1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/*
3
 *	IPv6 output functions
4
 *	Linux INET6 implementation
5
 *
6
 *	Authors:
7
 *	Pedro Roque		<[email protected]>
8
 *
9
 *	Based on linux/net/ipv4/ip_output.c
10
 *
11
 *	Changes:
12
 *	A.N.Kuznetsov	:	airthmetics in fragmentation.
13
 *				extension headers are implemented.
14
 *				route changes now work.
15
 *				ip6_forward does not confuse sniffers.
16
 *				etc.
17
 *
18
 *      H. von Brand    :       Added missing #include <linux/string.h>
19
 *	Imran Patel	:	frag id should be in NBO
20
 *      Kazunori MIYAZAWA @USAGI
21
 *			:       add ip6_append_data and related functions
22
 *				for datagram xmit
23
 */
24

25
#include <linux/errno.h>
26
#include <linux/kernel.h>
27
#include <linux/string.h>
28
#include <linux/socket.h>
29
#include <linux/net.h>
30
#include <linux/netdevice.h>
31
#include <linux/if_arp.h>
32
#include <linux/in6.h>
33
#include <linux/tcp.h>
34
#include <linux/route.h>
35
#include <linux/module.h>
36
#include <linux/slab.h>
37

38
#include <linux/bpf-cgroup.h>
39
#include <linux/netfilter.h>
40
#include <linux/netfilter_ipv6.h>
41

42
#include <net/sock.h>
43
#include <net/snmp.h>
44

45
#include <net/gso.h>
46
#include <net/ipv6.h>
47
#include <net/ndisc.h>
48
#include <net/protocol.h>
49
#include <net/ip6_route.h>
50
#include <net/addrconf.h>
51
#include <net/rawv6.h>
52
#include <net/icmp.h>
53
#include <net/xfrm.h>
54
#include <net/checksum.h>
55
#include <linux/mroute6.h>
56
#include <net/l3mdev.h>
57
#include <net/lwtunnel.h>
58
#include <net/ip_tunnels.h>
59

60
static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *skb)
61
{
62
	struct dst_entry *dst = skb_dst(skb);
63
	struct net_device *dev = dst_dev_rcu(dst);
64
	struct inet6_dev *idev = ip6_dst_idev(dst);
65
	unsigned int hh_len = LL_RESERVED_SPACE(dev);
66
	const struct in6_addr *daddr, *nexthop;
67
	struct ipv6hdr *hdr;
68
	struct neighbour *neigh;
69
	int ret;
70

71
	/* Be paranoid, rather than too clever. */
72
	if (unlikely(hh_len > skb_headroom(skb)) && dev->header_ops) {
73
		/* idev stays alive because we hold rcu_read_lock(). */
74
		skb = skb_expand_head(skb, hh_len);
75
		if (!skb) {
76
			IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
77
			return -ENOMEM;
78
		}
79
	}
80

81
	hdr = ipv6_hdr(skb);
82
	daddr = &hdr->daddr;
83
	if (ipv6_addr_is_multicast(daddr)) {
84
		if (!(dev->flags & IFF_LOOPBACK) && sk_mc_loop(sk) &&
85
		    ((mroute6_is_socket(net, skb) &&
86
		     !(IP6CB(skb)->flags & IP6SKB_FORWARDED)) ||
87
		     ipv6_chk_mcast_addr(dev, daddr, &hdr->saddr))) {
88
			struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
89

90
			/* Do not check for IFF_ALLMULTI; multicast routing
91
			   is not supported in any case.
92
			 */
93
			if (newskb)
94
				NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING,
95
					net, sk, newskb, NULL, newskb->dev,
96
					dev_loopback_xmit);
97

98
			if (hdr->hop_limit == 0) {
99
				IP6_INC_STATS(net, idev,
100
					      IPSTATS_MIB_OUTDISCARDS);
101
				kfree_skb(skb);
102
				return 0;
103
			}
104
		}
105

106
		IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, skb->len);
107
		if (IPV6_ADDR_MC_SCOPE(daddr) <= IPV6_ADDR_SCOPE_NODELOCAL &&
108
		    !(dev->flags & IFF_LOOPBACK)) {
109
			kfree_skb(skb);
110
			return 0;
111
		}
112
	}
113

114
	if (lwtunnel_xmit_redirect(dst->lwtstate)) {
115
		int res = lwtunnel_xmit(skb);
116

117
		if (res != LWTUNNEL_XMIT_CONTINUE)
118
			return res;
119
	}
120

121
	IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
122

123
	nexthop = rt6_nexthop(dst_rt6_info(dst), daddr);
124
	neigh = __ipv6_neigh_lookup_noref(dev, nexthop);
125

126
	if (IS_ERR_OR_NULL(neigh)) {
127
		if (unlikely(!neigh))
128
			neigh = __neigh_create(&nd_tbl, nexthop, dev, false);
129
		if (IS_ERR(neigh)) {
130
			IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTNOROUTES);
131
			kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_CREATEFAIL);
132
			return -EINVAL;
133
		}
134
	}
135
	sock_confirm_neigh(skb, neigh);
136
	ret = neigh_output(neigh, skb, false);
137
	return ret;
138
}
139

140
static int
141
ip6_finish_output_gso_slowpath_drop(struct net *net, struct sock *sk,
142
				    struct sk_buff *skb, unsigned int mtu)
143
{
144
	struct sk_buff *segs, *nskb;
145
	netdev_features_t features;
146
	int ret = 0;
147

148
	/* Please see corresponding comment in ip_finish_output_gso
149
	 * describing the cases where GSO segment length exceeds the
150
	 * egress MTU.
151
	 */
152
	features = netif_skb_features(skb);
153
	segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
154
	if (IS_ERR_OR_NULL(segs)) {
155
		kfree_skb(skb);
156
		return -ENOMEM;
157
	}
158

159
	consume_skb(skb);
160

161
	skb_list_walk_safe(segs, segs, nskb) {
162
		int err;
163

164
		skb_mark_not_on_list(segs);
165
		/* Last GSO segment can be smaller than gso_size (and MTU).
166
		 * Adding a fragment header would produce an "atomic fragment",
167
		 * which is considered harmful (RFC-8021). Avoid that.
168
		 */
169
		err = segs->len > mtu ?
170
			ip6_fragment(net, sk, segs, ip6_finish_output2) :
171
			ip6_finish_output2(net, sk, segs);
172
		if (err && ret == 0)
173
			ret = err;
174
	}
175

176
	return ret;
177
}
178

179
static int ip6_finish_output_gso(struct net *net, struct sock *sk,
180
				 struct sk_buff *skb, unsigned int mtu)
181
{
182
	if (!(IP6CB(skb)->flags & IP6SKB_FAKEJUMBO) &&
183
	    !skb_gso_validate_network_len(skb, mtu))
184
		return ip6_finish_output_gso_slowpath_drop(net, sk, skb, mtu);
185

186
	return ip6_finish_output2(net, sk, skb);
187
}
188

189
static int __ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb)
190
{
191
	unsigned int mtu;
192

193
#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
194
	/* Policy lookup after SNAT yielded a new policy */
195
	if (skb_dst(skb)->xfrm) {
196
		IP6CB(skb)->flags |= IP6SKB_REROUTED;
197
		return dst_output(net, sk, skb);
198
	}
199
#endif
200

201
	mtu = ip6_skb_dst_mtu(skb);
202
	if (skb_is_gso(skb))
203
		return ip6_finish_output_gso(net, sk, skb, mtu);
204

205
	if (skb->len > mtu ||
206
	    (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))
207
		return ip6_fragment(net, sk, skb, ip6_finish_output2);
208

209
	return ip6_finish_output2(net, sk, skb);
210
}
211

212
static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb)
213
{
214
	int ret;
215

216
	ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);
217
	switch (ret) {
218
	case NET_XMIT_SUCCESS:
219
	case NET_XMIT_CN:
220
		return __ip6_finish_output(net, sk, skb) ? : ret;
221
	default:
222
		kfree_skb_reason(skb, SKB_DROP_REASON_BPF_CGROUP_EGRESS);
223
		return ret;
224
	}
225
}
226

227
int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
228
{
229
	struct dst_entry *dst = skb_dst(skb);
230
	struct net_device *dev, *indev = skb->dev;
231
	struct inet6_dev *idev;
232
	int ret;
233

234
	skb->protocol = htons(ETH_P_IPV6);
235
	rcu_read_lock();
236
	dev = dst_dev_rcu(dst);
237
	idev = ip6_dst_idev(dst);
238
	skb->dev = dev;
239

240
	if (unlikely(!idev || READ_ONCE(idev->cnf.disable_ipv6))) {
241
		IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
242
		rcu_read_unlock();
243
		kfree_skb_reason(skb, SKB_DROP_REASON_IPV6DISABLED);
244
		return 0;
245
	}
246

247
	ret = NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
248
			   net, sk, skb, indev, dev,
249
			   ip6_finish_output,
250
			   !(IP6CB(skb)->flags & IP6SKB_REROUTED));
251
	rcu_read_unlock();
252
	return ret;
253
}
254
EXPORT_SYMBOL(ip6_output);
255

256
bool ip6_autoflowlabel(struct net *net, const struct sock *sk)
257
{
258
	if (!inet6_test_bit(AUTOFLOWLABEL_SET, sk))
259
		return ip6_default_np_autolabel(net);
260
	return inet6_test_bit(AUTOFLOWLABEL, sk);
261
}
262

263
/*
264
 * xmit an sk_buff (used by TCP and SCTP)
265
 * Note : socket lock is not held for SYNACK packets, but might be modified
266
 * by calls to skb_set_owner_w() and ipv6_local_error(),
267
 * which are using proper atomic operations or spinlocks.
268
 */
269
int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
270
	     __u32 mark, struct ipv6_txoptions *opt, int tclass, u32 priority)
271
{
272
	const struct ipv6_pinfo *np = inet6_sk(sk);
273
	struct in6_addr *first_hop = &fl6->daddr;
274
	struct dst_entry *dst = skb_dst(skb);
275
	struct inet6_dev *idev = ip6_dst_idev(dst);
276
	struct hop_jumbo_hdr *hop_jumbo;
277
	int hoplen = sizeof(*hop_jumbo);
278
	struct net *net = sock_net(sk);
279
	unsigned int head_room;
280
	struct net_device *dev;
281
	struct ipv6hdr *hdr;
282
	u8  proto = fl6->flowi6_proto;
283
	int seg_len = skb->len;
284
	int ret, hlimit = -1;
285
	u32 mtu;
286

