security: remove the security_netlink_recv hook as it is equivalent to capable()
[linux-2.6.git] / net / ipv6 / ip6_output.c
1 /*
2  *      IPv6 output functions
3  *      Linux INET6 implementation
4  *
5  *      Authors:
6  *      Pedro Roque             <roque@di.fc.ul.pt>
7  *
8  *      Based on linux/net/ipv4/ip_output.c
9  *
10  *      This program is free software; you can redistribute it and/or
11  *      modify it under the terms of the GNU General Public License
12  *      as published by the Free Software Foundation; either version
13  *      2 of the License, or (at your option) any later version.
14  *
15  *      Changes:
16  *      A.N.Kuznetsov   :       airthmetics in fragmentation.
17  *                              extension headers are implemented.
18  *                              route changes now work.
19  *                              ip6_forward does not confuse sniffers.
20  *                              etc.
21  *
22  *      H. von Brand    :       Added missing #include <linux/string.h>
23  *      Imran Patel     :       frag id should be in NBO
24  *      Kazunori MIYAZAWA @USAGI
25  *                      :       add ip6_append_data and related functions
26  *                              for datagram xmit
27  */
28
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/string.h>
32 #include <linux/socket.h>
33 #include <linux/net.h>
34 #include <linux/netdevice.h>
35 #include <linux/if_arp.h>
36 #include <linux/in6.h>
37 #include <linux/tcp.h>
38 #include <linux/route.h>
39 #include <linux/module.h>
40 #include <linux/slab.h>
41
42 #include <linux/netfilter.h>
43 #include <linux/netfilter_ipv6.h>
44
45 #include <net/sock.h>
46 #include <net/snmp.h>
47
48 #include <net/ipv6.h>
49 #include <net/ndisc.h>
50 #include <net/protocol.h>
51 #include <net/ip6_route.h>
52 #include <net/addrconf.h>
53 #include <net/rawv6.h>
54 #include <net/icmp.h>
55 #include <net/xfrm.h>
56 #include <net/checksum.h>
57 #include <linux/mroute6.h>
58
59 int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *));
60
61 int __ip6_local_out(struct sk_buff *skb)
62 {
63         int len;
64
65         len = skb->len - sizeof(struct ipv6hdr);
66         if (len > IPV6_MAXPLEN)
67                 len = 0;
68         ipv6_hdr(skb)->payload_len = htons(len);
69
70         return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
71                        skb_dst(skb)->dev, dst_output);
72 }
73
74 int ip6_local_out(struct sk_buff *skb)
75 {
76         int err;
77
78         err = __ip6_local_out(skb);
79         if (likely(err == 1))
80                 err = dst_output(skb);
81
82         return err;
83 }
84 EXPORT_SYMBOL_GPL(ip6_local_out);
85
86 /* dev_loopback_xmit for use with netfilter. */
87 static int ip6_dev_loopback_xmit(struct sk_buff *newskb)
88 {
89         skb_reset_mac_header(newskb);
90         __skb_pull(newskb, skb_network_offset(newskb));
91         newskb->pkt_type = PACKET_LOOPBACK;
92         newskb->ip_summed = CHECKSUM_UNNECESSARY;
93         WARN_ON(!skb_dst(newskb));
94
95         netif_rx_ni(newskb);
96         return 0;
97 }
98
99 static int ip6_finish_output2(struct sk_buff *skb)
100 {
101         struct dst_entry *dst = skb_dst(skb);
102         struct net_device *dev = dst->dev;
103         struct neighbour *neigh;
104
105         skb->protocol = htons(ETH_P_IPV6);
106         skb->dev = dev;
107
108         if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) {
109                 struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
110
111                 if (!(dev->flags & IFF_LOOPBACK) && sk_mc_loop(skb->sk) &&
112                     ((mroute6_socket(dev_net(dev), skb) &&
113                      !(IP6CB(skb)->flags & IP6SKB_FORWARDED)) ||
114                      ipv6_chk_mcast_addr(dev, &ipv6_hdr(skb)->daddr,
115                                          &ipv6_hdr(skb)->saddr))) {
116                         struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
117
118                         /* Do not check for IFF_ALLMULTI; multicast routing
119                            is not supported in any case.
120                          */
121                         if (newskb)
122                                 NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING,
123                                         newskb, NULL, newskb->dev,
124                                         ip6_dev_loopback_xmit);
125
126                         if (ipv6_hdr(skb)->hop_limit == 0) {
127                                 IP6_INC_STATS(dev_net(dev), idev,
128                                               IPSTATS_MIB_OUTDISCARDS);
129                                 kfree_skb(skb);
130                                 return 0;
131                         }
132                 }
133
134                 IP6_UPD_PO_STATS(dev_net(dev), idev, IPSTATS_MIB_OUTMCAST,
135                                 skb->len);
136         }
137
138         rcu_read_lock();
139         neigh = dst_get_neighbour(dst);
140         if (neigh) {
141                 int res = neigh_output(neigh, skb);
142
143                 rcu_read_unlock();
144                 return res;
145         }
146         rcu_read_unlock();
147         IP6_INC_STATS_BH(dev_net(dst->dev),
148                          ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
149         kfree_skb(skb);
150         return -EINVAL;
151 }
152
153 static int ip6_finish_output(struct sk_buff *skb)
154 {
155         if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
156             dst_allfrag(skb_dst(skb)))
157                 return ip6_fragment(skb, ip6_finish_output2);
158         else
159                 return ip6_finish_output2(skb);
160 }
161
162 int ip6_output(struct sk_buff *skb)
163 {
164         struct net_device *dev = skb_dst(skb)->dev;
165         struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
166         if (unlikely(idev->cnf.disable_ipv6)) {
167                 IP6_INC_STATS(dev_net(dev), idev,
168                               IPSTATS_MIB_OUTDISCARDS);
169                 kfree_skb(skb);
170                 return 0;
171         }
172
173         return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL, dev,
174                             ip6_finish_output,
175                             !(IP6CB(skb)->flags & IP6SKB_REROUTED));
176 }
177
178 /*
179  *      xmit an sk_buff (used by TCP, SCTP and DCCP)
180  */
181
182 int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
183              struct ipv6_txoptions *opt)
184 {
185         struct net *net = sock_net(sk);
186         struct ipv6_pinfo *np = inet6_sk(sk);
187         struct in6_addr *first_hop = &fl6->daddr;
188         struct dst_entry *dst = skb_dst(skb);
189         struct ipv6hdr *hdr;
190         u8  proto = fl6->flowi6_proto;
191         int seg_len = skb->len;
192         int hlimit = -1;
193         int tclass = 0;
194         u32 mtu;
195
196         if (opt) {
197                 unsigned int head_room;
198
199                 /* First: exthdrs may take lots of space (~8K for now)
