net: ip_push_pending_frames() fix
[linux-2.6.git] / net / ipv6 / ip6_output.c
1 /*
2  *      IPv6 output functions
3  *      Linux INET6 implementation
4  *
5  *      Authors:
6  *      Pedro Roque             <roque@di.fc.ul.pt>
7  *
8  *      Based on linux/net/ipv4/ip_output.c
9  *
10  *      This program is free software; you can redistribute it and/or
11  *      modify it under the terms of the GNU General Public License
12  *      as published by the Free Software Foundation; either version
13  *      2 of the License, or (at your option) any later version.
14  *
15  *      Changes:
16  *      A.N.Kuznetsov   :       airthmetics in fragmentation.
17  *                              extension headers are implemented.
18  *                              route changes now work.
19  *                              ip6_forward does not confuse sniffers.
20  *                              etc.
21  *
22  *      H. von Brand    :       Added missing #include <linux/string.h>
23  *      Imran Patel     :       frag id should be in NBO
24  *      Kazunori MIYAZAWA @USAGI
25  *                      :       add ip6_append_data and related functions
26  *                              for datagram xmit
27  */
28
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/string.h>
32 #include <linux/socket.h>
33 #include <linux/net.h>
34 #include <linux/netdevice.h>
35 #include <linux/if_arp.h>
36 #include <linux/in6.h>
37 #include <linux/tcp.h>
38 #include <linux/route.h>
39 #include <linux/module.h>
40
41 #include <linux/netfilter.h>
42 #include <linux/netfilter_ipv6.h>
43
44 #include <net/sock.h>
45 #include <net/snmp.h>
46
47 #include <net/ipv6.h>
48 #include <net/ndisc.h>
49 #include <net/protocol.h>
50 #include <net/ip6_route.h>
51 #include <net/addrconf.h>
52 #include <net/rawv6.h>
53 #include <net/icmp.h>
54 #include <net/xfrm.h>
55 #include <net/checksum.h>
56 #include <linux/mroute6.h>
57
58 static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *));
59
60 static __inline__ void ipv6_select_ident(struct sk_buff *skb, struct frag_hdr *fhdr)
61 {
62         static u32 ipv6_fragmentation_id = 1;
63         static DEFINE_SPINLOCK(ip6_id_lock);
64
65         spin_lock_bh(&ip6_id_lock);
66         fhdr->identification = htonl(ipv6_fragmentation_id);
67         if (++ipv6_fragmentation_id == 0)
68                 ipv6_fragmentation_id = 1;
69         spin_unlock_bh(&ip6_id_lock);
70 }
71
72 int __ip6_local_out(struct sk_buff *skb)
73 {
74         int len;
75
76         len = skb->len - sizeof(struct ipv6hdr);
77         if (len > IPV6_MAXPLEN)
78                 len = 0;
79         ipv6_hdr(skb)->payload_len = htons(len);
80
81         return nf_hook(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev,
82                        dst_output);
83 }
84
85 int ip6_local_out(struct sk_buff *skb)
86 {
87         int err;
88
89         err = __ip6_local_out(skb);
90         if (likely(err == 1))
91                 err = dst_output(skb);
92
93         return err;
94 }
95 EXPORT_SYMBOL_GPL(ip6_local_out);
96
97 static int ip6_output_finish(struct sk_buff *skb)
98 {
99         struct dst_entry *dst = skb_dst(skb);
100
101         if (dst->hh)
102                 return neigh_hh_output(dst->hh, skb);
103         else if (dst->neighbour)
104                 return dst->neighbour->output(skb);
105
106         IP6_INC_STATS_BH(dev_net(dst->dev),
107                          ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
108         kfree_skb(skb);
109         return -EINVAL;
110
111 }
112
113 /* dev_loopback_xmit for use with netfilter. */
114 static int ip6_dev_loopback_xmit(struct sk_buff *newskb)
115 {
116         skb_reset_mac_header(newskb);
117         __skb_pull(newskb, skb_network_offset(newskb));
118         newskb->pkt_type = PACKET_LOOPBACK;
119         newskb->ip_summed = CHECKSUM_UNNECESSARY;
120         WARN_ON(!skb_dst(newskb));
121
122         netif_rx(newskb);
123         return 0;
124 }
125
126
127 static int ip6_output2(struct sk_buff *skb)
128 {
129         struct dst_entry *dst = skb_dst(skb);
130         struct net_device *dev = dst->dev;
131
132         skb->protocol = htons(ETH_P_IPV6);
133         skb->dev = dev;
134
135         if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) {
136                 struct ipv6_pinfo* np = skb->sk ? inet6_sk(skb->sk) : NULL;
137                 struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
138
139                 if (!(dev->flags & IFF_LOOPBACK) && (!np || np->mc_loop) &&
140                     ((mroute6_socket(dev_net(dev)) &&
141                      !(IP6CB(skb)->flags & IP6SKB_FORWARDED)) ||
142                      ipv6_chk_mcast_addr(dev, &ipv6_hdr(skb)->daddr,
143                                          &ipv6_hdr(skb)->saddr))) {
144                         struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
145
146                         /* Do not check for IFF_ALLMULTI; multicast routing
147                            is not supported in any case.