287
	rcu_read_lock();
288

289
	dev = dst_dev_rcu(dst);
290
	head_room = sizeof(struct ipv6hdr) + hoplen + LL_RESERVED_SPACE(dev);
291
	if (opt)
292
		head_room += opt->opt_nflen + opt->opt_flen;
293

294
	if (unlikely(head_room > skb_headroom(skb))) {
295
		/* idev stays alive while we hold rcu_read_lock(). */
296
		skb = skb_expand_head(skb, head_room);
297
		if (!skb) {
298
			IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
299
			ret = -ENOBUFS;
300
			goto unlock;
301
		}
302
	}
303

304
	if (opt) {
305
		seg_len += opt->opt_nflen + opt->opt_flen;
306

307
		if (opt->opt_flen)
308
			ipv6_push_frag_opts(skb, opt, &proto);
309

310
		if (opt->opt_nflen)
311
			ipv6_push_nfrag_opts(skb, opt, &proto, &first_hop,
312
					     &fl6->saddr);
313
	}
314

315
	if (unlikely(seg_len > IPV6_MAXPLEN)) {
316
		hop_jumbo = skb_push(skb, hoplen);
317

318
		hop_jumbo->nexthdr = proto;
319
		hop_jumbo->hdrlen = 0;
320
		hop_jumbo->tlv_type = IPV6_TLV_JUMBO;
321
		hop_jumbo->tlv_len = 4;
322
		hop_jumbo->jumbo_payload_len = htonl(seg_len + hoplen);
323

324
		proto = IPPROTO_HOPOPTS;
325
		seg_len = 0;
326
		IP6CB(skb)->flags |= IP6SKB_FAKEJUMBO;
327
	}
328

329
	skb_push(skb, sizeof(struct ipv6hdr));
330
	skb_reset_network_header(skb);
331
	hdr = ipv6_hdr(skb);
332

333
	/*
334
	 *	Fill in the IPv6 header
335
	 */
336
	if (np)
337
		hlimit = READ_ONCE(np->hop_limit);
338
	if (hlimit < 0)
339
		hlimit = ip6_dst_hoplimit(dst);
340

341
	ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel,
342
				ip6_autoflowlabel(net, sk), fl6));
343

344
	hdr->payload_len = htons(seg_len);
345
	hdr->nexthdr = proto;
346
	hdr->hop_limit = hlimit;
347

348
	hdr->saddr = fl6->saddr;
349
	hdr->daddr = *first_hop;
350

351
	skb->protocol = htons(ETH_P_IPV6);
352
	skb->priority = priority;
353
	skb->mark = mark;
354

355
	mtu = dst_mtu(dst);
356
	if ((skb->len <= mtu) || skb->ignore_df || skb_is_gso(skb)) {
357
		IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTREQUESTS);
358

359
		/* if egress device is enslaved to an L3 master device pass the
360
		 * skb to its handler for processing
361
		 */
362
		skb = l3mdev_ip6_out((struct sock *)sk, skb);
363
		if (unlikely(!skb)) {
364
			ret = 0;
365
			goto unlock;
366
		}
367

368
		/* hooks should never assume socket lock is held.
369
		 * we promote our socket to non const
370
		 */
371
		ret = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
372
			      net, (struct sock *)sk, skb, NULL, dev,
373
			      dst_output);
374
		goto unlock;
375
	}
376

377
	ret = -EMSGSIZE;
378
	skb->dev = dev;
379
	/* ipv6_local_error() does not require socket lock,
380
	 * we promote our socket to non const
381
	 */
382
	ipv6_local_error((struct sock *)sk, EMSGSIZE, fl6, mtu);
383

384
	IP6_INC_STATS(net, idev, IPSTATS_MIB_FRAGFAILS);
385
	kfree_skb(skb);
386
unlock:
387
	rcu_read_unlock();
388
	return ret;
389
}
390
EXPORT_SYMBOL(ip6_xmit);
391

392
static int ip6_call_ra_chain(struct sk_buff *skb, int sel)
393
{
394
	struct ip6_ra_chain *ra;
395
	struct sock *last = NULL;
396

397
	read_lock(&ip6_ra_lock);
398
	for (ra = ip6_ra_chain; ra; ra = ra->next) {
399
		struct sock *sk = ra->sk;
400
		if (sk && ra->sel == sel &&
401
		    (!sk->sk_bound_dev_if ||
402
		     sk->sk_bound_dev_if == skb->dev->ifindex)) {
403

404
			if (inet6_test_bit(RTALERT_ISOLATE, sk) &&
405
			    !net_eq(sock_net(sk), dev_net(skb->dev))) {
406
				continue;
407
			}
408
			if (last) {
409
				struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
410
				if (skb2)
411
					rawv6_rcv(last, skb2);
412
			}
413
			last = sk;
414
		}
415
	}
416

417
	if (last) {
418
		rawv6_rcv(last, skb);
419
		read_unlock(&ip6_ra_lock);
420
		return 1;
421
	}
422
	read_unlock(&ip6_ra_lock);
423
	return 0;
424
}
425

426
static int ip6_forward_proxy_check(struct sk_buff *skb)
427
{
428
	struct ipv6hdr *hdr = ipv6_hdr(skb);
429
	u8 nexthdr = hdr->nexthdr;
430
	__be16 frag_off;
431
	int offset;
432

433
	if (ipv6_ext_hdr(nexthdr)) {
434
		offset = ipv6_skip_exthdr(skb, sizeof(*hdr), &nexthdr, &frag_off);
435
		if (offset < 0)
436
			return 0;
437
	} else
438
		offset = sizeof(struct ipv6hdr);
439

440
	if (nexthdr == IPPROTO_ICMPV6) {
441
		struct icmp6hdr *icmp6;
442

443
		if (!pskb_may_pull(skb, (skb_network_header(skb) +
444
					 offset + 1 - skb->data)))
445
			return 0;
446

447
		icmp6 = (struct icmp6hdr *)(skb_network_header(skb) + offset);
448

449
		switch (icmp6->icmp6_type) {
450
		case NDISC_ROUTER_SOLICITATION:
451
		case NDISC_ROUTER_ADVERTISEMENT:
452
		case NDISC_NEIGHBOUR_SOLICITATION:
453
		case NDISC_NEIGHBOUR_ADVERTISEMENT:
454
		case NDISC_REDIRECT:
455
			/* For reaction involving unicast neighbor discovery
456
			 * message destined to the proxied address, pass it to
457
			 * input function.
458
			 */
459
			return 1;
460
		default:
461
			break;
462
		}
463
	}
464

465
	/*
466
	 * The proxying router can't forward traffic sent to a link-local
467
	 * address, so signal the sender and discard the packet. This
468
	 * behavior is clarified by the MIPv6 specification.
469
	 */
470
	if (ipv6_addr_type(&hdr->daddr) & IPV6_ADDR_LINKLOCAL) {
471
		dst_link_failure(skb);
472
		return -1;
473
	}
474

475
	return 0;
476
}
477

478
static inline int ip6_forward_finish(struct net *net, struct sock *sk,
479
				     struct sk_buff *skb)
480
{
481
#ifdef CONFIG_NET_SWITCHDEV
482
	if (skb->offload_l3_fwd_mark) {
483
		consume_skb(skb);
484
		return 0;
485
	}
486
#endif
487

488
	skb_clear_tstamp(skb);
489
	return dst_output(net, sk, skb);
490
}
491

492
static bool ip6_pkt_too_big(const struct sk_buff *skb, unsigned int mtu)
493
{
494
	if (skb->len <= mtu)
495
		return false;
496

497
	/* ipv6 conntrack defrag sets max_frag_size + ignore_df */
498
	if (IP6CB(skb)->frag_max_size && IP6CB(skb)->frag_max_size > mtu)
499
		return true;
500

501
	if (skb->ignore_df)
502
		return false;
503

504
	if (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))
505
		return false;
506

507
	return true;
508
}
509

510
int ip6_forward(struct sk_buff *skb)
511
{
512
	struct dst_entry *dst = skb_dst(skb);
513
	struct ipv6hdr *hdr = ipv6_hdr(skb);
514
	struct inet6_skb_parm *opt = IP6CB(skb);
515
	struct net *net = dev_net(dst_dev(dst));
516
	struct net_device *dev;
517
	struct inet6_dev *idev;
518
	SKB_DR(reason);
519
	u32 mtu;
520

521
	idev = __in6_dev_get_safely(dev_get_by_index_rcu(net, IP6CB(skb)->iif));
522
	if (!READ_ONCE(net->ipv6.devconf_all->forwarding) &&
523
	    (!idev || !READ_ONCE(idev->cnf.force_forwarding)))
524
		goto error;
525

526
	if (skb->pkt_type != PACKET_HOST)
527
		goto drop;
528

529
	if (unlikely(skb->sk))
530
		goto drop;
531

532
	if (skb_warn_if_lro(skb))
533
		goto drop;
534

535
	if (!READ_ONCE(net->ipv6.devconf_all->disable_policy) &&
536
	    (!idev || !READ_ONCE(idev->cnf.disable_policy)) &&
537
	    !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
538
		__IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
539
		goto drop;
540
	}
541

542
	skb_forward_csum(skb);
543

544
	/*
545
	 *	We DO NOT make any processing on
546
	 *	RA packets, pushing them to user level AS IS
547
	 *	without ane WARRANTY that application will be able
548
	 *	to interpret them. The reason is that we
549
	 *	cannot make anything clever here.
550
	 *
551
	 *	We are not end-node, so that if packet contains
552
	 *	AH/ESP, we cannot make anything.
553
	 *	Defragmentation also would be mistake, RA packets
554
	 *	cannot be fragmented, because there is no warranty
555
	 *	that different fragments will go along one path. --ANK
556
	 */
557
	if (unlikely(opt->flags & IP6SKB_ROUTERALERT)) {
558
		if (ip6_call_ra_chain(skb, ntohs(opt->ra)))
559
			return 0;
560
	}
561