200                    MAX_HEADER is not enough.
201                  */
202                 head_room = opt->opt_nflen + opt->opt_flen;
203                 seg_len += head_room;
204                 head_room += sizeof(struct ipv6hdr) + LL_RESERVED_SPACE(dst->dev);
205
206                 if (skb_headroom(skb) < head_room) {
207                         struct sk_buff *skb2 = skb_realloc_headroom(skb, head_room);
208                         if (skb2 == NULL) {
209                                 IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
210                                               IPSTATS_MIB_OUTDISCARDS);
211                                 kfree_skb(skb);
212                                 return -ENOBUFS;
213                         }
214                         kfree_skb(skb);
215                         skb = skb2;
216                         skb_set_owner_w(skb, sk);
217                 }
218                 if (opt->opt_flen)
219                         ipv6_push_frag_opts(skb, opt, &proto);
220                 if (opt->opt_nflen)
221                         ipv6_push_nfrag_opts(skb, opt, &proto, &first_hop);
222         }
223
224         skb_push(skb, sizeof(struct ipv6hdr));
225         skb_reset_network_header(skb);
226         hdr = ipv6_hdr(skb);
227
228         /*
229          *      Fill in the IPv6 header
230          */
231         if (np) {
232                 tclass = np->tclass;
233                 hlimit = np->hop_limit;
234         }
235         if (hlimit < 0)
236                 hlimit = ip6_dst_hoplimit(dst);
237
238         *(__be32 *)hdr = htonl(0x60000000 | (tclass << 20)) | fl6->flowlabel;
239
240         hdr->payload_len = htons(seg_len);
241         hdr->nexthdr = proto;
242         hdr->hop_limit = hlimit;
243
244         ipv6_addr_copy(&hdr->saddr, &fl6->saddr);
245         ipv6_addr_copy(&hdr->daddr, first_hop);
246
247         skb->priority = sk->sk_priority;
248         skb->mark = sk->sk_mark;
249
250         mtu = dst_mtu(dst);
251         if ((skb->len <= mtu) || skb->local_df || skb_is_gso(skb)) {
252                 IP6_UPD_PO_STATS(net, ip6_dst_idev(skb_dst(skb)),
253                               IPSTATS_MIB_OUT, skb->len);
254                 return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
255                                dst->dev, dst_output);
256         }
257
258         if (net_ratelimit())
259                 printk(KERN_DEBUG "IPv6: sending pkt_too_big to self\n");
260         skb->dev = dst->dev;
261         icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
262         IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_FRAGFAILS);
263         kfree_skb(skb);
264         return -EMSGSIZE;
265 }
266
267 EXPORT_SYMBOL(ip6_xmit);
268
269 /*
270  *      To avoid extra problems ND packets are send through this
271  *      routine. It's code duplication but I really want to avoid
272  *      extra checks since ipv6_build_header is used by TCP (which
273  *      is for us performance critical)
274  */
275
276 int ip6_nd_hdr(struct sock *sk, struct sk_buff *skb, struct net_device *dev,
277                const struct in6_addr *saddr, const struct in6_addr *daddr,
278                int proto, int len)
279 {
280         struct ipv6_pinfo *np = inet6_sk(sk);
281         struct ipv6hdr *hdr;
282
283         skb->protocol = htons(ETH_P_IPV6);
284         skb->dev = dev;
285
286         skb_reset_network_header(skb);
287         skb_put(skb, sizeof(struct ipv6hdr));
288         hdr = ipv6_hdr(skb);
289
290         *(__be32*)hdr = htonl(0x60000000);
291
292         hdr->payload_len = htons(len);
293         hdr->nexthdr = proto;
294         hdr->hop_limit = np->hop_limit;
295
296         ipv6_addr_copy(&hdr->saddr, saddr);
297         ipv6_addr_copy(&hdr->daddr, daddr);
298
299         return 0;
300 }
301
302 static int ip6_call_ra_chain(struct sk_buff *skb, int sel)
303 {
304         struct ip6_ra_chain *ra;
305         struct sock *last = NULL;
306
307         read_lock(&ip6_ra_lock);
308         for (ra = ip6_ra_chain; ra; ra = ra->next) {
309                 struct sock *sk = ra->sk;
310                 if (sk && ra->sel == sel &&
311                     (!sk->sk_bound_dev_if ||
312                      sk->sk_bound_dev_if == skb->dev->ifindex)) {
313                         if (last) {
314                                 struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
315                                 if (skb2)
316                                         rawv6_rcv(last, skb2);
317                         }
318                         last = sk;
319                 }
320         }
321
322         if (last) {
323                 rawv6_rcv(last, skb);
324                 read_unlock(&ip6_ra_lock);
325                 return 1;
326         }
327         read_unlock(&ip6_ra_lock);
328         return 0;
329 }
330
331 static int ip6_forward_proxy_check(struct sk_buff *skb)
332 {
333         struct ipv6hdr *hdr = ipv6_hdr(skb);
334         u8 nexthdr = hdr->nexthdr;
335         int offset;
336
337         if (ipv6_ext_hdr(nexthdr)) {
338                 offset = ipv6_skip_exthdr(skb, sizeof(*hdr), &nexthdr);
339                 if (offset < 0)
340                         return 0;
341         } else
342                 offset = sizeof(struct ipv6hdr);
343
344         if (nexthdr == IPPROTO_ICMPV6) {
345                 struct icmp6hdr *icmp6;
346
347                 if (!pskb_may_pull(skb, (skb_network_header(skb) +
348                                          offset + 1 - skb->data)))
349                         return 0;
350
351                 icmp6 = (struct icmp6hdr *)(skb_network_header(skb) + offset);
352
353                 switch (icmp6->icmp6_type) {
354                 case NDISC_ROUTER_SOLICITATION:
355                 case NDISC_ROUTER_ADVERTISEMENT:
356                 case NDISC_NEIGHBOUR_SOLICITATION:
357                 case NDISC_NEIGHBOUR_ADVERTISEMENT:
358                 case NDISC_REDIRECT:
359                         /* For reaction involving unicast neighbor discovery
360                          * message destined to the proxied address, pass it to
361                          * input function.
362                          */
363                         return 1;
364                 default:
365                         break;
366                 }
367         }
368
369         /*
370          * The proxying router can't forward traffic sent to a link-local
371          * address, so signal the sender and discard the packet. This
372          * behavior is clarified by the MIPv6 specification.
373          */
374         if (ipv6_addr_type(&hdr->daddr) & IPV6_ADDR_LINKLOCAL) {
375                 dst_link_failure(skb);
376                 return -1;
377         }
378
379         return 0;
380 }
381
382 static inline int ip6_forward_finish(struct sk_buff *skb)
383 {
384         return dst_output(skb);
385 }
386
387 int ip6_forward(struct sk_buff *skb)
388 {
389         struct dst_entry *dst = skb_dst(skb);
390         struct ipv6hdr *hdr = ipv6_hdr(skb);
391         struct inet6_skb_parm *opt = IP6CB(skb);
392         struct net *net = dev_net(dst->dev);
393         struct neighbour *n;
394         u32 mtu;
395
396         if (net->ipv6.devconf_all->forwarding == 0)
397                 goto error;
398
399         if (skb_warn_if_lro(skb))
400                 goto drop;
401
402         if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
403                 IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_INDISCARDS);
404                 goto drop;
405         }
406
407         if (skb->pkt_type != PACKET_HOST)
408                 goto drop;
409
410         skb_forward_csum(skb);
411
412         /*
413          *      We DO NOT make any processing on
414          *      RA packets, pushing them to user level AS IS
415          *      without ane WARRANTY that application will be able
416          *      to interpret them. The reason is that we
417          *      cannot make anything clever here.
418          *
419          *      We are not end-node, so that if packet contains
420          *      AH/ESP, we cannot make anything.