148                          */
149                         if (newskb)
150                                 NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, newskb,
151                                         NULL, newskb->dev,
152                                         ip6_dev_loopback_xmit);
153
154                         if (ipv6_hdr(skb)->hop_limit == 0) {
155                                 IP6_INC_STATS(dev_net(dev), idev,
156                                               IPSTATS_MIB_OUTDISCARDS);
157                                 kfree_skb(skb);
158                                 return 0;
159                         }
160                 }
161
162                 IP6_UPD_PO_STATS(dev_net(dev), idev, IPSTATS_MIB_OUTMCAST,
163                                 skb->len);
164         }
165
166         return NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, skb, NULL, skb->dev,
167                        ip6_output_finish);
168 }
169
170 static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
171 {
172         struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL;
173
174         return (np && np->pmtudisc == IPV6_PMTUDISC_PROBE) ?
175                skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb));
176 }
177
178 int ip6_output(struct sk_buff *skb)
179 {
180         struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
181         if (unlikely(idev->cnf.disable_ipv6)) {
182                 IP6_INC_STATS(dev_net(skb_dst(skb)->dev), idev,
183                               IPSTATS_MIB_OUTDISCARDS);
184                 kfree_skb(skb);
185                 return 0;
186         }
187
188         if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
189                                 dst_allfrag(skb_dst(skb)))
190                 return ip6_fragment(skb, ip6_output2);
191         else
192                 return ip6_output2(skb);
193 }
194
195 /*
196  *      xmit an sk_buff (used by TCP)
197  */
198
199 int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
200              struct ipv6_txoptions *opt, int ipfragok)
201 {
202         struct net *net = sock_net(sk);
203         struct ipv6_pinfo *np = inet6_sk(sk);
204         struct in6_addr *first_hop = &fl->fl6_dst;
205         struct dst_entry *dst = skb_dst(skb);
206         struct ipv6hdr *hdr;
207         u8  proto = fl->proto;
208         int seg_len = skb->len;
209         int hlimit, tclass;
210         u32 mtu;
211
212         if (opt) {
213                 unsigned int head_room;
214
215                 /* First: exthdrs may take lots of space (~8K for now)