562
	/*
563
	 *	check and decrement ttl
564
	 */
565
	if (hdr->hop_limit <= 1) {
566
		icmpv6_send(skb, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT, 0);
567
		__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
568

569
		kfree_skb_reason(skb, SKB_DROP_REASON_IP_INHDR);
570
		return -ETIMEDOUT;
571
	}
572

573
	/* XXX: idev->cnf.proxy_ndp? */
574
	if (READ_ONCE(net->ipv6.devconf_all->proxy_ndp) &&
575
	    pneigh_lookup(&nd_tbl, net, &hdr->daddr, skb->dev)) {
576
		int proxied = ip6_forward_proxy_check(skb);
577
		if (proxied > 0) {
578
			/* It's tempting to decrease the hop limit
579
			 * here by 1, as we do at the end of the
580
			 * function too.
581
			 *
582
			 * But that would be incorrect, as proxying is
583
			 * not forwarding.  The ip6_input function
584
			 * will handle this packet locally, and it
585
			 * depends on the hop limit being unchanged.
586
			 *
587
			 * One example is the NDP hop limit, that
588
			 * always has to stay 255, but other would be
589
			 * similar checks around RA packets, where the
590
			 * user can even change the desired limit.
591
			 */
592
			return ip6_input(skb);
593
		} else if (proxied < 0) {
594
			__IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
595
			goto drop;
596
		}
597
	}
598

599
	if (!xfrm6_route_forward(skb)) {
600
		__IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
601
		SKB_DR_SET(reason, XFRM_POLICY);
602
		goto drop;
603
	}
604
	dst = skb_dst(skb);
605
	dev = dst_dev(dst);
606
	/* IPv6 specs say nothing about it, but it is clear that we cannot
607
	   send redirects to source routed frames.
608
	   We don't send redirects to frames decapsulated from IPsec.
609
	 */
610
	if (IP6CB(skb)->iif == dev->ifindex &&
611
	    opt->srcrt == 0 && !skb_sec_path(skb)) {
612
		struct in6_addr *target = NULL;
613
		struct inet_peer *peer;
614
		struct rt6_info *rt;
615

616
		/*
617
		 *	incoming and outgoing devices are the same
618
		 *	send a redirect.
619
		 */
620

621
		rt = dst_rt6_info(dst);
622
		if (rt->rt6i_flags & RTF_GATEWAY)
623
			target = &rt->rt6i_gateway;
624
		else
625
			target = &hdr->daddr;
626

627
		rcu_read_lock();
628
		peer = inet_getpeer_v6(net->ipv6.peers, &hdr->daddr);
629

630
		/* Limit redirects both by destination (here)
631
		   and by source (inside ndisc_send_redirect)
632
		 */
633
		if (inet_peer_xrlim_allow(peer, 1*HZ))
634
			ndisc_send_redirect(skb, target);
635
		rcu_read_unlock();
636
	} else {
637
		int addrtype = ipv6_addr_type(&hdr->saddr);
638

639
		/* This check is security critical. */
640
		if (addrtype == IPV6_ADDR_ANY ||
641
		    addrtype & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LOOPBACK))
642
			goto error;
643
		if (addrtype & IPV6_ADDR_LINKLOCAL) {
644
			icmpv6_send(skb, ICMPV6_DEST_UNREACH,
645
				    ICMPV6_NOT_NEIGHBOUR, 0);
646
			goto error;
647
		}
648
	}
649

650
	__IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
651

652
	mtu = ip6_dst_mtu_maybe_forward(dst, true);
653
	if (mtu < IPV6_MIN_MTU)
654
		mtu = IPV6_MIN_MTU;
655

656
	if (ip6_pkt_too_big(skb, mtu)) {
657
		/* Again, force OUTPUT device used as source address */
658
		skb->dev = dev;
659
		icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
660
		__IP6_INC_STATS(net, idev, IPSTATS_MIB_INTOOBIGERRORS);
661
		__IP6_INC_STATS(net, ip6_dst_idev(dst),
662
				IPSTATS_MIB_FRAGFAILS);
663
		kfree_skb_reason(skb, SKB_DROP_REASON_PKT_TOO_BIG);
664
		return -EMSGSIZE;
665
	}
666

667
	if (skb_cow(skb, dev->hard_header_len)) {
668
		__IP6_INC_STATS(net, ip6_dst_idev(dst),
669
				IPSTATS_MIB_OUTDISCARDS);
670
		goto drop;
671
	}
672

673
	hdr = ipv6_hdr(skb);
674

675
	/* Mangling hops number delayed to point after skb COW */
676

677
	hdr->hop_limit--;
678

679
	return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD,
680
		       net, NULL, skb, skb->dev, dev,
681
		       ip6_forward_finish);
682

683
error:
684
	__IP6_INC_STATS(net, idev, IPSTATS_MIB_INADDRERRORS);
685
	SKB_DR_SET(reason, IP_INADDRERRORS);
686
drop:
687
	kfree_skb_reason(skb, reason);
688
	return -EINVAL;
689
}
690

691
static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
692
{
693
	to->pkt_type = from->pkt_type;
694
	to->priority = from->priority;
695
	to->protocol = from->protocol;
696
	skb_dst_drop(to);
697
	skb_dst_set(to, dst_clone(skb_dst(from)));
698
	to->dev = from->dev;
699
	to->mark = from->mark;
700

701
	skb_copy_hash(to, from);
702

703
#ifdef CONFIG_NET_SCHED
704
	to->tc_index = from->tc_index;
705
#endif
706
	nf_copy(to, from);
707
	skb_ext_copy(to, from);
708
	skb_copy_secmark(to, from);
709
}
710

711
int ip6_fraglist_init(struct sk_buff *skb, unsigned int hlen, u8 *prevhdr,
712
		      u8 nexthdr, __be32 frag_id,
713
		      struct ip6_fraglist_iter *iter)
714
{
715
	unsigned int first_len;
716
	struct frag_hdr *fh;
717

718
	/* BUILD HEADER */
719
	*prevhdr = NEXTHDR_FRAGMENT;
720
	iter->tmp_hdr = kmemdup(skb_network_header(skb), hlen, GFP_ATOMIC);
721
	if (!iter->tmp_hdr)
722
		return -ENOMEM;
723

724
	iter->frag = skb_shinfo(skb)->frag_list;
725
	skb_frag_list_init(skb);
726

727
	iter->offset = 0;
728
	iter->hlen = hlen;
729
	iter->frag_id = frag_id;
730
	iter->nexthdr = nexthdr;
731

732
	__skb_pull(skb, hlen);
733
	fh = __skb_push(skb, sizeof(struct frag_hdr));
734
	__skb_push(skb, hlen);
735
	skb_reset_network_header(skb);
736
	memcpy(skb_network_header(skb), iter->tmp_hdr, hlen);
737

738
	fh->nexthdr = nexthdr;
739
	fh->reserved = 0;
740
	fh->frag_off = htons(IP6_MF);
741
	fh->identification = frag_id;
742

743
	first_len = skb_pagelen(skb);
744
	skb->data_len = first_len - skb_headlen(skb);
745
	skb->len = first_len;
746
	ipv6_hdr(skb)->payload_len = htons(first_len - sizeof(struct ipv6hdr));
747

748
	return 0;
749
}
750
EXPORT_SYMBOL(ip6_fraglist_init);
751

752
void ip6_fraglist_prepare(struct sk_buff *skb,
753
			  struct ip6_fraglist_iter *iter)
754
{
755
	struct sk_buff *frag = iter->frag;
756
	unsigned int hlen = iter->hlen;
757
	struct frag_hdr *fh;
758

759
	frag->ip_summed = CHECKSUM_NONE;
760
	skb_reset_transport_header(frag);
761
	fh = __skb_push(frag, sizeof(struct frag_hdr));
762
	__skb_push(frag, hlen);
763
	skb_reset_network_header(frag);
764
	memcpy(skb_network_header(frag), iter->tmp_hdr, hlen);
765
	iter->offset += skb->len - hlen - sizeof(struct frag_hdr);
766
	fh->nexthdr = iter->nexthdr;
767
	fh->reserved = 0;
768
	fh->frag_off = htons(iter->offset);
769
	if (frag->next)
770
		fh->frag_off |= htons(IP6_MF);
771
	fh->identification = iter->frag_id;
772
	ipv6_hdr(frag)->payload_len = htons(frag->len - sizeof(struct ipv6hdr));
773
	ip6_copy_metadata(frag, skb);
774
}
775
EXPORT_SYMBOL(ip6_fraglist_prepare);
776

777
void ip6_frag_init(struct sk_buff *skb, unsigned int hlen, unsigned int mtu,
778
		   unsigned short needed_tailroom, int hdr_room, u8 *prevhdr,
779
		   u8 nexthdr, __be32 frag_id, struct ip6_frag_state *state)
780
{
781
	state->prevhdr = prevhdr;
782
	state->nexthdr = nexthdr;
783
	state->frag_id = frag_id;
784

785
	state->hlen = hlen;
786
	state->mtu = mtu;
787

788
	state->left = skb->len - hlen;	/* Space per frame */
789
	state->ptr = hlen;		/* Where to start from */
790

791
	state->hroom = hdr_room;
792
	state->troom = needed_tailroom;
793

794
	state->offset = 0;
795
}
796
EXPORT_SYMBOL(ip6_frag_init);
797

798
struct sk_buff *ip6_frag_next(struct sk_buff *skb, struct ip6_frag_state *state)
799
{
800
	u8 *prevhdr = state->prevhdr, *fragnexthdr_offset;
801
	struct sk_buff *frag;
802
	struct frag_hdr *fh;
803
	unsigned int len;
804

805
	len = state->left;
806
	/* IF: it doesn't fit, use 'mtu' - the data space left */
807
	if (len > state->mtu)
808
		len = state->mtu;
809
	/* IF: we are not sending up to and including the packet end
810
	   then align the next start on an eight byte boundary */
811
	if (len < state->left)
812
		len &= ~7;
813

814
	/* Allocate buffer */
815
	frag = alloc_skb(len + state->hlen + sizeof(struct frag_hdr) +
816
			 state->hroom + state->troom, GFP_ATOMIC);
817
	if (!frag)
818
		return ERR_PTR(-ENOMEM);
819