421          *      Defragmentation also would be mistake, RA packets
422          *      cannot be fragmented, because there is no warranty
423          *      that different fragments will go along one path. --ANK
424          */
425         if (opt->ra) {
426                 u8 *ptr = skb_network_header(skb) + opt->ra;
427                 if (ip6_call_ra_chain(skb, (ptr[2]<<8) + ptr[3]))
428                         return 0;
429         }
430
431         /*
432          *      check and decrement ttl
433          */
434         if (hdr->hop_limit <= 1) {
435                 /* Force OUTPUT device used as source address */
436                 skb->dev = dst->dev;
437                 icmpv6_send(skb, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT, 0);
438                 IP6_INC_STATS_BH(net,
439                                  ip6_dst_idev(dst), IPSTATS_MIB_INHDRERRORS);
440
441                 kfree_skb(skb);
442                 return -ETIMEDOUT;
443         }
444
445         /* XXX: idev->cnf.proxy_ndp? */
446         if (net->ipv6.devconf_all->proxy_ndp &&
447             pneigh_lookup(&nd_tbl, net, &hdr->daddr, skb->dev, 0)) {
448                 int proxied = ip6_forward_proxy_check(skb);
449                 if (proxied > 0)
450                         return ip6_input(skb);
451                 else if (proxied < 0) {
452                         IP6_INC_STATS(net, ip6_dst_idev(dst),
453                                       IPSTATS_MIB_INDISCARDS);
454                         goto drop;
455                 }
456         }
457
458         if (!xfrm6_route_forward(skb)) {
459                 IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_INDISCARDS);
460                 goto drop;
461         }
462         dst = skb_dst(skb);
463
464         /* IPv6 specs say nothing about it, but it is clear that we cannot
465            send redirects to source routed frames.
466            We don't send redirects to frames decapsulated from IPsec.
467          */
468         n = dst_get_neighbour(dst);
469         if (skb->dev == dst->dev && n && opt->srcrt == 0 && !skb_sec_path(skb)) {
470                 struct in6_addr *target = NULL;
471                 struct rt6_info *rt;
472
473                 /*
474                  *      incoming and outgoing devices are the same
475                  *      send a redirect.
476                  */
477
478                 rt = (struct rt6_info *) dst;
479                 if ((rt->rt6i_flags & RTF_GATEWAY))
480                         target = (struct in6_addr*)&n->primary_key;
481                 else
482                         target = &hdr->daddr;
483
484                 if (!rt->rt6i_peer)
485                         rt6_bind_peer(rt, 1);
486
487                 /* Limit redirects both by destination (here)
488                    and by source (inside ndisc_send_redirect)
489                  */
490                 if (inet_peer_xrlim_allow(rt->rt6i_peer, 1*HZ))
491                         ndisc_send_redirect(skb, n, target);
492         } else {
493                 int addrtype = ipv6_addr_type(&hdr->saddr);
494
495                 /* This check is security critical. */
496                 if (addrtype == IPV6_ADDR_ANY ||
497                     addrtype & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LOOPBACK))
498                         goto error;
499                 if (addrtype & IPV6_ADDR_LINKLOCAL) {
500                         icmpv6_send(skb, ICMPV6_DEST_UNREACH,
501                                     ICMPV6_NOT_NEIGHBOUR, 0);
502                         goto error;
503                 }
504         }
505
506         mtu = dst_mtu(dst);
507         if (mtu < IPV6_MIN_MTU)
508                 mtu = IPV6_MIN_MTU;
509
510         if (skb->len > mtu && !skb_is_gso(skb)) {
511                 /* Again, force OUTPUT device used as source address */
512                 skb->dev = dst->dev;
513                 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
514                 IP6_INC_STATS_BH(net,
515                                  ip6_dst_idev(dst), IPSTATS_MIB_INTOOBIGERRORS);
516                 IP6_INC_STATS_BH(net,
517                                  ip6_dst_idev(dst), IPSTATS_MIB_FRAGFAILS);
518                 kfree_skb(skb);
519                 return -EMSGSIZE;
520         }
521
522         if (skb_cow(skb, dst->dev->hard_header_len)) {
523                 IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTDISCARDS);
524                 goto drop;
525         }
526
527         hdr = ipv6_hdr(skb);
528
529         /* Mangling hops number delayed to point after skb COW */
530
531         hdr->hop_limit--;
532
533         IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
534         return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, skb, skb->dev, dst->dev,
535                        ip6_forward_finish);
536
537 error:
538         IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_INADDRERRORS);
539 drop:
540         kfree_skb(skb);
541         return -EINVAL;
542 }
543
544 static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
545 {
546         to->pkt_type = from->pkt_type;
547         to->priority = from->priority;
548         to->protocol = from->protocol;
549         skb_dst_drop(to);
550         skb_dst_set(to, dst_clone(skb_dst(from)));
551         to->dev = from->dev;
552         to->mark = from->mark;
553
554 #ifdef CONFIG_NET_SCHED
555         to->tc_index = from->tc_index;
556 #endif
557         nf_copy(to, from);
558 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
559     defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
560         to->nf_trace = from->nf_trace;
561 #endif
562         skb_copy_secmark(to, from);
563 }
564
565 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
566 {
567         u16 offset = sizeof(struct ipv6hdr);
568         struct ipv6_opt_hdr *exthdr =
569                                 (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
570         unsigned int packet_len = skb->tail - skb->network_header;
571         int found_rhdr = 0;
572         *nexthdr = &ipv6_hdr(skb)->nexthdr;
573
574         while (offset + 1 <= packet_len) {
575
576                 switch (**nexthdr) {
577
578                 case NEXTHDR_HOP:
579                         break;
580                 case NEXTHDR_ROUTING:
581                         found_rhdr = 1;
582                         break;
583                 case NEXTHDR_DEST:
584 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
585                         if (ipv6_find_tlv(skb, offset, IPV6_TLV_HAO) >= 0)
586                                 break;
587 #endif
588                         if (found_rhdr)
589                                 return offset;
590                         break;
591                 default :
592                         return offset;
593                 }
594
595                 offset += ipv6_optlen(exthdr);
596                 *nexthdr = &exthdr->nexthdr;
597                 exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
598                                                  offset);
599         }
600
601         return offset;
602 }
603
604 void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
605 {
606         static atomic_t ipv6_fragmentation_id;
607         int old, new;
608
609         if (rt) {
610                 struct inet_peer *peer;
611
612                 if (!rt->rt6i_peer)
613                         rt6_bind_peer(rt, 1);
614                 peer = rt->rt6i_peer;
615                 if (peer) {
616                         fhdr->identification = htonl(inet_getid(peer, 0));
617                         return;
618                 }
619         }
620         do {
621                 old = atomic_read(&ipv6_fragmentation_id);
622                 new = old + 1;
623                 if (!new)
624                         new = 1;
625         } while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old);
626         fhdr->identification = htonl(new);
627 }
628
629 int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
630 {
631         struct sk_buff *frag;
632         struct rt6_info *rt = (struct rt6_info*)skb_dst(skb);
633         struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL;
634         struct ipv6hdr *tmp_hdr;
635         struct frag_hdr *fh;
636         unsigned int mtu, hlen, left, len;
637         __be32 frag_id = 0;
638         int ptr, offset = 0, err=0;
639         u8 *prevhdr, nexthdr = 0;
640         struct net *net = dev_net(skb_dst(skb)->dev);
641
642         hlen = ip6_find_1stfragopt(skb, &prevhdr);
643         nexthdr = *prevhdr;
644
645         mtu = ip6_skb_dst_mtu(skb);
646
647         /* We must not fragment if the socket is set to force MTU discovery
648          * or if the skb it not generated by a local socket.