216                    MAX_HEADER is not enough.
217                  */
218                 head_room = opt->opt_nflen + opt->opt_flen;
219                 seg_len += head_room;
220                 head_room += sizeof(struct ipv6hdr) + LL_RESERVED_SPACE(dst->dev);
221
222                 if (skb_headroom(skb) < head_room) {
223                         struct sk_buff *skb2 = skb_realloc_headroom(skb, head_room);
224                         if (skb2 == NULL) {
225                                 IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
226                                               IPSTATS_MIB_OUTDISCARDS);
227                                 kfree_skb(skb);
228                                 return -ENOBUFS;
229                         }
230                         kfree_skb(skb);
231                         skb = skb2;
232                         if (sk)
233                                 skb_set_owner_w(skb, sk);
234                 }
235                 if (opt->opt_flen)
236                         ipv6_push_frag_opts(skb, opt, &proto);
237                 if (opt->opt_nflen)
238                         ipv6_push_nfrag_opts(skb, opt, &proto, &first_hop);
239         }
240
241         skb_push(skb, sizeof(struct ipv6hdr));
242         skb_reset_network_header(skb);
243         hdr = ipv6_hdr(skb);
244
245         /* Allow local fragmentation. */
246         if (ipfragok)
247                 skb->local_df = 1;
248
249         /*
250          *      Fill in the IPv6 header
251          */
252
253         hlimit = -1;
254         if (np)
255                 hlimit = np->hop_limit;
256         if (hlimit < 0)
257                 hlimit = ip6_dst_hoplimit(dst);
258
259         tclass = -1;
260         if (np)
261                 tclass = np->tclass;
262         if (tclass < 0)
263                 tclass = 0;
264
265         *(__be32 *)hdr = htonl(0x60000000 | (tclass << 20)) | fl->fl6_flowlabel;
266
267         hdr->payload_len = htons(seg_len);
268         hdr->nexthdr = proto;
269         hdr->hop_limit = hlimit;
270
271         ipv6_addr_copy(&hdr->saddr, &fl->fl6_src);
272         ipv6_addr_copy(&hdr->daddr, first_hop);
273
274         skb->priority = sk->sk_priority;
275         skb->mark = sk->sk_mark;
276
277         mtu = dst_mtu(dst);
278         if ((skb->len <= mtu) || skb->local_df || skb_is_gso(skb)) {
279                 IP6_UPD_PO_STATS(net, ip6_dst_idev(skb_dst(skb)),
280                               IPSTATS_MIB_OUT, skb->len);
281                 return NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
282                                 dst_output);
283         }
284
285         if (net_ratelimit())
286                 printk(KERN_DEBUG "IPv6: sending pkt_too_big to self\n");
287         skb->dev = dst->dev;
288         icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev);
289         IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_FRAGFAILS);
290         kfree_skb(skb);
291         return -EMSGSIZE;
292 }
293
294 EXPORT_SYMBOL(ip6_xmit);
295
296 /*
297  *      To avoid extra problems ND packets are send through this
298  *      routine. It's code duplication but I really want to avoid
299  *      extra checks since ipv6_build_header is used by TCP (which
300  *      is for us performance critical)
301  */
302
303 int ip6_nd_hdr(struct sock *sk, struct sk_buff *skb, struct net_device *dev,
304                const struct in6_addr *saddr, const struct in6_addr *daddr,
305                int proto, int len)
306 {
307         struct ipv6_pinfo *np = inet6_sk(sk);
308         struct ipv6hdr *hdr;
309         int totlen;
310
311         skb->protocol = htons(ETH_P_IPV6);
312         skb->dev = dev;
313
314         totlen = len + sizeof(struct ipv6hdr);
315
316         skb_reset_network_header(skb);
317         skb_put(skb, sizeof(struct ipv6hdr));
318         hdr = ipv6_hdr(skb);
319
320         *(__be32*)hdr = htonl(0x60000000);
321
322         hdr->payload_len = htons(len);
323         hdr->nexthdr = proto;
324         hdr->hop_limit = np->hop_limit;
325
326         ipv6_addr_copy(&hdr->saddr, saddr);
327         ipv6_addr_copy(&hdr->daddr, daddr);
328
329         return 0;
330 }
331
332 static int ip6_call_ra_chain(struct sk_buff *skb, int sel)
333 {
334         struct ip6_ra_chain *ra;
335         struct sock *last = NULL;
336
337         read_lock(&ip6_ra_lock);
338         for (ra = ip6_ra_chain; ra; ra = ra->next) {
339                 struct sock *sk = ra->sk;
340                 if (sk && ra->sel == sel &&
341                     (!sk->sk_bound_dev_if ||
342                      sk->sk_bound_dev_if == skb->dev->ifindex)) {
343                         if (last) {
344                                 struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
345                                 if (skb2)
346                                         rawv6_rcv(last, skb2);
347                         }
348                         last = sk;
349                 }
350         }
351
352         if (last) {
353                 rawv6_rcv(last, skb);
354                 read_unlock(&ip6_ra_lock);
355                 return 1;
356         }
