with SKBFL_ZEROCOPY_ENABLE.
1748  *	It will copy all frags into kernel and drop the reference
1749  *	to userspace pages.
1750  *
1751  *	If this function is called from an interrupt gfp_mask() must be
1752  *	%GFP_ATOMIC.
1753  *
1754  *	Returns 0 on success or a negative error code on failure
1755  *	to allocate kernel memory to copy to.
1756  */
1757 int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask)
1758 {
1759 	int num_frags = skb_shinfo(skb)->nr_frags;
1760 	struct page *page, *head = NULL;
1761 	int i, order, psize, new_frags;
1762 	u32 d_off;
1763 
1764 	if (skb_shared(skb) || skb_unclone(skb, gfp_mask))
1765 		return -EINVAL;
1766 
1767 	if (!num_frags)
1768 		goto release;
1769 
1770 	/* We might have to allocate high order pages, so compute what minimum
1771 	 * page order is needed.
1772 	 */
1773 	order = 0;
1774 	while ((PAGE_SIZE << order) * MAX_SKB_FRAGS < __skb_pagelen(skb))
1775 		order++;
1776 	psize = (PAGE_SIZE << order);
1777 
1778 	new_frags = (__skb_pagelen(skb) + psize - 1) >> (PAGE_SHIFT + order);
1779 	for (i = 0; i < new_frags; i++) {
1780 		page = alloc_pages(gfp_mask | __GFP_COMP, order);
1781 		if (!page) {
1782 			while (head) {
1783 				struct page *next = (struct page *)page_private(head);
1784 				put_page(head);
1785 				head = next;
1786 			}
1787 			return -ENOMEM;
1788 		}
1789 		set_page_private(page, (unsigned long)head);
1790 		head = page;
1791 	}
1792 
1793 	page = head;
1794 	d_off = 0;
1795 	for (i = 0; i < num_frags; i++) {
1796 		skb_frag_t *f = &skb_shinfo(skb)->frags[i];
1797 		u32 p_off, p_len, copied;
1798 		struct page *p;
1799 		u8 *vaddr;
1800 
1801 		skb_frag_foreach_page(f, skb_frag_off(f), skb_frag_size(f),
1802 				      p, p_off, p_len, copied) {
1803 			u32 copy, done = 0;
1804 			vaddr = kmap_atomic(p);
1805 
1806 			while (done < p_len) {
1807 				if (d_off == psize) {
1808 					d_off = 0;
1809 					page = (struct page *)page_private(page);
1810 				}
1811 				copy = min_t(u32, psize - d_off, p_len - done);
1812 				memcpy(page_address(page) + d_off,
1813 				       vaddr + p_off + done, copy);
1814 				done += copy;
1815 				d_off += copy;
1816 			}
1817 			kunmap_atomic(vaddr);
1818 		}
1819 	}
1820 
1821 	/* skb frags release userspace buffers */
1822 	for (i = 0; i < num_frags; i++)
1823 		skb_frag_unref(skb, i);
1824 
1825 	/* skb frags point to kernel buffers */
1826 	for (i = 0; i < new_frags - 1; i++) {
1827 		__skb_fill_page_desc(skb, i, head, 0, psize);
1828 		head = (struct page *)page_private(head);
1829 	}
1830 	__skb_fill_page_desc(skb, new_frags - 1, head, 0, d_off);
1831 	skb_shinfo(skb)->nr_frags = new_frags;
1832 
1833 release:
1834 	skb_zcopy_clear(skb, false);
1835 	return 0;
1836 }
1837 EXPORT_SYMBOL_GPL(skb_copy_ubufs);
1838 
1839 /**
1840  *	skb_clone	-	duplicate an sk_buff
1841  *	@skb: buffer to clone
1842  *	@gfp_mask: allocation priority
1843  *
1844  *	Duplicate an &sk_buff. The new one is not owned by a socket. Both
1845  *	copies share the same packet data but not structure. The new
1846  *	buffer has a reference count of 1. If the allocation fails the
1847  *	function returns %NULL otherwise the new buffer is returned.
1848  *
1849  *	If this function is called from an interrupt gfp_mask() must be
1850  *	%GFP_ATOMIC.
1851  */
1852 
1853 struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask)
1854 {
1855 	struct sk_buff_fclones *fclones = container_of(skb,
1856 						       struct sk_buff_fclones,
1857 						       skb1);
1858 	struct sk_buff *n;
1859 
1860 	if (skb_orphan_frags(skb, gfp_mask))
1861 		return NULL;
1862 
1863 	if (skb->fclone == SKB_FCLONE_ORIG &&
1864 	    refcount_read(&fclones->fclone_ref) == 1) {
1865 		n = &fclones->skb2;
1866 		refcount_set(&fclones->fclone_ref, 2);
1867 		n->fclone = SKB_FCLONE_CLONE;
1868 	} else {
1869 		if (skb_pfmemalloc(skb))
1870 			gfp_mask |= __GFP_MEMALLOC;
1871 
1872 		n = kmem_cache_alloc(skbuff_cache, gfp_mask);
1873 		if (!n)
1874 			return NULL;
1875 
1876 		n->fclone = SKB_FCLONE_UNAVAILABLE;
1877 	}
1878 
1879 	return __skb_clone(n, skb);
1880 }
1881 EXPORT_SYMBOL(skb_clone);
1882 
1883 void skb_headers_offset_update(struct sk_buff *skb, int off)
1884 {
1885 	/* Only adjust this if it actually is csum_start rather than csum */
1886 	if (skb->ip_summed == CHECKSUM_PARTIAL)
1887 		skb->csum_start += off;
1888 	/* {transport,network,mac}_header and tail are relative to skb->head */
1889 	skb->transport_header += off;
1890 	skb->network_header   += off;
1891 	if (skb_mac_header_was_set(skb))
1892 		skb->mac_header += off;
1893 	skb->inner_transport_header += off;
1894 	skb->inner_network_header += off;
1895 	skb->inner_mac_header += off;
1896 }
1897 EXPORT_SYMBOL(skb_headers_offset_update);
1898 
1899 void skb_copy_header(struct sk_buff *new, const struct sk_buff *old)
1900 {
1901 	__copy_skb_header(new, old);
1902 
1903 	skb_shinfo(new)->gso_size = skb_shinfo(old)->gso_size;
1904 	skb_shinfo(new)->gso_segs = skb_shinfo(old)->gso_segs;
1905 	skb_shinfo(new)->gso_type = skb_shinfo(old)->gso_type;
1906 }
1907 EXPORT_SYMBOL(skb_copy_header);
1908 
1909 static inline int skb_alloc_rx_flag(const struct sk_buff *skb)
1910 {
1911 	if (skb_pfmemalloc(skb))
1912 		return SKB_ALLOC_RX;
1913 	return 0;
1914 }
1915 
1916 /**
1917  *	skb_copy	-	create private copy of an sk_buff
1918  *	@skb: buffer to copy
1919  *	@gfp_mask: allocation priority
1920  *
1921  *	Make a copy of both an &sk_buff and its data. This is used when the
1922  *	caller wishes to modify the data and needs a private copy of the
1923  *	data to alter. Returns %NULL on failure or the pointer to the buffer
1924  *	on success. The returned buffer has a reference count of 1.
1925  *
1926  *	As by-product this function converts non-linear &sk_buff to linear
1927  *	one, so that &sk_buff becomes completely private and caller is allowed
1928  *	to modify all the data of returned buffer. This means that this
1929  *	function is not recommended for use in circumstances when only
1930  *	header is going to be modified. Use pskb_copy() instead.
1931  */
1932 
1933 struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t gfp_mask)
1934 {
1935 	int headerlen = skb_headroom(skb);
1936 	unsigned int size = skb_end_offset(skb) + skb->data_len;
1937 	struct sk_buff *n = __alloc_skb(size, gfp_mask,
1938 					skb_alloc_rx_flag(skb), NUMA_NO_NODE);
1939 
1940 	if (!n)
1941 		return NULL;
1942 
1943 	/* Set the data pointer */
1944 	skb_reserve(n, headerlen);
1945 	/* Set the tail pointer and length */
1946 	skb_put(n, skb->len);
1947 
1948 	BUG_ON(skb_copy_bits(skb, -headerlen, n->head, headerlen + skb->len));
1949 
1950 	skb_copy_header(n, skb);
1951 	return n;
1952 }
1953 EXPORT_SYMBOL(skb_copy);
1954 
1955 /**
1956  *	__pskb_copy_fclone	-  create copy of an sk_buff with private head.
1957  *	@skb: buffer to copy
1958  *	@headroom: headroom of new skb
1959  *	@gfp_mask: allocation priority
1960  *	@fclone: if true allocate the copy of the skb from the fclone
1961  *	cache instead of the head cache; it is recommended to set this
1962  *	to true for the cases where the copy will likely be cloned
1963  *
1964  *	Make a copy of both an &sk_buff and part of its data, located
1965  *	in header. Fragmented data remain shared. This is used when
1966  *	the caller wishes to modify only header of &sk_buff and needs
1967  *	private copy of the header to alter. Returns %NULL on failure
1968  *	or the pointer to the buffer on success.
1969  *	The returned buffer has a reference count of 1.
1970  */
1971 
1972 struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom,
1973 				   gfp_t gfp_mask, bool fclone)
1974 {
1975 	unsigned int size = skb_headlen(skb) + headroom;
1976 	int flags = skb_alloc_rx_flag(skb) | (fclone ? SKB_ALLOC_FCLONE : 0);
1977 	struct sk_buff *n = __alloc_skb(size, gfp_mask, flags, NUMA_NO_NODE);
1978 
1979 	if (!n)
1980 		goto out;
1981 
1982 	/* Set the data pointer */
1983 	skb_reserve(n, headroom);
1984 	/* Set the tail pointer and length */
1985 	skb_put(n, skb_headlen(skb));
1986 	/* Copy the bytes */
1987 	skb_copy_from_linear_data(skb, n->data, n->len);
1988 
1989 	n->truesize += skb->data_len;
1990 	n->data_len  = skb->data_len;
1991 	n->len	     = skb->len;
1992 
1993 	if (skb_shinfo(skb)->nr_frags) {
1994 		int i;
1995 
1996 		if (skb_orphan_frags(skb, gfp_mask) ||
1997 		    skb_zerocopy_clone(n, skb, gfp_mask)) {
1998 			kfree_skb(n);
1999 			n = NULL;
2000 			goto out;
2001 		}
2002 		for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
2003 			skb_shinfo(n)->frags[i] = skb_shinfo(skb)->frags[i];
2004 			skb_frag_ref(skb, i);
2005 		}
2006 		skb_shinfo(n)->nr_frags = i;
2007 	}
2008 
2009 	if (skb_has_frag_list(skb)) {
2010 		skb_shinfo(n)->frag_list = skb_shinfo(skb)->frag_list;
2011 		skb_clone_fraglist(n);
2012 	}
2013 
2014 	skb_copy_header(n, skb);
2015 out:
2016 	return n;
2017 }
2018 EXPORT_SYMBOL(__pskb_copy_fclone);
2019 
2020 /**
2021  *	pskb_expand_head - reallocate header of &sk_buff
2022  *	@skb: buffer to reallocate
2023  *	@nhead: room to add at head
2024  *	@ntail: room to add at tail
2025  *	@gfp_mask: allocation priority
2026  *
2027  *	Expands (or creates identical copy, if @nhead and @ntail are zero)
2028  *	header of @skb. &sk_buff itself is not changed. &sk_buff MUST have
2029  *	reference count of 1. Returns zero in the case of success or error,
2030  *	if expansion failed. In the last case, &sk_buff is not changed.
2031  *
2032  *	All the pointers pointing into skb header may change and must be
2033  *	reloaded after call to this function.
2034  */
2035 
2036 int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
2037 		     gfp_t gfp_mask)
2038 {
2039 	unsigned int osize = skb_end_offset(skb);
2040 	unsigned int size = osize + nhead + ntail;
2041 	long off;
2042 	u8 *data;
2043 	int i;
2044 
2045 	BUG_ON(nhead < 0);
2046 
2047 	BUG_ON(skb_shared(skb));
2048 
2049 	skb_zcopy_downgrade_managed(skb);
2050 
2051 	if (skb_pfmemalloc(skb))
2052 		gfp_mask |= __GFP_MEMALLOC;
2053 
2054 	data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL);
2055 	if (!data)
2056 		goto nodata;
2057 	size = SKB_WITH_OVERHEAD(size);
2058 
2059 	/* Copy only real data... and, alas, header. This should be
2060 	 * optimized for the cases when header is void.
2061 	 */
2062 	memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
2063 
2064 	memcpy((struct skb_shared_info *)(data + size),
2065 	       skb_shinfo(skb),
2066 	       offsetof(struct skb_shared_info, frags[skb_shinfo(skb)->nr_frags]));
2067 
2068 	/*
2069 	 * if shinfo is shared we must drop the old head gracefully, but if it
2070 	 * is not we can just drop the old head and let the existing refcount
2071 	 * be since all we did is relocate the values
2072 	 */
2073 	if (skb_cloned(skb)) {
2074 		if (skb_orphan_frags(skb, gfp_mask))
2075 			goto nofrags;
2076 		if (skb_zcopy(skb))
2077 			refcount_inc(&skb_uarg(skb)->refcnt);
2078 		for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
2079 			skb_frag_ref(skb, i);
2080 
2081 		if (skb_has_frag_list(skb))
2082 			skb_clone_fraglist(skb);
2083 
2084 		skb_release_data(skb, SKB_CONSUMED, false);
2085 	} else {
2086 		skb_free_head(skb, false);
2087 	}
2088 	off = (data + nhead) - skb->head;
2089 
2090 	skb->head     = data;
2091 	skb->head_frag = 0;
2092 	skb->data    += off;
2093 
2094 	skb_set_end_offset(skb, size);
2095 #ifdef NET_SKBUFF_DATA_USES_OFFSET
2096 	off           = nhead;
2097 #endif
2098 	skb->tail	      += off;
2099 	skb_headers_offset_update(skb, nhead);
2100 	skb->cloned   = 0;
2101 	skb->hdr_len  = 0;
2102 	skb->nohdr    = 0;
2103 	atomic_set(&skb_shinfo(skb)->dataref, 1);
2104 
2105 	skb_metadata_clear(skb);
2106 
2107 	/* It is not generally safe to change skb->truesize.
2108 	 * For the moment, we really care of rx path, or
2109 	 * when skb is orphaned (not attached to a socket).
2110 	 */
2111 	if (!skb->sk || skb->destructor == sock_edemux)
2112 		skb->truesize += size - osize;
2113 
2114 	return 0;
2115 
2116 nofrags:
2117 	skb_kfree_head(data, size);
2118 nodata:
2119 	return -ENOMEM;
2120 }
2121 EXPORT_SYMBOL(pskb_expand_head);
2122 
2123 /* Make private copy of skb with writable head and some headroom */
2124 
2125 struct sk_buff *skb_realloc_headroom(struct sk_buff *skb, unsigned int headroom)
2126 {
2127 	struct sk_buff *skb2;
2128 	int delta = headroom - skb_headroom(skb);
2129 
2130 	if (delta <= 0)
2131 		skb2 = pskb_copy(skb, GFP_ATOMIC);
2132 	else {
2133 		skb2 = skb_clone(skb, GFP_ATOMIC);
2134 		if (skb2 && pskb_expand_head(skb2, SKB_DATA_ALIGN(delta), 0,
2135 					     GFP_ATOMIC)) {
2136 			kfree_skb(skb2);
2137 			skb2 = NULL;
2138 		}
2139 	}
2140 	return skb2;
2141 }
2142 EXPORT_SYMBOL(skb_realloc_headroom);
2143 
2144 /* Note: We plan to rework this in linux-6.4 */
2145 int __skb_unclone_keeptruesize(struct sk_buff *skb, gfp_t pri)
2146 {
2147 	unsigned int saved_end_offset, saved_truesize;
2148 	struct skb_shared_info *shinfo;
2149 	int res;
2150 
2151 	saved_end_offset = skb_end_offset(skb);
2152 	saved_truesize = skb->truesize;
2153 
2154 	res = pskb_expand_head(skb, 0, 0, pri);
2155 	if (res)
2156 		return res;
2157 
2158 	skb->truesize = saved_truesize;
2159 
2160 	if (likely(skb_end_offset(skb) == saved_end_offset))
2161 		return 0;
2162 
2163 #ifdef HAVE_SKB_SMALL_HEAD_CACHE
2164 	/* We can not change skb->end if the original or new value
2165 	 * is SKB_SMALL_HEAD_HEADROOM, as it might break skb_kfree_head().
2166 	 */
2167 	if (saved_end_offset == SKB_SMALL_HEAD_HEADROOM ||
2168 	    skb_end_offset(skb) == SKB_SMALL_HEAD_HEADROOM) {
2169 		/* We think this path should not be taken.
2170 		 * Add a temporary trace to warn us just in case.
2171 		 */
2172 		pr_err_once("__skb_unclone_keeptruesize() skb_end_offset() %u -> %u\n",
2173 			    saved_end_offset, skb_end_offset(skb));
2174 		WARN_ON_ONCE(1);
2175 		return 0;
2176 	}
2177 #endif
2178 
2179 	shinfo = skb_shinfo(skb);
2180 
2181 	/* We are about to change back skb->end,
2182 	 * we need to move skb_shinfo() to its new location.
2183 	 */
2184 	memmove(skb->head + saved_end_offset,
2185 		shinfo,
2186 		offsetof(struct skb_shared_info, frags[shinfo->nr_frags]));
2187 
2188 	skb_set_end_offset(skb, saved_end_offset);
2189 
2190 	return 0;
2191 }
2192 
2193 /**
2194  *	skb_expand_head - reallocate header of &sk_buff
2195  *	@skb: buffer to reallocate
2196  *	@headroom: needed headroom
2197  *
2198  *	Unlike skb_realloc_headroom, this one does not allocate a new skb
2199  *	if possible; copies skb->sk to new skb as needed
2200  *	and frees original skb in case of failures.
2201  *
2202  *	It expect increased headroom and generates warning otherwise.
2203  */
2204 
2205 struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom)
2206 {
2207 	int delta = headroom - skb_headroom(skb);
2208 	int osize = skb_end_offset(skb);
2209 	struct sock *sk = skb->sk;
2210 
2211 	if (WARN_ONCE(delta <= 0,
2212 		      "%s is expecting an increase in the headroom", __func__))
2213 		return skb;
2214 
2215 	delta = SKB_DATA_ALIGN(delta);
2216 	/* pskb_expand_head() might crash, if skb is shared. */
2217 	if (skb_shared(skb) || !is_skb_wmem(skb)) {
2218 		struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
2219 
2220 		if (unlikely(!nskb))
2221 			goto fail;
2222 
2223 		if (sk)
2224 			skb_set_owner_w(nskb, sk);
2225 		consume_skb(skb);
2226 		skb = nskb;
2227 	}
2228 	if (pskb_expand_head(skb, delta, 0, GFP_ATOMIC))
2229 		goto fail;
2230 
2231 	if (sk && is_skb_wmem(skb)) {
2232 		delta = skb_end_offset(skb) - osize;
2233 		refcount_add(delta, &sk->sk_wmem_alloc);
2234 		skb->truesize += delta;
2235 	}
2236 	return skb;
2237 
2238 fail:
2239 	kfree_skb(skb);
2240 	return NULL;
2241 }
2242 EXPORT_SYMBOL(skb_expand_head);
2243 
2244 /**
2245  *	skb_copy_expand	-	copy and expand sk_buff
2246  *	@skb: buffer to copy
2247  *	@newheadroom: new free bytes at head
2248  *	@newtailroom: new free bytes at tail
2249  *	@gfp_mask: allocation priority
2250  *
2251  *	Make a copy of both an &sk_buff and its data and while doing so
2252  *	allocate additional space.
2253  *
2254  *	This is used when the caller wishes to modify the data and needs a
2255  *	private copy of the data to alter as well as more space for new fields.
2256  *	Returns %NULL on failure or the pointer to the buffer
2257  *	on success. The returned buffer has a reference count of 1.
2258  *
2259  *	You must pass %GFP_ATOMIC as the allocation priority if this function
2260  *	is called from an interrupt.
2261  */
2262 struct sk_buff *skb_copy_expand(const struct sk_buff *skb,
2263 				int newheadroom, int newtailroom,
2264 				gfp_t gfp_mask)
2265 {
2266 	/*
2267 	 *	Allocate the copy buffer
2268 	 */
2269 	struct sk_buff *n = __alloc_skb(newheadroom + skb->len + newtailroom,
2270 					gfp_mask, skb_alloc_rx_flag(skb),
2271 					NUMA_NO_NODE);
2272 	int oldheadroom = skb_headroom(skb);
2273 	int head_copy_len, head_copy_off;
2274 
2275 	if (!n)
2276 		return NULL;
2277 
2278 	skb_reserve(n, newheadroom);
2279 
2280 	/* Set the tail pointer and length */
2281 	skb_put(n, skb->len);
2282 
2283 	head_copy_len = oldheadroom;
2284 	head_copy_off = 0;
2285 	if (newheadroom <= head_copy_len)
2286 		head_copy_len = newheadroom;
2287 	else
2288 		head_copy_off = newheadroom - head_copy_len;
2289 
2290 	/* Copy the linear header and data. */
2291 	BUG_ON(skb_copy_bits(skb, -head_copy_len, n->head + head_copy_off,
2292 			     skb->len + head_copy_len));
2293 
2294 	skb_copy_header(n, skb);
2295 
2296 	skb_headers_offset_update(n, newheadroom - oldheadroom);
2297 
2298 	return n;
2299 }
2300 EXPORT_SYMBOL(skb_copy_expand);
2301 
2302 /**
2303  *	__skb_pad		-	zero pad the tail of an skb
2304  *	@skb: buffer to pad
2305  *	@pad: space to pad
2306  *	@free_on_error: free buffer on error
2307  *
2308  *	Ensure that a buffer is followed by a padding area that is zero
2309  *	filled. Used by network drivers which may DMA or transfer data
2310  *	beyond the buffer end onto the wire.
2311  *
2312  *	May return error in out of memory cases. The skb is freed on error
2313  *	if @free_on_error is true.
2314  */
2315 
2316 int __skb_pad(struct sk_buff *skb, int pad, bool free_on_error)
2317 {
2318 	int err;
2319 	int ntail;
2320 
2321 	/* If the skbuff is non linear tailroom is always zero.. */
2322 	if (!skb_cloned(skb) && skb_tailroom(skb) >= pad) {
2323 		memset(skb->data+skb->len, 0, pad);
2324 		return 0;
2325 	}
2326 
2327 	ntail = skb->data_len + pad - (skb->end - skb->tail);
2328 	if (likely(skb_cloned(skb) || ntail > 0)) {
2329 		err = pskb_expand_head(skb, 0, ntail, GFP_ATOMIC);
2330 		if (unlikely(err))
2331 			goto free_skb;
2332 	}
2333 
2334 	/* FIXME: The use of this function with non-linear skb's really needs
2335 	 * to be audited.
2336 	 */
2337 	err = skb_linearize(skb);
2338 	if (unlikely(err))
2339 		goto free_skb;
2340 
2341 	memset(skb->data + skb->len, 0, pad);
2342 	return 0;
2343 
2344 free_skb:
2345 	if (free_on_error)
2346 		kfree_skb(skb);
2347 	return err;
2348 }
2349 EXPORT_SYMBOL(__skb_pad);
2350 
2351 /**
2352  *	pskb_put - add data to the tail of a potentially fragmented buffer
2353  *	@skb: start of the buffer to use
2354  *	@tail: tail fragment of the buffer to use
2355  *	@len: amount of data to add
2356  *
2357  *	This function extends the used data area of the potentially
2358  *	fragmented buffer. @tail must be the last fragment of @skb -- or
2359  *	@skb itself. If this would exceed the total buffer size the kernel
2360  *	will panic. A pointer to the first byte of the extra data is
2361  *	returned.
2362  */
2363 
2364 void *pskb_put(struct sk_buff *skb, struct sk_buff *tail, int len)
2365 {
2366 	if (tail != skb) {
2367 		skb->data_len += len;
2368 		skb->len += len;
2369 	}
2370 	return skb_put(tail, len);
2371 }
2372 EXPORT_SYMBOL_GPL(pskb_put);
2373 
2374 /**
2375  *	skb_put - add data to a buffer
2376  *	@skb: buffer to use
2377  *	@len: amount of data to add
2378  *
2379  *	This function extends the used data area of the buffer. If this would
2380  *	exceed the total buffer size the kernel will panic. A pointer to the
2381  *	first byte of the extra data is returned.