649          */
650         if (!skb->local_df && skb->len > mtu) {
651                 skb->dev = skb_dst(skb)->dev;
652                 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
653                 IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
654                               IPSTATS_MIB_FRAGFAILS);
655                 kfree_skb(skb);
656                 return -EMSGSIZE;
657         }
658
659         if (np && np->frag_size < mtu) {
660                 if (np->frag_size)
661                         mtu = np->frag_size;
662         }
663         mtu -= hlen + sizeof(struct frag_hdr);
664
665         if (skb_has_frag_list(skb)) {
666                 int first_len = skb_pagelen(skb);
667                 struct sk_buff *frag2;
668
669                 if (first_len - hlen > mtu ||
670                     ((first_len - hlen) & 7) ||
671                     skb_cloned(skb))
672                         goto slow_path;
673
674                 skb_walk_frags(skb, frag) {
675                         /* Correct geometry. */
676                         if (frag->len > mtu ||
677                             ((frag->len & 7) && frag->next) ||
678                             skb_headroom(frag) < hlen)
679                                 goto slow_path_clean;
680
681                         /* Partially cloned skb? */
682                         if (skb_shared(frag))
683                                 goto slow_path_clean;
684
685                         BUG_ON(frag->sk);
686                         if (skb->sk) {
687                                 frag->sk = skb->sk;
688                                 frag->destructor = sock_wfree;
689                         }
690                         skb->truesize -= frag->truesize;
691                 }
692
693                 err = 0;
694                 offset = 0;
695                 frag = skb_shinfo(skb)->frag_list;
696                 skb_frag_list_init(skb);
697                 /* BUILD HEADER */
698
699                 *prevhdr = NEXTHDR_FRAGMENT;
700                 tmp_hdr = kmemdup(skb_network_header(skb), hlen, GFP_ATOMIC);
701                 if (!tmp_hdr) {
702                         IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
703                                       IPSTATS_MIB_FRAGFAILS);
704                         return -ENOMEM;
705                 }
706
707                 __skb_pull(skb, hlen);
708                 fh = (struct frag_hdr*)__skb_push(skb, sizeof(struct frag_hdr));
709                 __skb_push(skb, hlen);
710                 skb_reset_network_header(skb);
711                 memcpy(skb_network_header(skb), tmp_hdr, hlen);
712
713                 ipv6_select_ident(fh, rt);
714                 fh->nexthdr = nexthdr;
715                 fh->reserved = 0;
716                 fh->frag_off = htons(IP6_MF);
717                 frag_id = fh->identification;
718
719                 first_len = skb_pagelen(skb);
720                 skb->data_len = first_len - skb_headlen(skb);
721                 skb->len = first_len;
722                 ipv6_hdr(skb)->payload_len = htons(first_len -
723                                                    sizeof(struct ipv6hdr));
724
725                 dst_hold(&rt->dst);
726
727                 for (;;) {
728                         /* Prepare header of the next frame,
729                          * before previous one went down. */
730                         if (frag) {
731                                 frag->ip_summed = CHECKSUM_NONE;
732                                 skb_reset_transport_header(frag);
733                                 fh = (struct frag_hdr*)__skb_push(frag, sizeof(struct frag_hdr));
734                                 __skb_push(frag, hlen);
735                                 skb_reset_network_header(frag);
736                                 memcpy(skb_network_header(frag), tmp_hdr,
737                                        hlen);
738                                 offset += skb->len - hlen - sizeof(struct frag_hdr);
739                                 fh->nexthdr = nexthdr;
740                                 fh->reserved = 0;
741                                 fh->frag_off = htons(offset);
742                                 if (frag->next != NULL)
743                                         fh->frag_off |= htons(IP6_MF);
744                                 fh->identification = frag_id;
745                                 ipv6_hdr(frag)->payload_len =
746                                                 htons(frag->len -
747                                                       sizeof(struct ipv6hdr));
748                                 ip6_copy_metadata(frag, skb);
749                         }
750
751                         err = output(skb);
752                         if(!err)
753                                 IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
754                                               IPSTATS_MIB_FRAGCREATES);
755
756                         if (err || !frag)
757                                 break;
758
759                         skb = frag;
760                         frag = skb->next;
761                         skb->next = NULL;
762                 }
763
764                 kfree(tmp_hdr);
765
766                 if (err == 0) {
767                         IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
768                                       IPSTATS_MIB_FRAGOKS);
769                         dst_release(&rt->dst);
770                         return 0;
771                 }
772
773                 while (frag) {
774                         skb = frag->next;
775                         kfree_skb(frag);
776                         frag = skb;
777                 }
778
779                 IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
780                               IPSTATS_MIB_FRAGFAILS);
781                 dst_release(&rt->dst);
782                 return err;
783
784 slow_path_clean:
785                 skb_walk_frags(skb, frag2) {
786                         if (frag2 == frag)
787                                 break;
788                         frag2->sk = NULL;
789                         frag2->destructor = NULL;
790                         skb->truesize += frag2->truesize;
791                 }
792         }
793
794 slow_path:
795         left = skb->len - hlen;         /* Space per frame */
796         ptr = hlen;                     /* Where to start from */
797
798         /*
799          *      Fragment the datagram.
800          */
801
802         *prevhdr = NEXTHDR_FRAGMENT;
803
804         /*
805          *      Keep copying data until we run out.
806          */
807         while(left > 0) {
808                 len = left;
809                 /* IF: it doesn't fit, use 'mtu' - the data space left */
810                 if (len > mtu)
811                         len = mtu;
812                 /* IF: we are not sending up to and including the packet end
813                    then align the next start on an eight byte boundary */
814                 if (len < left) {
815                         len &= ~7;
816                 }
817                 /*
818                  *      Allocate buffer.
819                  */
820
821                 if ((frag = alloc_skb(len+hlen+sizeof(struct frag_hdr)+LL_ALLOCATED_SPACE(rt->dst.dev), GFP_ATOMIC)) == NULL) {
822                         NETDEBUG(KERN_INFO "IPv6: frag: no memory for new fragment!\n");
823                         IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
824                                       IPSTATS_MIB_FRAGFAILS);
825                         err = -ENOMEM;
826                         goto fail;
827                 }
828
829                 /*
830                  *      Set up data on packet
831                  */
832
833                 ip6_copy_metadata(frag, skb);
834                 skb_reserve(frag, LL_RESERVED_SPACE(rt->dst.dev));
835                 skb_put(frag, len + hlen + sizeof(struct frag_hdr));
836                 skb_reset_network_header(frag);
837                 fh = (struct frag_hdr *)(skb_network_header(frag) + hlen);
838                 frag->transport_header = (frag->network_header + hlen +
839                                           sizeof(struct frag_hdr));
840
841                 /*
842                  *      Charge the memory for the fragment to any owner
843                  *      it might possess
844                  */
845                 if (skb->sk)
846                         skb_set_owner_w(frag, skb->sk);
847
848                 /*
849                  *      Copy the packet header into the new buffer.
850                  */
851                 skb_copy_from_linear_data(skb, skb_network_header(frag), hlen);
852
853                 /*
854                  *      Build fragment header.
855                  */
856                 fh->nexthdr = nexthdr;
857                 fh->reserved = 0;
858                 if (!frag_id) {
859                         ipv6_select_ident(fh, rt);
860                         frag_id = fh->identification;
861                 } else
862                         fh->identification = frag_id;
863
864                 /*
865                  *      Copy a block of the IP datagram.