820
	/*
821
	 *	Set up data on packet
822
	 */
823

824
	ip6_copy_metadata(frag, skb);
825
	skb_reserve(frag, state->hroom);
826
	skb_put(frag, len + state->hlen + sizeof(struct frag_hdr));
827
	skb_reset_network_header(frag);
828
	fh = (struct frag_hdr *)(skb_network_header(frag) + state->hlen);
829
	frag->transport_header = (frag->network_header + state->hlen +
830
				  sizeof(struct frag_hdr));
831

832
	/*
833
	 *	Charge the memory for the fragment to any owner
834
	 *	it might possess
835
	 */
836
	if (skb->sk)
837
		skb_set_owner_w(frag, skb->sk);
838

839
	/*
840
	 *	Copy the packet header into the new buffer.
841
	 */
842
	skb_copy_from_linear_data(skb, skb_network_header(frag), state->hlen);
843

844
	fragnexthdr_offset = skb_network_header(frag);
845
	fragnexthdr_offset += prevhdr - skb_network_header(skb);
846
	*fragnexthdr_offset = NEXTHDR_FRAGMENT;
847

848
	/*
849
	 *	Build fragment header.
850
	 */
851
	fh->nexthdr = state->nexthdr;
852
	fh->reserved = 0;
853
	fh->identification = state->frag_id;
854

855
	/*
856
	 *	Copy a block of the IP datagram.
857
	 */
858
	BUG_ON(skb_copy_bits(skb, state->ptr, skb_transport_header(frag),
859
			     len));
860
	state->left -= len;
861

862
	fh->frag_off = htons(state->offset);
863
	if (state->left > 0)
864
		fh->frag_off |= htons(IP6_MF);
865
	ipv6_hdr(frag)->payload_len = htons(frag->len - sizeof(struct ipv6hdr));
866

867
	state->ptr += len;
868
	state->offset += len;
869

870
	return frag;
871
}
872
EXPORT_SYMBOL(ip6_frag_next);
873

874
int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
875
		 int (*output)(struct net *, struct sock *, struct sk_buff *))
876
{
877
	struct sk_buff *frag;
878
	struct rt6_info *rt = dst_rt6_info(skb_dst(skb));
879
	struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ?
880
				inet6_sk(skb->sk) : NULL;
881
	u8 tstamp_type = skb->tstamp_type;
882
	struct ip6_frag_state state;
883
	unsigned int mtu, hlen, nexthdr_offset;
884
	ktime_t tstamp = skb->tstamp;
885
	int hroom, err = 0;
886
	__be32 frag_id;
887
	u8 *prevhdr, nexthdr = 0;
888

889
	err = ip6_find_1stfragopt(skb, &prevhdr);
890
	if (err < 0)
891
		goto fail;
892
	hlen = err;
893
	nexthdr = *prevhdr;
894
	nexthdr_offset = prevhdr - skb_network_header(skb);
895

896
	mtu = ip6_skb_dst_mtu(skb);
897

898
	/* We must not fragment if the socket is set to force MTU discovery
899
	 * or if the skb it not generated by a local socket.
900
	 */
901
	if (unlikely(!skb->ignore_df && skb->len > mtu))
902
		goto fail_toobig;
903

904
	if (IP6CB(skb)->frag_max_size) {
905
		if (IP6CB(skb)->frag_max_size > mtu)
906
			goto fail_toobig;
907

908
		/* don't send fragments larger than what we received */
909
		mtu = IP6CB(skb)->frag_max_size;
910
		if (mtu < IPV6_MIN_MTU)
911
			mtu = IPV6_MIN_MTU;
912
	}
913

914
	if (np) {
915
		u32 frag_size = READ_ONCE(np->frag_size);
916

917
		if (frag_size && frag_size < mtu)
918
			mtu = frag_size;
919
	}
920
	if (mtu < hlen + sizeof(struct frag_hdr) + 8)
921
		goto fail_toobig;
922
	mtu -= hlen + sizeof(struct frag_hdr);
923

924
	frag_id = ipv6_select_ident(net, &ipv6_hdr(skb)->daddr,
925
				    &ipv6_hdr(skb)->saddr);
926

927
	if (skb->ip_summed == CHECKSUM_PARTIAL &&
928
	    (err = skb_checksum_help(skb)))
929
		goto fail;
930

931
	prevhdr = skb_network_header(skb) + nexthdr_offset;
932
	hroom = LL_RESERVED_SPACE(rt->dst.dev);
933
	if (skb_has_frag_list(skb)) {
934
		unsigned int first_len = skb_pagelen(skb);
935
		struct ip6_fraglist_iter iter;
936
		struct sk_buff *frag2;
937

938
		if (first_len - hlen > mtu ||
939
		    ((first_len - hlen) & 7) ||
940
		    skb_cloned(skb) ||
941
		    skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
942
			goto slow_path;
943

944
		skb_walk_frags(skb, frag) {
945
			/* Correct geometry. */
946
			if (frag->len > mtu ||
947
			    ((frag->len & 7) && frag->next) ||
948
			    skb_headroom(frag) < (hlen + hroom + sizeof(struct frag_hdr)))
949
				goto slow_path_clean;
950

951
			/* Partially cloned skb? */
952
			if (skb_shared(frag))
953
				goto slow_path_clean;
954

955
			BUG_ON(frag->sk);
956
			if (skb->sk) {
957
				frag->sk = skb->sk;
958
				frag->destructor = sock_wfree;
959
			}
960
			skb->truesize -= frag->truesize;
961
		}
962

963
		err = ip6_fraglist_init(skb, hlen, prevhdr, nexthdr, frag_id,
964
					&iter);
965
		if (err < 0)
966
			goto fail;
967

968
		/* We prevent @rt from being freed. */
969
		rcu_read_lock();
970

971
		for (;;) {
972
			/* Prepare header of the next frame,
973
			 * before previous one went down. */
974
			if (iter.frag)
975
				ip6_fraglist_prepare(skb, &iter);
976

977
			skb_set_delivery_time(skb, tstamp, tstamp_type);
978
			err = output(net, sk, skb);
979
			if (!err)
980
				IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
981
					      IPSTATS_MIB_FRAGCREATES);
982

983
			if (err || !iter.frag)
984
				break;
985

986
			skb = ip6_fraglist_next(&iter);
987
		}
988

989
		kfree(iter.tmp_hdr);
990

991
		if (err == 0) {
992
			IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
993
				      IPSTATS_MIB_FRAGOKS);
994
			rcu_read_unlock();
995
			return 0;
996
		}
997

998
		kfree_skb_list(iter.frag);
999

1000
		IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
1001
			      IPSTATS_MIB_FRAGFAILS);
1002
		rcu_read_unlock();
1003
		return err;
1004

1005
slow_path_clean:
1006
		skb_walk_frags(skb, frag2) {
1007
			if (frag2 == frag)
1008
				break;
1009
			frag2->sk = NULL;
1010
			frag2->destructor = NULL;
1011
			skb->truesize += frag2->truesize;
1012
		}
1013
	}
1014

1015
slow_path:
1016
	/*
1017
	 *	Fragment the datagram.
1018
	 */
1019

1020
	ip6_frag_init(skb, hlen, mtu, rt->dst.dev->needed_tailroom,
1021
		      LL_RESERVED_SPACE(rt->dst.dev), prevhdr, nexthdr, frag_id,
1022
		      &state);
1023

1024
	/*
1025
	 *	Keep copying data until we run out.
1026
	 */
1027

1028
	while (state.left > 0) {
1029
		frag = ip6_frag_next(skb, &state);
1030
		if (IS_ERR(frag)) {
1031
			err = PTR_ERR(frag);
1032
			goto fail;
1033
		}
1034

1035
		/*
1036
		 *	Put this fragment into the sending queue.
1037
		 */
1038
		skb_set_delivery_time(frag, tstamp, tstamp_type);
1039
		err = output(net, sk, frag);
1040
		if (err)
1041
			goto fail;
1042

1043
		IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
1044
			      IPSTATS_MIB_FRAGCREATES);
1045
	}
1046
	IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
1047
		      IPSTATS_MIB_FRAGOKS);
1048
	consume_skb(skb);
1049
	return err;
1050

1051
fail_toobig:
1052
	icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
1053
	err = -EMSGSIZE;
1054

1055
fail:
1056
	IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
1057
		      IPSTATS_MIB_FRAGFAILS);
1058
	kfree_skb(skb);
1059
	return err;
1060
}
1061

1062
static inline int ip6_rt_check(const struct rt6key *rt_key,
1063
			       const struct in6_addr *fl_addr,
1064
			       const struct in6_addr *addr_cache)
1065
{
1066
	return (rt_key->plen != 128 || !ipv6_addr_equal(fl_addr, &rt_key->addr)) &&
1067
		(!addr_cache || !ipv6_addr_equal(fl_addr, addr_cache));
1068
}
1069

1070
static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
1071
					  struct dst_entry *dst,
1072
					  const struct flowi6 *fl6)
1073
{
1074
	struct ipv6_pinfo *np = inet6_sk(sk);
1075
	struct rt6_info *rt;
1076

1077
	if (!dst)
1078
		goto out;
1079

1080
	if (dst->ops->family != AF_INET6) {
1081
		dst_release(dst);
1082
		return NULL;
1083
	}
1084

1085
	rt = dst_rt6_info(dst);
1086
	/* Yes, checking route validity in not connected
1087
	 * case is not very simple. Take into account,
1088
	 * that we do not support routing by source, TOS,
1089
	 * and MSG_DONTROUTE		--ANK (980726)
1090
	 *
1091
	 * 1. ip6_rt_check(): If route was host route,
1092
	 *    check that cached destination is current.
1093
	 *    If it is network route, we still may
1094
	 *    check its validity using saved pointer
1095
	 *    to the last used address: daddr_cache.
1096
	 *    We do not want to save whole address now,
1097
	 *    (because main consumer of this service
1098
	 *    is tcp, which has not this problem),
1099
	 *    so that the last trick works only on connected
1100
	 *    sockets.
1101
	 * 2. oif also should be the same.
1102
	 */
1103
	if (ip6_rt_check(&rt->rt6i_dst, &fl6->daddr,
1104
			 np->daddr_cache ? &sk->sk_v6_daddr : NULL) ||
1105
#ifdef CONFIG_IPV6_SUBTREES
1106
	    ip6_rt_check(&rt->rt6i_src, &fl6->saddr,
1107
			 np->saddr_cache ? &np->saddr : NULL) ||
1108
#endif
1109
	   (fl6->flowi6_oif && fl6->flowi6_oif != dst_dev(dst)->ifindex)) {
1110
		dst_release(dst);
1111
		dst = NULL;
1112
	}
1113