357         read_unlock(&ip6_ra_lock);
358         return 0;
359 }
360
361 static int ip6_forward_proxy_check(struct sk_buff *skb)
362 {
363         struct ipv6hdr *hdr = ipv6_hdr(skb);
364         u8 nexthdr = hdr->nexthdr;
365         int offset;
366
367         if (ipv6_ext_hdr(nexthdr)) {
368                 offset = ipv6_skip_exthdr(skb, sizeof(*hdr), &nexthdr);
369                 if (offset < 0)
370                         return 0;
371         } else
372                 offset = sizeof(struct ipv6hdr);
373
374         if (nexthdr == IPPROTO_ICMPV6) {
375                 struct icmp6hdr *icmp6;
376
377                 if (!pskb_may_pull(skb, (skb_network_header(skb) +
378                                          offset + 1 - skb->data)))
379                         return 0;
380
381                 icmp6 = (struct icmp6hdr *)(skb_network_header(skb) + offset);
382
383                 switch (icmp6->icmp6_type) {
384                 case NDISC_ROUTER_SOLICITATION:
385                 case NDISC_ROUTER_ADVERTISEMENT:
386                 case NDISC_NEIGHBOUR_SOLICITATION:
387                 case NDISC_NEIGHBOUR_ADVERTISEMENT:
388                 case NDISC_REDIRECT:
389                         /* For reaction involving unicast neighbor discovery
390                          * message destined to the proxied address, pass it to
391                          * input function.
392                          */
393                         return 1;
394                 default:
395                         break;
396                 }
397         }
398
399         /*
400          * The proxying router can't forward traffic sent to a link-local
401          * address, so signal the sender and discard the packet. This
402          * behavior is clarified by the MIPv6 specification.
403          */
404         if (ipv6_addr_type(&hdr->daddr) & IPV6_ADDR_LINKLOCAL) {
405                 dst_link_failure(skb);
406                 return -1;
407         }
408
409         return 0;
410 }
411
412 static inline int ip6_forward_finish(struct sk_buff *skb)
413 {
414         return dst_output(skb);
415 }
416
417 int ip6_forward(struct sk_buff *skb)
418 {
419         struct dst_entry *dst = skb_dst(skb);
420         struct ipv6hdr *hdr = ipv6_hdr(skb);
421         struct inet6_skb_parm *opt = IP6CB(skb);
422         struct net *net = dev_net(dst->dev);
423
424         if (net->ipv6.devconf_all->forwarding == 0)
425                 goto error;
426
427         if (skb_warn_if_lro(skb))
428                 goto drop;
429
430         if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
431                 IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_INDISCARDS);
432                 goto drop;
433         }
434
435         skb_forward_csum(skb);
436
437         /*
438          *      We DO NOT make any processing on
439          *      RA packets, pushing them to user level AS IS
440          *      without ane WARRANTY that application will be able
441          *      to interpret them. The reason is that we
442          *      cannot make anything clever here.
443          *
444          *      We are not end-node, so that if packet contains
445          *      AH/ESP, we cannot make anything.
446          *      Defragmentation also would be mistake, RA packets
447          *      cannot be fragmented, because there is no warranty
448          *      that different fragments will go along one path. --ANK
449          */
450         if (opt->ra) {
451                 u8 *ptr = skb_network_header(skb) + opt->ra;
452                 if (ip6_call_ra_chain(skb, (ptr[2]<<8) + ptr[3]))
453                         return 0;
454         }
455
456         /*
457          *      check and decrement ttl
458          */
459         if (hdr->hop_limit <= 1) {
460                 /* Force OUTPUT device used as source address */
461                 skb->dev = dst->dev;
462                 icmpv6_send(skb, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT,
463                             0, skb->dev);
464                 IP6_INC_STATS_BH(net,
465                                  ip6_dst_idev(dst), IPSTATS_MIB_INHDRERRORS);
466
467                 kfree_skb(skb);
468                 return -ETIMEDOUT;
469         }
470
471         /* XXX: idev->cnf.proxy_ndp? */
472         if (net->ipv6.devconf_all->proxy_ndp &&
473             pneigh_lookup(&nd_tbl, net, &hdr->daddr, skb->dev, 0)) {
474                 int proxied = ip6_forward_proxy_check(skb);
475                 if (proxied > 0)
476                         return ip6_input(skb);
477                 else if (proxied < 0) {
478                         IP6_INC_STATS(net, ip6_dst_idev(dst),
479                                       IPSTATS_MIB_INDISCARDS);
480                         goto drop;
481                 }
482         }
483
484         if (!xfrm6_route_forward(skb)) {
485                 IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_INDISCARDS);
486                 goto drop;
487         }
488         dst = skb_dst(skb);
489
490         /* IPv6 specs say nothing about it, but it is clear that we cannot
491            send redirects to source routed frames.