866                  */
867                 if (skb_copy_bits(skb, ptr, skb_transport_header(frag), len))
868                         BUG();
869                 left -= len;
870
871                 fh->frag_off = htons(offset);
872                 if (left > 0)
873                         fh->frag_off |= htons(IP6_MF);
874                 ipv6_hdr(frag)->payload_len = htons(frag->len -
875                                                     sizeof(struct ipv6hdr));
876
877                 ptr += len;
878                 offset += len;
879
880                 /*
881                  *      Put this fragment into the sending queue.
882                  */
883                 err = output(frag);
884                 if (err)
885                         goto fail;
886
887                 IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
888                               IPSTATS_MIB_FRAGCREATES);
889         }
890         IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
891                       IPSTATS_MIB_FRAGOKS);
892         kfree_skb(skb);
893         return err;
894
895 fail:
896         IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
897                       IPSTATS_MIB_FRAGFAILS);
898         kfree_skb(skb);
899         return err;
900 }
901
902 static inline int ip6_rt_check(const struct rt6key *rt_key,
903                                const struct in6_addr *fl_addr,
904                                const struct in6_addr *addr_cache)
905 {
906         return (rt_key->plen != 128 || !ipv6_addr_equal(fl_addr, &rt_key->addr)) &&
907                 (addr_cache == NULL || !ipv6_addr_equal(fl_addr, addr_cache));
908 }
909
910 static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
911                                           struct dst_entry *dst,
912                                           const struct flowi6 *fl6)
913 {
914         struct ipv6_pinfo *np = inet6_sk(sk);
915         struct rt6_info *rt = (struct rt6_info *)dst;
916
917         if (!dst)
918                 goto out;
919
920         /* Yes, checking route validity in not connected
921          * case is not very simple. Take into account,
922          * that we do not support routing by source, TOS,
923          * and MSG_DONTROUTE            --ANK (980726)
924          *
925          * 1. ip6_rt_check(): If route was host route,
926          *    check that cached destination is current.
927          *    If it is network route, we still may
928          *    check its validity using saved pointer
929          *    to the last used address: daddr_cache.
930          *    We do not want to save whole address now,
931          *    (because main consumer of this service
932          *    is tcp, which has not this problem),
933          *    so that the last trick works only on connected
934          *    sockets.
935          * 2. oif also should be the same.
936          */
937         if (ip6_rt_check(&rt->rt6i_dst, &fl6->daddr, np->daddr_cache) ||
938 #ifdef CONFIG_IPV6_SUBTREES
939             ip6_rt_check(&rt->rt6i_src, &fl6->saddr, np->saddr_cache) ||
940 #endif
941             (fl6->flowi6_oif && fl6->flowi6_oif != dst->dev->ifindex)) {
942                 dst_release(dst);
943                 dst = NULL;
944         }
945
946 out:
947         return dst;
948 }
949
950 static int ip6_dst_lookup_tail(struct sock *sk,
951                                struct dst_entry **dst, struct flowi6 *fl6)
952 {
953         struct net *net = sock_net(sk);
954 #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
955         struct neighbour *n;
956 #endif
957         int err;
958
959         if (*dst == NULL)
960                 *dst = ip6_route_output(net, sk, fl6);
961
962         if ((err = (*dst)->error))
963                 goto out_err_release;
964
965         if (ipv6_addr_any(&fl6->saddr)) {
966                 struct rt6_info *rt = (struct rt6_info *) *dst;
967                 err = ip6_route_get_saddr(net, rt, &fl6->daddr,
968                                           sk ? inet6_sk(sk)->srcprefs : 0,
969                                           &fl6->saddr);
970                 if (err)
971                         goto out_err_release;
972         }
973
974 #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
975         /*
976          * Here if the dst entry we've looked up
977          * has a neighbour entry that is in the INCOMPLETE
978          * state and the src address from the flow is
979          * marked as OPTIMISTIC, we release the found
980          * dst entry and replace it instead with the
981          * dst entry of the nexthop router
982          */
983         rcu_read_lock();
984         n = dst_get_neighbour(*dst);
985         if (n && !(n->nud_state & NUD_VALID)) {
986                 struct inet6_ifaddr *ifp;
987                 struct flowi6 fl_gw6;
988                 int redirect;
989
990                 rcu_read_unlock();
991                 ifp = ipv6_get_ifaddr(net, &fl6->saddr,
992                                       (*dst)->dev, 1);
993
994                 redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC);
995                 if (ifp)
996                         in6_ifa_put(ifp);
997
998                 if (redirect) {
999                         /*
1000                          * We need to get the dst entry for the
1001                          * default router instead
1002                          */
1003                         dst_release(*dst);
1004                         memcpy(&fl_gw6, fl6, sizeof(struct flowi6));
1005                         memset(&fl_gw6.daddr, 0, sizeof(struct in6_addr));
1006                         *dst = ip6_route_output(net, sk, &fl_gw6);
1007                         if ((err = (*dst)->error))
1008                                 goto out_err_release;
1009                 }
1010         } else {
1011                 rcu_read_unlock();
1012         }
1013 #endif
1014
1015         return 0;
1016
1017 out_err_release:
1018         if (err == -ENETUNREACH)
1019                 IP6_INC_STATS_BH(net, NULL, IPSTATS_MIB_OUTNOROUTES);
1020         dst_release(*dst);
1021         *dst = NULL;
1022         return err;
1023 }
1024
1025 /**
1026  *      ip6_dst_lookup - perform route lookup on flow
1027  *      @sk: socket which provides route info
1028  *      @dst: pointer to dst_entry * for result
1029  *      @fl6: flow to lookup
1030  *
1031  *      This function performs a route lookup on the given flow.
1032  *
1033  *      It returns zero on success, or a standard errno code on error.
1034  */
1035 int ip6_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi6 *fl6)
1036 {
1037         *dst = NULL;
1038         return ip6_dst_lookup_tail(sk, dst, fl6);
1039 }
1040 EXPORT_SYMBOL_GPL(ip6_dst_lookup);
1041
1042 /**
1043  *      ip6_dst_lookup_flow - perform route lookup on flow with ipsec
1044  *      @sk: socket which provides route info
1045  *      @fl6: flow to lookup
1046  *      @final_dst: final destination address for ipsec lookup
1047  *      @can_sleep: we are in a sleepable context
1048  *
1049  *      This function performs a route lookup on the given flow.
1050  *
1051  *      It returns a valid dst pointer on success, or a pointer encoded
1052  *      error code.
1053  */
1054 struct dst_entry *ip6_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
1055                                       const struct in6_addr *final_dst,
1056                                       bool can_sleep)
1057 {
1058         struct dst_entry *dst = NULL;
1059         int err;
1060
1061         err = ip6_dst_lookup_tail(sk, &dst, fl6);
1062         if (err)
1063                 return ERR_PTR(err);
1064         if (final_dst)
1065                 ipv6_addr_copy(&fl6->daddr, final_dst);
1066         if (can_sleep)
1067                 fl6->flowi6_flags |= FLOWI_FLAG_CAN_SLEEP;
1068
1069         return xfrm_lookup(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
1070 }
1071 EXPORT_SYMBOL_GPL(ip6_dst_lookup_flow);
1072
1073 /**
1074  *      ip6_sk_dst_lookup_flow - perform socket cached route lookup on flow
1075  *      @sk: socket which provides the dst cache and route info
1076  *      @fl6: flow to lookup
1077  *      @final_dst: final destination address for ipsec lookup
1078  *      @can_sleep: we are in a sleepable context
1079  *
1080  *      This function performs a route lookup on the given flow with the
1081  *      possibility of using the cached route in the socket if it is valid.