2382  */
2383 void *skb_put(struct sk_buff *skb, unsigned int len)
2384 {
2385 	void *tmp = skb_tail_pointer(skb);
2386 	SKB_LINEAR_ASSERT(skb);
2387 	skb->tail += len;
2388 	skb->len  += len;
2389 	if (unlikely(skb->tail > skb->end))
2390 		skb_over_panic(skb, len, __builtin_return_address(0));
2391 	return tmp;
2392 }
2393 EXPORT_SYMBOL(skb_put);
2394 
2395 /**
2396  *	skb_push - add data to the start of a buffer
2397  *	@skb: buffer to use
2398  *	@len: amount of data to add
2399  *
2400  *	This function extends the used data area of the buffer at the buffer
2401  *	start. If this would exceed the total buffer headroom the kernel will
2402  *	panic. A pointer to the first byte of the extra data is returned.
2403  */
2404 void *skb_push(struct sk_buff *skb, unsigned int len)
2405 {
2406 	skb->data -= len;
2407 	skb->len  += len;
2408 	if (unlikely(skb->data < skb->head))
2409 		skb_under_panic(skb, len, __builtin_return_address(0));
2410 	return skb->data;
2411 }
2412 EXPORT_SYMBOL(skb_push);
2413 
2414 /**
2415  *	skb_pull - remove data from the start of a buffer
2416  *	@skb: buffer to use
2417  *	@len: amount of data to remove
2418  *
2419  *	This function removes data from the start of a buffer, returning
2420  *	the memory to the headroom. A pointer to the next data in the buffer
2421  *	is returned. Once the data has been pulled future pushes will overwrite
2422  *	the old data.
2423  */
2424 void *skb_pull(struct sk_buff *skb, unsigned int len)
2425 {
2426 	return skb_pull_inline(skb, len);
2427 }
2428 EXPORT_SYMBOL(skb_pull);
2429 
2430 /**
2431  *	skb_pull_data - remove data from the start of a buffer returning its
2432  *	original position.
2433  *	@skb: buffer to use
2434  *	@len: amount of data to remove
2435  *
2436  *	This function removes data from the start of a buffer, returning
2437  *	the memory to the headroom. A pointer to the original data in the buffer
2438  *	is returned after checking if there is enough data to pull. Once the
2439  *	data has been pulled future pushes will overwrite the old data.
2440  */
2441 void *skb_pull_data(struct sk_buff *skb, size_t len)
2442 {
2443 	void *data = skb->data;
2444 
2445 	if (skb->len < len)
2446 		return NULL;
2447 
2448 	skb_pull(skb, len);
2449 
2450 	return data;
2451 }
2452 EXPORT_SYMBOL(skb_pull_data);
2453 
2454 /**
2455  *	skb_trim - remove end from a buffer
2456  *	@skb: buffer to alter
2457  *	@len: new length
2458  *
2459  *	Cut the length of a buffer down by removing data from the tail. If
2460  *	the buffer is already under the length specified it is not modified.
2461  *	The skb must be linear.
2462  */
2463 void skb_trim(struct sk_buff *skb, unsigned int len)
2464 {
2465 	if (skb->len > len)
2466 		__skb_trim(skb, len);
2467 }
2468 EXPORT_SYMBOL(skb_trim);
2469 
2470 /* Trims skb to length len. It can change skb pointers.
2471  */
2472 
2473 int ___pskb_trim(struct sk_buff *skb, unsigned int len)
2474 {
2475 	struct sk_buff **fragp;
2476 	struct sk_buff *frag;
2477 	int offset = skb_headlen(skb);
2478 	int nfrags = skb_shinfo(skb)->nr_frags;
2479 	int i;
2480 	int err;
2481 
2482 	if (skb_cloned(skb) &&
2483 	    unlikely((err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC))))
2484 		return err;
2485 
2486 	i = 0;
2487 	if (offset >= len)
2488 		goto drop_pages;
2489 
2490 	for (; i < nfrags; i++) {
2491 		int end = offset + skb_frag_size(&skb_shinfo(skb)->frags[i]);
2492 
2493 		if (end < len) {
2494 			offset = end;
2495 			continue;
2496 		}
2497 
2498 		skb_frag_size_set(&skb_shinfo(skb)->frags[i++], len - offset);
2499 
2500 drop_pages:
2501 		skb_shinfo(skb)->nr_frags = i;
2502 
2503 		for (; i < nfrags; i++)
2504 			skb_frag_unref(skb, i);
2505 
2506 		if (skb_has_frag_list(skb))
2507 			skb_drop_fraglist(skb);
2508 		goto done;
2509 	}
2510 
2511 	for (fragp = &skb_shinfo(skb)->frag_list; (frag = *fragp);
2512 	     fragp = &frag->next) {
2513 		int end = offset + frag->len;
2514 
2515 		if (skb_shared(frag)) {
2516 			struct sk_buff *nfrag;
2517 
2518 			nfrag = skb_clone(frag, GFP_ATOMIC);
2519 			if (unlikely(!nfrag))
2520 				return -ENOMEM;
2521 
2522 			nfrag->next = frag->next;
2523 			consume_skb(frag);
2524 			frag = nfrag;
2525 			*fragp = frag;
2526 		}
2527 
2528 		if (end < len) {
2529 			offset = end;
2530 			continue;
2531 		}
2532 
2533 		if (end > len &&
2534 		    unlikely((err = pskb_trim(frag, len - offset))))
2535 			return err;
2536 
2537 		if (frag->next)
2538 			skb_drop_list(&frag->next);
2539 		break;
2540 	}
2541 
2542 done:
2543 	if (len > skb_headlen(skb)) {
2544 		skb->data_len -= skb->len - len;
2545 		skb->len       = len;
2546 	} else {
2547 		skb->len       = len;
2548 		skb->data_len  = 0;
2549 		skb_set_tail_pointer(skb, len);
2550 	}
2551 
2552 	if (!skb->sk || skb->destructor == sock_edemux)
2553 		skb_condense(skb);
2554 	return 0;
2555 }
2556 EXPORT_SYMBOL(___pskb_trim);
2557 
2558 /* Note : use pskb_trim_rcsum() instead of calling this directly
2559  */
2560 int pskb_trim_rcsum_slow(struct sk_buff *skb, unsigned int len)
2561 {
2562 	if (skb->ip_summed == CHECKSUM_COMPLETE) {
2563 		int delta = skb->len - len;
2564 
2565 		skb->csum = csum_block_sub(skb->csum,
2566 					   skb_checksum(skb, len, delta, 0),
2567 					   len);
2568 	} else if (skb->ip_summed == CHECKSUM_PARTIAL) {
2569 		int hdlen = (len > skb_headlen(skb)) ? skb_headlen(skb) : len;
2570 		int offset = skb_checksum_start_offset(skb) + skb->csum_offset;
2571 
2572 		if (offset + sizeof(__sum16) > hdlen)
2573 			return -EINVAL;
2574 	}
2575 	return __pskb_trim(skb, len);
2576 }
2577 EXPORT_SYMBOL(pskb_trim_rcsum_slow);
2578 
2579 /**
2580  *	__pskb_pull_tail - advance tail of skb header
2581  *	@skb: buffer to reallocate
2582  *	@delta: number of bytes to advance tail
2583  *
2584  *	The function makes a sense only on a fragmented &sk_buff,
2585  *	it expands header moving its tail forward and copying necessary
2586  *	data from fragmented part.
2587  *
2588  *	&sk_buff MUST have reference count of 1.
2589  *
2590  *	Returns %NULL (and &sk_buff does not change) if pull failed
2591  *	or value of new tail of skb in the case of success.
2592  *
2593  *	All the pointers pointing into skb header may change and must be
2594  *	reloaded after call to this function.
2595  */
2596 
2597 /* Moves tail of skb head forward, copying data from fragmented part,
2598  * when it is necessary.
2599  * 1. It may fail due to malloc failure.
2600  * 2. It may change skb pointers.
2601  *
2602  * It is pretty complicated. Luckily, it is called only in exceptional cases.
2603  */
2604 void *__pskb_pull_tail(struct sk_buff *skb, int delta)
2605 {
2606 	/* If skb has not enough free space at tail, get new one
2607 	 * plus 128 bytes for future expansions. If we have enough
2608 	 * room at tail, reallocate without expansion only if skb is cloned.
2609 	 */
2610 	int i, k, eat = (skb->tail + delta) - skb->end;
2611 
2612 	if (eat > 0 || skb_cloned(skb)) {
2613 		if (pskb_expand_head(skb, 0, eat > 0 ? eat + 128 : 0,
2614 				     GFP_ATOMIC))
2615 			return NULL;
2616 	}
2617 
2618 	BUG_ON(skb_copy_bits(skb, skb_headlen(skb),
2619 			     skb_tail_pointer(skb), delta));
2620 
2621 	/* Optimization: no fragments, no reasons to preestimate
2622 	 * size of pulled pages. Superb.
2623 	 */
2624 	if (!skb_has_frag_list(skb))
2625 		goto pull_pages;
2626 
2627 	/* Estimate size of pulled pages. */
2628 	eat = delta;
2629 	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
2630 		int size = skb_frag_size(&skb_shinfo(skb)->frags[i]);
2631 
2632 		if (size >= eat)
2633 			goto pull_pages;
2634 		eat -= size;
2635 	}
2636 
2637 	/* If we need update frag list, we are in troubles.
2638 	 * Certainly, it is possible to add an offset to skb data,
2639 	 * but taking into account that pulling is expected to
2640 	 * be very rare operation, it is worth to fight against
2641 	 * further bloating skb head and crucify ourselves here instead.
2642 	 * Pure masohism, indeed. 8)8)
2643 	 */
2644 	if (eat) {
2645 		struct sk_buff *list = skb_shinfo(skb)->frag_list;
2646 		struct sk_buff *clone = NULL;
2647 		struct sk_buff *insp = NULL;
2648 
2649 		do {
2650 			if (list->len <= eat) {
2651 				/* Eaten as whole. */
2652 				eat -= list->len;
2653 				list = list->next;
2654 				insp = list;
2655 			} else {
2656 				/* Eaten partially. */
2657 				if (skb_is_gso(skb) && !list->head_frag &&
2658 				    skb_headlen(list))
2659 					skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
2660 
2661 				if (skb_shared(list)) {
2662 					/* Sucks! We need to fork list. :-( */
2663 					clone = skb_clone(list, GFP_ATOMIC);
2664 					if (!clone)
2665 						return NULL;
2666 					insp = list->next;
2667 					list = clone;
2668 				} else {
2669 					/* This may be pulled without
2670 					 * problems. */
2671 					insp = list;
2672 				}
2673 				if (!pskb_pull(list, eat)) {
2674 					kfree_skb(clone);
2675 					return NULL;
2676 				}
2677 				break;
2678 			}
2679 		} while (eat);
2680 
2681 		/* Free pulled out fragments. */
2682 		while ((list = skb_shinfo(skb)->frag_list) != insp) {
2683 			skb_shinfo(skb)->frag_list = list->next;
2684 			consume_skb(list);
2685 		}
2686 		/* And insert new clone at head. */
2687 		if (clone) {
2688 			clone->next = list;
2689 			skb_shinfo(skb)->frag_list = clone;
2690 		}
2691 	}
2692 	/* Success! Now we may commit changes to skb data. */
2693 
2694 pull_pages:
2695 	eat = delta;
2696 	k = 0;
2697 	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
2698 		int size = skb_frag_size(&skb_shinfo(skb)->frags[i]);
2699 
2700 		if (size <= eat) {
2701 			skb_frag_unref(skb, i);
2702 			eat -= size;
2703 		} else {
2704 			skb_frag_t *frag = &skb_shinfo(skb)->frags[k];
2705 
2706 			*frag = skb_shinfo(skb)->frags[i];
2707 			if (eat) {
2708 				skb_frag_off_add(frag, eat);
2709 				skb_frag_size_sub(frag, eat);
2710 				if (!i)
2711 					goto end;
2712 				eat = 0;
2713 			}
2714 			k++;
2715 		}
2716 	}
2717 	skb_shinfo(skb)->nr_frags = k;
2718 
2719 end:
2720 	skb->tail     += delta;
2721 	skb->data_len -= delta;
2722 
2723 	if (!skb->data_len)
2724 		skb_zcopy_clear(skb, false);
2725 
2726 	return skb_tail_pointer(skb);
2727 }
2728 EXPORT_SYMBOL(__pskb_pull_tail);
2729 
2730 /**
2731  *	skb_copy_bits - copy bits from skb to kernel buffer
2732  *	@skb: source skb
2733  *	@offset: offset in source
2734  *	@to: destination buffer
2735  *	@len: number of bytes to copy
2736  *
2737  *	Copy the specified number of bytes from the source skb to the
2738  *	destination buffer.
2739  *
2740  *	CAUTION ! :
2741  *		If its prototype is ever changed,
2742  *		check arch/{*}/net/{*}.S files,
2743  *		since it is called from BPF assembly code.
2744  */
2745 int skb_copy_bits(const struct sk_buff *skb, int offset, void *to, int len)
2746 {
2747 	int start = skb_headlen(skb);
2748 	struct sk_buff *frag_iter;
2749 	int i, copy;
2750 
2751 	if (offset > (int)skb->len - len)
2752 		goto fault;
2753 
2754 	/* Copy header. */
2755 	if ((copy = start - offset) > 0) {
2756 		if (copy > len)
2757 			copy = len;
2758 		skb_copy_from_linear_data_offset(skb, offset, to, copy);
2759 		if ((len -= copy) == 0)
2760 			return 0;
2761 		offset += copy;
2762 		to     += copy;
2763 	}
2764 
2765 	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
2766 		int end;
2767 		skb_frag_t *f = &skb_shinfo(skb)->frags[i];
2768 
2769 		WARN_ON(start > offset + len);
2770 
2771 		end = start + skb_frag_size(f);
2772 		if ((copy = end - offset) > 0) {
2773 			u32 p_off, p_len, copied;
2774 			struct page *p;
2775 			u8 *vaddr;
2776 
2777 			if (copy > len)
2778 				copy = len;
2779 
2780 			skb_frag_foreach_page(f,
2781 					      skb_frag_off(f) + offset - start,
2782 					      copy, p, p_off, p_len, copied) {
2783 				vaddr = kmap_atomic(p);
2784 				memcpy(to + copied, vaddr + p_off, p_len);
2785 				kunmap_atomic(vaddr);
2786 			}
2787 
2788 			if ((len -= copy) == 0)
2789 				return 0;
2790 			offset += copy;
2791 			to     += copy;
2792 		}
2793 		start = end;
2794 	}
2795 
2796 	skb_walk_frags(skb, frag_iter) {
2797 		int end;
2798 
2799 		WARN_ON(start > offset + len);
2800 
2801 		end = start + frag_iter->len;
2802 		if ((copy = end - offset) > 0) {
2803 			if (copy > len)
2804 				copy = len;
2805 			if (skb_copy_bits(frag_iter, offset - start, to, copy))
2806 				goto fault;
2807 			if ((len -= copy) == 0)
2808 				return 0;
2809 			offset += copy;
2810 			to     += copy;
2811 		}
2812 		start = end;
2813 	}
2814 
2815 	if (!len)
2816 		return 0;
2817 
2818 fault:
2819 	return -EFAULT;
2820 }
2821 EXPORT_SYMBOL(skb_copy_bits);
2822 
2823 /*
2824  * Callback from splice_to_pipe(), if we need to release some pages
2825  * at the end of the spd in case we error'ed out in filling the pipe.
2826  */
2827 static void sock_spd_release(struct splice_pipe_desc *spd, unsigned int i)
2828 {
2829 	put_page(spd->pages[i]);
2830 }
2831 
2832 static struct page *linear_to_page(struct page *page, unsigned int *len,
2833 				   unsigned int *offset,
2834 				   struct sock *sk)
2835 {
2836 	struct page_frag *pfrag = sk_page_frag(sk);
2837 
2838 	if (!sk_page_frag_refill(sk, pfrag))
2839 		return NULL;
2840 
2841 	*len = min_t(unsigned int, *len, pfrag->size - pfrag->offset);
2842 
2843 	memcpy(page_address(pfrag->page) + pfrag->offset,
2844 	       page_address(page) + *offset, *len);
2845 	*offset = pfrag->offset;
2846 	pfrag->offset += *len;
2847 
2848 	return pfrag->page;
2849 }
2850 
2851 static bool spd_can_coalesce(const struct splice_pipe_desc *spd,
2852 			     struct page *page,
2853 			     unsigned int offset)
2854 {
2855 	return	spd->nr_pages &&
2856 		spd->pages[spd->nr_pages - 1] == page &&
2857 		(spd->partial[spd->nr_pages - 1].offset +
2858 		 spd->partial[spd->nr_pages - 1].len == offset);
2859 }
2860 
2861 /*
2862  * Fill page/offset/length into spd, if it can hold more pages.
2863  */
2864 static bool spd_fill_page(struct splice_pipe_desc *spd,
2865 			  struct pipe_inode_info *pipe, struct page *page,
2866 			  unsigned int *len, unsigned int offset,
2867 			  bool linear,
2868 			  struct sock *sk)
2869 {
2870 	if (unlikely(spd->nr_pages == MAX_SKB_FRAGS))
2871 		return true;
2872 
2873 	if (linear) {
2874 		page = linear_to_page(page, len, &offset, sk);
2875 		if (!page)
2876 			return true;
2877 	}
2878 	if (spd_can_coalesce(spd, page, offset)) {
2879 		spd->partial[spd->nr_pages - 1].len += *len;
2880 		return false;
2881 	}
2882 	get_page(page);
2883 	spd->pages[spd->nr_pages] = page;
2884 	spd->partial[spd->nr_pages].len = *len;
2885 	spd->partial[spd->nr_pages].offset = offset;
2886 	spd->nr_pages++;
2887 
2888 	return false;
2889 }
2890 
2891 static bool __splice_segment(struct page *page, unsigned int poff,
2892 			     unsigned int plen, unsigned int *off,
2893 			     unsigned int *len,
2894 			     struct splice_pipe_desc *spd, bool linear,
2895 			     struct sock *sk,
2896 			     struct pipe_inode_info *pipe)
2897 {
2898 	if (!*len)
2899 		return true;
2900 
2901 	/* skip this segment if already processed */
2902 	if (*off >= plen) {
2903 		*off -= plen;
2904 		return false;
2905 	}
2906 
2907 	/* ignore any bits we already processed */
2908 	poff += *off;
2909 	plen -= *off;
2910 	*off = 0;
2911 
2912 	do {
2913 		unsigned int flen = min(*len, plen);
2914 
2915 		if (spd_fill_page(spd, pipe, page, &flen, poff,
2916 				  linear, sk))
2917 			return true;
2918 		poff += flen;
2919 		plen -= flen;
2920 		*len -= flen;
2921 	} while (*len && plen);
2922 
2923 	return false;
2924 }
2925 
2926 /*
2927  * Map linear and fragment data from the skb to spd. It reports true if the
2928  * pipe is full or if we already spliced the requested length.
2929  */
2930 static bool __skb_splice_bits(struct sk_buff *skb, struct pipe_inode_info *pipe,
2931 			      unsigned int *offset, unsigned int *len,
2932 			      struct splice_pipe_desc *spd, struct sock *sk)
2933 {
2934 	int seg;
2935 	struct sk_buff *iter;
2936 
2937 	/* map the linear part :
2938 	 * If skb->head_frag is set, this 'linear' part is backed by a
2939 	 * fragment, and if the head is not shared with any clones then
2940 	 * we can avoid a copy since we own the head portion of this page.
2941 	 */
2942 	if (__splice_segment(virt_to_page(skb->data),
2943 			     (unsigned long) skb->data & (PAGE_SIZE - 1),
2944 			     skb_headlen(skb),
2945 			     offset, len, spd,
2946 			     skb_head_is_locked(skb),
2947 			     sk, pipe))
2948 		return true;
2949 
2950 	/*
2951 	 * then map the fragments
2952 	 */
2953 	for (seg = 0; seg < skb_shinfo(skb)->nr_frags; seg++) {
2954 		const skb_frag_t *f = &skb_shinfo(skb)->frags[seg];
2955 
2956 		if (__splice_segment(skb_frag_page(f),
2957 				     skb_frag_off(f), skb_frag_size(f),
2958 				     offset, len, spd, false, sk, pipe))
2959 			return true;
2960 	}
2961 
2962 	skb_walk_frags(skb, iter) {
2963 		if (*offset >= iter->len) {
2964 			*offset -= iter->len;
2965 			continue;
2966 		}
2967 		/* __skb_splice_bits() only fails if the output has no room
2968 		 * left, so no point in going over the frag_list for the error
2969 		 * case.
2970 		 */
2971 		if (__skb_splice_bits(iter, pipe, offset, len, spd, sk))
2972 			return true;
2973 	}
2974 
2975 	return false;
2976 }
2977 
2978 /*
2979  * Map data from the skb to a pipe. Should handle both the linear part,
2980  * the fragments, and the frag list.
2981  */
2982 int skb_splice_bits(struct sk_buff *skb, struct sock *sk, unsigned int offset,
2983 		    struct pipe_inode_info *pipe, unsigned int tlen,
2984 		    unsigned int flags)
2985 {
2986 	struct partial_page partial[MAX_SKB_FRAGS];
2987 	struct page *pages[MAX_SKB_FRAGS];
2988 	struct splice_pipe_desc spd = {
2989 		.pages = pages,
2990 		.partial = partial,
2991 		.nr_pages_max = MAX_SKB_FRAGS,
2992 		.ops = &nosteal_pipe_buf_ops,
2993 		.spd_release = sock_spd_release,
2994 	};
2995 	int ret = 0;
2996 
2997 	__skb_splice_bits(skb, pipe, &offset, &tlen, &spd, sk);
2998 
2999 	if (spd.nr_pages)
3000 		ret = splice_to_pipe(pipe, &spd);
3001 
3002 	return ret;
3003 }
3004 EXPORT_SYMBOL_GPL(skb_splice_bits);
3005 
3006 static int sendmsg_unlocked(struct sock *sk, struct msghdr *msg,
3007 			    struct kvec *vec, size_t num, size_t size)
3008 {
3009 	struct socket *sock = sk->sk_socket;
3010 
3011 	if (!sock)
3012 		return -EINVAL;
3013 	return kernel_sendmsg(sock, msg, vec, num, size);
3014 }
3015 
3016 static int sendpage_unlocked(struct sock *sk, struct page *page, int offset,
3017 			     size_t size, int flags)
3018 {
3019 	struct socket *sock = sk->sk_socket;
3020 
3021 	if (!sock)
3022 		return -EINVAL;
3023 	return kernel_sendpage(sock, page, offset, size, flags);
3024 }
3025 
3026 typedef int (*sendmsg_func)(struct sock *sk, struct msghdr *msg,
3027 			    struct kvec *vec, size_t num, size_t size);
3028 typedef int (*sendpage_func)(struct sock *sk, struct page *page, int offset,
3029 			     size_t size, int flags);
3030 static int __skb_send_sock(struct sock *sk, struct sk_buff *skb, int offset,
3031 			   int len, sendmsg_func sendmsg, sendpage_func sendpage)
3032 {
3033 	unsigned int orig_len = len;
3034 	struct sk_buff *head = skb;
3035 	unsigned short fragidx;
3036 	int slen, ret;
3037 
3038 do_frag_list:
3039 
3040 	/* Deal with head data */
3041 	while (offset < skb_headlen(skb) && len) {
3042 		struct kvec kv;
3043 		struct msghdr msg;
3044 
3045 		slen = min_t(int, len, skb_headlen(skb) - offset);
3046 		kv.iov_base = skb->data + offset;
3047 		kv.iov_len = slen;
3048 		memset(&msg, 0, sizeof(msg));
3049 		msg.msg_flags = MSG_DONTWAIT;
3050 
3051 		ret = INDIRECT_CALL_2(sendmsg, kernel_sendmsg_locked,
3052 				      sendmsg_unlocked, sk, &msg, &kv, 1, slen);
3053 		if (ret <= 0)
3054 			goto error;
3055 
3056 		offset += ret;
3057 		len -= ret;
3058 	}
3059 
3060 	/* All the data was skb head? */
3061 	if (!len)
3062 		goto out;
3063 
3064 	/* Make offset relative to start of frags */
3065 	offset -= skb_headlen(skb);
3066 
3067 	/* Find where we are in frag list */
3068 	for (fragidx = 0; fragidx < skb_shinfo(skb)->nr_frags; fragidx++) {
3069 		skb_frag_t *frag  = &skb_shinfo(skb)->frags[fragidx];
3070 
3071 		if (offset < skb_frag_size(frag))
3072 			break;
3073 
3074 		offset -= skb_frag_size(frag);
3075 	}
3076 
3077 	for (; len && fragidx < skb_shinfo(skb)->nr_frags; fragidx++) {
3078 		skb_frag_t *frag  = &skb_shinfo(skb)->frags[fragidx];
3079 
3080 		slen = min_t(size_t, len, skb_frag_size(frag) - offset);
3081 
3082 		while (slen) {
3083 			ret = INDIRECT_CALL_2(sendpage, kernel_sendpage_locked,
3084 					      sendpage_unlocked, sk,
3085 					      skb_frag_page(frag),
3086 					      skb_frag_off(frag) + offset,
3087 					      slen, MSG_DONTWAIT);
3088 			if (ret <= 0)
3089 				goto error;
3090 
3091 			len -= ret;
3092 			offset += ret;
3093 			slen -= ret;
3094 		}
3095 
3096 		offset = 0;
3097 	}
3098 
3099 	if (len) {
3100 		/* Process any frag lists */
3101 
3102 		if (skb == head) {
3103 			if (skb_has_frag_list(skb)) {
3104 				skb = skb_shinfo(skb)->frag_list;
3105 				goto do_frag_list;
3106 			}
3107 		} else if (skb->next) {
3108 			skb = skb->next;
3109 			goto do_frag_list;
3110 		}
3111 	}
3112 
3113 out:
3114 	return orig_len - len;
3115 
3116 error:
3117 	return orig_len == len ? ret : orig_len - len;
3118 }
3119 
3120 /* Send skb data on a socket. Socket must be locked. */
3121 int skb_send_sock_locked(struct sock *sk, struct sk_buff *skb, int offset,
3122 			 int len)
3123 {
3124 	return __skb_send_sock(sk, skb, offset, len, kernel_sendmsg_locked,
3125 			       kernel_sendpage_locked);
3126 }
3127 EXPORT_SYMBOL_GPL(skb_send_sock_locked);
3128 
3129 /* Send skb data on a socket. Socket must be unlocked. */
3130 int skb_send_sock(struct sock *sk, struct sk_buff *skb, int offset, int len)
3131 {
3132 	return __skb_send_sock(sk, skb, offset, len, sendmsg_unlocked,
3133 			       sendpage_unlocked);
3134 }
3135 
3136 /**
3137  *	skb_store_bits - store bits from kernel buffer to skb
3138  *	@skb: destination buffer
3139  *	@offset: offset in destination
3140  *	@from: source buffer
3141  *	@len: number of bytes to copy
3142  *
3143  *	Copy the specified number of bytes from the source buffer to the
3144  *	destination skb.  This function handles all the messy bits of
3145  *	traversing fragment lists and such.