1114
out:
1115
	return dst;
1116
}
1117

1118
static int ip6_dst_lookup_tail(struct net *net, const struct sock *sk,
1119
			       struct dst_entry **dst, struct flowi6 *fl6)
1120
{
1121
#ifdef CONFIG_IPV6_OPTIMISTIC_DAD
1122
	struct neighbour *n;
1123
	struct rt6_info *rt;
1124
#endif
1125
	int err;
1126
	int flags = 0;
1127

1128
	/* The correct way to handle this would be to do
1129
	 * ip6_route_get_saddr, and then ip6_route_output; however,
1130
	 * the route-specific preferred source forces the
1131
	 * ip6_route_output call _before_ ip6_route_get_saddr.
1132
	 *
1133
	 * In source specific routing (no src=any default route),
1134
	 * ip6_route_output will fail given src=any saddr, though, so
1135
	 * that's why we try it again later.
1136
	 */
1137
	if (ipv6_addr_any(&fl6->saddr)) {
1138
		struct fib6_info *from;
1139
		struct rt6_info *rt;
1140

1141
		*dst = ip6_route_output(net, sk, fl6);
1142
		rt = (*dst)->error ? NULL : dst_rt6_info(*dst);
1143

1144
		rcu_read_lock();
1145
		from = rt ? rcu_dereference(rt->from) : NULL;
1146
		err = ip6_route_get_saddr(net, from, &fl6->daddr,
1147
					  sk ? READ_ONCE(inet6_sk(sk)->srcprefs) : 0,
1148
					  fl6->flowi6_l3mdev,
1149
					  &fl6->saddr);
1150
		rcu_read_unlock();
1151

1152
		if (err)
1153
			goto out_err_release;
1154

1155
		/* If we had an erroneous initial result, pretend it
1156
		 * never existed and let the SA-enabled version take
1157
		 * over.
1158
		 */
1159
		if ((*dst)->error) {
1160
			dst_release(*dst);
1161
			*dst = NULL;
1162
		}
1163

1164
		if (fl6->flowi6_oif)
1165
			flags |= RT6_LOOKUP_F_IFACE;
1166
	}
1167

1168
	if (!*dst)
1169
		*dst = ip6_route_output_flags(net, sk, fl6, flags);
1170

1171
	err = (*dst)->error;
1172
	if (err)
1173
		goto out_err_release;
1174

1175
#ifdef CONFIG_IPV6_OPTIMISTIC_DAD
1176
	/*
1177
	 * Here if the dst entry we've looked up
1178
	 * has a neighbour entry that is in the INCOMPLETE
1179
	 * state and the src address from the flow is
1180
	 * marked as OPTIMISTIC, we release the found
1181
	 * dst entry and replace it instead with the
1182
	 * dst entry of the nexthop router
1183
	 */
1184
	rt = dst_rt6_info(*dst);
1185
	rcu_read_lock();
1186
	n = __ipv6_neigh_lookup_noref(rt->dst.dev,
1187
				      rt6_nexthop(rt, &fl6->daddr));
1188
	err = n && !(READ_ONCE(n->nud_state) & NUD_VALID) ? -EINVAL : 0;
1189
	rcu_read_unlock();
1190

1191
	if (err) {
1192
		struct inet6_ifaddr *ifp;
1193
		struct flowi6 fl_gw6;
1194
		int redirect;
1195

1196
		ifp = ipv6_get_ifaddr(net, &fl6->saddr,
1197
				      (*dst)->dev, 1);
1198

1199
		redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC);
1200
		if (ifp)
1201
			in6_ifa_put(ifp);
1202

1203
		if (redirect) {
1204
			/*
1205
			 * We need to get the dst entry for the
1206
			 * default router instead
1207
			 */
1208
			dst_release(*dst);
1209
			memcpy(&fl_gw6, fl6, sizeof(struct flowi6));
1210
			memset(&fl_gw6.daddr, 0, sizeof(struct in6_addr));
1211
			*dst = ip6_route_output(net, sk, &fl_gw6);
1212
			err = (*dst)->error;
1213
			if (err)
1214
				goto out_err_release;
1215
		}
1216
	}
1217
#endif
1218
	if (ipv6_addr_v4mapped(&fl6->saddr) &&
1219
	    !(ipv6_addr_v4mapped(&fl6->daddr) || ipv6_addr_any(&fl6->daddr))) {
1220
		err = -EAFNOSUPPORT;
1221
		goto out_err_release;
1222
	}
1223

1224
	return 0;
1225

1226
out_err_release:
1227
	dst_release(*dst);
1228
	*dst = NULL;
1229

1230
	if (err == -ENETUNREACH)
1231
		IP6_INC_STATS(net, NULL, IPSTATS_MIB_OUTNOROUTES);
1232
	return err;
1233
}
1234

1235
/**
1236
 *	ip6_dst_lookup - perform route lookup on flow
1237
 *	@net: Network namespace to perform lookup in
1238
 *	@sk: socket which provides route info
1239
 *	@dst: pointer to dst_entry * for result
1240
 *	@fl6: flow to lookup
1241
 *
1242
 *	This function performs a route lookup on the given flow.
1243
 *
1244
 *	It returns zero on success, or a standard errno code on error.
1245
 */
1246
int ip6_dst_lookup(struct net *net, struct sock *sk, struct dst_entry **dst,
1247
		   struct flowi6 *fl6)
1248
{
1249
	*dst = NULL;
1250
	return ip6_dst_lookup_tail(net, sk, dst, fl6);
1251
}
1252
EXPORT_SYMBOL_GPL(ip6_dst_lookup);
1253

1254
/**
1255
 *	ip6_dst_lookup_flow - perform route lookup on flow with ipsec
1256
 *	@net: Network namespace to perform lookup in
1257
 *	@sk: socket which provides route info
1258
 *	@fl6: flow to lookup
1259
 *	@final_dst: final destination address for ipsec lookup
1260
 *
1261
 *	This function performs a route lookup on the given flow.
1262
 *
1263
 *	It returns a valid dst pointer on success, or a pointer encoded
1264
 *	error code.
1265
 */
1266
struct dst_entry *ip6_dst_lookup_flow(struct net *net, const struct sock *sk, struct flowi6 *fl6,
1267
				      const struct in6_addr *final_dst)
1268
{
1269
	struct dst_entry *dst = NULL;
1270
	int err;
1271

1272
	err = ip6_dst_lookup_tail(net, sk, &dst, fl6);
1273
	if (err)
1274
		return ERR_PTR(err);
1275
	if (final_dst)
1276
		fl6->daddr = *final_dst;
1277

1278
	return xfrm_lookup_route(net, dst, flowi6_to_flowi(fl6), sk, 0);
1279
}
1280
EXPORT_SYMBOL_GPL(ip6_dst_lookup_flow);
1281

1282
/**
1283
 *	ip6_sk_dst_lookup_flow - perform socket cached route lookup on flow
1284
 *	@sk: socket which provides the dst cache and route info
1285
 *	@fl6: flow to lookup
1286
 *	@final_dst: final destination address for ipsec lookup
1287
 *	@connected: whether @sk is connected or not
1288
 *
1289
 *	This function performs a route lookup on the given flow with the
1290
 *	possibility of using the cached route in the socket if it is valid.
1291
 *	It will take the socket dst lock when operating on the dst cache.
1292
 *	As a result, this function can only be used in process context.
1293
 *
1294
 *	In addition, for a connected socket, cache the dst in the socket
1295
 *	if the current cache is not valid.
1296
 *
1297
 *	It returns a valid dst pointer on success, or a pointer encoded
1298
 *	error code.
1299
 */
1300
struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
1301
					 const struct in6_addr *final_dst,
1302
					 bool connected)
1303
{
1304
	struct dst_entry *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
1305

1306
	dst = ip6_sk_dst_check(sk, dst, fl6);
1307
	if (dst)
1308
		return dst;
1309

1310
	dst = ip6_dst_lookup_flow(sock_net(sk), sk, fl6, final_dst);
1311
	if (connected && !IS_ERR(dst))
1312
		ip6_sk_dst_store_flow(sk, dst_clone(dst), fl6);
1313

1314
	return dst;
1315
}
1316
EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow);
1317

1318
static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
1319
					       gfp_t gfp)
1320
{
1321
	return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
1322
}
1323

1324
static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src,
1325
						gfp_t gfp)
1326
{
1327
	return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
1328
}
1329

1330
static void ip6_append_data_mtu(unsigned int *mtu,
1331
				int *maxfraglen,
1332
				unsigned int fragheaderlen,
1333
				struct sk_buff *skb,
1334
				struct rt6_info *rt,
1335
				unsigned int orig_mtu)
1336
{
1337
	if (!(rt->dst.flags & DST_XFRM_TUNNEL)) {
1338
		if (!skb) {
1339
			/* first fragment, reserve header_len */
1340
			*mtu = orig_mtu - rt->dst.header_len;
1341

1342
		} else {
1343
			/*
1344
			 * this fragment is not first, the headers
1345
			 * space is regarded as data space.
1346
			 */
1347
			*mtu = orig_mtu;
1348
		}
1349
		*maxfraglen = ((*mtu - fragheaderlen) & ~7)
1350
			      + fragheaderlen - sizeof(struct frag_hdr);
1351
	}
1352
}
1353

1354
static int ip6_setup_cork(struct sock *sk, struct inet_cork_full *cork,
1355
			  struct inet6_cork *v6_cork, struct ipcm6_cookie *ipc6,
1356
			  struct rt6_info *rt)
1357
{
1358
	struct ipv6_pinfo *np = inet6_sk(sk);
1359
	unsigned int mtu, frag_size;
1360
	struct ipv6_txoptions *nopt, *opt = ipc6->opt;
1361

1362
	/* callers pass dst together with a reference, set it first so
1363
	 * ip6_cork_release() can put it down even in case of an error.
1364
	 */
1365
	cork->base.dst = &rt->dst;
1366