1082  *      It will take the socket dst lock when operating on the dst cache.
1083  *      As a result, this function can only be used in process context.
1084  *
1085  *      It returns a valid dst pointer on success, or a pointer encoded
1086  *      error code.
1087  */
1088 struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
1089                                          const struct in6_addr *final_dst,
1090                                          bool can_sleep)
1091 {
1092         struct dst_entry *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
1093         int err;
1094
1095         dst = ip6_sk_dst_check(sk, dst, fl6);
1096
1097         err = ip6_dst_lookup_tail(sk, &dst, fl6);
1098         if (err)
1099                 return ERR_PTR(err);
1100         if (final_dst)
1101                 ipv6_addr_copy(&fl6->daddr, final_dst);
1102         if (can_sleep)
1103                 fl6->flowi6_flags |= FLOWI_FLAG_CAN_SLEEP;
1104
1105         return xfrm_lookup(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
1106 }
1107 EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow);
1108
1109 static inline int ip6_ufo_append_data(struct sock *sk,
1110                         int getfrag(void *from, char *to, int offset, int len,
1111                         int odd, struct sk_buff *skb),
1112                         void *from, int length, int hh_len, int fragheaderlen,
1113                         int transhdrlen, int mtu,unsigned int flags,
1114                         struct rt6_info *rt)
1115
1116 {
1117         struct sk_buff *skb;
1118         int err;
1119
1120         /* There is support for UDP large send offload by network
1121          * device, so create one single skb packet containing complete
1122          * udp datagram
1123          */
1124         if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
1125                 skb = sock_alloc_send_skb(sk,
1126                         hh_len + fragheaderlen + transhdrlen + 20,
1127                         (flags & MSG_DONTWAIT), &err);
1128                 if (skb == NULL)
1129                         return -ENOMEM;
1130
1131                 /* reserve space for Hardware header */
1132                 skb_reserve(skb, hh_len);
1133
1134                 /* create space for UDP/IP header */
1135                 skb_put(skb,fragheaderlen + transhdrlen);
1136
1137                 /* initialize network header pointer */
1138                 skb_reset_network_header(skb);
1139
1140                 /* initialize protocol header pointer */
1141                 skb->transport_header = skb->network_header + fragheaderlen;
1142
1143                 skb->ip_summed = CHECKSUM_PARTIAL;
1144                 skb->csum = 0;
1145         }
1146
1147         err = skb_append_datato_frags(sk,skb, getfrag, from,
1148                                       (length - transhdrlen));
1149         if (!err) {
1150                 struct frag_hdr fhdr;
1151
1152                 /* Specify the length of each IPv6 datagram fragment.
1153                  * It has to be a multiple of 8.
1154                  */
1155                 skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
1156                                              sizeof(struct frag_hdr)) & ~7;
1157                 skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
1158                 ipv6_select_ident(&fhdr, rt);
1159                 skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
1160                 __skb_queue_tail(&sk->sk_write_queue, skb);
1161
1162                 return 0;
1163         }
1164         /* There is not enough support do UPD LSO,
1165          * so follow normal path
1166          */
1167         kfree_skb(skb);
1168
1169         return err;
1170 }
1171
1172 static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
1173                                                gfp_t gfp)
1174 {
1175         return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
1176 }
1177
1178 static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src,
1179                                                 gfp_t gfp)
1180 {
1181         return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
1182 }
1183
1184 int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
1185         int offset, int len, int odd, struct sk_buff *skb),
1186         void *from, int length, int transhdrlen,
1187         int hlimit, int tclass, struct ipv6_txoptions *opt, struct flowi6 *fl6,
1188         struct rt6_info *rt, unsigned int flags, int dontfrag)
1189 {
1190         struct inet_sock *inet = inet_sk(sk);
1191         struct ipv6_pinfo *np = inet6_sk(sk);
1192         struct inet_cork *cork;
1193         struct sk_buff *skb;
1194         unsigned int maxfraglen, fragheaderlen;
1195         int exthdrlen;
1196         int hh_len;
1197         int mtu;
1198         int copy;
1199         int err;
1200         int offset = 0;
1201         int csummode = CHECKSUM_NONE;
1202         __u8 tx_flags = 0;
1203
1204         if (flags&MSG_PROBE)
1205                 return 0;
1206         cork = &inet->cork.base;
1207         if (skb_queue_empty(&sk->sk_write_queue)) {
1208                 /*
1209                  * setup for corking
1210                  */
1211                 if (opt) {
1212                         if (WARN_ON(np->cork.opt))
1213                                 return -EINVAL;
1214
1215                         np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
1216                         if (unlikely(np->cork.opt == NULL))
1217                                 return -ENOBUFS;
1218
1219                         np->cork.opt->tot_len = opt->tot_len;
1220                         np->cork.opt->opt_flen = opt->opt_flen;
1221                         np->cork.opt->opt_nflen = opt->opt_nflen;
1222
1223                         np->cork.opt->dst0opt = ip6_opt_dup(opt->dst0opt,
1224                                                             sk->sk_allocation);
1225                         if (opt->dst0opt && !np->cork.opt->dst0opt)
1226                                 return -ENOBUFS;
1227
1228                         np->cork.opt->dst1opt = ip6_opt_dup(opt->dst1opt,
1229                                                             sk->sk_allocation);
1230                         if (opt->dst1opt && !np->cork.opt->dst1opt)
1231                                 return -ENOBUFS;
1232
1233                         np->cork.opt->hopopt = ip6_opt_dup(opt->hopopt,
1234                                                            sk->sk_allocation);
1235                         if (opt->hopopt && !np->cork.opt->hopopt)
1236                                 return -ENOBUFS;
1237
1238                         np->cork.opt->srcrt = ip6_rthdr_dup(opt->srcrt,
1239                                                             sk->sk_allocation);
1240                         if (opt->srcrt && !np->cork.opt->srcrt)
1241                                 return -ENOBUFS;
1242
1243                         /* need source address above miyazawa*/
1244                 }
1245                 dst_hold(&rt->dst);
1246                 cork->dst = &rt->dst;
1247                 inet->cork.fl.u.ip6 = *fl6;
1248                 np->cork.hop_limit = hlimit;
1249                 np->cork.tclass = tclass;
1250                 mtu = np->pmtudisc == IPV6_PMTUDISC_PROBE ?