3146  */
3147 
3148 int skb_store_bits(struct sk_buff *skb, int offset, const void *from, int len)
3149 {
3150 	int start = skb_headlen(skb);
3151 	struct sk_buff *frag_iter;
3152 	int i, copy;
3153 
3154 	if (offset > (int)skb->len - len)
3155 		goto fault;
3156 
3157 	if ((copy = start - offset) > 0) {
3158 		if (copy > len)
3159 			copy = len;
3160 		skb_copy_to_linear_data_offset(skb, offset, from, copy);
3161 		if ((len -= copy) == 0)
3162 			return 0;
3163 		offset += copy;
3164 		from += copy;
3165 	}
3166 
3167 	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
3168 		skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
3169 		int end;
3170 
3171 		WARN_ON(start > offset + len);
3172 
3173 		end = start + skb_frag_size(frag);
3174 		if ((copy = end - offset) > 0) {
3175 			u32 p_off, p_len, copied;
3176 			struct page *p;
3177 			u8 *vaddr;
3178 
3179 			if (copy > len)
3180 				copy = len;
3181 
3182 			skb_frag_foreach_page(frag,
3183 					      skb_frag_off(frag) + offset - start,
3184 					      copy, p, p_off, p_len, copied) {
3185 				vaddr = kmap_atomic(p);
3186 				memcpy(vaddr + p_off, from + copied, p_len);
3187 				kunmap_atomic(vaddr);
3188 			}
3189 
3190 			if ((len -= copy) == 0)
3191 				return 0;
3192 			offset += copy;
3193 			from += copy;
3194 		}
3195 		start = end;
3196 	}
3197 
3198 	skb_walk_frags(skb, frag_iter) {
3199 		int end;
3200 
3201 		WARN_ON(start > offset + len);
3202 
3203 		end = start + frag_iter->len;
3204 		if ((copy = end - offset) > 0) {
3205 			if (copy > len)
3206 				copy = len;
3207 			if (skb_store_bits(frag_iter, offset - start,
3208 					   from, copy))
3209 				goto fault;
3210 			if ((len -= copy) == 0)
3211 				return 0;
3212 			offset += copy;
3213 			from += copy;
3214 		}
3215 		start = end;
3216 	}
3217 	if (!len)
3218 		return 0;
3219 
3220 fault:
3221 	return -EFAULT;
3222 }
3223 EXPORT_SYMBOL(skb_store_bits);
3224 
3225 /* Checksum skb data. */
3226 __wsum __skb_checksum(const struct sk_buff *skb, int offset, int len,
3227 		      __wsum csum, const struct skb_checksum_ops *ops)
3228 {
3229 	int start = skb_headlen(skb);
3230 	int i, copy = start - offset;
3231 	struct sk_buff *frag_iter;
3232 	int pos = 0;
3233 
3234 	/* Checksum header. */
3235 	if (copy > 0) {
3236 		if (copy > len)
3237 			copy = len;
3238 		csum = INDIRECT_CALL_1(ops->update, csum_partial_ext,
3239 				       skb->data + offset, copy, csum);
3240 		if ((len -= copy) == 0)
3241 			return csum;
3242 		offset += copy;
3243 		pos	= copy;
3244 	}
3245 
3246 	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
3247 		int end;
3248 		skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
3249 
3250 		WARN_ON(start > offset + len);
3251 
3252 		end = start + skb_frag_size(frag);
3253 		if ((copy = end - offset) > 0) {
3254 			u32 p_off, p_len, copied;
3255 			struct page *p;
3256 			__wsum csum2;
3257 			u8 *vaddr;
3258 
3259 			if (copy > len)
3260 				copy = len;
3261 
3262 			skb_frag_foreach_page(frag,
3263 					      skb_frag_off(frag) + offset - start,
3264 					      copy, p, p_off, p_len, copied) {
3265 				vaddr = kmap_atomic(p);
3266 				csum2 = INDIRECT_CALL_1(ops->update,
3267 							csum_partial_ext,
3268 							vaddr + p_off, p_len, 0);
3269 				kunmap_atomic(vaddr);
3270 				csum = INDIRECT_CALL_1(ops->combine,
3271 						       csum_block_add_ext, csum,
3272 						       csum2, pos, p_len);
3273 				pos += p_len;
3274 			}
3275 
3276 			if (!(len -= copy))
3277 				return csum;
3278 			offset += copy;
3279 		}
3280 		start = end;
3281 	}
3282 
3283 	skb_walk_frags(skb, frag_iter) {
3284 		int end;
3285 
3286 		WARN_ON(start > offset + len);
3287 
3288 		end = start + frag_iter->len;
3289 		if ((copy = end - offset) > 0) {
3290 			__wsum csum2;
3291 			if (copy > len)
3292 				copy = len;
3293 			csum2 = __skb_checksum(frag_iter, offset - start,
3294 					       copy, 0, ops);
3295 			csum = INDIRECT_CALL_1(ops->combine, csum_block_add_ext,
3296 					       csum, csum2, pos, copy);
3297 			if ((len -= copy) == 0)
3298 				return csum;
3299 			offset += copy;
3300 			pos    += copy;
3301 		}
3302 		start = end;
3303 	}
3304 	BUG_ON(len);
3305 
3306 	return csum;
3307 }
3308 EXPORT_SYMBOL(__skb_checksum);
3309 
3310 __wsum skb_checksum(const struct sk_buff *skb, int offset,
3311 		    int len, __wsum csum)
3312 {
3313 	const struct skb_checksum_ops ops = {
3314 		.update  = csum_partial_ext,
3315 		.combine = csum_block_add_ext,
3316 	};
3317 
3318 	return __skb_checksum(skb, offset, len, csum, &ops);
3319 }
3320 EXPORT_SYMBOL(skb_checksum);
3321 
3322 /* Both of above in one bottle. */
3323 
3324 __wsum skb_copy_and_csum_bits(const struct sk_buff *skb, int offset,
3325 				    u8 *to, int len)
3326 {
3327 	int start = skb_headlen(skb);
3328 	int i, copy = start - offset;
3329 	struct sk_buff *frag_iter;
3330 	int pos = 0;
3331 	__wsum csum = 0;
3332 
3333 	/* Copy header. */
3334 	if (copy > 0) {
3335 		if (copy > len)
3336 			copy = len;
3337 		csum = csum_partial_copy_nocheck(skb->data + offset, to,
3338 						 copy);
3339 		if ((len -= copy) == 0)
3340 			return csum;
3341 		offset += copy;
3342 		to     += copy;
3343 		pos	= copy;
3344 	}
3345 
3346 	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
3347 		int end;
3348 
3349 		WARN_ON(start > offset + len);
3350 
3351 		end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]);
3352 		if ((copy = end - offset) > 0) {
3353 			skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
3354 			u32 p_off, p_len, copied;
3355 			struct page *p;
3356 			__wsum csum2;
3357 			u8 *vaddr;
3358 
3359 			if (copy > len)
3360 				copy = len;
3361 
3362 			skb_frag_foreach_page(frag,
3363 					      skb_frag_off(frag) + offset - start,
3364 					      copy, p, p_off, p_len, copied) {
3365 				vaddr = kmap_atomic(p);
3366 				csum2 = csum_partial_copy_nocheck(vaddr + p_off,
3367 								  to + copied,
3368 								  p_len);
3369 				kunmap_atomic(vaddr);
3370 				csum = csum_block_add(csum, csum2, pos);
3371 				pos += p_len;
3372 			}
3373 
3374 			if (!(len -= copy))
3375 				return csum;
3376 			offset += copy;
3377 			to     += copy;
3378 		}
3379 		start = end;
3380 	}
3381 
3382 	skb_walk_frags(skb, frag_iter) {
3383 		__wsum csum2;
3384 		int end;
3385 
3386 		WARN_ON(start > offset + len);
3387 
3388 		end = start + frag_iter->len;
3389 		if ((copy = end - offset) > 0) {
3390 			if (copy > len)
3391 				copy = len;
3392 			csum2 = skb_copy_and_csum_bits(frag_iter,
3393 						       offset - start,
3394 						       to, copy);
3395 			csum = csum_block_add(csum, csum2, pos);
3396 			if ((len -= copy) == 0)
3397 				return csum;
3398 			offset += copy;
3399 			to     += copy;
3400 			pos    += copy;
3401 		}
3402 		start = end;
3403 	}
3404 	BUG_ON(len);
3405 	return csum;
3406 }
3407 EXPORT_SYMBOL(skb_copy_and_csum_bits);
3408 
3409 __sum16 __skb_checksum_complete_head(struct sk_buff *skb, int len)
3410 {
3411 	__sum16 sum;
3412 
3413 	sum = csum_fold(skb_checksum(skb, 0, len, skb->csum));
3414 	/* See comments in __skb_checksum_complete(). */
3415 	if (likely(!sum)) {
3416 		if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE) &&
3417 		    !skb->csum_complete_sw)
3418 			netdev_rx_csum_fault(skb->dev, skb);
3419 	}
3420 	if (!skb_shared(skb))
3421 		skb->csum_valid = !sum;
3422 	return sum;
3423 }
3424 EXPORT_SYMBOL(__skb_checksum_complete_head);
3425 
3426 /* This function assumes skb->csum already holds pseudo header's checksum,
3427  * which has been changed from the hardware checksum, for example, by
3428  * __skb_checksum_validate_complete(). And, the original skb->csum must
3429  * have been validated unsuccessfully for CHECKSUM_COMPLETE case.
3430  *
3431  * It returns non-zero if the recomputed checksum is still invalid, otherwise
3432  * zero. The new checksum is stored back into skb->csum unless the skb is
3433  * shared.
3434  */
3435 __sum16 __skb_checksum_complete(struct sk_buff *skb)
3436 {
3437 	__wsum csum;
3438 	__sum16 sum;
3439 
3440 	csum = skb_checksum(skb, 0, skb->len, 0);
3441 
3442 	sum = csum_fold(csum_add(skb->csum, csum));
3443 	/* This check is inverted, because we already knew the hardware
3444 	 * checksum is invalid before calling this function. So, if the
3445 	 * re-computed checksum is valid instead, then we have a mismatch
3446 	 * between the original skb->csum and skb_checksum(). This means either
3447 	 * the original hardware checksum is incorrect or we screw up skb->csum
3448 	 * when moving skb->data around.
3449 	 */
3450 	if (likely(!sum)) {
3451 		if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE) &&
3452 		    !skb->csum_complete_sw)
3453 			netdev_rx_csum_fault(skb->dev, skb);
3454 	}
3455 
3456 	if (!skb_shared(skb)) {
3457 		/* Save full packet checksum */
3458 		skb->csum = csum;
3459 		skb->ip_summed = CHECKSUM_COMPLETE;
3460 		skb->csum_complete_sw = 1;
3461 		skb->csum_valid = !sum;
3462 	}
3463 
3464 	return sum;
3465 }
3466 EXPORT_SYMBOL(__skb_checksum_complete);
3467 
3468 static __wsum warn_crc32c_csum_update(const void *buff, int len, __wsum sum)
3469 {
3470 	net_warn_ratelimited(
3471 		"%s: attempt to compute crc32c without libcrc32c.ko\n",
3472 		__func__);
3473 	return 0;
3474 }
3475 
3476 static __wsum warn_crc32c_csum_combine(__wsum csum, __wsum csum2,
3477 				       int offset, int len)
3478 {
3479 	net_warn_ratelimited(
3480 		"%s: attempt to compute crc32c without libcrc32c.ko\n",
3481 		__func__);
3482 	return 0;
3483 }
3484 
3485 static const struct skb_checksum_ops default_crc32c_ops = {
3486 	.update  = warn_crc32c_csum_update,
3487 	.combine = warn_crc32c_csum_combine,
3488 };
3489 
3490 const struct skb_checksum_ops *crc32c_csum_stub __read_mostly =
3491 	&default_crc32c_ops;
3492 EXPORT_SYMBOL(crc32c_csum_stub);
3493 
3494  /**
3495  *	skb_zerocopy_headlen - Calculate headroom needed for skb_zerocopy()
3496  *	@from: source buffer
3497  *
3498  *	Calculates the amount of linear headroom needed in the 'to' skb passed
3499  *	into skb_zerocopy().
3500  */
3501 unsigned int
3502 skb_zerocopy_headlen(const struct sk_buff *from)
3503 {
3504 	unsigned int hlen = 0;
3505 
3506 	if (!from->head_frag ||
3507 	    skb_headlen(from) < L1_CACHE_BYTES ||
3508 	    skb_shinfo(from)->nr_frags >= MAX_SKB_FRAGS) {
3509 		hlen = skb_headlen(from);
3510 		if (!hlen)
3511 			hlen = from->len;
3512 	}
3513 
3514 	if (skb_has_frag_list(from))
3515 		hlen = from->len;
3516 
3517 	return hlen;
3518 }
3519 EXPORT_SYMBOL_GPL(skb_zerocopy_headlen);
3520 
3521 /**
3522  *	skb_zerocopy - Zero copy skb to skb
3523  *	@to: destination buffer
3524  *	@from: source buffer
3525  *	@len: number of bytes to copy from source buffer
3526  *	@hlen: size of linear headroom in destination buffer
3527  *
3528  *	Copies up to `len` bytes from `from` to `to` by creating references
3529  *	to the frags in the source buffer.
3530  *
3531  *	The `hlen` as calculated by skb_zerocopy_headlen() specifies the
3532  *	headroom in the `to` buffer.
3533  *
3534  *	Return value:
3535  *	0: everything is OK
3536  *	-ENOMEM: couldn't orphan frags of @from due to lack of memory
3537  *	-EFAULT: skb_copy_bits() found some problem with skb geometry
3538  */
3539 int
3540 skb_zerocopy(struct sk_buff *to, struct sk_buff *from, int len, int hlen)
3541 {
3542 	int i, j = 0;
3543 	int plen = 0; /* length of skb->head fragment */
3544 	int ret;
3545 	struct page *page;
3546 	unsigned int offset;
3547 
3548 	BUG_ON(!from->head_frag && !hlen);
3549 
3550 	/* dont bother with small payloads */
3551 	if (len <= skb_tailroom(to))
3552 		return skb_copy_bits(from, 0, skb_put(to, len), len);
3553 
3554 	if (hlen) {
3555 		ret = skb_copy_bits(from, 0, skb_put(to, hlen), hlen);
3556 		if (unlikely(ret))
3557 			return ret;
3558 		len -= hlen;
3559 	} else {
3560 		plen = min_t(int, skb_headlen(from), len);
3561 		if (plen) {
3562 			page = virt_to_head_page(from->head);
3563 			offset = from->data - (unsigned char *)page_address(page);
3564 			__skb_fill_page_desc(to, 0, page, offset, plen);
3565 			get_page(page);
3566 			j = 1;
3567 			len -= plen;
3568 		}
3569 	}
3570 
3571 	skb_len_add(to, len + plen);
3572 
3573 	if (unlikely(skb_orphan_frags(from, GFP_ATOMIC))) {
3574 		skb_tx_error(from);
3575 		return -ENOMEM;
3576 	}
3577 	skb_zerocopy_clone(to, from, GFP_ATOMIC);
3578 
3579 	for (i = 0; i < skb_shinfo(from)->nr_frags; i++) {
3580 		int size;
3581 
3582 		if (!len)
3583 			break;
3584 		skb_shinfo(to)->frags[j] = skb_shinfo(from)->frags[i];
3585 		size = min_t(int, skb_frag_size(&skb_shinfo(to)->frags[j]),
3586 					len);
3587 		skb_frag_size_set(&skb_shinfo(to)->frags[j], size);
3588 		len -= size;
3589 		skb_frag_ref(to, j);
3590 		j++;
3591 	}
3592 	skb_shinfo(to)->nr_frags = j;
3593 
3594 	return 0;
3595 }
3596 EXPORT_SYMBOL_GPL(skb_zerocopy);
3597 
3598 void skb_copy_and_csum_dev(const struct sk_buff *skb, u8 *to)
3599 {
3600 	__wsum csum;
3601 	long csstart;
3602 
3603 	if (skb->ip_summed == CHECKSUM_PARTIAL)
3604 		csstart = skb_checksum_start_offset(skb);
3605 	else
3606 		csstart = skb_headlen(skb);
3607 
3608 	BUG_ON(csstart > skb_headlen(skb));
3609 
3610 	skb_copy_from_linear_data(skb, to, csstart);
3611 
3612 	csum = 0;
3613 	if (csstart != skb->len)
3614 		csum = skb_copy_and_csum_bits(skb, csstart, to + csstart,
3615 					      skb->len - csstart);
3616 
3617 	if (skb->ip_summed == CHECKSUM_PARTIAL) {
3618 		long csstuff = csstart + skb->csum_offset;
3619 
3620 		*((__sum16 *)(to + csstuff)) = csum_fold(csum);
3621 	}
3622 }
3623 EXPORT_SYMBOL(skb_copy_and_csum_dev);
3624 
3625 /**
3626  *	skb_dequeue - remove from the head of the queue
3627  *	@list: list to dequeue from
3628  *
3629  *	Remove the head of the list. The list lock is taken so the function
3630  *	may be used safely with other locking list functions. The head item is
3631  *	returned or %NULL if the list is empty.
3632  */
3633 
3634 struct sk_buff *skb_dequeue(struct sk_buff_head *list)
3635 {
3636 	unsigned long flags;
3637 	struct sk_buff *result;
3638 
3639 	spin_lock_irqsave(&list->lock, flags);
3640 	result = __skb_dequeue(list);
3641 	spin_unlock_irqrestore(&list->lock, flags);
3642 	return result;
3643 }
3644 EXPORT_SYMBOL(skb_dequeue);
3645 
3646 /**
3647  *	skb_dequeue_tail - remove from the tail of the queue
3648  *	@list: list to dequeue from
3649  *
3650  *	Remove the tail of the list. The list lock is taken so the function
3651  *	may be used safely with other locking list functions. The tail item is
3652  *	returned or %NULL if the list is empty.
3653  */
3654 struct sk_buff *skb_dequeue_tail(struct sk_buff_head *list)
3655 {
3656 	unsigned long flags;
3657 	struct sk_buff *result;
3658 
3659 	spin_lock_irqsave(&list->lock, flags);
3660 	result = __skb_dequeue_tail(list);
3661 	spin_unlock_irqrestore(&list->lock, flags);
3662 	return result;
3663 }
3664 EXPORT_SYMBOL(skb_dequeue_tail);
3665 
3666 /**
3667  *	skb_queue_purge - empty a list
3668  *	@list: list to empty
3669  *
3670  *	Delete all buffers on an &sk_buff list. Each buffer is removed from
3671  *	the list and one reference dropped. This function takes the list
3672  *	lock and is atomic with respect to other list locking functions.
3673  */
3674 void skb_queue_purge(struct sk_buff_head *list)
3675 {
3676 	struct sk_buff *skb;
3677 	while ((skb = skb_dequeue(list)) != NULL)
3678 		kfree_skb(skb);
3679 }
3680 EXPORT_SYMBOL(skb_queue_purge);
3681 
3682 /**
3683  *	skb_rbtree_purge - empty a skb rbtree
3684  *	@root: root of the rbtree to empty
3685  *	Return value: the sum of truesizes of all purged skbs.
3686  *
3687  *	Delete all buffers on an &sk_buff rbtree. Each buffer is removed from
3688  *	the list and one reference dropped. This function does not take
3689  *	any lock. Synchronization should be handled by the caller (e.g., TCP
3690  *	out-of-order queue is protected by the socket lock).
3691  */
3692 unsigned int skb_rbtree_purge(struct rb_root *root)
3693 {
3694 	struct rb_node *p = rb_first(root);
3695 	unsigned int sum = 0;
3696 
3697 	while (p) {
3698 		struct sk_buff *skb = rb_entry(p, struct sk_buff, rbnode);
3699 
3700 		p = rb_next(p);
3701 		rb_erase(&skb->rbnode, root);
3702 		sum += skb->truesize;
3703 		kfree_skb(skb);
3704 	}
3705 	return sum;
3706 }
3707 
3708 /**
3709  *	skb_queue_head - queue a buffer at the list head
3710  *	@list: list to use
3711  *	@newsk: buffer to queue
3712  *
3713  *	Queue a buffer at the start of the list. This function takes the
3714  *	list lock and can be used safely with other locking &sk_buff functions
3715  *	safely.
3716  *
3717  *	A buffer cannot be placed on two lists at the same time.
3718  */
3719 void skb_queue_head(struct sk_buff_head *list, struct sk_buff *newsk)
3720 {
3721 	unsigned long flags;
3722 
3723 	spin_lock_irqsave(&list->lock, flags);
3724 	__skb_queue_head(list, newsk);
3725 	spin_unlock_irqrestore(&list->lock, flags);
3726 }
3727 EXPORT_SYMBOL(skb_queue_head);
3728 
3729 /**
3730  *	skb_queue_tail - queue a buffer at the list tail
3731  *	@list: list to use
3732  *	@newsk: buffer to queue
3733  *
3734  *	Queue a buffer at the tail of the list. This function takes the
3735  *	list lock and can be used safely with other locking &sk_buff functions
3736  *	safely.
3737  *
3738  *	A buffer cannot be placed on two lists at the same time.
3739  */
3740 void skb_queue_tail(struct sk_buff_head *list, struct sk_buff *newsk)
3741 {
3742 	unsigned long flags;
3743 
3744 	spin_lock_irqsave(&list->lock, flags);
3745 	__skb_queue_tail(list, newsk);
3746 	spin_unlock_irqrestore(&list->lock, flags);
3747 }
3748 EXPORT_SYMBOL(skb_queue_tail);
3749 
3750 /**
3751  *	skb_unlink	-	remove a buffer from a list
3752  *	@skb: buffer to remove
3753  *	@list: list to use
3754  *
3755  *	Remove a packet from a list. The list locks are taken and this
3756  *	function is atomic with respect to other list locked calls
3757  *
3758  *	You must know what list the SKB is on.