1367
	/*
1368
	 * setup for corking
1369
	 */
1370
	if (opt) {
1371
		if (WARN_ON(v6_cork->opt))
1372
			return -EINVAL;
1373

1374
		nopt = v6_cork->opt = kzalloc(sizeof(*opt), sk->sk_allocation);
1375
		if (unlikely(!nopt))
1376
			return -ENOBUFS;
1377

1378
		nopt->tot_len = sizeof(*opt);
1379
		nopt->opt_flen = opt->opt_flen;
1380
		nopt->opt_nflen = opt->opt_nflen;
1381

1382
		nopt->dst0opt = ip6_opt_dup(opt->dst0opt, sk->sk_allocation);
1383
		if (opt->dst0opt && !nopt->dst0opt)
1384
			return -ENOBUFS;
1385

1386
		nopt->dst1opt = ip6_opt_dup(opt->dst1opt, sk->sk_allocation);
1387
		if (opt->dst1opt && !nopt->dst1opt)
1388
			return -ENOBUFS;
1389

1390
		nopt->hopopt = ip6_opt_dup(opt->hopopt, sk->sk_allocation);
1391
		if (opt->hopopt && !nopt->hopopt)
1392
			return -ENOBUFS;
1393

1394
		nopt->srcrt = ip6_rthdr_dup(opt->srcrt, sk->sk_allocation);
1395
		if (opt->srcrt && !nopt->srcrt)
1396
			return -ENOBUFS;
1397

1398
		/* need source address above miyazawa*/
1399
	}
1400
	v6_cork->hop_limit = ipc6->hlimit;
1401
	v6_cork->tclass = ipc6->tclass;
1402
	v6_cork->dontfrag = ipc6->dontfrag;
1403
	if (rt->dst.flags & DST_XFRM_TUNNEL)
1404
		mtu = READ_ONCE(np->pmtudisc) >= IPV6_PMTUDISC_PROBE ?
1405
		      READ_ONCE(rt->dst.dev->mtu) : dst_mtu(&rt->dst);
1406
	else
1407
		mtu = READ_ONCE(np->pmtudisc) >= IPV6_PMTUDISC_PROBE ?
1408
			READ_ONCE(rt->dst.dev->mtu) : dst_mtu(xfrm_dst_path(&rt->dst));
1409

1410
	frag_size = READ_ONCE(np->frag_size);
1411
	if (frag_size && frag_size < mtu)
1412
		mtu = frag_size;
1413

1414
	cork->base.fragsize = mtu;
1415
	cork->base.gso_size = ipc6->gso_size;
1416
	cork->base.tx_flags = 0;
1417
	cork->base.mark = ipc6->sockc.mark;
1418
	cork->base.priority = ipc6->sockc.priority;
1419
	sock_tx_timestamp(sk, &ipc6->sockc, &cork->base.tx_flags);
1420
	if (ipc6->sockc.tsflags & SOCKCM_FLAG_TS_OPT_ID) {
1421
		cork->base.flags |= IPCORK_TS_OPT_ID;
1422
		cork->base.ts_opt_id = ipc6->sockc.ts_opt_id;
1423
	}
1424
	cork->base.length = 0;
1425
	cork->base.transmit_time = ipc6->sockc.transmit_time;
1426

1427
	return 0;
1428
}
1429

1430
static int __ip6_append_data(struct sock *sk,
1431
			     struct sk_buff_head *queue,
1432
			     struct inet_cork_full *cork_full,
1433
			     struct inet6_cork *v6_cork,
1434
			     struct page_frag *pfrag,
1435
			     int getfrag(void *from, char *to, int offset,
1436
					 int len, int odd, struct sk_buff *skb),
1437
			     void *from, size_t length, int transhdrlen,
1438
			     unsigned int flags)
1439
{
1440
	struct sk_buff *skb, *skb_prev = NULL;
1441
	struct inet_cork *cork = &cork_full->base;
1442
	struct flowi6 *fl6 = &cork_full->fl.u.ip6;
1443
	unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu, pmtu;
1444
	struct ubuf_info *uarg = NULL;
1445
	int exthdrlen = 0;
1446
	int dst_exthdrlen = 0;
1447
	int hh_len;
1448
	int copy;
1449
	int err;
1450
	int offset = 0;
1451
	bool zc = false;
1452
	u32 tskey = 0;
1453
	struct rt6_info *rt = dst_rt6_info(cork->dst);
1454
	bool paged, hold_tskey = false, extra_uref = false;
1455
	struct ipv6_txoptions *opt = v6_cork->opt;
1456
	int csummode = CHECKSUM_NONE;
1457
	unsigned int maxnonfragsize, headersize;
1458
	unsigned int wmem_alloc_delta = 0;
1459

1460
	skb = skb_peek_tail(queue);
1461
	if (!skb) {
1462
		exthdrlen = opt ? opt->opt_flen : 0;
1463
		dst_exthdrlen = rt->dst.header_len - rt->rt6i_nfheader_len;
1464
	}
1465

1466
	paged = !!cork->gso_size;
1467
	mtu = cork->gso_size ? IP6_MAX_MTU : cork->fragsize;
1468
	orig_mtu = mtu;
1469

1470
	hh_len = LL_RESERVED_SPACE(rt->dst.dev);
1471

1472
	fragheaderlen = sizeof(struct ipv6hdr) + rt->rt6i_nfheader_len +
1473
			(opt ? opt->opt_nflen : 0);
1474

1475
	headersize = sizeof(struct ipv6hdr) +
1476
		     (opt ? opt->opt_flen + opt->opt_nflen : 0) +
1477
		     rt->rt6i_nfheader_len;
1478

1479
	if (mtu <= fragheaderlen ||
1480
	    ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr))
1481
		goto emsgsize;
1482

1483
	maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen -
1484
		     sizeof(struct frag_hdr);
1485

1486
	/* as per RFC 7112 section 5, the entire IPv6 Header Chain must fit
1487
	 * the first fragment
1488
	 */
1489
	if (headersize + transhdrlen > mtu)
1490
		goto emsgsize;
1491

1492
	if (cork->length + length > mtu - headersize && v6_cork->dontfrag &&
1493
	    (sk->sk_protocol == IPPROTO_UDP ||
1494
	     sk->sk_protocol == IPPROTO_ICMPV6 ||
1495
	     sk->sk_protocol == IPPROTO_RAW)) {
1496
		ipv6_local_rxpmtu(sk, fl6, mtu - headersize +
1497
				sizeof(struct ipv6hdr));
1498
		goto emsgsize;
1499
	}
1500

1501
	if (ip6_sk_ignore_df(sk))
1502
		maxnonfragsize = sizeof(struct ipv6hdr) + IPV6_MAXPLEN;
1503
	else
1504
		maxnonfragsize = mtu;
1505

1506
	if (cork->length + length > maxnonfragsize - headersize) {
1507
emsgsize:
1508
		pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
1509
		ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
1510
		return -EMSGSIZE;
1511
	}
1512

1513
	/* CHECKSUM_PARTIAL only with no extension headers and when
1514
	 * we are not going to fragment
1515
	 */
1516
	if (transhdrlen && sk->sk_protocol == IPPROTO_UDP &&
1517
	    headersize == sizeof(struct ipv6hdr) &&
1518
	    length <= mtu - headersize &&
1519
	    (!(flags & MSG_MORE) || cork->gso_size) &&
1520
	    rt->dst.dev->features & (NETIF_F_IPV6_CSUM | NETIF_F_HW_CSUM))
1521
		csummode = CHECKSUM_PARTIAL;
1522

1523
	if ((flags & MSG_ZEROCOPY) && length) {
1524
		struct msghdr *msg = from;
1525

1526
		if (getfrag == ip_generic_getfrag && msg->msg_ubuf) {
1527
			if (skb_zcopy(skb) && msg->msg_ubuf != skb_zcopy(skb))
1528
				return -EINVAL;
1529

1530
			/* Leave uarg NULL if can't zerocopy, callers should
1531
			 * be able to handle it.
1532
			 */
1533
			if ((rt->dst.dev->features & NETIF_F_SG) &&
1534
			    csummode == CHECKSUM_PARTIAL) {
1535
				paged = true;
1536
				zc = true;
1537
				uarg = msg->msg_ubuf;
1538
			}
1539
		} else if (sock_flag(sk, SOCK_ZEROCOPY)) {
1540
			uarg = msg_zerocopy_realloc(sk, length, skb_zcopy(skb),
1541
						    false);
1542
			if (!uarg)
1543
				return -ENOBUFS;
1544
			extra_uref = !skb_zcopy(skb);	/* only ref on new uarg */
1545
			if (rt->dst.dev->features & NETIF_F_SG &&
1546
			    csummode == CHECKSUM_PARTIAL) {
1547
				paged = true;
1548
				zc = true;
1549
			} else {
1550
				uarg_to_msgzc(uarg)->zerocopy = 0;
1551
				skb_zcopy_set(skb, uarg, &extra_uref);
1552
			}
1553
		}
1554
	} else if ((flags & MSG_SPLICE_PAGES) && length) {
1555
		if (inet_test_bit(HDRINCL, sk))
1556
			return -EPERM;
1557
		if (rt->dst.dev->features & NETIF_F_SG &&
1558
		    getfrag == ip_generic_getfrag)
1559
			/* We need an empty buffer to attach stuff to */
1560
			paged = true;
1561
		else
1562
			flags &= ~MSG_SPLICE_PAGES;
1563
	}
1564

1565
	if (cork->tx_flags & SKBTX_ANY_TSTAMP &&
1566
	    READ_ONCE(sk->sk_tsflags) & SOF_TIMESTAMPING_OPT_ID) {
1567
		if (cork->flags & IPCORK_TS_OPT_ID) {
1568
			tskey = cork->ts_opt_id;
1569
		} else {
1570
			tskey = atomic_inc_return(&sk->sk_tskey) - 1;
1571
			hold_tskey = true;
1572
		}
1573
	}
1574