1251                       rt->dst.dev->mtu : dst_mtu(rt->dst.path);
1252                 if (np->frag_size < mtu) {
1253                         if (np->frag_size)
1254                                 mtu = np->frag_size;
1255                 }
1256                 cork->fragsize = mtu;
1257                 if (dst_allfrag(rt->dst.path))
1258                         cork->flags |= IPCORK_ALLFRAG;
1259                 cork->length = 0;
1260                 sk->sk_sndmsg_page = NULL;
1261                 sk->sk_sndmsg_off = 0;
1262                 exthdrlen = rt->dst.header_len + (opt ? opt->opt_flen : 0) -
1263                             rt->rt6i_nfheader_len;
1264                 length += exthdrlen;
1265                 transhdrlen += exthdrlen;
1266         } else {
1267                 rt = (struct rt6_info *)cork->dst;
1268                 fl6 = &inet->cork.fl.u.ip6;
1269                 opt = np->cork.opt;
1270                 transhdrlen = 0;
1271                 exthdrlen = 0;
1272                 mtu = cork->fragsize;
1273         }
1274
1275         hh_len = LL_RESERVED_SPACE(rt->dst.dev);
1276
1277         fragheaderlen = sizeof(struct ipv6hdr) + rt->rt6i_nfheader_len +
1278                         (opt ? opt->opt_nflen : 0);
1279         maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen - sizeof(struct frag_hdr);
1280
1281         if (mtu <= sizeof(struct ipv6hdr) + IPV6_MAXPLEN) {
1282                 if (cork->length + length > sizeof(struct ipv6hdr) + IPV6_MAXPLEN - fragheaderlen) {
1283                         ipv6_local_error(sk, EMSGSIZE, fl6, mtu-exthdrlen);
1284                         return -EMSGSIZE;
1285                 }
1286         }
1287
1288         /* For UDP, check if TX timestamp is enabled */
1289         if (sk->sk_type == SOCK_DGRAM) {
1290                 err = sock_tx_timestamp(sk, &tx_flags);
1291                 if (err)
1292                         goto error;
1293         }
1294
1295         /*
1296          * Let's try using as much space as possible.
1297          * Use MTU if total length of the message fits into the MTU.
1298          * Otherwise, we need to reserve fragment header and
1299          * fragment alignment (= 8-15 octects, in total).
1300          *
1301          * Note that we may need to "move" the data from the tail of
1302          * of the buffer to the new fragment when we split
1303          * the message.
1304          *
1305          * FIXME: It may be fragmented into multiple chunks
1306          *        at once if non-fragmentable extension headers
1307          *        are too large.
1308          * --yoshfuji
1309          */
1310
1311         cork->length += length;
1312         if (length > mtu) {
1313                 int proto = sk->sk_protocol;
1314                 if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){
1315                         ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
1316                         return -EMSGSIZE;
1317                 }
1318
1319                 if (proto == IPPROTO_UDP &&
1320                     (rt->dst.dev->features & NETIF_F_UFO)) {
1321
1322                         err = ip6_ufo_append_data(sk, getfrag, from, length,
1323                                                   hh_len, fragheaderlen,
1324                                                   transhdrlen, mtu, flags, rt);
1325                         if (err)
1326                                 goto error;
1327                         return 0;
1328                 }
1329         }
1330
1331         if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
1332                 goto alloc_new_skb;
1333
1334         while (length > 0) {
1335                 /* Check if the remaining data fits into current packet. */
1336                 copy = (cork->length <= mtu && !(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - skb->len;
1337                 if (copy < length)
1338                         copy = maxfraglen - skb->len;
1339
1340                 if (copy <= 0) {
1341                         char *data;
1342                         unsigned int datalen;
1343                         unsigned int fraglen;
1344                         unsigned int fraggap;
1345                         unsigned int alloclen;
1346                         struct sk_buff *skb_prev;
1347 alloc_new_skb:
1348                         skb_prev = skb;
1349
1350                         /* There's no room in the current skb */
1351                         if (skb_prev)
1352                                 fraggap = skb_prev->len - maxfraglen;
1353                         else
1354                                 fraggap = 0;
1355
1356                         /*
1357                          * If remaining data exceeds the mtu,
1358                          * we know we need more fragment(s).
1359                          */
1360                         datalen = length + fraggap;
1361                         if (datalen > (cork->length <= mtu && !(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen)
1362                                 datalen = maxfraglen - fragheaderlen;
1363
1364                         fraglen = datalen + fragheaderlen;
1365                         if ((flags & MSG_MORE) &&
1366                             !(rt->dst.dev->features&NETIF_F_SG))
1367                                 alloclen = mtu;
1368                         else
1369                                 alloclen = datalen + fragheaderlen;
1370
1371                         /*
1372                          * The last fragment gets additional space at tail.
1373                          * Note: we overallocate on fragments with MSG_MODE
1374                          * because we have no idea if we're the last one.
1375                          */
1376                         if (datalen == length + fraggap)
1377                                 alloclen += rt->dst.trailer_len;
1378
1379                         /*
1380                          * We just reserve space for fragment header.
1381                          * Note: this may be overallocation if the message
1382                          * (without MSG_MORE) fits into the MTU.
1383                          */
1384                         alloclen += sizeof(struct frag_hdr);
1385
1386                         if (transhdrlen) {
1387                                 skb = sock_alloc_send_skb(sk,
1388                                                 alloclen + hh_len,
1389                                                 (flags & MSG_DONTWAIT), &err);
1390                         } else {
1391                                 skb = NULL;
1392                                 if (atomic_read(&sk->sk_wmem_alloc) <=
1393                                     2 * sk->sk_sndbuf)
1394                                         skb = sock_wmalloc(sk,
1395                                                            alloclen + hh_len, 1,
1396                                                            sk->sk_allocation);
1397                                 if (unlikely(skb == NULL))
1398                                         err = -ENOBUFS;
1399                                 else {
1400                                         /* Only the initial fragment
1401                                          * is time stamped.
1402                                          */
1403                                         tx_flags = 0;
1404                                 }
1405                         }
1406                         if (skb == NULL)
1407                                 goto error;
1408                         /*
1409                          *      Fill in the control structures
1410                          */
1411                         skb->ip_summed = csummode;
1412                         skb->csum = 0;
1413                         /* reserve for fragmentation */
1414                         skb_reserve(skb, hh_len+sizeof(struct frag_hdr));
1415
1416                         if (sk->sk_type == SOCK_DGRAM)
1417                                 skb_shinfo(skb)->tx_flags = tx_flags;
1418
1419                         /*
1420                          *      Find where to start putting bytes
1421                          */
1422                         data = skb_put(skb, fraglen);
1423                         skb_set_network_header(skb, exthdrlen);
1424                         data += fragheaderlen;
1425                         skb->transport_header = (skb->network_header +
1426                                                  fragheaderlen);
1427                         if (fraggap) {
1428                                 skb->csum = skb_copy_and_csum_bits(
1429                                         skb_prev, maxfraglen,
1430                                         data + transhdrlen, fraggap, 0);
1431                                 skb_prev->csum = csum_sub(skb_prev->csum,
1432                                                           skb->csum);
1433                                 data += fraggap;
1434                                 pskb_trim_unique(skb_prev, maxfraglen);
1435                         }
1436                         copy = datalen - transhdrlen - fraggap;