3759  */
3760 void skb_unlink(struct sk_buff *skb, struct sk_buff_head *list)
3761 {
3762 	unsigned long flags;
3763 
3764 	spin_lock_irqsave(&list->lock, flags);
3765 	__skb_unlink(skb, list);
3766 	spin_unlock_irqrestore(&list->lock, flags);
3767 }
3768 EXPORT_SYMBOL(skb_unlink);
3769 
3770 /**
3771  *	skb_append	-	append a buffer
3772  *	@old: buffer to insert after
3773  *	@newsk: buffer to insert
3774  *	@list: list to use
3775  *
3776  *	Place a packet after a given packet in a list. The list locks are taken
3777  *	and this function is atomic with respect to other list locked calls.
3778  *	A buffer cannot be placed on two lists at the same time.
3779  */
3780 void skb_append(struct sk_buff *old, struct sk_buff *newsk, struct sk_buff_head *list)
3781 {
3782 	unsigned long flags;
3783 
3784 	spin_lock_irqsave(&list->lock, flags);
3785 	__skb_queue_after(list, old, newsk);
3786 	spin_unlock_irqrestore(&list->lock, flags);
3787 }
3788 EXPORT_SYMBOL(skb_append);
3789 
3790 static inline void skb_split_inside_header(struct sk_buff *skb,
3791 					   struct sk_buff* skb1,
3792 					   const u32 len, const int pos)
3793 {
3794 	int i;
3795 
3796 	skb_copy_from_linear_data_offset(skb, len, skb_put(skb1, pos - len),
3797 					 pos - len);
3798 	/* And move data appendix as is. */
3799 	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
3800 		skb_shinfo(skb1)->frags[i] = skb_shinfo(skb)->frags[i];
3801 
3802 	skb_shinfo(skb1)->nr_frags = skb_shinfo(skb)->nr_frags;
3803 	skb_shinfo(skb)->nr_frags  = 0;
3804 	skb1->data_len		   = skb->data_len;
3805 	skb1->len		   += skb1->data_len;
3806 	skb->data_len		   = 0;
3807 	skb->len		   = len;
3808 	skb_set_tail_pointer(skb, len);
3809 }
3810 
3811 static inline void skb_split_no_header(struct sk_buff *skb,
3812 				       struct sk_buff* skb1,
3813 				       const u32 len, int pos)
3814 {
3815 	int i, k = 0;
3816 	const int nfrags = skb_shinfo(skb)->nr_frags;
3817 
3818 	skb_shinfo(skb)->nr_frags = 0;
3819 	skb1->len		  = skb1->data_len = skb->len - len;
3820 	skb->len		  = len;
3821 	skb->data_len		  = len - pos;
3822 
3823 	for (i = 0; i < nfrags; i++) {
3824 		int size = skb_frag_size(&skb_shinfo(skb)->frags[i]);
3825 
3826 		if (pos + size > len) {
3827 			skb_shinfo(skb1)->frags[k] = skb_shinfo(skb)->frags[i];
3828 
3829 			if (pos < len) {
3830 				/* Split frag.
3831 				 * We have two variants in this case:
3832 				 * 1. Move all the frag to the second
3833 				 *    part, if it is possible. F.e.
3834 				 *    this approach is mandatory for TUX,
3835 				 *    where splitting is expensive.
3836 				 * 2. Split is accurately. We make this.
3837 				 */
3838 				skb_frag_ref(skb, i);
3839 				skb_frag_off_add(&skb_shinfo(skb1)->frags[0], len - pos);
3840 				skb_frag_size_sub(&skb_shinfo(skb1)->frags[0], len - pos);
3841 				skb_frag_size_set(&skb_shinfo(skb)->frags[i], len - pos);
3842 				skb_shinfo(skb)->nr_frags++;
3843 			}
3844 			k++;
3845 		} else
3846 			skb_shinfo(skb)->nr_frags++;
3847 		pos += size;
3848 	}
3849 	skb_shinfo(skb1)->nr_frags = k;
3850 }
3851 
3852 /**
3853  * skb_split - Split fragmented skb to two parts at length len.
3854  * @skb: the buffer to split
3855  * @skb1: the buffer to receive the second part
3856  * @len: new length for skb
3857  */
3858 void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len)
3859 {
3860 	int pos = skb_headlen(skb);
3861 	const int zc_flags = SKBFL_SHARED_FRAG | SKBFL_PURE_ZEROCOPY;
3862 
3863 	skb_zcopy_downgrade_managed(skb);
3864 
3865 	skb_shinfo(skb1)->flags |= skb_shinfo(skb)->flags & zc_flags;
3866 	skb_zerocopy_clone(skb1, skb, 0);
3867 	if (len < pos)	/* Split line is inside header. */
3868 		skb_split_inside_header(skb, skb1, len, pos);
3869 	else		/* Second chunk has no header, nothing to copy. */
3870 		skb_split_no_header(skb, skb1, len, pos);
3871 }
3872 EXPORT_SYMBOL(skb_split);
3873 
3874 /* Shifting from/to a cloned skb is a no-go.
3875  *
3876  * Caller cannot keep skb_shinfo related pointers past calling here!
3877  */
3878 static int skb_prepare_for_shift(struct sk_buff *skb)
3879 {
3880 	return skb_unclone_keeptruesize(skb, GFP_ATOMIC);
3881 }
3882 
3883 /**
3884  * skb_shift - Shifts paged data partially from skb to another
3885  * @tgt: buffer into which tail data gets added
3886  * @skb: buffer from which the paged data comes from
3887  * @shiftlen: shift up to this many bytes
3888  *
3889  * Attempts to shift up to shiftlen worth of bytes, which may be less than
3890  * the length of the skb, from skb to tgt. Returns number bytes shifted.
3891  * It's up to caller to free skb if everything was shifted.
3892  *
3893  * If @tgt runs out of frags, the whole operation is aborted.
3894  *
3895  * Skb cannot include anything else but paged data while tgt is allowed
3896  * to have non-paged data as well.
3897  *
3898  * TODO: full sized shift could be optimized but that would need
3899  * specialized skb free'er to handle frags without up-to-date nr_frags.
3900  */
3901 int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen)
3902 {
3903 	int from, to, merge, todo;
3904 	skb_frag_t *fragfrom, *fragto;
3905 
3906 	BUG_ON(shiftlen > skb->len);
3907 
3908 	if (skb_headlen(skb))
3909 		return 0;
3910 	if (skb_zcopy(tgt) || skb_zcopy(skb))
3911 		return 0;
3912 
3913 	todo = shiftlen;
3914 	from = 0;
3915 	to = skb_shinfo(tgt)->nr_frags;
3916 	fragfrom = &skb_shinfo(skb)->frags[from];
3917 
3918 	/* Actual merge is delayed until the point when we know we can
3919 	 * commit all, so that we don't have to undo partial changes
3920 	 */
3921 	if (!to ||
3922 	    !skb_can_coalesce(tgt, to, skb_frag_page(fragfrom),
3923 			      skb_frag_off(fragfrom))) {
3924 		merge = -1;
3925 	} else {
3926 		merge = to - 1;
3927 
3928 		todo -= skb_frag_size(fragfrom);
3929 		if (todo < 0) {
3930 			if (skb_prepare_for_shift(skb) ||
3931 			    skb_prepare_for_shift(tgt))
3932 				return 0;
3933 
3934 			/* All previous frag pointers might be stale! */
3935 			fragfrom = &skb_shinfo(skb)->frags[from];
3936 			fragto = &skb_shinfo(tgt)->frags[merge];
3937 
3938 			skb_frag_size_add(fragto, shiftlen);
3939 			skb_frag_size_sub(fragfrom, shiftlen);
3940 			skb_frag_off_add(fragfrom, shiftlen);
3941 
3942 			goto onlymerged;
3943 		}
3944 
3945 		from++;
3946 	}
3947 
3948 	/* Skip full, not-fitting skb to avoid expensive operations */
3949 	if ((shiftlen == skb->len) &&
3950 	    (skb_shinfo(skb)->nr_frags - from) > (MAX_SKB_FRAGS - to))
3951 		return 0;
3952 
3953 	if (skb_prepare_for_shift(skb) || skb_prepare_for_shift(tgt))
3954 		return 0;
3955 
3956 	while ((todo > 0) && (from < skb_shinfo(skb)->nr_frags)) {
3957 		if (to == MAX_SKB_FRAGS)
3958 			return 0;
3959 
3960 		fragfrom = &skb_shinfo(skb)->frags[from];
3961 		fragto = &skb_shinfo(tgt)->frags[to];
3962 
3963 		if (todo >= skb_frag_size(fragfrom)) {
3964 			*fragto = *fragfrom;
3965 			todo -= skb_frag_size(fragfrom);
3966 			from++;
3967 			to++;
3968 
3969 		} else {
3970 			__skb_frag_ref(fragfrom);
3971 			skb_frag_page_copy(fragto, fragfrom);
3972 			skb_frag_off_copy(fragto, fragfrom);
3973 			skb_frag_size_set(fragto, todo);
3974 
3975 			skb_frag_off_add(fragfrom, todo);
3976 			skb_frag_size_sub(fragfrom, todo);
3977 			todo = 0;
3978 
3979 			to++;
3980 			break;
3981 		}
3982 	}
3983 
3984 	/* Ready to "commit" this state change to tgt */
3985 	skb_shinfo(tgt)->nr_frags = to;
3986 
3987 	if (merge >= 0) {
3988 		fragfrom = &skb_shinfo(skb)->frags[0];
3989 		fragto = &skb_shinfo(tgt)->frags[merge];
3990 
3991 		skb_frag_size_add(fragto, skb_frag_size(fragfrom));
3992 		__skb_frag_unref(fragfrom, skb->pp_recycle);
3993 	}
3994 
3995 	/* Reposition in the original skb */
3996 	to = 0;
3997 	while (from < skb_shinfo(skb)->nr_frags)
3998 		skb_shinfo(skb)->frags[to++] = skb_shinfo(skb)->frags[from++];
3999 	skb_shinfo(skb)->nr_frags = to;
4000 
4001 	BUG_ON(todo > 0 && !skb_shinfo(skb)->nr_frags);
4002 
4003 onlymerged:
4004 	/* Most likely the tgt won't ever need its checksum anymore, skb on
4005 	 * the other hand might need it if it needs to be resent
4006 	 */
4007 	tgt->ip_summed = CHECKSUM_PARTIAL;
4008 	skb->ip_summed = CHECKSUM_PARTIAL;
4009 
4010 	skb_len_add(skb, -shiftlen);
4011 	skb_len_add(tgt, shiftlen);
4012 
4013 	return shiftlen;
4014 }
4015 
4016 /**
4017  * skb_prepare_seq_read - Prepare a sequential read of skb data
4018  * @skb: the buffer to read
4019  * @from: lower offset of data to be read
4020  * @to: upper offset of data to be read
4021  * @st: state variable
4022  *
4023  * Initializes the specified state variable. Must be called before
4024  * invoking skb_seq_read() for the first time.
4025  */
4026 void skb_prepare_seq_read(struct sk_buff *skb, unsigned int from,
4027 			  unsigned int to, struct skb_seq_state *st)
4028 {
4029 	st->lower_offset = from;
4030 	st->upper_offset = to;
4031 	st->root_skb = st->cur_skb = skb;
4032 	st->frag_idx = st->stepped_offset = 0;
4033 	st->frag_data = NULL;
4034 	st->frag_off = 0;
4035 }
4036 EXPORT_SYMBOL(skb_prepare_seq_read);
4037 
4038 /**
4039  * skb_seq_read - Sequentially read skb data
4040  * @consumed: number of bytes consumed by the caller so far
4041  * @data: destination pointer for data to be returned
4042  * @st: state variable
4043  *
4044  * Reads a block of skb data at @consumed relative to the
4045  * lower offset specified to skb_prepare_seq_read(). Assigns
4046  * the head of the data block to @data and returns the length
4047  * of the block or 0 if the end of the skb data or the upper
4048  * offset has been reached.
4049  *
4050  * The caller is not required to consume all of the data
4051  * returned, i.e. @consumed is typically set to the number
4052  * of bytes already consumed and the next call to
4053  * skb_seq_read() will return the remaining part of the block.
4054  *
4055  * Note 1: The size of each block of data returned can be arbitrary,
4056  *       this limitation is the cost for zerocopy sequential
4057  *       reads of potentially non linear data.
4058  *
4059  * Note 2: Fragment lists within fragments are not implemented
4060  *       at the moment, state->root_skb could be replaced with
4061  *       a stack for this purpose.
4062  */
4063 unsigned int skb_seq_read(unsigned int consumed, const u8 **data,
4064 			  struct skb_seq_state *st)
4065 {
4066 	unsigned int block_limit, abs_offset = consumed + st->lower_offset;
4067 	skb_frag_t *frag;
4068 
4069 	if (unlikely(abs_offset >= st->upper_offset)) {
4070 		if (st->frag_data) {
4071 			kunmap_atomic(st->frag_data);
4072 			st->frag_data = NULL;
4073 		}
4074 		return 0;
4075 	}
4076 
4077 next_skb:
4078 	block_limit = skb_headlen(st->cur_skb) + st->stepped_offset;
4079 
4080 	if (abs_offset < block_limit && !st->frag_data) {
4081 		*data = st->cur_skb->data + (abs_offset - st->stepped_offset);
4082 		return block_limit - abs_offset;
4083 	}
4084 
4085 	if (st->frag_idx == 0 && !st->frag_data)
4086 		st->stepped_offset += skb_headlen(st->cur_skb);
4087 
4088 	while (st->frag_idx < skb_shinfo(st->cur_skb)->nr_frags) {
4089 		unsigned int pg_idx, pg_off, pg_sz;
4090 
4091 		frag = &skb_shinfo(st->cur_skb)->frags[st->frag_idx];
4092 
4093 		pg_idx = 0;
4094 		pg_off = skb_frag_off(frag);
4095 		pg_sz = skb_frag_size(frag);
4096 
4097 		if (skb_frag_must_loop(skb_frag_page(frag))) {
4098 			pg_idx = (pg_off + st->frag_off) >> PAGE_SHIFT;
4099 			pg_off = offset_in_page(pg_off + st->frag_off);
4100 			pg_sz = min_t(unsigned int, pg_sz - st->frag_off,
4101 						    PAGE_SIZE - pg_off);
4102 		}
4103 
4104 		block_limit = pg_sz + st->stepped_offset;
4105 		if (abs_offset < block_limit) {
4106 			if (!st->frag_data)
4107 				st->frag_data = kmap_atomic(skb_frag_page(frag) + pg_idx);
4108 
4109 			*data = (u8 *)st->frag_data + pg_off +
4110 				(abs_offset - st->stepped_offset);
4111 
4112 			return block_limit - abs_offset;
4113 		}
4114 
4115 		if (st->frag_data) {
4116 			kunmap_atomic(st->frag_data);
4117 			st->frag_data = NULL;
4118 		}
4119 
4120 		st->stepped_offset += pg_sz;
4121 		st->frag_off += pg_sz;
4122 		if (st->frag_off == skb_frag_size(frag)) {
4123 			st->frag_off = 0;
4124 			st->frag_idx++;
4125 		}
4126 	}
4127 
4128 	if (st->frag_data) {
4129 		kunmap_atomic(st->frag_data);
4130 		st->frag_data = NULL;
4131 	}
4132 
4133 	if (st->root_skb == st->cur_skb && skb_has_frag_list(st->root_skb)) {
4134 		st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
4135 		st->frag_idx = 0;
4136 		goto next_skb;
4137 	} else if (st->cur_skb->next) {
4138 		st->cur_skb = st->cur_skb->next;
4139 		st->frag_idx = 0;
4140 		goto next_skb;
4141 	}
4142 
4143 	return 0;
4144 }
4145 EXPORT_SYMBOL(skb_seq_read);
4146 
4147 /**
4148  * skb_abort_seq_read - Abort a sequential read of skb data
4149  * @st: state variable
4150  *
4151  * Must be called if skb_seq_read() was not called until it
4152  * returned 0.
4153  */
4154 void skb_abort_seq_read(struct skb_seq_state *st)
4155 {
4156 	if (st->frag_data)
4157 		kunmap_atomic(st->frag_data);
4158 }
4159 EXPORT_SYMBOL(skb_abort_seq_read);
4160 
4161 #define TS_SKB_CB(state)	((struct skb_seq_state *) &((state)->cb))
4162 
4163 static unsigned int skb_ts_get_next_block(unsigned int offset, const u8 **text,
4164 					  struct ts_config *conf,
4165 					  struct ts_state *state)
4166 {
4167 	return skb_seq_read(offset, text, TS_SKB_CB(state));
4168 }
4169 
4170 static void skb_ts_finish(struct ts_config *conf, struct ts_state *state)
4171 {
4172 	skb_abort_seq_read(TS_SKB_CB(state));
4173 }
4174 
4175 /**
4176  * skb_find_text - Find a text pattern in skb data
4177  * @skb: the buffer to look in
4178  * @from: search offset
4179  * @to: search limit
4180  * @config: textsearch configuration
4181  *
4182  * Finds a pattern in the skb data according to the specified
4183  * textsearch configuration. Use textsearch_next() to retrieve
4184  * subsequent occurrences of the pattern. Returns the offset
4185  * to the first occurrence or UINT_MAX if no match was found.
4186  */
4187 unsigned int skb_find_text(struct sk_buff *skb, unsigned int from,
4188 			   unsigned int to, struct ts_config *config)
4189 {
4190 	struct ts_state state;
4191 	unsigned int ret;
4192 
4193 	BUILD_BUG_ON(sizeof(struct skb_seq_state) > sizeof(state.cb));
4194 
4195 	config->get_next_block = skb_ts_get_next_block;
4196 	config->finish = skb_ts_finish;
4197 
4198 	skb_prepare_seq_read(skb, from, to, TS_SKB_CB(&state));
4199 
4200 	ret = textsearch_find(config, &state);
4201 	return (ret <= to - from ? ret : UINT_MAX);
4202 }
4203 EXPORT_SYMBOL(skb_find_text);
4204 
4205 int skb_append_pagefrags(struct sk_buff *skb, struct page *page,
4206 			 int offset, size_t size)
4207 {
4208 	int i = skb_shinfo(skb)->nr_frags;
4209 
4210 	if (skb_can_coalesce(skb, i, page, offset)) {
4211 		skb_frag_size_add(&skb_shinfo(skb)->frags[i - 1], size);
4212 	} else if (i < MAX_SKB_FRAGS) {
4213 		skb_zcopy_downgrade_managed(skb);
4214 		get_page(page);
4215 		skb_fill_page_desc_noacc(skb, i, page, offset, size);
4216 	} else {
4217 		return -EMSGSIZE;
4218 	}
4219 
4220 	return 0;
4221 }
4222 EXPORT_SYMBOL_GPL(skb_append_pagefrags);
4223 
4224 /**
4225  *	skb_pull_rcsum - pull skb and update receive checksum
4226  *	@skb: buffer to update
4227  *	@len: length of data pulled
4228  *
4229  *	This function performs an skb_pull on the packet and updates
4230  *	the CHECKSUM_COMPLETE checksum.  It should be used on
4231  *	receive path processing instead of skb_pull unless you know
4232  *	that the checksum difference is zero (e.g., a valid IP header)
4233  *	or you are setting ip_summed to CHECKSUM_NONE.
4234  */
4235 void *skb_pull_rcsum(struct sk_buff *skb, unsigned int len)
4236 {
4237 	unsigned char *data = skb->data;
4238 
4239 	BUG_ON(len > skb->len);
4240 	__skb_pull(skb, len);
4241 	skb_postpull_rcsum(skb, data, len);
4242 	return skb->data;
4243 }
4244 EXPORT_SYMBOL_GPL(skb_pull_rcsum);
4245 
4246 static inline skb_frag_t skb_head_frag_to_page_desc(struct sk_buff *frag_skb)
4247 {
4248 	skb_frag_t head_frag;
4249 	struct page *page;
4250 
4251 	page = virt_to_head_page(frag_skb->head);
4252 	__skb_frag_set_page(&head_frag, page);
4253 	skb_frag_off_set(&head_frag, frag_skb->data -
4254 			 (unsigned char *)page_address(page));
4255 	skb_frag_size_set(&head_frag, skb_headlen(frag_skb));
4256 	return head_frag;
4257 }
4258 
4259 struct sk_buff *skb_segment_list(struct sk_buff *skb,
4260 				 netdev_features_t features,
4261 				 unsigned int offset)
4262 {
4263 	struct sk_buff *list_skb = skb_shinfo(skb)->frag_list;
4264 	unsigned int tnl_hlen = skb_tnl_header_len(skb);
4265 	unsigned int delta_truesize = 0;
4266 	unsigned int delta_len = 0;
4267 	struct sk_buff *tail = NULL;
4268 	struct sk_buff *nskb, *tmp;
4269 	int len_diff, err;
4270 
4271 	skb_push(skb, -skb_network_offset(skb) + offset);
4272 
4273 	skb_shinfo(skb)->frag_list = NULL;
4274 
4275 	while (list_skb) {
4276 		nskb = list_skb;
4277 		list_skb = list_skb->next;
4278 
4279 		err = 0;
4280 		delta_truesize += nskb->truesize;
4281 		if (skb_shared(nskb)) {
4282 			tmp = skb_clone(nskb, GFP_ATOMIC);
4283 			if (tmp) {
4284 				consume_skb(nskb);
4285 				nskb = tmp;
4286 				err = skb_unclone(nskb, GFP_ATOMIC);
4287 			} else {
4288 				err = -ENOMEM;
4289 			}
4290 		}
4291 
4292 		if (!tail)
4293 			skb->next = nskb;
4294 		else
4295 			tail->next = nskb;
4296 
4297 		if (unlikely(err)) {
4298 			nskb->next = list_skb;
4299 			goto err_linearize;
4300 		}
4301 
4302 		tail = nskb;
4303 
4304 		delta_len += nskb->len;
4305 
4306 		skb_push(nskb, -skb_network_offset(nskb) + offset);
4307 
4308 		skb_release_head_state(nskb);
4309 		len_diff = skb_network_header_len(nskb) - skb_network_header_len(skb);
4310 		__copy_skb_header(nskb, skb);
4311 
4312 		skb_headers_offset_update(nskb, skb_headroom(nskb) - skb_headroom(skb));
4313 		nskb->transport_header += len_diff;
4314 		skb_copy_from_linear_data_offset(skb, -tnl_hlen,
4315 						 nskb->data - tnl_hlen,
4316 						 offset + tnl_hlen);
4317 
4318 		if (skb_needs_linearize(nskb, features) &&
4319 		    __skb_linearize(nskb))
4320 			goto err_linearize;
4321 	}
4322 
4323 	skb->truesize = skb->truesize - delta_truesize;
4324 	skb->data_len = skb->data_len - delta_len;
4325 	skb->len = skb->len - delta_len;
4326 
4327 	skb_gso_reset(skb);
4328 
4329 	skb->prev = tail;
4330 
4331 	if (skb_needs_linearize(skb, features) &&
4332 	    __skb_linearize(skb))
4333 		goto err_linearize;
4334 
4335 	skb_get(skb);
4336 
4337 	return skb;
4338 
4339 err_linearize:
4340 	kfree_skb_list(skb->next);
4341 	skb->next = NULL;
4342 	return ERR_PTR(-ENOMEM);
4343 }
4344 EXPORT_SYMBOL_GPL(skb_segment_list);
4345 
4346 /**
4347  *	skb_segment - Perform protocol segmentation on skb.
4348  *	@head_skb: buffer to segment
4349  *	@features: features for the output path (see dev->features)
4350  *
4351  *	This function performs segmentation on the given skb.  It returns
4352  *	a pointer to the first in a list of new skbs for the segments.
4353  *	In case of error it returns ERR_PTR(err).