1575
	/*
1576
	 * Let's try using as much space as possible.
1577
	 * Use MTU if total length of the message fits into the MTU.
1578
	 * Otherwise, we need to reserve fragment header and
1579
	 * fragment alignment (= 8-15 octects, in total).
1580
	 *
1581
	 * Note that we may need to "move" the data from the tail
1582
	 * of the buffer to the new fragment when we split
1583
	 * the message.
1584
	 *
1585
	 * FIXME: It may be fragmented into multiple chunks
1586
	 *        at once if non-fragmentable extension headers
1587
	 *        are too large.
1588
	 * --yoshfuji
1589
	 */
1590

1591
	cork->length += length;
1592
	if (!skb)
1593
		goto alloc_new_skb;
1594

1595
	while (length > 0) {
1596
		/* Check if the remaining data fits into current packet. */
1597
		copy = (cork->length <= mtu ? mtu : maxfraglen) - skb->len;
1598
		if (copy < length)
1599
			copy = maxfraglen - skb->len;
1600

1601
		if (copy <= 0) {
1602
			char *data;
1603
			unsigned int datalen;
1604
			unsigned int fraglen;
1605
			unsigned int fraggap;
1606
			unsigned int alloclen, alloc_extra;
1607
			unsigned int pagedlen;
1608
alloc_new_skb:
1609
			/* There's no room in the current skb */
1610
			if (skb)
1611
				fraggap = skb->len - maxfraglen;
1612
			else
1613
				fraggap = 0;
1614
			/* update mtu and maxfraglen if necessary */
1615
			if (!skb || !skb_prev)
1616
				ip6_append_data_mtu(&mtu, &maxfraglen,
1617
						    fragheaderlen, skb, rt,
1618
						    orig_mtu);
1619

1620
			skb_prev = skb;
1621

1622
			/*
1623
			 * If remaining data exceeds the mtu,
1624
			 * we know we need more fragment(s).
1625
			 */
1626
			datalen = length + fraggap;
1627

1628
			if (datalen > (cork->length <= mtu ? mtu : maxfraglen) - fragheaderlen)
1629
				datalen = maxfraglen - fragheaderlen - rt->dst.trailer_len;
1630
			fraglen = datalen + fragheaderlen;
1631
			pagedlen = 0;
1632

1633
			alloc_extra = hh_len;
1634
			alloc_extra += dst_exthdrlen;
1635
			alloc_extra += rt->dst.trailer_len;
1636

1637
			/* We just reserve space for fragment header.
1638
			 * Note: this may be overallocation if the message
1639
			 * (without MSG_MORE) fits into the MTU.
1640
			 */
1641
			alloc_extra += sizeof(struct frag_hdr);
1642

1643
			if ((flags & MSG_MORE) &&
1644
			    !(rt->dst.dev->features&NETIF_F_SG))
1645
				alloclen = mtu;
1646
			else if (!paged &&
1647
				 (fraglen + alloc_extra < SKB_MAX_ALLOC ||
1648
				  !(rt->dst.dev->features & NETIF_F_SG)))
1649
				alloclen = fraglen;
1650
			else {
1651
				alloclen = fragheaderlen + transhdrlen;
1652
				pagedlen = datalen - transhdrlen;
1653
			}
1654
			alloclen += alloc_extra;
1655

1656
			if (datalen != length + fraggap) {
1657
				/*
1658
				 * this is not the last fragment, the trailer
1659
				 * space is regarded as data space.
1660
				 */
1661
				datalen += rt->dst.trailer_len;
1662
			}
1663

1664
			fraglen = datalen + fragheaderlen;
1665

1666
			copy = datalen - transhdrlen - fraggap - pagedlen;
1667
			/* [!] NOTE: copy may be negative if pagedlen>0
1668
			 * because then the equation may reduces to -fraggap.
1669
			 */
1670
			if (copy < 0 && !(flags & MSG_SPLICE_PAGES)) {
1671
				err = -EINVAL;
1672
				goto error;
1673
			}
1674
			if (transhdrlen) {
1675
				skb = sock_alloc_send_skb(sk, alloclen,
1676
						(flags & MSG_DONTWAIT), &err);
1677
			} else {
1678
				skb = NULL;
1679
				if (refcount_read(&sk->sk_wmem_alloc) + wmem_alloc_delta <=
1680
				    2 * sk->sk_sndbuf)
1681
					skb = alloc_skb(alloclen,
1682
							sk->sk_allocation);
1683
				if (unlikely(!skb))
1684
					err = -ENOBUFS;
1685
			}
1686
			if (!skb)
1687
				goto error;
1688
			/*
1689
			 *	Fill in the control structures
1690
			 */
1691
			skb->protocol = htons(ETH_P_IPV6);
1692
			skb->ip_summed = csummode;
1693
			skb->csum = 0;
1694
			/* reserve for fragmentation and ipsec header */
1695
			skb_reserve(skb, hh_len + sizeof(struct frag_hdr) +
1696
				    dst_exthdrlen);
1697

1698
			/*
1699
			 *	Find where to start putting bytes
1700
			 */
1701
			data = skb_put(skb, fraglen - pagedlen);
1702
			skb_set_network_header(skb, exthdrlen);
1703
			data += fragheaderlen;
1704
			skb->transport_header = (skb->network_header +
1705
						 fragheaderlen);
1706
			if (fraggap) {
1707
				skb->csum = skb_copy_and_csum_bits(
1708
					skb_prev, maxfraglen,
1709
					data + transhdrlen, fraggap);
1710
				skb_prev->csum = csum_sub(skb_prev->csum,
1711
							  skb->csum);
1712
				data += fraggap;
1713
				pskb_trim_unique(skb_prev, maxfraglen);
1714
			}
1715
			if (copy > 0 &&
1716
			    INDIRECT_CALL_1(getfrag, ip_generic_getfrag,
1717
					   from, data + transhdrlen, offset,
1718
					   copy, fraggap, skb) < 0) {
1719
				err = -EFAULT;
1720
				kfree_skb(skb);
1721
				goto error;
1722
			} else if (flags & MSG_SPLICE_PAGES) {
1723
				copy = 0;
1724
			}
1725

1726
			offset += copy;
1727
			length -= copy + transhdrlen;
1728
			transhdrlen = 0;
1729
			exthdrlen = 0;
1730
			dst_exthdrlen = 0;
1731

1732
			/* Only the initial fragment is time stamped */
1733
			skb_shinfo(skb)->tx_flags = cork->tx_flags;
1734
			cork->tx_flags = 0;
1735
			skb_shinfo(skb)->tskey = tskey;
1736
			tskey = 0;
1737
			skb_zcopy_set(skb, uarg, &extra_uref);
1738

1739
			if ((flags & MSG_CONFIRM) && !skb_prev)
1740
				skb_set_dst_pending_confirm(skb, 1);
1741

1742
			/*
1743
			 * Put the packet on the pending queue
1744
			 */
1745
			if (!skb->destructor) {
1746
				skb->destructor = sock_wfree;
1747
				skb->sk = sk;
1748
				wmem_alloc_delta += skb->truesize;
1749
			}
1750
			__skb_queue_tail(queue, skb);
1751
			continue;
1752
		}
1753

1754
		if (copy > length)
1755
			copy = length;
1756

1757
		if (!(rt->dst.dev->features&NETIF_F_SG) &&
1758
		    skb_tailroom(skb) >= copy) {
1759
			unsigned int off;
1760

1761
			off = skb->len;
1762
			if (INDIRECT_CALL_1(getfrag, ip_generic_getfrag,
1763
					    from, skb_put(skb, copy),
1764
					    offset, copy, off, skb) < 0) {
1765
				__skb_trim(skb, off);
1766
				err = -EFAULT;
1767
				goto error;
1768
			}
1769
		} else if (flags & MSG_SPLICE_PAGES) {
1770
			struct msghdr *msg = from;
1771

1772
			err = -EIO;
1773
			if (WARN_ON_ONCE(copy > msg->msg_iter.count))
1774
				goto error;
1775

1776
			err = skb_splice_from_iter(skb, &msg->msg_iter, copy);
1777
			if (err < 0)
1778
				goto error;
1779
			copy = err;
1780
			wmem_alloc_delta += copy;
1781
		} else if (!zc) {
1782
			int i = skb_shinfo(skb)->nr_frags;
1783

1784
			err = -ENOMEM;
1785
			if (!sk_page_frag_refill(sk, pfrag))
1786
				goto error;
1787

1788
			skb_zcopy_downgrade_managed(skb);
1789
			if (!skb_can_coalesce(skb, i, pfrag->page,
1790
					      pfrag->offset)) {
1791
				err = -EMSGSIZE;
1792
				if (i == MAX_SKB_FRAGS)
1793
					goto error;
1794

1795
				__skb_fill_page_desc(skb, i, pfrag->page,
1796
						     pfrag->offset, 0);
1797
				skb_shinfo(skb)->nr_frags = ++i;
1798
				get_page(pfrag->page);
1799
			}
1800
			copy = min_t(int, copy, pfrag->size - pfrag->offset);
1801
			if (INDIRECT_CALL_1(getfrag, ip_generic_getfrag,
1802
				    from,
1803
				    page_address(pfrag->page) + pfrag->offset,
1804
				    offset, copy, skb->len, skb) < 0)
1805
				goto error_efault;
1806

1807
			pfrag->offset += copy;
1808
			skb_frag_size_add(&skb_shinfo(skb)->frags[i - 1], copy);
1809
			skb->len += copy;
1810
			skb->data_len += copy;
1811
			skb->truesize += copy;
1812
			wmem_alloc_delta += copy;
1813
		} else {
1814
			err = skb_zerocopy_iter_dgram(skb, from, copy);
1815
			if (err < 0)
1816
				goto error;
1817
		}
1818
		offset += copy;
1819
		length -= copy;
1820
	}
1821

1822
	if (wmem_alloc_delta)
1823
		refcount_add(wmem_alloc_delta, &sk->sk_wmem_alloc);
1824
	return 0;
1825

1826
error_efault:
1827
	err = -EFAULT;
1828
error:
1829
	net_zcopy_put_abort(uarg, extra_uref);
1830
	cork->length -= length;
1831
	IP6_INC_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
1832
	refcount_add(wmem_alloc_delta, &sk->sk_wmem_alloc);
1833
	if (hold_tskey)
1834
		atomic_dec(&sk->sk_tskey);
1835
	return err;
1836
}
1837