1437                         if (copy < 0) {
1438                                 err = -EINVAL;
1439                                 kfree_skb(skb);
1440                                 goto error;
1441                         } else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
1442                                 err = -EFAULT;
1443                                 kfree_skb(skb);
1444                                 goto error;
1445                         }
1446
1447                         offset += copy;
1448                         length -= datalen - fraggap;
1449                         transhdrlen = 0;
1450                         exthdrlen = 0;
1451                         csummode = CHECKSUM_NONE;
1452
1453                         /*
1454                          * Put the packet on the pending queue
1455                          */
1456                         __skb_queue_tail(&sk->sk_write_queue, skb);
1457                         continue;
1458                 }
1459
1460                 if (copy > length)
1461                         copy = length;
1462
1463                 if (!(rt->dst.dev->features&NETIF_F_SG)) {
1464                         unsigned int off;
1465
1466                         off = skb->len;
1467                         if (getfrag(from, skb_put(skb, copy),
1468                                                 offset, copy, off, skb) < 0) {
1469                                 __skb_trim(skb, off);
1470                                 err = -EFAULT;
1471                                 goto error;
1472                         }
1473                 } else {
1474                         int i = skb_shinfo(skb)->nr_frags;
1475                         skb_frag_t *frag = &skb_shinfo(skb)->frags[i-1];
1476                         struct page *page = sk->sk_sndmsg_page;
1477                         int off = sk->sk_sndmsg_off;
1478                         unsigned int left;
1479
1480                         if (page && (left = PAGE_SIZE - off) > 0) {
1481                                 if (copy >= left)
1482                                         copy = left;
1483                                 if (page != frag->page) {
1484                                         if (i == MAX_SKB_FRAGS) {
1485                                                 err = -EMSGSIZE;
1486                                                 goto error;
1487                                         }
1488                                         get_page(page);
1489                                         skb_fill_page_desc(skb, i, page, sk->sk_sndmsg_off, 0);
1490                                         frag = &skb_shinfo(skb)->frags[i];
1491                                 }
1492                         } else if(i < MAX_SKB_FRAGS) {
1493                                 if (copy > PAGE_SIZE)
1494                                         copy = PAGE_SIZE;
1495                                 page = alloc_pages(sk->sk_allocation, 0);
1496                                 if (page == NULL) {
1497                                         err = -ENOMEM;
1498                                         goto error;
1499                                 }
1500                                 sk->sk_sndmsg_page = page;
1501                                 sk->sk_sndmsg_off = 0;
1502
1503                                 skb_fill_page_desc(skb, i, page, 0, 0);
1504                                 frag = &skb_shinfo(skb)->frags[i];
1505                         } else {
1506                                 err = -EMSGSIZE;
1507                                 goto error;
1508                         }
1509                         if (getfrag(from, page_address(frag->page)+frag->page_offset+frag->size, offset, copy, skb->len, skb) < 0) {
1510                                 err = -EFAULT;
1511                                 goto error;
1512                         }
1513                         sk->sk_sndmsg_off += copy;
1514                         frag->size += copy;
1515                         skb->len += copy;
1516                         skb->data_len += copy;
1517                         skb->truesize += copy;
1518                         atomic_add(copy, &sk->sk_wmem_alloc);
1519                 }
1520                 offset += copy;
1521                 length -= copy;
1522         }
1523         return 0;
1524 error:
1525         cork->length -= length;
1526         IP6_INC_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
1527         return err;
1528 }
1529
1530 static void ip6_cork_release(struct inet_sock *inet, struct ipv6_pinfo *np)
1531 {
1532         if (np->cork.opt) {
1533                 kfree(np->cork.opt->dst0opt);
1534                 kfree(np->cork.opt->dst1opt);
1535                 kfree(np->cork.opt->hopopt);
1536                 kfree(np->cork.opt->srcrt);
1537                 kfree(np->cork.opt);
1538                 np->cork.opt = NULL;
1539         }
1540
1541         if (inet->cork.base.dst) {
1542                 dst_release(inet->cork.base.dst);
1543                 inet->cork.base.dst = NULL;
1544                 inet->cork.base.flags &= ~IPCORK_ALLFRAG;
1545         }
1546         memset(&inet->cork.fl, 0, sizeof(inet->cork.fl));
1547 }
1548
1549 int ip6_push_pending_frames(struct sock *sk)
1550 {
1551         struct sk_buff *skb, *tmp_skb;
1552         struct sk_buff **tail_skb;
1553         struct in6_addr final_dst_buf, *final_dst = &final_dst_buf;
1554         struct inet_sock *inet = inet_sk(sk);
1555         struct ipv6_pinfo *np = inet6_sk(sk);
1556         struct net *net = sock_net(sk);
1557         struct ipv6hdr *hdr;
1558         struct ipv6_txoptions *opt = np->cork.opt;
1559         struct rt6_info *rt = (struct rt6_info *)inet->cork.base.dst;
1560         struct flowi6 *fl6 = &inet->cork.fl.u.ip6;
1561         unsigned char proto = fl6->flowi6_proto;
1562         int err = 0;
1563
1564         if ((skb = __skb_dequeue(&sk->sk_write_queue)) == NULL)
1565                 goto out;
1566         tail_skb = &(skb_shinfo(skb)->frag_list);
1567
1568         /* move skb->data to ip header from ext header */
1569         if (skb->data < skb_network_header(skb))
1570                 __skb_pull(skb, skb_network_offset(skb));
1571         while ((tmp_skb = __skb_dequeue(&sk->sk_write_queue)) != NULL) {
1572                 __skb_pull(tmp_skb, skb_network_header_len(skb));
1573                 *tail_skb = tmp_skb;
1574                 tail_skb = &(tmp_skb->next);
1575                 skb->len += tmp_skb->len;
1576                 skb->data_len += tmp_skb->len;
1577                 skb->truesize += tmp_skb->truesize;
1578                 tmp_skb->destructor = NULL;
1579                 tmp_skb->sk = NULL;
1580         }
1581
1582         /* Allow local fragmentation. */
1583         if (np->pmtudisc < IPV6_PMTUDISC_DO)
1584                 skb->local_df = 1;
1585
1586         ipv6_addr_copy(final_dst, &fl6->daddr);
1587         __skb_pull(skb, skb_network_header_len(skb));
1588         if (opt && opt->opt_flen)
1589                 ipv6_push_frag_opts(skb, opt, &proto);
1590         if (opt && opt->opt_nflen)
1591                 ipv6_push_nfrag_opts(skb, opt, &proto, &final_dst);
1592
1593         skb_push(skb, sizeof(struct ipv6hdr));
1594         skb_reset_network_header(skb);
1595         hdr = ipv6_hdr(skb);
1596
1597         *(__be32*)hdr = fl6->flowlabel |
1598                      htonl(0x60000000 | ((int)np->cork.tclass << 20));
1599
1600         hdr->hop_limit = np->cork.hop_limit;
1601         hdr->nexthdr = proto;
1602         ipv6_addr_copy(&hdr->saddr, &fl6->saddr);
1603         ipv6_addr_copy(&hdr->daddr, final_dst);
1604
1605         skb->priority = sk->sk_priority;
1606         skb->mark = sk->sk_mark;
1607
1608         skb_dst_set(skb, dst_clone(&rt->dst));
1609         IP6_UPD_PO_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len);
1610         if (proto == IPPROTO_ICMPV6) {
1611                 struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
1612
1613                 ICMP6MSGOUT_INC_STATS_BH(net, idev, icmp6_hdr(skb)->icmp6_type);
1614                 ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTMSGS);
1615         }
1616
1617         err = ip6_local_out(skb);
1618         if (err) {
1619                 if (err > 0)
1620                         err = net_xmit_errno(err);
1621                 if (err)
1622                         goto error;
1623         }
1624
1625 out:
1626         ip6_cork_release(inet, np);
1627         return err;
1628 error:
1629         IP6_INC_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
1630         goto out;
1631 }
1632
1633 void ip6_flush_pending_frames(struct sock *sk)
1634 {
1635         struct sk_buff *skb;
1636
1637         while ((skb = __skb_dequeue_tail(&sk->sk_write_queue)) != NULL) {
1638                 if (skb_dst(skb))
1639                         IP6_INC_STATS(sock_net(sk), ip6_dst_idev(skb_dst(skb)),
1640                                       IPSTATS_MIB_OUTDISCARDS);
1641                 kfree_skb(skb);
1642         }
1643
1644         ip6_cork_release(inet_sk(sk), inet6_sk(sk));
1645 }