4354  */
4355 struct sk_buff *skb_segment(struct sk_buff *head_skb,
4356 			    netdev_features_t features)
4357 {
4358 	struct sk_buff *segs = NULL;
4359 	struct sk_buff *tail = NULL;
4360 	struct sk_buff *list_skb = skb_shinfo(head_skb)->frag_list;
4361 	skb_frag_t *frag = skb_shinfo(head_skb)->frags;
4362 	unsigned int mss = skb_shinfo(head_skb)->gso_size;
4363 	unsigned int doffset = head_skb->data - skb_mac_header(head_skb);
4364 	struct sk_buff *frag_skb = head_skb;
4365 	unsigned int offset = doffset;
4366 	unsigned int tnl_hlen = skb_tnl_header_len(head_skb);
4367 	unsigned int partial_segs = 0;
4368 	unsigned int headroom;
4369 	unsigned int len = head_skb->len;
4370 	__be16 proto;
4371 	bool csum, sg;
4372 	int nfrags = skb_shinfo(head_skb)->nr_frags;
4373 	int err = -ENOMEM;
4374 	int i = 0;
4375 	int pos;
4376 
4377 	if ((skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY) &&
4378 	    mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) {
4379 		struct sk_buff *check_skb;
4380 
4381 		for (check_skb = list_skb; check_skb; check_skb = check_skb->next) {
4382 			if (skb_headlen(check_skb) && !check_skb->head_frag) {
4383 				/* gso_size is untrusted, and we have a frag_list with
4384 				 * a linear non head_frag item.
4385 				 *
4386 				 * If head_skb's headlen does not fit requested gso_size,
4387 				 * it means that the frag_list members do NOT terminate
4388 				 * on exact gso_size boundaries. Hence we cannot perform
4389 				 * skb_frag_t page sharing. Therefore we must fallback to
4390 				 * copying the frag_list skbs; we do so by disabling SG.
4391 				 */
4392 				features &= ~NETIF_F_SG;
4393 				break;
4394 			}
4395 		}
4396 	}
4397 
4398 	__skb_push(head_skb, doffset);
4399 	proto = skb_network_protocol(head_skb, NULL);
4400 	if (unlikely(!proto))
4401 		return ERR_PTR(-EINVAL);
4402 
4403 	sg = !!(features & NETIF_F_SG);
4404 	csum = !!can_checksum_protocol(features, proto);
4405 
4406 	if (sg && csum && (mss != GSO_BY_FRAGS))  {
4407 		if (!(features & NETIF_F_GSO_PARTIAL)) {
4408 			struct sk_buff *iter;
4409 			unsigned int frag_len;
4410 
4411 			if (!list_skb ||
4412 			    !net_gso_ok(features, skb_shinfo(head_skb)->gso_type))
4413 				goto normal;
4414 
4415 			/* If we get here then all the required
4416 			 * GSO features except frag_list are supported.
4417 			 * Try to split the SKB to multiple GSO SKBs
4418 			 * with no frag_list.
4419 			 * Currently we can do that only when the buffers don't
4420 			 * have a linear part and all the buffers except
4421 			 * the last are of the same length.
4422 			 */
4423 			frag_len = list_skb->len;
4424 			skb_walk_frags(head_skb, iter) {
4425 				if (frag_len != iter->len && iter->next)
4426 					goto normal;
4427 				if (skb_headlen(iter) && !iter->head_frag)
4428 					goto normal;
4429 
4430 				len -= iter->len;
4431 			}
4432 
4433 			if (len != frag_len)
4434 				goto normal;
4435 		}
4436 
4437 		/* GSO partial only requires that we trim off any excess that
4438 		 * doesn't fit into an MSS sized block, so take care of that
4439 		 * now.
4440 		 */
4441 		partial_segs = len / mss;
4442 		if (partial_segs > 1)
4443 			mss *= partial_segs;
4444 		else
4445 			partial_segs = 0;
4446 	}
4447 
4448 normal:
4449 	headroom = skb_headroom(head_skb);
4450 	pos = skb_headlen(head_skb);
4451 
4452 	do {
4453 		struct sk_buff *nskb;
4454 		skb_frag_t *nskb_frag;
4455 		int hsize;
4456 		int size;
4457 
4458 		if (unlikely(mss == GSO_BY_FRAGS)) {
4459 			len = list_skb->len;
4460 		} else {
4461 			len = head_skb->len - offset;
4462 			if (len > mss)
4463 				len = mss;
4464 		}
4465 
4466 		hsize = skb_headlen(head_skb) - offset;
4467 
4468 		if (hsize <= 0 && i >= nfrags && skb_headlen(list_skb) &&
4469 		    (skb_headlen(list_skb) == len || sg)) {
4470 			BUG_ON(skb_headlen(list_skb) > len);
4471 
4472 			i = 0;
4473 			nfrags = skb_shinfo(list_skb)->nr_frags;
4474 			frag = skb_shinfo(list_skb)->frags;
4475 			frag_skb = list_skb;
4476 			pos += skb_headlen(list_skb);
4477 
4478 			while (pos < offset + len) {
4479 				BUG_ON(i >= nfrags);
4480 
4481 				size = skb_frag_size(frag);
4482 				if (pos + size > offset + len)
4483 					break;
4484 
4485 				i++;
4486 				pos += size;
4487 				frag++;
4488 			}
4489 
4490 			nskb = skb_clone(list_skb, GFP_ATOMIC);
4491 			list_skb = list_skb->next;
4492 
4493 			if (unlikely(!nskb))
4494 				goto err;
4495 
4496 			if (unlikely(pskb_trim(nskb, len))) {
4497 				kfree_skb(nskb);
4498 				goto err;
4499 			}
4500 
4501 			hsize = skb_end_offset(nskb);
4502 			if (skb_cow_head(nskb, doffset + headroom)) {
4503 				kfree_skb(nskb);
4504 				goto err;
4505 			}
4506 
4507 			nskb->truesize += skb_end_offset(nskb) - hsize;
4508 			skb_release_head_state(nskb);
4509 			__skb_push(nskb, doffset);
4510 		} else {
4511 			if (hsize < 0)
4512 				hsize = 0;
4513 			if (hsize > len || !sg)
4514 				hsize = len;
4515 
4516 			nskb = __alloc_skb(hsize + doffset + headroom,
4517 					   GFP_ATOMIC, skb_alloc_rx_flag(head_skb),
4518 					   NUMA_NO_NODE);
4519 
4520 			if (unlikely(!nskb))
4521 				goto err;
4522 
4523 			skb_reserve(nskb, headroom);
4524 			__skb_put(nskb, doffset);
4525 		}
4526 
4527 		if (segs)
4528 			tail->next = nskb;
4529 		else
4530 			segs = nskb;
4531 		tail = nskb;
4532 
4533 		__copy_skb_header(nskb, head_skb);
4534 
4535 		skb_headers_offset_update(nskb, skb_headroom(nskb) - headroom);
4536 		skb_reset_mac_len(nskb);
4537 
4538 		skb_copy_from_linear_data_offset(head_skb, -tnl_hlen,
4539 						 nskb->data - tnl_hlen,
4540 						 doffset + tnl_hlen);
4541 
4542 		if (nskb->len == len + doffset)
4543 			goto perform_csum_check;
4544 
4545 		if (!sg) {
4546 			if (!csum) {
4547 				if (!nskb->remcsum_offload)
4548 					nskb->ip_summed = CHECKSUM_NONE;
4549 				SKB_GSO_CB(nskb)->csum =
4550 					skb_copy_and_csum_bits(head_skb, offset,
4551 							       skb_put(nskb,
4552 								       len),
4553 							       len);
4554 				SKB_GSO_CB(nskb)->csum_start =
4555 					skb_headroom(nskb) + doffset;
4556 			} else {
4557 				if (skb_copy_bits(head_skb, offset, skb_put(nskb, len), len))
4558 					goto err;
4559 			}
4560 			continue;
4561 		}
4562 
4563 		nskb_frag = skb_shinfo(nskb)->frags;
4564 
4565 		skb_copy_from_linear_data_offset(head_skb, offset,
4566 						 skb_put(nskb, hsize), hsize);
4567 
4568 		skb_shinfo(nskb)->flags |= skb_shinfo(head_skb)->flags &
4569 					   SKBFL_SHARED_FRAG;
4570 
4571 		if (skb_orphan_frags(frag_skb, GFP_ATOMIC) ||
4572 		    skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
4573 			goto err;
4574 
4575 		while (pos < offset + len) {
4576 			if (i >= nfrags) {
4577 				i = 0;
4578 				nfrags = skb_shinfo(list_skb)->nr_frags;
4579 				frag = skb_shinfo(list_skb)->frags;
4580 				frag_skb = list_skb;
4581 				if (!skb_headlen(list_skb)) {
4582 					BUG_ON(!nfrags);
4583 				} else {
4584 					BUG_ON(!list_skb->head_frag);
4585 
4586 					/* to make room for head_frag. */
4587 					i--;
4588 					frag--;
4589 				}
4590 				if (skb_orphan_frags(frag_skb, GFP_ATOMIC) ||
4591 				    skb_zerocopy_clone(nskb, frag_skb,
4592 						       GFP_ATOMIC))
4593 					goto err;
4594 
4595 				list_skb = list_skb->next;
4596 			}
4597 
4598 			if (unlikely(skb_shinfo(nskb)->nr_frags >=
4599 				     MAX_SKB_FRAGS)) {
4600 				net_warn_ratelimited(
4601 					"skb_segment: too many frags: %u %u\n",
4602 					pos, mss);
4603 				err = -EINVAL;
4604 				goto err;
4605 			}
4606 
4607 			*nskb_frag = (i < 0) ? skb_head_frag_to_page_desc(frag_skb) : *frag;
4608 			__skb_frag_ref(nskb_frag);
4609 			size = skb_frag_size(nskb_frag);
4610 
4611 			if (pos < offset) {
4612 				skb_frag_off_add(nskb_frag, offset - pos);
4613 				skb_frag_size_sub(nskb_frag, offset - pos);
4614 			}
4615 
4616 			skb_shinfo(nskb)->nr_frags++;
4617 
4618 			if (pos + size <= offset + len) {
4619 				i++;
4620 				frag++;
4621 				pos += size;
4622 			} else {
4623 				skb_frag_size_sub(nskb_frag, pos + size - (offset + len));
4624 				goto skip_fraglist;
4625 			}
4626 
4627 			nskb_frag++;
4628 		}
4629 
4630 skip_fraglist:
4631 		nskb->data_len = len - hsize;
4632 		nskb->len += nskb->data_len;
4633 		nskb->truesize += nskb->data_len;
4634 
4635 perform_csum_check:
4636 		if (!csum) {
4637 			if (skb_has_shared_frag(nskb) &&
4638 			    __skb_linearize(nskb))
4639 				goto err;
4640 
4641 			if (!nskb->remcsum_offload)
4642 				nskb->ip_summed = CHECKSUM_NONE;
4643 			SKB_GSO_CB(nskb)->csum =
4644 				skb_checksum(nskb, doffset,
4645 					     nskb->len - doffset, 0);
4646 			SKB_GSO_CB(nskb)->csum_start =
4647 				skb_headroom(nskb) + doffset;
4648 		}
4649 	} while ((offset += len) < head_skb->len);
4650 
4651 	/* Some callers want to get the end of the list.
4652 	 * Put it in segs->prev to avoid walking the list.
4653 	 * (see validate_xmit_skb_list() for example)
4654 	 */
4655 	segs->prev = tail;
4656 
4657 	if (partial_segs) {
4658 		struct sk_buff *iter;
4659 		int type = skb_shinfo(head_skb)->gso_type;
4660 		unsigned short gso_size = skb_shinfo(head_skb)->gso_size;
4661 
4662 		/* Update type to add partial and then remove dodgy if set */
4663 		type |= (features & NETIF_F_GSO_PARTIAL) / NETIF_F_GSO_PARTIAL * SKB_GSO_PARTIAL;
4664 		type &= ~SKB_GSO_DODGY;
4665 
4666 		/* Update GSO info and prepare to start updating headers on
4667 		 * our way back down the stack of protocols.
4668 		 */
4669 		for (iter = segs; iter; iter = iter->next) {
4670 			skb_shinfo(iter)->gso_size = gso_size;
4671 			skb_shinfo(iter)->gso_segs = partial_segs;
4672 			skb_shinfo(iter)->gso_type = type;
4673 			SKB_GSO_CB(iter)->data_offset = skb_headroom(iter) + doffset;
4674 		}
4675 
4676 		if (tail->len - doffset <= gso_size)
4677 			skb_shinfo(tail)->gso_size = 0;
4678 		else if (tail != segs)
4679 			skb_shinfo(tail)->gso_segs = DIV_ROUND_UP(tail->len - doffset, gso_size);
4680 	}
4681 
4682 	/* Following permits correct backpressure, for protocols
4683 	 * using skb_set_owner_w().
4684 	 * Idea is to tranfert ownership from head_skb to last segment.
4685 	 */
4686 	if (head_skb->destructor == sock_wfree) {
4687 		swap(tail->truesize, head_skb->truesize);
4688 		swap(tail->destructor, head_skb->destructor);
4689 		swap(tail->sk, head_skb->sk);
4690 	}
4691 	return segs;
4692 
4693 err:
4694 	kfree_skb_list(segs);
4695 	return ERR_PTR(err);
4696 }
4697 EXPORT_SYMBOL_GPL(skb_segment);
4698 
4699 #ifdef CONFIG_SKB_EXTENSIONS
4700 #define SKB_EXT_ALIGN_VALUE	8
4701 #define SKB_EXT_CHUNKSIZEOF(x)	(ALIGN((sizeof(x)), SKB_EXT_ALIGN_VALUE) / SKB_EXT_ALIGN_VALUE)
4702 
4703 static const u8 skb_ext_type_len[] = {
4704 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
4705 	[SKB_EXT_BRIDGE_NF] = SKB_EXT_CHUNKSIZEOF(struct nf_bridge_info),
4706 #endif
4707 #ifdef CONFIG_XFRM
4708 	[SKB_EXT_SEC_PATH] = SKB_EXT_CHUNKSIZEOF(struct sec_path),
4709 #endif
4710 #if IS_ENABLED(CONFIG_NET_TC_SKB_EXT)
4711 	[TC_SKB_EXT] = SKB_EXT_CHUNKSIZEOF(struct tc_skb_ext),
4712 #endif
4713 #if IS_ENABLED(CONFIG_MPTCP)
4714 	[SKB_EXT_MPTCP] = SKB_EXT_CHUNKSIZEOF(struct mptcp_ext),
4715 #endif
4716 #if IS_ENABLED(CONFIG_MCTP_FLOWS)
4717 	[SKB_EXT_MCTP] = SKB_EXT_CHUNKSIZEOF(struct mctp_flow),
4718 #endif
4719 };
4720 
4721 static __always_inline unsigned int skb_ext_total_length(void)
4722 {
4723 	return SKB_EXT_CHUNKSIZEOF(struct skb_ext) +
4724 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
4725 		skb_ext_type_len[SKB_EXT_BRIDGE_NF] +
4726 #endif
4727 #ifdef CONFIG_XFRM
4728 		skb_ext_type_len[SKB_EXT_SEC_PATH] +
4729 #endif
4730 #if IS_ENABLED(CONFIG_NET_TC_SKB_EXT)
4731 		skb_ext_type_len[TC_SKB_EXT] +
4732 #endif
4733 #if IS_ENABLED(CONFIG_MPTCP)
4734 		skb_ext_type_len[SKB_EXT_MPTCP] +
4735 #endif
4736 #if IS_ENABLED(CONFIG_MCTP_FLOWS)
4737 		skb_ext_type_len[SKB_EXT_MCTP] +
4738 #endif
4739 		0;
4740 }
4741 
4742 static void skb_extensions_init(void)
4743 {
4744 	BUILD_BUG_ON(SKB_EXT_NUM >= 8);
4745 	BUILD_BUG_ON(skb_ext_total_length() > 255);
4746 
4747 	skbuff_ext_cache = kmem_cache_create("skbuff_ext_cache",
4748 					     SKB_EXT_ALIGN_VALUE * skb_ext_total_length(),
4749 					     0,
4750 					     SLAB_HWCACHE_ALIGN|SLAB_PANIC,
4751 					     NULL);
4752 }
4753 #else
4754 static void skb_extensions_init(void) {}
4755 #endif
4756 
4757 void __init skb_init(void)
4758 {
4759 	skbuff_cache = kmem_cache_create_usercopy("skbuff_head_cache",
4760 					      sizeof(struct sk_buff),
4761 					      0,
4762 					      SLAB_HWCACHE_ALIGN|SLAB_PANIC,
4763 					      offsetof(struct sk_buff, cb),
4764 					      sizeof_field(struct sk_buff, cb),
4765 					      NULL);
4766 	skbuff_fclone_cache = kmem_cache_create("skbuff_fclone_cache",
4767 						sizeof(struct sk_buff_fclones),
4768 						0,
4769 						SLAB_HWCACHE_ALIGN|SLAB_PANIC,
4770 						NULL);
4771 #ifdef HAVE_SKB_SMALL_HEAD_CACHE
4772 	/* usercopy should only access first SKB_SMALL_HEAD_HEADROOM bytes.
4773 	 * struct skb_shared_info is located at the end of skb->head,
4774 	 * and should not be copied to/from user.
4775 	 */
4776 	skb_small_head_cache = kmem_cache_create_usercopy("skbuff_small_head",
4777 						SKB_SMALL_HEAD_CACHE_SIZE,
4778 						0,
4779 						SLAB_HWCACHE_ALIGN | SLAB_PANIC,
4780 						0,
4781 						SKB_SMALL_HEAD_HEADROOM,
4782 						NULL);
4783 #endif
4784 	skb_extensions_init();
4785 }
4786 
4787 static int
4788 __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len,
4789 	       unsigned int recursion_level)
4790 {
4791 	int start = skb_headlen(skb);
4792 	int i, copy = start - offset;
4793 	struct sk_buff *frag_iter;
4794 	int elt = 0;
4795 
4796 	if (unlikely(recursion_level >= 24))
4797 		return -EMSGSIZE;
4798 
4799 	if (copy > 0) {
4800 		if (copy > len)
4801 			copy = len;
4802 		sg_set_buf(sg, skb->data + offset, copy);
4803 		elt++;
4804 		if ((len -= copy) == 0)
4805 			return elt;
4806 		offset += copy;
4807 	}
4808 
4809 	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
4810 		int end;
4811 
4812 		WARN_ON(start > offset + len);
4813 
4814 		end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]);
4815 		if ((copy = end - offset) > 0) {
4816 			skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
4817 			if (unlikely(elt && sg_is_last(&sg[elt - 1])))
4818 				return -EMSGSIZE;
4819 
4820 			if (copy > len)
4821 				copy = len;
4822 			sg_set_page(&sg[elt], skb_frag_page(frag), copy,
4823 				    skb_frag_off(frag) + offset - start);
4824 			elt++;
4825 			if (!(len -= copy))
4826 				return elt;
4827 			offset += copy;
4828 		}
4829 		start = end;
4830 	}
4831 
4832 	skb_walk_frags(skb, frag_iter) {
4833 		int end, ret;
4834 
4835 		WARN_ON(start > offset + len);
4836 
4837 		end = start + frag_iter->len;
4838 		if ((copy = end - offset) > 0) {
4839 			if (unlikely(elt && sg_is_last(&sg[elt - 1])))
4840 				return -EMSGSIZE;
4841 
4842 			if (copy > len)
4843 				copy = len;
4844 			ret = __skb_to_sgvec(frag_iter, sg+elt, offset - start,
4845 					      copy, recursion_level + 1);
4846 			if (unlikely(ret < 0))
4847 				return ret;
4848 			elt += ret;
4849 			if ((len -= copy) == 0)
4850 				return elt;
4851 			offset += copy;
4852 		}
4853 		start = end;
4854 	}
4855 	BUG_ON(len);
4856 	return elt;
4857 }
4858 
4859 /**
4860  *	skb_to_sgvec - Fill a scatter-gather list from a socket buffer
4861  *	@skb: Socket buffer containing the buffers to be mapped
4862  *	@sg: The scatter-gather list to map into
4863  *	@offset: The offset into the buffer's contents to start mapping
4864  *	@len: Length of buffer space to be mapped
4865  *
4866  *	Fill the specified scatter-gather list with mappings/pointers into a
4867  *	region of the buffer space attached to a socket buffer. Returns either
4868  *	the number of scatterlist items used, or -EMSGSIZE if the contents
4869  *	could not fit.
4870  */
4871 int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
4872 {
4873 	int nsg = __skb_to_sgvec(skb, sg, offset, len, 0);
4874 
4875 	if (nsg <= 0)
4876 		return nsg;
4877 
4878 	sg_mark_end(&sg[nsg - 1]);
4879 
4880 	return nsg;
4881 }
4882 EXPORT_SYMBOL_GPL(skb_to_sgvec);
4883 
4884 /* As compared with skb_to_sgvec, skb_to_sgvec_nomark only map skb to given
4885  * sglist without mark the sg which contain last skb data as the end.
4886  * So the caller can mannipulate sg list as will when padding new data after
4887  * the first call without calling sg_unmark_end to expend sg list.
4888  *
4889  * Scenario to use skb_to_sgvec_nomark:
4890  * 1. sg_init_table
4891  * 2. skb_to_sgvec_nomark(payload1)
4892  * 3. skb_to_sgvec_nomark(payload2)
4893  *
4894  * This is equivalent to:
4895  * 1. sg_init_table
4896  * 2. skb_to_sgvec(payload1)
4897  * 3. sg_unmark_end
4898  * 4. skb_to_sgvec(payload2)
4899  *
4900  * When mapping mutilple payload conditionally, skb_to_sgvec_nomark
4901  * is more preferable.
4902  */
4903 int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
4904 			int offset, int len)
4905 {
4906 	return __skb_to_sgvec(skb, sg, offset, len, 0);
4907 }
4908 EXPORT_SYMBOL_GPL(skb_to_sgvec_nomark);
4909 
4910 
4911 
4912 /**
4913  *	skb_cow_data - Check that a socket buffer's data buffers are writable
4914  *	@skb: The socket buffer to check.
4915  *	@tailbits: Amount of trailing space to be added
4916  *	@trailer: Returned pointer to the skb where the @tailbits space begins
4917  *
4918  *	Make sure that the data buffers attached to a socket buffer are
4919  *	writable. If they are not, private copies are made of the data buffers
4920  *	and the socket buffer is set to use these instead.
4921  *
4922  *	If @tailbits is given, make sure that there is space to write @tailbits
4923  *	bytes of data beyond current end of socket buffer.  @trailer will be
4924  *	set to point to the skb in which this space begins.
4925  *
4926  *	The number of scatterlist elements required to completely map the
4927  *	COW'd and extended socket buffer will be returned.
4928  */
4929 int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer)
4930 {
4931 	int copyflag;
4932 	int elt;
4933 	struct sk_buff *skb1, **skb_p;
4934 
4935 	/* If skb is cloned or its head is paged, reallocate
4936 	 * head pulling out all the pages (pages are considered not writable
4937 	 * at the moment even if they are anonymous).
4938 	 */
4939 	if ((skb_cloned(skb) || skb_shinfo(skb)->nr_frags) &&
4940 	    !__pskb_pull_tail(skb, __skb_pagelen(skb)))
4941 		return -ENOMEM;
4942 
4943 	/* Easy case. Most of packets will go this way. */
4944 	if (!skb_has_frag_list(skb)) {
4945 		/* A little of trouble, not enough of space for trailer.
4946 		 * This should not happen, when stack is tuned to generate
4947 		 * good frames. OK, on miss we reallocate and reserve even more
4948 		 * space, 128 bytes is fair. */
4949 
4950 		if (skb_tailroom(skb) < tailbits &&
4951 		    pskb_expand_head(skb, 0, tailbits-skb_tailroom(skb)+128, GFP_ATOMIC))
4952 			return -ENOMEM;
4953 
4954 		/* Voila! */
4955 		*trailer = skb;
4956 		return 1;
4957 	}
4958 
4959 	/* Misery. We are in troubles, going to mincer fragments... */
4960 
4961 	elt = 1;
4962 	skb_p = &skb_shinfo(skb)->frag_list;
4963 	copyflag = 0;
4964 
4965 	while ((skb1 = *skb_p) != NULL) {
4966 		int ntail = 0;
4967 
4968 		/* The fragment is partially pulled by someone,
4969 		 * this can happen on input. Copy it and everything
4970 		 * after it. */
4971 
4972 		if (skb_shared(skb1))
4973 			copyflag = 1;
4974 
4975 		/* If the skb is the last, worry about trailer. */
4976 
4977 		if (skb1->next == NULL && tailbits) {
4978 			if (skb_shinfo(skb1)->nr_frags ||
4979 			    skb_has_frag_list(skb1) ||
4980 			    skb_tailroom(skb1) < tailbits)
4981 				ntail = tailbits + 128;
4982 		}
4983 
4984 		if (copyflag ||
4985 		    skb_cloned(skb1) ||
4986 		    ntail ||
4987 		    skb_shinfo(skb1)->nr_frags ||
4988 		    skb_has_frag_list(skb1)) {
4989 			struct sk_buff *skb2;
4990 
4991 			/* Fuck, we are miserable poor guys... */
4992 			if (ntail == 0)
4993 				skb2 = skb_copy(skb1, GFP_ATOMIC);
4994 			else
4995 				skb2 = skb_copy_expand(skb1,
4996 						       skb_headroom(skb1),
4997 						       ntail,
4998 						       GFP_ATOMIC);
4999 			if (unlikely(skb2 == NULL))
5000 				return -ENOMEM;
5001 
5002 			if (skb1->sk)
5003 				skb_set_owner_w(skb2, skb1->sk);
5004 
5005 			/* Looking around. Are we still alive?