1838
int ip6_append_data(struct sock *sk,
1839
		    int getfrag(void *from, char *to, int offset, int len,
1840
				int odd, struct sk_buff *skb),
1841
		    void *from, size_t length, int transhdrlen,
1842
		    struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
1843
		    struct rt6_info *rt, unsigned int flags)
1844
{
1845
	struct inet_sock *inet = inet_sk(sk);
1846
	struct ipv6_pinfo *np = inet6_sk(sk);
1847
	int exthdrlen;
1848
	int err;
1849

1850
	if (flags&MSG_PROBE)
1851
		return 0;
1852
	if (skb_queue_empty(&sk->sk_write_queue)) {
1853
		/*
1854
		 * setup for corking
1855
		 */
1856
		dst_hold(&rt->dst);
1857
		err = ip6_setup_cork(sk, &inet->cork, &np->cork,
1858
				     ipc6, rt);
1859
		if (err)
1860
			return err;
1861

1862
		inet->cork.fl.u.ip6 = *fl6;
1863
		exthdrlen = (ipc6->opt ? ipc6->opt->opt_flen : 0);
1864
		length += exthdrlen;
1865
		transhdrlen += exthdrlen;
1866
	} else {
1867
		transhdrlen = 0;
1868
	}
1869

1870
	return __ip6_append_data(sk, &sk->sk_write_queue, &inet->cork,
1871
				 &np->cork, sk_page_frag(sk), getfrag,
1872
				 from, length, transhdrlen, flags);
1873
}
1874
EXPORT_SYMBOL_GPL(ip6_append_data);
1875

1876
static void ip6_cork_steal_dst(struct sk_buff *skb, struct inet_cork_full *cork)
1877
{
1878
	struct dst_entry *dst = cork->base.dst;
1879

1880
	cork->base.dst = NULL;
1881
	skb_dst_set(skb, dst);
1882
}
1883

1884
static void ip6_cork_release(struct inet_cork_full *cork,
1885
			     struct inet6_cork *v6_cork)
1886
{
1887
	if (v6_cork->opt) {
1888
		struct ipv6_txoptions *opt = v6_cork->opt;
1889

1890
		kfree(opt->dst0opt);
1891
		kfree(opt->dst1opt);
1892
		kfree(opt->hopopt);
1893
		kfree(opt->srcrt);
1894
		kfree(opt);
1895
		v6_cork->opt = NULL;
1896
	}
1897

1898
	if (cork->base.dst) {
1899
		dst_release(cork->base.dst);
1900
		cork->base.dst = NULL;
1901
	}
1902
}
1903

1904
struct sk_buff *__ip6_make_skb(struct sock *sk,
1905
			       struct sk_buff_head *queue,
1906
			       struct inet_cork_full *cork,
1907
			       struct inet6_cork *v6_cork)
1908
{
1909
	struct sk_buff *skb, *tmp_skb;
1910
	struct sk_buff **tail_skb;
1911
	struct in6_addr *final_dst;
1912
	struct net *net = sock_net(sk);
1913
	struct ipv6hdr *hdr;
1914
	struct ipv6_txoptions *opt = v6_cork->opt;
1915
	struct rt6_info *rt = dst_rt6_info(cork->base.dst);
1916
	struct flowi6 *fl6 = &cork->fl.u.ip6;
1917
	unsigned char proto = fl6->flowi6_proto;
1918

1919
	skb = __skb_dequeue(queue);
1920
	if (!skb)
1921
		goto out;
1922
	tail_skb = &(skb_shinfo(skb)->frag_list);
1923

1924
	/* move skb->data to ip header from ext header */
1925
	if (skb->data < skb_network_header(skb))
1926
		__skb_pull(skb, skb_network_offset(skb));
1927
	while ((tmp_skb = __skb_dequeue(queue)) != NULL) {
1928
		__skb_pull(tmp_skb, skb_network_header_len(skb));
1929
		*tail_skb = tmp_skb;
1930
		tail_skb = &(tmp_skb->next);
1931
		skb->len += tmp_skb->len;
1932
		skb->data_len += tmp_skb->len;
1933
		skb->truesize += tmp_skb->truesize;
1934
		tmp_skb->destructor = NULL;
1935
		tmp_skb->sk = NULL;
1936
	}
1937

1938
	/* Allow local fragmentation. */
1939
	skb->ignore_df = ip6_sk_ignore_df(sk);
1940
	__skb_pull(skb, skb_network_header_len(skb));
1941

1942
	final_dst = &fl6->daddr;
1943
	if (opt && opt->opt_flen)
1944
		ipv6_push_frag_opts(skb, opt, &proto);
1945
	if (opt && opt->opt_nflen)
1946
		ipv6_push_nfrag_opts(skb, opt, &proto, &final_dst, &fl6->saddr);
1947

1948
	skb_push(skb, sizeof(struct ipv6hdr));
1949
	skb_reset_network_header(skb);
1950
	hdr = ipv6_hdr(skb);
1951

1952
	ip6_flow_hdr(hdr, v6_cork->tclass,
1953
		     ip6_make_flowlabel(net, skb, fl6->flowlabel,
1954
					ip6_autoflowlabel(net, sk), fl6));
1955
	hdr->hop_limit = v6_cork->hop_limit;
1956
	hdr->nexthdr = proto;
1957
	hdr->saddr = fl6->saddr;
1958
	hdr->daddr = *final_dst;
1959

1960
	skb->priority = cork->base.priority;
1961
	skb->mark = cork->base.mark;
1962
	if (sk_is_tcp(sk))
1963
		skb_set_delivery_time(skb, cork->base.transmit_time, SKB_CLOCK_MONOTONIC);
1964
	else
1965
		skb_set_delivery_type_by_clockid(skb, cork->base.transmit_time, sk->sk_clockid);
1966

1967
	ip6_cork_steal_dst(skb, cork);
1968
	IP6_INC_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUTREQUESTS);
1969
	if (proto == IPPROTO_ICMPV6) {
1970
		struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
1971
		u8 icmp6_type;
1972

1973
		if (sk->sk_socket->type == SOCK_RAW &&
1974
		   !(fl6->flowi6_flags & FLOWI_FLAG_KNOWN_NH))
1975
			icmp6_type = fl6->fl6_icmp_type;
1976
		else
1977
			icmp6_type = icmp6_hdr(skb)->icmp6_type;
1978
		ICMP6MSGOUT_INC_STATS(net, idev, icmp6_type);
1979
		ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
1980
	}
1981

1982
	ip6_cork_release(cork, v6_cork);
1983
out:
1984
	return skb;
1985
}
1986

1987
int ip6_send_skb(struct sk_buff *skb)
1988
{
1989
	struct net *net = sock_net(skb->sk);
1990
	struct rt6_info *rt = dst_rt6_info(skb_dst(skb));
1991
	int err;
1992

1993
	rcu_read_lock();
1994
	err = ip6_local_out(net, skb->sk, skb);
1995
	if (err) {
1996
		if (err > 0)
1997
			err = net_xmit_errno(err);
1998
		if (err)
1999
			IP6_INC_STATS(net, rt->rt6i_idev,
2000
				      IPSTATS_MIB_OUTDISCARDS);
2001
	}
2002

2003
	rcu_read_unlock();
2004
	return err;
2005
}
2006

2007
int ip6_push_pending_frames(struct sock *sk)
2008
{
2009
	struct sk_buff *skb;
2010

2011
	skb = ip6_finish_skb(sk);
2012
	if (!skb)
2013
		return 0;
2014

2015
	return ip6_send_skb(skb);
2016
}
2017
EXPORT_SYMBOL_GPL(ip6_push_pending_frames);
2018

2019
static void __ip6_flush_pending_frames(struct sock *sk,
2020
				       struct sk_buff_head *queue,
2021
				       struct inet_cork_full *cork,
2022
				       struct inet6_cork *v6_cork)
2023
{
2024
	struct sk_buff *skb;
2025

2026
	while ((skb = __skb_dequeue_tail(queue)) != NULL) {
2027
		if (skb_dst(skb))
2028
			IP6_INC_STATS(sock_net(sk), ip6_dst_idev(skb_dst(skb)),
2029
				      IPSTATS_MIB_OUTDISCARDS);
2030
		kfree_skb(skb);
2031
	}
2032

2033
	ip6_cork_release(cork, v6_cork);
2034
}
2035

2036
void ip6_flush_pending_frames(struct sock *sk)
2037
{
2038
	__ip6_flush_pending_frames(sk, &sk->sk_write_queue,
2039
				   &inet_sk(sk)->cork, &inet6_sk(sk)->cork);
2040
}
2041
EXPORT_SYMBOL_GPL(ip6_flush_pending_frames);
2042

2043
struct sk_buff *ip6_make_skb(struct sock *sk,
2044
			     int getfrag(void *from, char *to, int offset,
2045
					 int len, int odd, struct sk_buff *skb),
2046
			     void *from, size_t length, int transhdrlen,
2047
			     struct ipcm6_cookie *ipc6, struct rt6_info *rt,
2048
			     unsigned int flags, struct inet_cork_full *cork)
2049
{
2050
	struct inet6_cork v6_cork;
2051
	struct sk_buff_head queue;
2052
	int exthdrlen = (ipc6->opt ? ipc6->opt->opt_flen : 0);
2053
	int err;
2054

2055
	if (flags & MSG_PROBE) {
2056
		dst_release(&rt->dst);
2057
		return NULL;
2058
	}
2059

2060
	__skb_queue_head_init(&queue);
2061

2062
	cork->base.flags = 0;
2063
	cork->base.addr = 0;
2064
	cork->base.opt = NULL;
2065
	v6_cork.opt = NULL;
2066
	err = ip6_setup_cork(sk, cork, &v6_cork, ipc6, rt);
2067
	if (err) {
2068
		ip6_cork_release(cork, &v6_cork);
2069
		return ERR_PTR(err);
2070
	}
2071

2072
	err = __ip6_append_data(sk, &queue, cork, &v6_cork,
2073
				&current->task_frag, getfrag, from,
2074
				length + exthdrlen, transhdrlen + exthdrlen,
2075
				flags);
2076
	if (err) {
2077
		__ip6_flush_pending_frames(sk, &queue, cork, &v6_cork);
2078
		return ERR_PTR(err);
2079
	}
2080

2081
	return __ip6_make_skb(sk, &queue, cork, &v6_cork);
2082
}
2083

2084