5006 			 * OK, link new skb, drop old one */
5007 
5008 			skb2->next = skb1->next;
5009 			*skb_p = skb2;
5010 			kfree_skb(skb1);
5011 			skb1 = skb2;
5012 		}
5013 		elt++;
5014 		*trailer = skb1;
5015 		skb_p = &skb1->next;
5016 	}
5017 
5018 	return elt;
5019 }
5020 EXPORT_SYMBOL_GPL(skb_cow_data);
5021 
5022 static void sock_rmem_free(struct sk_buff *skb)
5023 {
5024 	struct sock *sk = skb->sk;
5025 
5026 	atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
5027 }
5028 
5029 static void skb_set_err_queue(struct sk_buff *skb)
5030 {
5031 	/* pkt_type of skbs received on local sockets is never PACKET_OUTGOING.
5032 	 * So, it is safe to (mis)use it to mark skbs on the error queue.
5033 	 */
5034 	skb->pkt_type = PACKET_OUTGOING;
5035 	BUILD_BUG_ON(PACKET_OUTGOING == 0);
5036 }
5037 
5038 /*
5039  * Note: We dont mem charge error packets (no sk_forward_alloc changes)
5040  */
5041 int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
5042 {
5043 	if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
5044 	    (unsigned int)READ_ONCE(sk->sk_rcvbuf))
5045 		return -ENOMEM;
5046 
5047 	skb_orphan(skb);
5048 	skb->sk = sk;
5049 	skb->destructor = sock_rmem_free;
5050 	atomic_add(skb->truesize, &sk->sk_rmem_alloc);
5051 	skb_set_err_queue(skb);
5052 
5053 	/* before exiting rcu section, make sure dst is refcounted */
5054 	skb_dst_force(skb);
5055 
5056 	skb_queue_tail(&sk->sk_error_queue, skb);
5057 	if (!sock_flag(sk, SOCK_DEAD))
5058 		sk_error_report(sk);
5059 	return 0;
5060 }
5061 EXPORT_SYMBOL(sock_queue_err_skb);
5062 
5063 static bool is_icmp_err_skb(const struct sk_buff *skb)
5064 {
5065 	return skb && (SKB_EXT_ERR(skb)->ee.ee_origin == SO_EE_ORIGIN_ICMP ||
5066 		       SKB_EXT_ERR(skb)->ee.ee_origin == SO_EE_ORIGIN_ICMP6);
5067 }
5068 
5069 struct sk_buff *sock_dequeue_err_skb(struct sock *sk)
5070 {
5071 	struct sk_buff_head *q = &sk->sk_error_queue;
5072 	struct sk_buff *skb, *skb_next = NULL;
5073 	bool icmp_next = false;
5074 	unsigned long flags;
5075 
5076 	spin_lock_irqsave(&q->lock, flags);
5077 	skb = __skb_dequeue(q);
5078 	if (skb && (skb_next = skb_peek(q))) {
5079 		icmp_next = is_icmp_err_skb(skb_next);
5080 		if (icmp_next)
5081 			sk->sk_err = SKB_EXT_ERR(skb_next)->ee.ee_errno;
5082 	}
5083 	spin_unlock_irqrestore(&q->lock, flags);
5084 
5085 	if (is_icmp_err_skb(skb) && !icmp_next)
5086 		sk->sk_err = 0;
5087 
5088 	if (skb_next)
5089 		sk_error_report(sk);
5090 
5091 	return skb;
5092 }
5093 EXPORT_SYMBOL(sock_dequeue_err_skb);
5094 
5095 /**
5096  * skb_clone_sk - create clone of skb, and take reference to socket
5097  * @skb: the skb to clone
5098  *
5099  * This function creates a clone of a buffer that holds a reference on
5100  * sk_refcnt.  Buffers created via this function are meant to be
5101  * returned using sock_queue_err_skb, or free via kfree_skb.
5102  *
5103  * When passing buffers allocated with this function to sock_queue_err_skb
5104  * it is necessary to wrap the call with sock_hold/sock_put in order to
5105  * prevent the socket from being released prior to being enqueued on
5106  * the sk_error_queue.
5107  */
5108 struct sk_buff *skb_clone_sk(struct sk_buff *skb)
5109 {
5110 	struct sock *sk = skb->sk;
5111 	struct sk_buff *clone;
5112 
5113 	if (!sk || !refcount_inc_not_zero(&sk->sk_refcnt))
5114 		return NULL;
5115 
5116 	clone = skb_clone(skb, GFP_ATOMIC);
5117 	if (!clone) {
5118 		sock_put(sk);
5119 		return NULL;
5120 	}
5121 
5122 	clone->sk = sk;
5123 	clone->destructor = sock_efree;
5124 
5125 	return clone;
5126 }
5127 EXPORT_SYMBOL(skb_clone_sk);
5128 
5129 static void __skb_complete_tx_timestamp(struct sk_buff *skb,
5130 					struct sock *sk,
5131 					int tstype,
5132 					bool opt_stats)
5133 {
5134 	struct sock_exterr_skb *serr;
5135 	int err;
5136 
5137 	BUILD_BUG_ON(sizeof(struct sock_exterr_skb) > sizeof(skb->cb));
5138 
5139 	serr = SKB_EXT_ERR(skb);
5140 	memset(serr, 0, sizeof(*serr));
5141 	serr->ee.ee_errno = ENOMSG;
5142 	serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
5143 	serr->ee.ee_info = tstype;
5144 	serr->opt_stats = opt_stats;
5145 	serr->header.h4.iif = skb->dev ? skb->dev->ifindex : 0;
5146 	if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
5147 		serr->ee.ee_data = skb_shinfo(skb)->tskey;
5148 		if (sk_is_tcp(sk))
5149 			serr->ee.ee_data -= atomic_read(&sk->sk_tskey);
5150 	}
5151 
5152 	err = sock_queue_err_skb(sk, skb);
5153 
5154 	if (err)
5155 		kfree_skb(skb);
5156 }
5157 
5158 static bool skb_may_tx_timestamp(struct sock *sk, bool tsonly)
5159 {
5160 	bool ret;
5161 
5162 	if (likely(READ_ONCE(sysctl_tstamp_allow_data) || tsonly))
5163 		return true;
5164 
5165 	read_lock_bh(&sk->sk_callback_lock);
5166 	ret = sk->sk_socket && sk->sk_socket->file &&
5167 	      file_ns_capable(sk->sk_socket->file, &init_user_ns, CAP_NET_RAW);
5168 	read_unlock_bh(&sk->sk_callback_lock);
5169 	return ret;
5170 }
5171 
5172 void skb_complete_tx_timestamp(struct sk_buff *skb,
5173 			       struct skb_shared_hwtstamps *hwtstamps)
5174 {
5175 	struct sock *sk = skb->sk;
5176 
5177 	if (!skb_may_tx_timestamp(sk, false))
5178 		goto err;
5179 
5180 	/* Take a reference to prevent skb_orphan() from freeing the socket,
5181 	 * but only if the socket refcount is not zero.
5182 	 */
5183 	if (likely(refcount_inc_not_zero(&sk->sk_refcnt))) {
5184 		*skb_hwtstamps(skb) = *hwtstamps;
5185 		__skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false);
5186 		sock_put(sk);
5187 		return;
5188 	}
5189 
5190 err:
5191 	kfree_skb(skb);
5192 }
5193 EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp);
5194 
5195 void __skb_tstamp_tx(struct sk_buff *orig_skb,
5196 		     const struct sk_buff *ack_skb,
5197 		     struct skb_shared_hwtstamps *hwtstamps,
5198 		     struct sock *sk, int tstype)
5199 {
5200 	struct sk_buff *skb;
5201 	bool tsonly, opt_stats = false;
5202 
5203 	if (!sk)
5204 		return;
5205 
5206 	if (!hwtstamps && !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_TX_SWHW) &&
5207 	    skb_shinfo(orig_skb)->tx_flags & SKBTX_IN_PROGRESS)
5208 		return;
5209 
5210 	tsonly = sk->sk_tsflags & SOF_TIMESTAMPING_OPT_TSONLY;
5211 	if (!skb_may_tx_timestamp(sk, tsonly))
5212 		return;
5213 
5214 	if (tsonly) {
5215 #ifdef CONFIG_INET
5216 		if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) &&
5217 		    sk_is_tcp(sk)) {
5218 			skb = tcp_get_timestamping_opt_stats(sk, orig_skb,
5219 							     ack_skb);
5220 			opt_stats = true;
5221 		} else
5222 #endif
5223 			skb = alloc_skb(0, GFP_ATOMIC);
5224 	} else {
5225 		skb = skb_clone(orig_skb, GFP_ATOMIC);
5226 
5227 		if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) {
5228 			kfree_skb(skb);
5229 			return;
5230 		}
5231 	}
5232 	if (!skb)
5233 		return;
5234 
5235 	if (tsonly) {
5236 		skb_shinfo(skb)->tx_flags |= skb_shinfo(orig_skb)->tx_flags &
5237 					     SKBTX_ANY_TSTAMP;
5238 		skb_shinfo(skb)->tskey = skb_shinfo(orig_skb)->tskey;
5239 	}
5240 
5241 	if (hwtstamps)
5242 		*skb_hwtstamps(skb) = *hwtstamps;
5243 	else
5244 		__net_timestamp(skb);
5245 
5246 	__skb_complete_tx_timestamp(skb, sk, tstype, opt_stats);
5247 }
5248 EXPORT_SYMBOL_GPL(__skb_tstamp_tx);
5249 
5250 void skb_tstamp_tx(struct sk_buff *orig_skb,
5251 		   struct skb_shared_hwtstamps *hwtstamps)
5252 {
5253 	return __skb_tstamp_tx(orig_skb, NULL, hwtstamps, orig_skb->sk,
5254 			       SCM_TSTAMP_SND);
5255 }
5256 EXPORT_SYMBOL_GPL(skb_tstamp_tx);
5257 
5258 #ifdef CONFIG_WIRELESS
5259 void skb_complete_wifi_ack(struct sk_buff *skb, bool acked)
5260 {
5261 	struct sock *sk = skb->sk;
5262 	struct sock_exterr_skb *serr;
5263 	int err = 1;
5264 
5265 	skb->wifi_acked_valid = 1;
5266 	skb->wifi_acked = acked;
5267 
5268 	serr = SKB_EXT_ERR(skb);
5269 	memset(serr, 0, sizeof(*serr));
5270 	serr->ee.ee_errno = ENOMSG;
5271 	serr->ee.ee_origin = SO_EE_ORIGIN_TXSTATUS;
5272 
5273 	/* Take a reference to prevent skb_orphan() from freeing the socket,
5274 	 * but only if the socket refcount is not zero.
5275 	 */
5276 	if (likely(refcount_inc_not_zero(&sk->sk_refcnt))) {
5277 		err = sock_queue_err_skb(sk, skb);
5278 		sock_put(sk);
5279 	}
5280 	if (err)
5281 		kfree_skb(skb);
5282 }
5283 EXPORT_SYMBOL_GPL(skb_complete_wifi_ack);
5284 #endif /* CONFIG_WIRELESS */
5285 
5286 /**
5287  * skb_partial_csum_set - set up and verify partial csum values for packet
5288  * @skb: the skb to set
5289  * @start: the number of bytes after skb->data to start checksumming.
5290  * @off: the offset from start to place the checksum.
5291  *
5292  * For untrusted partially-checksummed packets, we need to make sure the values
5293  * for skb->csum_start and skb->csum_offset are valid so we don't oops.
5294  *
5295  * This function checks and sets those values and skb->ip_summed: if this
5296  * returns false you should drop the packet.
5297  */
5298 bool skb_partial_csum_set(struct sk_buff *skb, u16 start, u16 off)
5299 {
5300 	u32 csum_end = (u32)start + (u32)off + sizeof(__sum16);
5301 	u32 csum_start = skb_headroom(skb) + (u32)start;
5302 
5303 	if (unlikely(csum_start >= U16_MAX || csum_end > skb_headlen(skb))) {
5304 		net_warn_ratelimited("bad partial csum: csum=%u/%u headroom=%u headlen=%u\n",
5305 				     start, off, skb_headroom(skb), skb_headlen(skb));
5306 		return false;
5307 	}
5308 	skb->ip_summed = CHECKSUM_PARTIAL;
5309 	skb->csum_start = csum_start;
5310 	skb->csum_offset = off;
5311 	skb->transport_header = csum_start;
5312 	return true;
5313 }
5314 EXPORT_SYMBOL_GPL(skb_partial_csum_set);
5315 
5316 static int skb_maybe_pull_tail(struct sk_buff *skb, unsigned int len,
5317 			       unsigned int max)
5318 {
5319 	if (skb_headlen(skb) >= len)
5320 		return 0;
5321 
5322 	/* If we need to pullup then pullup to the max, so we
5323 	 * won't need to do it again.
5324 	 */
5325 	if (max > skb->len)
5326 		max = skb->len;
5327 
5328 	if (__pskb_pull_tail(skb, max - skb_headlen(skb)) == NULL)
5329 		return -ENOMEM;
5330 
5331 	if (skb_headlen(skb) < len)
5332 		return -EPROTO;
5333 
5334 	return 0;
5335 }
5336 
5337 #define MAX_TCP_HDR_LEN (15 * 4)
5338 
5339 static __sum16 *skb_checksum_setup_ip(struct sk_buff *skb,
5340 				      typeof(IPPROTO_IP) proto,
5341 				      unsigned int off)
5342 {
5343 	int err;
5344 
5345 	switch (proto) {
5346 	case IPPROTO_TCP:
5347 		err = skb_maybe_pull_tail(skb, off + sizeof(struct tcphdr),
5348 					  off + MAX_TCP_HDR_LEN);
5349 		if (!err && !skb_partial_csum_set(skb, off,
5350 						  offsetof(struct tcphdr,
5351 							   check)))
5352 			err = -EPROTO;
5353 		return err ? ERR_PTR(err) : &tcp_hdr(skb)->check;
5354 
5355 	case IPPROTO_UDP:
5356 		err = skb_maybe_pull_tail(skb, off + sizeof(struct udphdr),
5357 					  off + sizeof(struct udphdr));
5358 		if (!err && !skb_partial_csum_set(skb, off,
5359 						  offsetof(struct udphdr,
5360 							   check)))
5361 			err = -EPROTO;
5362 		return err ? ERR_PTR(err) : &udp_hdr(skb)->check;
5363 	}
5364 
5365 	return ERR_PTR(-EPROTO);
5366 }
5367 
5368 /* This value should be large enough to cover a tagged ethernet header plus
5369  * maximally sized IP and TCP or UDP headers.
5370  */
5371 #define MAX_IP_HDR_LEN 128
5372 
5373 static int skb_checksum_setup_ipv4(struct sk_buff *skb, bool recalculate)
5374 {
5375 	unsigned int off;
5376 	bool fragment;
5377 	__sum16 *csum;
5378 	int err;
5379 
5380 	fragment = false;
5381 
5382 	err = skb_maybe_pull_tail(skb,
5383 				  sizeof(struct iphdr),
5384 				  MAX_IP_HDR_LEN);
5385 	if (err < 0)
5386 		goto out;
5387 
5388 	if (ip_is_fragment(ip_hdr(skb)))
5389 		fragment = true;
5390 
5391 	off = ip_hdrlen(skb);
5392 
5393 	err = -EPROTO;
5394 
5395 	if (fragment)
5396 		goto out;
5397 
5398 	csum = skb_checksum_setup_ip(skb, ip_hdr(skb)->protocol, off);
5399 	if (IS_ERR(csum))
5400 		return PTR_ERR(csum);
5401 
5402 	if (recalculate)
5403 		*csum = ~csum_tcpudp_magic(ip_hdr(skb)->saddr,
5404 					   ip_hdr(skb)->daddr,
5405 					   skb->len - off,
5406 					   ip_hdr(skb)->protocol, 0);
5407 	err = 0;
5408 
5409 out:
5410 	return err;
5411 }
5412 
5413 /* This value should be large enough to cover a tagged ethernet header plus
5414  * an IPv6 header, all options, and a maximal TCP or UDP header.
5415  */
5416 #define MAX_IPV6_HDR_LEN 256
5417 
5418 #define OPT_HDR(type, skb, off) \
5419 	(type *)(skb_network_header(skb) + (off))
5420 
5421 static int skb_checksum_setup_ipv6(struct sk_buff *skb, bool recalculate)
5422 {
5423 	int err;
5424 	u8 nexthdr;
5425 	unsigned int off;
5426 	unsigned int len;
5427 	bool fragment;
5428 	bool done;
5429 	__sum16 *csum;
5430 
5431 	fragment = false;
5432 	done = false;
5433 
5434 	off = sizeof(struct ipv6hdr);
5435 
5436 	err = skb_maybe_pull_tail(skb, off, MAX_IPV6_HDR_LEN);
5437 	if (err < 0)
5438 		goto out;
5439 
5440 	nexthdr = ipv6_hdr(skb)->nexthdr;
5441 
5442 	len = sizeof(struct ipv6hdr) + ntohs(ipv6_hdr(skb)->payload_len);
5443 	while (off <= len && !done) {
5444 		switch (nexthdr) {
5445 		case IPPROTO_DSTOPTS:
5446 		case IPPROTO_HOPOPTS:
5447 		case IPPROTO_ROUTING: {
5448 			struct ipv6_opt_hdr *hp;
5449 
5450 			err = skb_maybe_pull_tail(skb,
5451 						  off +
5452 						  sizeof(struct ipv6_opt_hdr),
5453 						  MAX_IPV6_HDR_LEN);
5454 			if (err < 0)
5455 				goto out;
5456 
5457 			hp = OPT_HDR(struct ipv6_opt_hdr, skb, off);
5458 			nexthdr = hp->nexthdr;
5459 			off += ipv6_optlen(hp);
5460 			break;
5461 		}
5462 		case IPPROTO_AH: {
5463 			struct ip_auth_hdr *hp;
5464 
5465 			err = skb_maybe_pull_tail(skb,
5466 						  off +
5467 						  sizeof(struct ip_auth_hdr),
5468 						  MAX_IPV6_HDR_LEN);
5469 			if (err < 0)
5470 				goto out;
5471 
5472 			hp = OPT_HDR(struct ip_auth_hdr, skb, off);
5473 			nexthdr = hp->nexthdr;
5474 			off += ipv6_authlen(hp);
5475 			break;
5476 		}
5477 		case IPPROTO_FRAGMENT: {
5478 			struct frag_hdr *hp;
5479 
5480 			err = skb_maybe_pull_tail(skb,
5481 						  off +
5482 						  sizeof(struct frag_hdr),
5483 						  MAX_IPV6_HDR_LEN);
5484 			if (err < 0)
5485 				goto out;
5486 
5487 			hp = OPT_HDR(struct frag_hdr, skb, off);
5488 
5489 			if (hp->frag_off & htons(IP6_OFFSET | IP6_MF))
5490 				fragment = true;
5491 
5492 			nexthdr = hp->nexthdr;
5493 			off += sizeof(struct frag_hdr);
5494 			break;
5495 		}
5496 		default:
5497 			done = true;
5498 			break;
5499 		}
5500 	}
5501 
5502 	err = -EPROTO;
5503 
5504 	if (!done || fragment)
5505 		goto out;
5506 
5507 	csum = skb_checksum_setup_ip(skb, nexthdr, off);
5508 	if (IS_ERR(csum))
5509 		return PTR_ERR(csum);
5510 
5511 	if (recalculate)
5512 		*csum = ~csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
5513 					 &ipv6_hdr(skb)->daddr,
5514 					 skb->len - off, nexthdr, 0);
5515 	err = 0;
5516 
5517 out:
5518 	return err;
5519 }
5520 
5521 /**
5522  * skb_checksum_setup - set up partial checksum offset
5523  * @skb: the skb to set up
5524  * @recalculate: if true the pseudo-header checksum will be recalculated
5525  */
5526 int skb_checksum_setup(struct sk_buff *skb, bool recalculate)
5527 {
5528 	int err;
5529 
5530 	switch (skb->protocol) {
5531 	case htons(ETH_P_IP):
5532 		err = skb_checksum_setup_ipv4(skb, recalculate);
5533 		break;
5534 
5535 	case htons(ETH_P_IPV6):
5536 		err = skb_checksum_setup_ipv6(skb, recalculate);
5537 		break;
5538 
5539 	default:
5540 		err = -EPROTO;
5541 		break;
5542 	}
5543 
5544 	return err;
5545 }
5546 EXPORT_SYMBOL(skb_checksum_setup);
5547 
5548 /**
5549  * skb_checksum_maybe_trim - maybe trims the given skb
5550  * @skb: the skb to check
5551  * @transport_len: the data length beyond the network header
5552  *
5553  * Checks whether the given skb has data beyond the given transport length.
5554  * If so, returns a cloned skb trimmed to this transport length.
5555  * Otherwise returns the provided skb. Returns NULL in error cases
5556  * (e.g. transport_len exceeds skb length or out-of-memory).
5557  *
5558  * Caller needs to set the skb transport header and free any returned skb if it
5559  * differs from the provided skb.
5560  */
5561 static struct sk_buff *skb_checksum_maybe_trim(struct sk_buff *skb,
5562 					       unsigned int transport_len)
5563 {
5564 	struct sk_buff *skb_chk;
5565 	unsigned int len = skb_transport_offset(skb) + transport_len;
5566 	int ret;
5567 
5568 	if (skb->len < len)
5569 		return NULL;
5570 	else if (skb->len == len)
5571 		return skb;
5572 
5573 	skb_chk = skb_clone(skb, GFP_ATOMIC);
5574 	if (!skb_chk)
5575 		return NULL;
5576 
5577 	ret = pskb_trim_rcsum(skb_chk, len);
5578 	if (ret) {
5579 		kfree_skb(skb_chk);
5580 		return NULL;
5581 	}
5582 
5583 	return skb_chk;
5584 }
5585 
5586 /**
5587  * skb_checksum_trimmed - validate checksum of an skb
5588  * @skb: the skb to check
5589  * @transport_len: the data length beyond the network header
5590  * @skb_chkf: checksum function to use
5591  *
5592  * Applies the given checksum function skb_chkf to the provided skb.
5593  * Returns a checked and maybe trimmed skb. Returns NULL on error.
5594  *
5595  * If the skb has data beyond the given transport length, then a
5596  * trimmed & cloned skb is checked and returned.
5597  *
5598  * Caller needs to set the skb transport header and free any returned skb if it
5599  * differs from the provided skb.
5600  */
5601 struct sk_buff *skb_checksum_trimmed(struct sk_buff *skb,
5602 				     unsigned int transport_len,
5603 				     __sum16(*skb_chkf)(struct sk_buff *skb))
5604 {
5605 	struct sk_buff *skb_chk;
5606 	unsigned int offset = skb_transport_offset(skb);
5607 	__sum16 ret;
5608 
5609 	skb_chk = skb_checksum_maybe_trim(skb, transport_len);
5610 	if (!skb_chk)
5611 		goto err;
5612 
5613 	if (!pskb_may_pull(skb_chk, offset))
5614 		goto err;
5615 
5616 	skb_pull_rcsum(skb_chk, offset);
5617 	ret = skb_chkf(skb_chk);
5618 	skb_push_rcsum(skb_chk, offset);
5619 
5620 	if (ret)
5621 		goto err;
5622 
5623 	return skb_chk;
5624 
5625 err:
5626 	if (skb_chk && skb_chk != skb)
5627 		kfree_skb(skb_chk);
5628 
5629 	return NULL;
5630 
5631 }
5632 EXPORT_SYMBOL(skb_checksum_trimmed);
5633 
5634 void __skb_warn_lro_forwarding(const struct sk_buff *skb)
5635 {
5636 	net_warn_ratelimited("%s: received packets cannot be forwarded while LRO is enabled\n",
5637 			     skb->dev->name);
5638 }
5639 EXPORT_SYMBOL(__skb_warn_lro_forwarding);
5640 
5641 void kfree_skb_partial(struct sk_buff *skb, bool head_stolen)
5642 {
5643 	if (head_stolen) {
5644 		skb_release_head_state(skb);
5645 		kmem_cache_free(skbuff_cache, skb);
5646 	} else {
5647 		__kfree_skb(skb);
5648 	}
5649 }
5650 EXPORT_SYMBOL(kfree_skb_partial);
5651 
5652 /**
5653  * skb_try_coalesce - try to merge skb to prior one
5654  * @to: prior buffer
5655  * @from: buffer to add
5656  * @fragstolen: pointer to boolean
5657  * @delta_truesize: how much more was allocated than was requested
5658  */
5659 bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
5660 		      bool *fragstolen, int *delta_truesize)
5661 {
5662 	struct skb_shared_info *to_shinfo, *from_shinfo;
5663 	int i, delta, len = from->len;
5664 
5665 	*fragstolen = false;
5666 
5667 	if (skb_cloned(to))
5668 		return false;
5669 
5670 	/* In general, avoid mixing page_pool and non-page_pool allocated
5671 	 * pages within the same SKB. Additionally avoid dealing with clones
5672 	 * with page_pool pages, in case the SKB is using page_pool fragment
5673 	 * references (PP_FLAG_PAGE_FRAG). Since we only take full page
5674 	 * references for cloned SKBs at the moment that would result in
5675 	 * inconsistent reference counts.
5676 	 * In theory we could take full references if @from is cloned and
5677 	 * !@to->pp_recycle but its tricky (due to potential race with
5678 	 * the clone disappearing) and rare, so not worth dealing with.
5679 	 */
5680 	if (to->pp_recycle != from->pp_recycle ||
5681 	    (from->pp_recycle && skb_cloned(from)))
5682 		return false;
5683 
5684 	if (len <= skb_tailroom(to)) {
5685 		if (len)
5686 			BUG_ON(skb_copy_bits(from, 0, skb_put(to, len), len));
5687 		*delta_truesize = 0;
5688 		return true;
5689 	}
5690 
5691 	to_shinfo = skb_shinfo(to);
5692 	from_shinfo = skb_shinfo(from);
5693 	if (to_shinfo->frag_list || from_shinfo->frag_list)
5694 		return false;
5695 	if (skb_zcopy(to) || skb_zcopy(from))
5696 		return false;
5697 
5698 	if (skb_headlen(from) != 0) {
5699 		struct page *page;
5700 		unsigned int offset;
5701 
5702 		if (to_shinfo->nr_frags +
5703 		    from_shinfo->nr_frags >= MAX_SKB_FRAGS)
5704 			return false;
5705 
5706 		if (skb_head_is_locked(from))
5707 			return false;
5708 
5709 		delta = from->truesize - SKB_DATA_ALIGN(sizeof(struct sk_buff));
5710 
5711 		page = virt_to_head_page(from->head);
5712 		offset = from->data - (unsigned char *)page_address(page);
5713 
5714 		skb_fill_page_desc(to, to_shinfo->nr_frags,
5715 				   page, offset, skb_headlen(from));
5716 		*fragstolen = true;
5717 	} else {
5718 		if (to_shinfo->nr_frags +
5719 		    from_shinfo->nr_frags > MAX_SKB_FRAGS)
5720 			return false;
5721 
5722 		delta = from->truesize - SKB_TRUESIZE(skb_end_offset(from));
5723 	}
5724 
5725 	WARN_ON_ONCE(delta < len);
5726 
5727 	memcpy(to_shinfo->frags + to_shinfo->nr_frags,
5728 	       from_shinfo->frags,
5729 	       from_shinfo->nr_frags * sizeof(skb_frag_t));
5730 	to_shinfo->nr_frags += from_shinfo->nr_frags;
5731 
5732 	if (!skb_cloned(from))
5733 		from_shinfo->nr_frags = 0;
5734 
5735 	/* if the skb is not cloned this does nothing
5736 	 * since we set nr_frags to 0.
5737 	 */
5738 	for (i = 0; i < from_shinfo->nr_frags; i++)
5739 		__skb_frag_ref(&from_shinfo->frags[i]);
5740 
5741 	to->truesize += delta;
5742 	to->len += len;
5743 	to->data_len += len;
5744 
5745 	*delta_truesize = delta;
5746 	return true;
5747 }
5748 EXPORT_SYMBOL(skb_try_coalesce);
5749 
5750 /**
5751  * skb_scrub_packet - scrub an skb
5752  *
5753  * @skb: buffer to clean
5754  * @xnet: packet is crossing netns
5755  *
5756  * skb_scrub_packet can be used after encapsulating or decapsulting a packet
5757  * into/from a tunnel. Some information have to be cleared during these
5758  * operations.
5759  * skb_scrub_packet can also be used to clean a skb before injecting it in
5760  * another namespace (@xnet == true). We have to clear all information in the
5761  * skb that could impact namespace isolation.
5762  */
5763 void skb_scrub_packet(struct sk_buff *skb, bool xnet)
5764 {
5765 	skb->pkt_type = PACKET_HOST;
5766 	skb->skb_iif = 0;
5767 	skb->ignore_df = 0;
5768 	skb_dst_drop(skb);
5769 	skb_ext_reset(skb);
5770 	nf_reset_ct(skb);
5771 	nf_reset_trace(skb);
5772 
5773 #ifdef CONFIG_NET_SWITCHDEV
5774 	skb->offload_fwd_mark = 0;
5775 	skb->offload_l3_fwd_mark = 0;
5776 #endif
5777 
5778 	if (!xnet)
5779 		return;
5780 
5781 	ipvs_reset(skb);
5782 	skb->mark = 0;
5783 	skb_clear_tstamp(skb);
5784 }
5785 EXPORT_SYMBOL_GPL(skb_scrub_packet);
5786 
5787 /**
5788  * skb_gso_transport_seglen - Return length of individual segments of a gso packet
5789  *
5790  * @skb: GSO skb
5791  *
5792  * skb_gso_transport_seglen is used to determine the real size of the
5793  * individual segments, including Layer4 headers (TCP/UDP).
5794  *
5795  * The MAC/L2 or network (IP, IPv6) headers are not accounted for.
5796  */
5797 static unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
5798 {
5799 	const struct skb_shared_info *shinfo = skb_shinfo(skb);
5800 	unsigned int thlen = 0;
5801 
5802 	if (skb->encapsulation) {
5803 		thlen = skb_inner_transport_header(skb) -
5804 			skb_transport_header(skb);
5805 
5806 		if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))
5807 			thlen += inner_tcp_hdrlen(skb);
5808 	} else if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) {
5809 		thlen = tcp_hdrlen(skb);
5810 	} else if (unlikely(skb_is_gso_sctp(skb))) {
5811 		thlen = sizeof(struct sctphdr);
5812 	} else if (shinfo->gso_type & SKB_GSO_UDP_L4) {
5813 		thlen = sizeof(struct udphdr);
5814 	}
5815 	/* UFO sets gso_size to the size of the fragmentation
5816 	 * payload, i.e. the size of the L4 (UDP) header is already
5817 	 * accounted for.
5818 	 */
5819 	return thlen + shinfo->gso_size;
5820 }
5821 
5822 /**
5823  * skb_gso_network_seglen - Return length of individual segments of a gso packet
5824  *
5825  * @skb: GSO skb
5826  *
5827  * skb_gso_network_seglen is used to determine the real size of the
5828  * individual segments, including Layer3 (IP, IPv6) and L4 headers (TCP/UDP).
5829  *
5830  * The MAC/L2 header is not accounted for.
5831  */
5832 static unsigned int skb_gso_network_seglen(const struct sk_buff *skb)
5833 {
5834 	unsigned int hdr_len = skb_transport_header(skb) -
5835 			       skb_network_header(skb);
5836 
5837 	return hdr_len + skb_gso_transport_seglen(skb);
5838 }
5839 
5840 /**
5841  * skb_gso_mac_seglen - Return length of individual segments of a gso packet
5842  *
5843  * @skb: GSO skb
5844  *
5845  * skb_gso_mac_seglen is used to determine the real size of the
5846  * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4
5847  * headers (TCP/UDP).
5848  */
5849 static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
5850 {
5851 	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
5852 
5853 	return hdr_len + skb_gso_transport_seglen(skb);
5854 }
5855 
5856 /**
5857  * skb_gso_size_check - check the skb size, considering GSO_BY_FRAGS
5858  *
5859  * There are a couple of instances where we have a GSO skb, and we
5860  * want to determine what size it would be after it is segmented.
5861  *
5862  * We might want to check:
5863  * -    L3+L4+payload size (e.g. IP forwarding)
5864  * - L2+L3+L4+payload size (e.g. sanity check before passing to driver)
5865  *
5866  * This is a helper to do that correctly considering GSO_BY_FRAGS.
5867  *
5868  * @skb: GSO skb
5869  *
5870  * @seg_len: The segmented length (from skb_gso_*_seglen). In the
5871  *           GSO_BY_FRAGS case this will be [header sizes + GSO_BY_FRAGS].
5872  *
5873  * @max_len: The maximum permissible length.
5874  *
5875  * Returns true if the segmented length <= max length.
5876  */
5877 static inline bool skb_gso_size_check(const struct sk_buff *skb,
5878 				      unsigned int seg_len,
5879 				      unsigned int max_len) {
5880 	const struct skb_shared_info *shinfo = skb_shinfo(skb);
5881 	const struct sk_buff *iter;
5882 
5883 	if (shinfo->gso_size != GSO_BY_FRAGS)
5884 		return seg_len <= max_len;
5885 
5886 	/* Undo this so we can re-use header sizes */
5887 	seg_len -= GSO_BY_FRAGS;
5888 
5889 	skb_walk_frags(skb, iter) {
5890 		if (seg_len + skb_headlen(iter) > max_len)
5891 			return false;
5892 	}
5893 
5894 	return true;
5895 }
5896 
5897 /**
5898  * skb_gso_validate_network_len - Will a split GSO skb fit into a given MTU?
5899  *
5900  * @skb: GSO skb
5901  * @mtu: MTU to validate against
5902  *
5903  * skb_gso_validate_network_len validates if a given skb will fit a
5904  * wanted MTU once split. It considers L3 headers, L4 headers, and the
5905  * payload.
5906  */
5907 bool skb_gso_validate_network_len(const struct sk_buff *skb, unsigned int mtu)
5908 {
5909 	return skb_gso_size_check(skb, skb_gso_network_seglen(skb), mtu);
5910 }
5911 EXPORT_SYMBOL_GPL(skb_gso_validate_network_len);
5912 
5913 /**
5914  * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length?
5915  *
5916  * @skb: GSO skb
5917  * @len: length to validate against
5918  *
5919  * skb_gso_validate_mac_len validates if a given skb will fit a wanted
5920  * length once split, including L2, L3 and L4 headers and the payload.
5921  */
5922 bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len)
5923 {
5924 	return skb_gso_size_check(skb, skb_gso_mac_seglen(skb), len);
5925 }
5926 EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);
5927 
5928 static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
5929 {
5930 	int mac_len, meta_len;
5931 	void *meta;
5932 
5933 	if (skb_cow(skb, skb_headroom(skb)) < 0) {
5934 		kfree_skb(skb);
5935 		return NULL;
5936 	}
5937 
5938 	mac_len = skb->data - skb_mac_header(skb);
5939 	if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) {
5940 		memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
5941 			mac_len - VLAN_HLEN - ETH_TLEN);
5942 	}
5943 
5944 	meta_len = skb_metadata_len(skb);
5945 	if (meta_len) {
5946 		meta = skb_metadata_end(skb) - meta_len;
5947 		memmove(meta + VLAN_HLEN, meta, meta_len);
5948 	}
5949 
5950 	skb->mac_header += VLAN_HLEN;
5951 	return skb;
5952 }
5953 
5954 struct sk_buff *skb_vlan_untag(struct sk_buff *skb)
5955 {
5956 	struct vlan_hdr *vhdr;
5957 	u16 vlan_tci;
5958 
5959 	if (unlikely(skb_vlan_tag_present(skb))) {
5960 		/* vlan_tci is already set-up so leave this for another time */
5961 		return skb;
5962 	}
5963 
5964 	skb = skb_share_check(skb, GFP_ATOMIC);
5965 	if (unlikely(!skb))
5966 		goto err_free;
5967 	/* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */
5968 	if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short))))
5969 		goto err_free;
5970 
5971 	vhdr = (struct vlan_hdr *)skb->data;
5972 	vlan_tci = ntohs(vhdr->h_vlan_TCI);
5973 	__vlan_hwaccel_put_tag(skb, skb->protocol, vlan_tci);
5974 
5975 	skb_pull_rcsum(skb, VLAN_HLEN);
5976 	vlan_set_encap_proto(skb, vhdr);
5977 
5978 	skb = skb_reorder_vlan_header(skb);
5979 	if (unlikely(!skb))
5980 		goto err_free;
5981 
5982 	skb_reset_network_header(skb);
5983 	if (!skb_transport_header_was_set(skb))
5984 		skb_reset_transport_header(skb);
5985 	skb_reset_mac_len(skb);
5986 
5987 	return skb;
5988 
5989 err_free:
5990 	kfree_skb(skb);
5991 	return NULL;
5992 }
5993 EXPORT_SYMBOL(skb_vlan_untag);
5994 
5995 int skb_ensure_writable(struct sk_buff *skb, unsigned int write_len)
5996 {
5997 	if (!pskb_may_pull(skb, write_len))
5998 		return -ENOMEM;
5999 
6000 	if (!skb_cloned(skb) || skb_clone_writable(skb, write_len))
6001 		return 0;
6002 
6003 	return pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
6004 }
6005 EXPORT_SYMBOL(skb_ensure_writable);
6006 
6007 /* remove VLAN header from packet and update csum accordingly.
6008  * expects a non skb_vlan_tag_present skb with a vlan tag payload
6009  */
6010 int __skb_vlan_pop(struct sk_buff *skb, u16 *vlan_tci)
6011 {
6012 	int offset = skb->data - skb_mac_header(skb);
6013 	int err;
6014 
6015 	if (WARN_ONCE(offset,
6016 		      "__skb_vlan_pop got skb with skb->data not at mac header (offset %d)\n",
6017 		      offset)) {
6018 		return -EINVAL;
6019 	}
6020 
6021 	err = skb_ensure_writable(skb, VLAN_ETH_HLEN);
6022 	if (unlikely(err))
6023 		return err;
6024 
6025 	skb_postpull_rcsum(skb, skb->data + (2 * ETH_ALEN), VLAN_HLEN);
6026 
6027 	vlan_remove_tag(skb, vlan_tci);
6028 
6029 	skb->mac_header += VLAN_HLEN;
6030 
6031 	if (skb_network_offset(skb) < ETH_HLEN)
6032 		skb_set_network_header(skb, ETH_HLEN);
6033 
6034 	skb_reset_mac_len(skb);
6035 
6036 	return err;
6037 }
6038 EXPORT_SYMBOL(__skb_vlan_pop);
6039 
6040 /* Pop a vlan tag either from hwaccel or from payload.
6041  * Expects skb->data at mac header.
6042  */
6043 int skb_vlan_pop(struct sk_buff *skb)
6044 {
6045 	u16 vlan_tci;
6046 	__be16 vlan_proto;
6047 	int err;
6048 
6049 	if (likely(skb_vlan_tag_present(skb))) {
6050 		__vlan_hwaccel_clear_tag(skb);
6051 	} else {
6052 		if (unlikely(!eth_type_vlan(skb->protocol)))
6053 			return 0;
6054 
6055 		err = __skb_vlan_pop(skb, &vlan_tci);
6056 		if (err)
6057 			return err;
6058 	}
6059 	/* move next vlan tag to hw accel tag */
6060 	if (likely(!eth_type_vlan(skb->protocol)))
6061 		return 0;
6062 
6063 	vlan_proto = skb->protocol;
6064 	err = __skb_vlan_pop(skb, &vlan_tci);
6065 	if (unlikely(err))
6066 		return err;
6067 
6068 	__vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci);
6069 	return 0;
6070 }
6071 EXPORT_SYMBOL(skb_vlan_pop);
6072 
6073 /* Push a vlan tag either into hwaccel or into payload (if hwaccel tag present).
6074  * Expects skb->data at mac header.
6075  */
6076 int skb_vlan_push(struct sk_buff *skb, __be16 vlan_proto, u16 vlan_tci)
6077 {
6078 	if (skb_vlan_tag_present(skb)) {
6079 		int offset = skb->data - skb_mac_header(skb);
6080 		int err;
6081 
6082 		if (WARN_ONCE(offset,
6083 			      "skb_vlan_push got skb with skb->data not at mac header (offset %d)\n",
6084 			      offset)) {
6085 			return -EINVAL;
6086 		}
6087 
6088 		err = __vlan_insert_tag(skb, skb->vlan_proto,
6089 					skb_vlan_tag_get(skb));
6090 		if (err)
6091 			return err;
6092 
6093 		skb->protocol = skb->vlan_proto;
6094 		skb->mac_len += VLAN_HLEN;
6095 
6096 		skb_postpush_rcsum(skb, skb->data + (2 * ETH_ALEN), VLAN_HLEN);
6097 	}
6098 	__vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci);
6099 	return 0;
6100 }
6101 EXPORT_SYMBOL(skb_vlan_push);
6102 
6103 /**
6104  * skb_eth_pop() - Drop the Ethernet header at the head of a packet
6105  *
6106  * @skb: Socket buffer to modify
6107  *
6108  * Drop the Ethernet header of @skb.
6109  *
6110  * Expects that skb->data points to the mac header and that no VLAN tags are
6111  * present.
6112  *
6113  * Returns 0 on success, -errno otherwise.
6114  */
6115 int skb_eth_pop(struct sk_buff *skb)
6116 {
6117 	if (!pskb_may_pull(skb, ETH_HLEN) || skb_vlan_tagged(skb) ||
6118 	    skb_network_offset(skb) < ETH_HLEN)
6119 		return -EPROTO;
6120 
6121 	skb_pull_rcsum(skb, ETH_HLEN);
6122 	skb_reset_mac_header(skb);
6123 	skb_reset_mac_len(skb);
6124 
6125 	return 0;
6126 }
6127 EXPORT_SYMBOL(skb_eth_pop);
6128 
6129 /**
6130  * skb_eth_push() - Add a new Ethernet header at the head of a packet
6131  *
6132  * @skb: Socket buffer to modify
6133  * @dst: Destination MAC address of the new header
6134  * @src: Source MAC address of the new header
6135  *
6136  * Prepend @skb with a new Ethernet header.
6137  *
6138  * Expects that skb->data points to the mac header, which must be empty.
6139  *
6140  * Returns 0 on success, -errno otherwise.
6141  */
6142 int skb_eth_push(struct sk_buff *skb, const unsigned char *dst,
6143 		 const unsigned char *src)
6144 {
6145 	struct ethhdr *eth;
6146 	int err;
6147 
6148 	if (skb_network_offset(skb) || skb_vlan_tag_present(skb))
6149 		return -EPROTO;
6150 
6151 	err = skb_cow_head(skb, sizeof(*eth));
6152 	if (err < 0)
6153 		return err;
6154 
6155 	skb_push(skb, sizeof(*eth));
6156 	skb_reset_mac_header(skb);
6157 	skb_reset_mac_len(skb);
6158 
6159 	eth = eth_hdr(skb);
6160 	ether_addr_copy(eth->h_dest, dst);
6161 	ether_addr_copy(eth->h_source, src);
6162 	eth->h_proto = skb->protocol;
6163 
6164 	skb_postpush_rcsum(skb, eth, sizeof(*eth));
6165 
6166 	return 0;
6167 }
6168 EXPORT_SYMBOL(skb_eth_push);
6169 
6170 /* Update the ethertype of hdr and the skb csum value if required. */
6171 static void skb_mod_eth_type(struct sk_buff *skb, struct ethhdr *hdr,
6172 			     __be16 ethertype)
6173 {
6174 	if (skb->ip_summed == CHECKSUM_COMPLETE) {
6175 		__be16 diff[] = { ~hdr->h_proto, ethertype };
6176 
6177 		skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum);
6178 	}
6179 
6180 	hdr->h_proto = ethertype;
6181 }
6182 
6183 /**
6184  * skb_mpls_push() - push a new MPLS header after mac_len bytes from start of
6185  *                   the packet
6186  *
6187  * @skb: buffer
6188  * @mpls_lse: MPLS label stack entry to push
6189  * @mpls_proto: ethertype of the new MPLS header (expects 0x8847 or 0x8848)
6190  * @mac_len: length of the MAC header
6191  * @ethernet: flag to indicate if the resulting packet after skb_mpls_push is
6192  *            ethernet
6193  *
6194  * Expects skb->data at mac header.
6195  *
6196  * Returns 0 on success, -errno otherwise.
6197  */
6198 int skb_mpls_push(struct sk_buff *skb, __be32 mpls_lse, __be16 mpls_proto,
6199 		  int mac_len, bool ethernet)
6200 {
6201 	struct mpls_shim_hdr *lse;
6202 	int err;
6203 
6204 	if (unlikely(!eth_p_mpls(mpls_proto)))
6205 		return -EINVAL;
6206 
6207 	/* Networking stack does not allow simultaneous Tunnel and MPLS GSO. */
6208 	if (skb->encapsulation)
6209 		return -EINVAL;
6210 
6211 	err = skb_cow_head(skb, MPLS_HLEN);
6212 	if (unlikely(err))
6213 		return err;
6214 
6215 	if (!skb->inner_protocol) {
6216 		skb_set_inner_network_header(skb, skb_network_offset(skb));
6217 		skb_set_inner_protocol(skb, skb->protocol);
6218 	}
6219 
6220 	skb_push(skb, MPLS_HLEN);
6221 	memmove(skb_mac_header(skb) - MPLS_HLEN, skb_mac_header(skb),
6222 		mac_len);
6223 	skb_reset_mac_header(skb);
6224 	skb_set_network_header(skb, mac_len);
6225 	skb_reset_mac_len(skb);
6226 
6227 	lse = mpls_hdr(skb);
6228 	lse->label_stack_entry = mpls_lse;
6229 	skb_postpush_rcsum(skb, lse, MPLS_HLEN);
6230 
6231 	if (ethernet && mac_len >= ETH_HLEN)
6232 		skb_mod_eth_type(skb, eth_hdr(skb), mpls_proto);
6233 	skb->protocol = mpls_proto;
6234 
6235 	return 0;
6236 }
6237 EXPORT_SYMBOL_GPL(skb_mpls_push);
6238 
6239 /**
6240  * skb_mpls_pop() - pop the outermost MPLS header
6241  *
6242  * @skb: buffer
6243  * @next_proto: ethertype of header after popped MPLS header
6244  * @mac_len: length of the MAC header
6245  * @ethernet: flag to indicate if the packet is ethernet
6246  *
6247  * Expects skb->data at mac header.
6248  *
6249  * Returns 0 on success, -errno otherwise.
6250  */
6251 int skb_mpls_pop(struct sk_buff *skb, __be16 next_proto, int mac_len,
6252 		 bool ethernet)
6253 {
6254 	int err;
6255 
6256 	if (unlikely(!eth_p_mpls(skb->protocol)))
6257 		return 0;
6258 
6259 	err = skb_ensure_writable(skb, mac_len + MPLS_HLEN);
6260 	if (unlikely(err))
6261 		return err;
6262 
6263 	skb_postpull_rcsum(skb, mpls_hdr(skb), MPLS_HLEN);
6264 	memmove(skb_mac_header(skb) + MPLS_HLEN, skb_mac_header(skb),
6265 		mac_len);
6266 
6267 	__skb_pull(skb, MPLS_HLEN);
6268 	skb_reset_mac_header(skb);
6269 	skb_set_network_header(skb, mac_len);
6270 
6271 	if (ethernet && mac_len >= ETH_HLEN) {
6272 		struct ethhdr *hdr;
6273 
6274 		/* use mpls_hdr() to get ethertype to account for VLANs. */
6275 		hdr = (struct ethhdr *)((void *)mpls_hdr(skb) - ETH_HLEN);
6276 		skb_mod_eth_type(skb, hdr, next_proto);
6277 	}
6278 	skb->protocol = next_proto;
6279 
6280 	return 0;
6281 }
6282 EXPORT_SYMBOL_GPL(skb_mpls_pop);
6283 
6284 /**
6285  * skb_mpls_update_lse() - modify outermost MPLS header and update csum
6286  *
6287  * @skb: buffer
6288  * @mpls_lse: new MPLS label stack entry to update to
6289  *
6290  * Expects skb->data at mac header.
6291  *
6292  * Returns 0 on success, -errno otherwise.
6293  */
6294 int skb_mpls_update_lse(struct sk_buff *skb, __be32 mpls_lse)
6295 {
6296 	int err;
6297 
6298 	if (unlikely(!eth_p_mpls(skb->protocol)))
6299 		return -EINVAL;
6300 
6301 	err = skb_ensure_writable(skb, skb->mac_len + MPLS_HLEN);
6302 	if (unlikely(err))
6303 		return err;
6304 
6305 	if (skb->ip_summed == CHECKSUM_COMPLETE) {
6306 		__be32 diff[] = { ~mpls_hdr(skb)->label_stack_entry, mpls_lse };
6307 
6308 		skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum);
6309 	}
6310 
6311 	mpls_hdr(skb)->label_stack_entry = mpls_lse;
6312 
6313 	return 0;
6314 }
6315 EXPORT_SYMBOL_GPL(skb_mpls_update_lse);
6316 
6317 /**
6318  * skb_mpls_dec_ttl() - decrement the TTL of the outermost MPLS header
6319  *
6320  * @skb: buffer
6321  *
6322  * Expects skb->data at mac header.
6323  *
6324  * Returns 0 on success, -errno otherwise.
6325  */
6326 int skb_mpls_dec_ttl(struct sk_buff *skb)
6327 {
6328 	u32 lse;
6329 	u8 ttl;
6330 
6331 	if (unlikely(!eth_p_mpls(skb->protocol)))
6332 		return -EINVAL;
6333 
6334 	if (!pskb_may_pull(skb, skb_network_offset(skb) + MPLS_HLEN))
6335 		return -ENOMEM;
6336 
6337 	lse = be32_to_cpu(mpls_hdr(skb)->label_stack_entry);
6338 	ttl = (lse & MPLS_LS_TTL_MASK) >> MPLS_LS_TTL_SHIFT;
6339 	if (!--ttl)
6340 		return -EINVAL;
6341 
6342 	lse &= ~MPLS_LS_TTL_MASK;
6343 	lse |= ttl << MPLS_LS_TTL_SHIFT;
6344 
6345 	return skb_mpls_update_lse(skb, cpu_to_be32(lse));
6346 }
6347 EXPORT_SYMBOL_GPL(skb_mpls_dec_ttl);
6348 
6349 /**
6350  * alloc_skb_with_frags - allocate skb with page frags
6351  *
6352  * @header_len: size of linear part
6353  * @data_len: needed length in frags
6354  * @max_page_order: max page order desired.
6355  * @errcode: pointer to error code if any
6356  * @gfp_mask: allocation mask
6357  *
6358  * This can be used to allocate a paged skb, given a maximal order for frags.
6359  */
6360 struct sk_buff *alloc_skb_with_frags(unsigned long header_len,
6361 				     unsigned long data_len,
6362 				     int max_page_order,
6363 				     int *errcode,
6364 				     gfp_t gfp_mask)
6365 {
6366 	int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
6367 	unsigned long chunk;
6368 	struct sk_buff *skb;
6369 	struct page *page;
6370 	int i;
6371 
6372 	*errcode = -EMSGSIZE;
6373 	/* Note this test could be relaxed, if we succeed to allocate
6374 	 * high order pages...
6375 	 */
6376 	if (npages > MAX_SKB_FRAGS)
6377 		return NULL;
6378 
6379 	*errcode = -ENOBUFS;
6380 	skb = alloc_skb(header_len, gfp_mask);
6381 	if (!skb)
6382 		return NULL;
6383 
6384 	skb->truesize += npages << PAGE_SHIFT;
6385 
6386 	for (i = 0; npages > 0; i++) {
6387 		int order = max_page_order;
6388 
6389 		while (order) {
6390 			if (npages >= 1 << order) {
6391 				page = alloc_pages((gfp_mask & ~__GFP_DIRECT_RECLAIM) |
6392 						   __GFP_COMP |
6393 						   __GFP_NOWARN,
6394 						   order);
6395 				if (page)
6396 					goto fill_page;
6397 				/* Do not retry other high order allocations */
6398 				order = 1;
6399 				max_page_order = 0;
6400 			}
6401 			order--;
6402 		}
6403 		page = alloc_page(gfp_mask);
6404 		if (!page)
6405 			goto failure;
6406 fill_page:
6407 		chunk = min_t(unsigned long, data_len,
6408 			      PAGE_SIZE << order);
6409 		skb_fill_page_desc(skb, i, page, 0, chunk);
6410 		data_len -= chunk;
6411 		npages -= 1 << order;
6412 	}
6413 	return skb;
6414 
6415 failure:
6416 	kfree_skb(skb);
6417 	return NULL;
6418 }
6419 EXPORT_SYMBOL(alloc_skb_with_frags);
6420 
6421 /* carve out the first off bytes from skb when off < headlen */
6422 static int pskb_carve_inside_header(struct sk_buff *skb, const u32 off,
6423 				    const int headlen, gfp_t gfp_mask)
6424 {
6425 	int i;
6426 	unsigned int size = skb_end_offset(skb);
6427 	int new_hlen = headlen - off;
6428 	u8 *data;
6429 
6430 	if (skb_pfmemalloc(skb))
6431 		gfp_mask |= __GFP_MEMALLOC;
6432 
6433 	data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL);
6434 	if (!data)
6435 		return -ENOMEM;
6436 	size = SKB_WITH_OVERHEAD(size);
6437 
6438 	/* Copy real data, and all frags */
6439 	skb_copy_from_linear_data_offset(skb, off, data, new_hlen);
6440 	skb->len -= off;
6441 
6442 	memcpy((struct skb_shared_info *)(data + size),
6443 	       skb_shinfo(skb),
6444 	       offsetof(struct skb_shared_info,
6445 			frags[skb_shinfo(skb)->nr_frags]));
6446 	if (skb_cloned(skb)) {
6447 		/* drop the old head gracefully */
6448 		if (skb_orphan_frags(skb, gfp_mask)) {
6449 			skb_kfree_head(data, size);
6450 			return -ENOMEM;
6451 		}
6452 		for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
6453 			skb_frag_ref(skb, i);
6454 		if (skb_has_frag_list(skb))
6455 			skb_clone_fraglist(skb);
6456 		skb_release_data(skb, SKB_CONSUMED, false);
6457 	} else {
6458 		/* we can reuse existing recount- all we did was
6459 		 * relocate values
6460 		 */
6461 		skb_free_head(skb, false);
6462 	}
6463 
6464 	skb->head = data;
6465 	skb->data = data;
6466 	skb->head_frag = 0;
6467 	skb_set_end_offset(skb, size);
6468 	skb_set_tail_pointer(skb, skb_headlen(skb));
6469 	skb_headers_offset_update(skb, 0);
6470 	skb->cloned = 0;
6471 	skb->hdr_len = 0;
6472 	skb->nohdr = 0;
6473 	atomic_set(&skb_shinfo(skb)->dataref, 1);
6474 
6475 	return 0;
6476 }
6477 
6478 static int pskb_carve(struct sk_buff *skb, const u32 off, gfp_t gfp);
6479 
6480 /* carve out the first eat bytes from skb's frag_list. May recurse into
6481  * pskb_carve()
6482  */
6483 static int pskb_carve_frag_list(struct sk_buff *skb,
6484 				struct skb_shared_info *shinfo, int eat,
6485 				gfp_t gfp_mask)
6486 {
6487 	struct sk_buff *list = shinfo->frag_list;
6488 	struct sk_buff *clone = NULL;
6489 	struct sk_buff *insp = NULL;
6490 
6491 	do {
6492 		if (!list) {
6493 			pr_err("Not enough bytes to eat. Want %d\n", eat);
6494 			return -EFAULT;
6495 		}
6496 		if (list->len <= eat) {
6497 			/* Eaten as whole. */
6498 			eat -= list->len;
6499 			list = list->next;
6500 			insp = list;
6501 		} else {
6502 			/* Eaten partially. */
6503 			if (skb_shared(list)) {
6504 				clone = skb_clone(list, gfp_mask);
6505 				if (!clone)
6506 					return -ENOMEM;
6507 				insp = list->next;
6508 				list = clone;
6509 			} else {
6510 				/* This may be pulled without problems. */
6511 				insp = list;
6512 			}
6513 			if (pskb_carve(list, eat, gfp_mask) < 0) {
6514 				kfree_skb(clone);
6515 				return -ENOMEM;
6516 			}
6517 			break;
6518 		}
6519 	} while (eat);
6520 
6521 	/* Free pulled out fragments. */
6522 	while ((list = shinfo->frag_list) != insp) {
6523 		shinfo->frag_list = list->next;
6524 		consume_skb(list);
6525 	}
6526 	/* And insert new clone at head. */
6527 	if (clone) {
6528 		clone->next = list;
6529 		shinfo->frag_list = clone;
6530 	}
6531 	return 0;
6532 }
6533 
6534 /* carve off first len bytes from skb. Split line (off) is in the
6535  * non-linear part of skb
6536  */
6537 static int pskb_carve_inside_nonlinear(struct sk_buff *skb, const u32 off,
6538 				       int pos, gfp_t gfp_mask)
6539 {
6540 	int i, k = 0;
6541 	unsigned int size = skb_end_offset(skb);
6542 	u8 *data;
6543 	const int nfrags = skb_shinfo(skb)->nr_frags;
6544 	struct skb_shared_info *shinfo;
6545 
6546 	if (skb_pfmemalloc(skb))
6547 		gfp_mask |= __GFP_MEMALLOC;
6548 
6549 	data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL);
6550 	if (!data)
6551 		return -ENOMEM;
6552 	size = SKB_WITH_OVERHEAD(size);
6553 
6554 	memcpy((struct skb_shared_info *)(data + size),
6555 	       skb_shinfo(skb), offsetof(struct skb_shared_info, frags[0]));
6556 	if (skb_orphan_frags(skb, gfp_mask)) {
6557 		skb_kfree_head(data, size);
6558 		return -ENOMEM;
6559 	}
6560 	shinfo = (struct skb_shared_info *)(data + size);
6561 	for (i = 0; i < nfrags; i++) {
6562 		int fsize = skb_frag_size(&skb_shinfo(skb)->frags[i]);
6563 
6564 		if (pos + fsize > off) {
6565 			shinfo->frags[k] = skb_shinfo(skb)->frags[i];
6566 
6567 			if (pos < off) {
6568 				/* Split frag.
6569 				 * We have two variants in this case:
6570 				 * 1. Move all the frag to the second
6571 				 *    part, if it is possible. F.e.
6572 				 *    this approach is mandatory for TUX,
6573 				 *    where splitting is expensive.
6574 				 * 2. Split is accurately. We make this.
6575 				 */
6576 				skb_frag_off_add(&shinfo->frags[0], off - pos);
6577 				skb_frag_size_sub(&shinfo->frags[0], off - pos);
6578 			}
6579 			skb_frag_ref(skb, i);
6580 			k++;
6581 		}
6582 		pos += fsize;
6583 	}
6584 	shinfo->nr_frags = k;
6585 	if (skb_has_frag_list(skb))
6586 		skb_clone_fraglist(skb);
6587 
6588 	/* split line is in frag list */
6589 	if (k == 0 && pskb_carve_frag_list(skb, shinfo, off - pos, gfp_mask)) {
6590 		/* skb_frag_unref() is not needed here as shinfo->nr_frags = 0. */
6591 		if (skb_has_frag_list(skb))
6592 			kfree_skb_list(skb_shinfo(skb)->frag_list);
6593 		skb_kfree_head(data, size);
6594 		return -ENOMEM;
6595 	}
6596 	skb_release_data(skb, SKB_CONSUMED, false);
6597 
6598 	skb->head = data;
6599 	skb->head_frag = 0;
6600 	skb->data = data;
6601 	skb_set_end_offset(skb, size);
6602 	skb_reset_tail_pointer(skb);
6603 	skb_headers_offset_update(skb, 0);
6604 	skb->cloned   = 0;
6605 	skb->hdr_len  = 0;
6606 	skb->nohdr    = 0;
6607 	skb->len -= off;
6608 	skb->data_len = skb->len;
6609 	atomic_set(&skb_shinfo(skb)->dataref, 1);
6610 	return 0;
6611 }
6612 
6613 /* remove len bytes from the beginning of the skb */
6614 static int pskb_carve(struct sk_buff *skb, const u32 len, gfp_t gfp)
6615 {
6616 	int headlen = skb_headlen(skb);
6617 
6618 	if (len < headlen)
6619 		return pskb_carve_inside_header(skb, len, headlen, gfp);
6620 	else
6621 		return pskb_carve_inside_nonlinear(skb, len, headlen, gfp);
6622 }
6623 
6624 /* Extract to_copy bytes starting at off from skb, and return this in
6625  * a new skb
6626  */
6627 struct sk_buff *pskb_extract(struct sk_buff *skb, int off,
6628 			     int to_copy, gfp_t gfp)
6629 {
6630 	struct sk_buff  *clone = skb_clone(skb, gfp);
6631 
6632 	if (!clone)
6633 		return NULL;
6634 
6635 	if (pskb_carve(clone, off, gfp) < 0 ||
6636 	    pskb_trim(clone, to_copy)) {
6637 		kfree_skb(clone);
6638 		return NULL;
6639 	}
6640 	return clone;
6641 }
6642 EXPORT_SYMBOL(pskb_extract);
6643 
6644 /**
6645  * skb_condense - try to get rid of fragments/frag_list if possible
6646  * @skb: buffer
6647  *
6648  * Can be used to save memory before skb is added to a busy queue.
6649  * If packet has bytes in frags and enough tail room in skb->head,
6650  * pull all of them, so that we can free the frags right now and adjust
6651  * truesize.
6652  * Notes:
6653  *	We do not reallocate skb->head thus can not fail.
6654  *	Caller must re-evaluate skb->truesize if needed.
6655  */
6656 void skb_condense(struct sk_buff *skb)
6657 {
6658 	if (skb->data_len) {
6659 		if (skb->data_len > skb->end - skb->tail ||
6660 		    skb_cloned(skb))
6661 			return;
6662 
6663 		/* Nice, we can free page frag(s) right now */
6664 		__pskb_pull_tail(skb, skb->data_len);
6665 	}
6666 	/* At this point, skb->truesize might be over estimated,
6667 	 * because skb had a fragment, and fragments do not tell
6668 	 * their truesize.
6669 	 * When we pulled its content into skb->head, fragment
6670 	 * was freed, but __pskb_pull_tail() could not possibly
6671 	 * adjust skb->truesize, not knowing the frag truesize.
6672 	 */
6673 	skb->truesize = SKB_TRUESIZE(skb_end_offset(skb));
6674 }
6675 EXPORT_SYMBOL(skb_condense);
6676 
6677 #ifdef CONFIG_SKB_EXTENSIONS
6678 static void *skb_ext_get_ptr(struct skb_ext *ext, enum skb_ext_id id)
6679 {
6680 	return (void *)ext + (ext->offset[id] * SKB_EXT_ALIGN_VALUE);
6681 }
6682 
6683 /**
6684  * __skb_ext_alloc - allocate a new skb extensions storage
6685  *
6686  * @flags: See kmalloc().
6687  *
6688  * Returns the newly allocated pointer. The pointer can later attached to a
6689  * skb via __skb_ext_set().
6690  * Note: caller must handle the skb_ext as an opaque data.
6691  */
6692 struct skb_ext *__skb_ext_alloc(gfp_t flags)
6693 {
6694 	struct skb_ext *new = kmem_cache_alloc(skbuff_ext_cache, flags);
6695 
6696 	if (new) {
6697 		memset(new->offset, 0, sizeof(new->offset));
6698 		refcount_set(&new->refcnt, 1);
6699 	}
6700 
6701 	return new;
6702 }
6703 
6704 static struct skb_ext *skb_ext_maybe_cow(struct skb_ext *old,
6705 					 unsigned int old_active)
6706 {
6707 	struct skb_ext *new;
6708 
6709 	if (refcount_read(&old->refcnt) == 1)
6710 		return old;
6711 
6712 	new = kmem_cache_alloc(skbuff_ext_cache, GFP_ATOMIC);
6713 	if (!new)
6714 		return NULL;
6715 
6716 	memcpy(new, old, old->chunks * SKB_EXT_ALIGN_VALUE);
6717 	refcount_set(&new->refcnt, 1);
6718 
6719 #ifdef CONFIG_XFRM
6720 	if (old_active & (1 << SKB_EXT_SEC_PATH)) {
6721 		struct sec_path *sp = skb_ext_get_ptr(old, SKB_EXT_SEC_PATH);
6722 		unsigned int i;
6723 
6724 		for (i = 0; i < sp->len; i++)
6725 			xfrm_state_hold(sp->xvec[i]);
6726 	}
6727 #endif
6728 	__skb_ext_put(old);
6729 	return new;
6730 }
6731 
6732 /**
6733  * __skb_ext_set - attach the specified extension storage to this skb
6734  * @skb: buffer
6735  * @id: extension id
6736  * @ext: extension storage previously allocated via __skb_ext_alloc()
6737  *
6738  * Existing extensions, if any, are cleared.
6739  *
6740  * Returns the pointer to the extension.
6741  */
6742 void *__skb_ext_set(struct sk_buff *skb, enum skb_ext_id id,
6743 		    struct skb_ext *ext)
6744 {
6745 	unsigned int newlen, newoff = SKB_EXT_CHUNKSIZEOF(*ext);
6746 
6747 	skb_ext_put(skb);
6748 	newlen = newoff + skb_ext_type_len[id];
6749 	ext->chunks = newlen;
6750 	ext->offset[id] = newoff;
6751 	skb->extensions = ext;
6752 	skb->active_extensions = 1 << id;
6753 	return skb_ext_get_ptr(ext, id);
6754 }
6755 
6756 /**
6757  * skb_ext_add - allocate space for given extension, COW if needed
6758  * @skb: buffer
6759  * @id: extension to allocate space for
6760  *
6761  * Allocates enough space for the given extension.
6762  * If the extension is already present, a pointer to that extension
6763  * is returned.
6764  *
6765  * If the skb was cloned, COW applies and the returned memory can be
6766  * modified without changing the extension space of clones buffers.
6767  *
6768  * Returns pointer to the extension or NULL on allocation failure.
6769  */
6770 void *skb_ext_add(struct sk_buff *skb, enum skb_ext_id id)
6771 {
6772 	struct skb_ext *new, *old = NULL;
6773 	unsigned int newlen, newoff;
6774 
6775 	if (skb->active_extensions) {
6776 		old = skb->extensions;
6777 
6778 		new = skb_ext_maybe_cow(old, skb->active_extensions);
6779 		if (!new)
6780 			return NULL;
6781 
6782 		if (__skb_ext_exist(new, id))
6783 			goto set_active;
6784 
6785 		newoff = new->chunks;
6786 	} else {
6787 		newoff = SKB_EXT_CHUNKSIZEOF(*new);
6788 
6789 		new = __skb_ext_alloc(GFP_ATOMIC);
6790 		if (!new)
6791 			return NULL;
6792 	}
6793 
6794 	newlen = newoff + skb_ext_type_len[id];
6795 	new->chunks = newlen;
6796 	new->offset[id] = newoff;
6797 set_active:
6798 	skb->slow_gro = 1;
6799 	skb->extensions = new;
6800 	skb->active_extensions |= 1 << id;
6801 	return skb_ext_get_ptr(new, id);
6802 }
6803 EXPORT_SYMBOL(skb_ext_add);
6804 
6805 #ifdef CONFIG_XFRM
6806 static void skb_ext_put_sp(struct sec_path *sp)
6807 {
6808 	unsigned int i;
6809 
6810 	for (i = 0; i < sp->len; i++)
6811 		xfrm_state_put(sp->xvec[i]);
6812 }
6813 #endif
6814 
6815 #ifdef CONFIG_MCTP_FLOWS
6816 static void skb_ext_put_mctp(struct mctp_flow *flow)
6817 {
6818 	if (flow->key)
6819 		mctp_key_unref(flow->key);
6820 }
6821 #endif
6822 
6823 void __skb_ext_del(struct sk_buff *skb, enum skb_ext_id id)
6824 {
6825 	struct skb_ext *ext = skb->extensions;
6826 
6827 	skb->active_extensions &= ~(1 << id);
6828 	if (skb->active_extensions == 0) {
6829 		skb->extensions = NULL;
6830 		__skb_ext_put(ext);
6831 #ifdef CONFIG_XFRM
6832 	} else if (id == SKB_EXT_SEC_PATH &&
6833 		   refcount_read(&ext->refcnt) == 1) {
6834 		struct sec_path *sp = skb_ext_get_ptr(ext, SKB_EXT_SEC_PATH);
6835 
6836 		skb_ext_put_sp(sp);
6837 		sp->len = 0;
6838 #endif
6839 	}
6840 }
6841 EXPORT_SYMBOL(__skb_ext_del);
6842 
6843 void __skb_ext_put(struct skb_ext *ext)
6844 {
6845 	/* If this is last clone, nothing can increment
6846 	 * it after check passes.  Avoids one atomic op.
6847 	 */
6848 	if (refcount_read(&ext->refcnt) == 1)
6849 		goto free_now;
6850 
6851 	if (!refcount_dec_and_test(&ext->refcnt))
6852 		return;
6853 free_now:
6854 #ifdef CONFIG_XFRM
6855 	if (__skb_ext_exist(ext, SKB_EXT_SEC_PATH))
6856 		skb_ext_put_sp(skb_ext_get_ptr(ext, SKB_EXT_SEC_PATH));
6857 #endif
6858 #ifdef CONFIG_MCTP_FLOWS
6859 	if (__skb_ext_exist(ext, SKB_EXT_MCTP))
6860 		skb_ext_put_mctp(skb_ext_get_ptr(ext, SKB_EXT_MCTP));
6861 #endif
6862 
6863 	kmem_cache_free(skbuff_ext_cache, ext);
6864 }
6865 EXPORT_SYMBOL(__skb_ext_put);
6866 #endif /* CONFIG_SKB_EXTENSIONS */
6867 
6868 /**
6869  * skb_attempt_defer_free - queue skb for remote freeing
6870  * @skb: buffer
6871  *
6872  * Put @skb in a per-cpu list, using the cpu which
6873  * allocated the skb/pages to reduce false sharing
6874  * and memory zone spinlock contention.
6875  */
6876 void skb_attempt_defer_free(struct sk_buff *skb)
6877 {
6878 	int cpu = skb->alloc_cpu;
6879 	struct softnet_data *sd;
6880 	unsigned int defer_max;
6881 	bool kick;
6882 
6883 	if (WARN_ON_ONCE(cpu >= nr_cpu_ids) ||
6884 	    !cpu_online(cpu) ||
6885 	    cpu == raw_smp_processor_id()) {
6886 nodefer:	__kfree_skb(skb);
6887 		return;
6888 	}
6889 
6890 	DEBUG_NET_WARN_ON_ONCE(skb_dst(skb));
6891 	DEBUG_NET_WARN_ON_ONCE(skb->destructor);
6892 
6893 	sd = &per_cpu(softnet_data, cpu);
6894 	defer_max = READ_ONCE(sysctl_skb_defer_max);
6895 	if (READ_ONCE(sd->defer_count) >= defer_max)
6896 		goto nodefer;
6897 
6898 	spin_lock_bh(&sd->defer_lock);
6899 	/* Send an IPI every time queue reaches half capacity. */
6900 	kick = sd->defer_count == (defer_max >> 1);
6901 	/* Paired with the READ_ONCE() few lines above */
6902 	WRITE_ONCE(sd->defer_count, sd->defer_count + 1);
6903 
6904 	skb->next = sd->defer_list;
6905 	/* Paired with READ_ONCE() in skb_defer_free_flush() */
6906 	WRITE_ONCE(sd->defer_list, skb);
6907 	spin_unlock_bh(&sd->defer_lock);
6908 
6909 	/* Make sure to trigger NET_RX_SOFTIRQ on the remote CPU
6910 	 * if we are unlucky enough (this seems very unlikely).
6911 	 */
6912 	if (unlikely(kick) && !cmpxchg(&sd->defer_ipi_scheduled, 0, 1))
6913 		smp_call_function_single_async(cpu, &sd->defer_csd);
6914 }
6915