492            We don't send redirects to frames decapsulated from IPsec.
493          */
494         if (skb->dev == dst->dev && dst->neighbour && opt->srcrt == 0 &&
495             !skb_sec_path(skb)) {
496                 struct in6_addr *target = NULL;
497                 struct rt6_info *rt;
498                 struct neighbour *n = dst->neighbour;
499
500                 /*
501                  *      incoming and outgoing devices are the same
502                  *      send a redirect.
503                  */
504
505                 rt = (struct rt6_info *) dst;
506                 if ((rt->rt6i_flags & RTF_GATEWAY))
507                         target = (struct in6_addr*)&n->primary_key;
508                 else
509                         target = &hdr->daddr;
510
511                 /* Limit redirects both by destination (here)
512                    and by source (inside ndisc_send_redirect)
513                  */
514                 if (xrlim_allow(dst, 1*HZ))
515                         ndisc_send_redirect(skb, n, target);
516         } else {
517                 int addrtype = ipv6_addr_type(&hdr->saddr);
518
519                 /* This check is security critical. */
520                 if (addrtype == IPV6_ADDR_ANY ||
521                     addrtype & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LOOPBACK))
522                         goto error;
523                 if (addrtype & IPV6_ADDR_LINKLOCAL) {
524                         icmpv6_send(skb, ICMPV6_DEST_UNREACH,
525                                 ICMPV6_NOT_NEIGHBOUR, 0, skb->dev);
526                         goto error;
527                 }
528         }
529
530         if (skb->len > dst_mtu(dst)) {
531                 /* Again, force OUTPUT device used as source address */
532                 skb->dev = dst->dev;
533                 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, dst_mtu(dst), skb->dev);
534                 IP6_INC_STATS_BH(net,
535                                  ip6_dst_idev(dst), IPSTATS_MIB_INTOOBIGERRORS);
536                 IP6_INC_STATS_BH(net,
537                                  ip6_dst_idev(dst), IPSTATS_MIB_FRAGFAILS);
538                 kfree_skb(skb);
539                 return -EMSGSIZE;
540         }
541
542         if (skb_cow(skb, dst->dev->hard_header_len)) {
543                 IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTDISCARDS);
544                 goto drop;
545         }
546
547         hdr = ipv6_hdr(skb);
548
549         /* Mangling hops number delayed to point after skb COW */
550
551         hdr->hop_limit--;
552
553         IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
554         return NF_HOOK(PF_INET6, NF_INET_FORWARD, skb, skb->dev, dst->dev,
555                        ip6_forward_finish);
556
557 error:
558         IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_INADDRERRORS);
559 drop:
560         kfree_skb(skb);
561         return -EINVAL;
562 }
563
564 static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
565 {
566         to->pkt_type = from->pkt_type;
567         to->priority = from->priority;
568         to->protocol = from->protocol;
569         skb_dst_drop(to);
570         skb_dst_set(to, dst_clone(skb_dst(from)));
571         to->dev = from->dev;
572         to->mark = from->mark;
573
574 #ifdef CONFIG_NET_SCHED
575         to->tc_index = from->tc_index;
576 #endif
577         nf_copy(to, from);
578 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
579     defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
580         to->nf_trace = from->nf_trace;
581 #endif
582         skb_copy_secmark(to, from);
583 }
584
585 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
586 {
587         u16 offset = sizeof(struct ipv6hdr);
588         struct ipv6_opt_hdr *exthdr =
589                                 (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
590         unsigned int packet_len = skb->tail - skb->network_header;
591         int found_rhdr = 0;
592         *nexthdr = &ipv6_hdr(skb)->nexthdr;
593
594         while (offset + 1 <= packet_len) {
595
596                 switch (**nexthdr) {
597
598                 case NEXTHDR_HOP:
599                         break;
600                 case NEXTHDR_ROUTING:
601                         found_rhdr = 1;
602                         break;
603                 case NEXTHDR_DEST:
604 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
605                         if (ipv6_find_tlv(skb, offset, IPV6_TLV_HAO) >= 0)
606                                 break;
607 #endif
608                         if (found_rhdr)
609                                 return offset;
610                         break;
611                 default :
612                         return offset;
613                 }
614
615                 offset += ipv6_optlen(exthdr);
616                 *nexthdr = &exthdr->nexthdr;
617                 exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
618                                                  offset);
619         }
620
621         return offset;
622 }
623
624 static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
625 {
626         struct sk_buff *frag;
627         struct rt6_info *rt = (struct rt6_info*)skb_dst(skb);
628         struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL;
629         struct ipv6hdr *tmp_hdr;
630         struct frag_hdr *fh;
631         unsigned int mtu, hlen, left, len;
632         __be32 frag_id = 0;
633         int ptr, offset = 0, err=0;
634         u8 *prevhdr, nexthdr = 0;
635         struct net *net = dev_net(skb_dst(skb)->dev);
636
637         hlen = ip6_find_1stfragopt(skb, &prevhdr);
638         nexthdr = *prevhdr;
639
640         mtu = ip6_skb_dst_mtu(skb);
641
642         /* We must not fragment if the socket is set to force MTU discovery
643          * or if the skb it not generated by a local socket.  (This last
644          * check should be redundant, but it's free.)
645          */
646         if (!skb->local_df) {
647                 skb->dev = skb_dst(skb)->dev;
648                 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev);
649                 IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
650                               IPSTATS_MIB_FRAGFAILS);
651                 kfree_skb(skb);
652                 return -EMSGSIZE;
653         }
654
655         if (np && np->frag_size < mtu) {
656                 if (np->frag_size)
657                         mtu = np->frag_size;
658         }
659         mtu -= hlen + sizeof(struct frag_hdr);
660
661         if (skb_has_frags(skb)) {
662                 int first_len = skb_pagelen(skb);
663                 int truesizes = 0;
664
665                 if (first_len - hlen > mtu ||
666                     ((first_len - hlen) & 7) ||
667                     skb_cloned(skb))
668                         goto slow_path;
669
670                 skb_walk_frags(skb, frag) {
671                         /* Correct geometry. */
672                         if (frag->len > mtu ||
673                             ((frag->len & 7) && frag->next) ||
674                             skb_headroom(frag) < hlen)
675                             goto slow_path;
676
677                         /* Partially cloned skb? */
678                         if (skb_shared(frag))
679                                 goto slow_path;
680
681                         BUG_ON(frag->sk);
682                         if (skb->sk) {
683                                 frag->sk = skb->sk;
684                                 frag->destructor = sock_wfree;
685                                 truesizes += frag->truesize;
686                         }
687                 }
688
689                 err = 0;
690                 offset = 0;
691                 frag = skb_shinfo(skb)->frag_list;
692                 skb_frag_list_init(skb);
693                 /* BUILD HEADER */
694
695                 *prevhdr = NEXTHDR_FRAGMENT;
696                 tmp_hdr = kmemdup(skb_network_header(skb), hlen, GFP_ATOMIC);
697                 if (!tmp_hdr) {
698                         IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
699                                       IPSTATS_MIB_FRAGFAILS);
700                         return -ENOMEM;
701                 }
702
703                 __skb_pull(skb, hlen);
704                 fh = (struct frag_hdr*)__skb_push(skb, sizeof(struct frag_hdr));
705                 __skb_push(skb, hlen);
706                 skb_reset_network_header(skb);
707                 memcpy(skb_network_header(skb), tmp_hdr, hlen);
708
709                 ipv6_select_ident(skb, fh);
710                 fh->nexthdr = nexthdr;
711                 fh->reserved = 0;
712                 fh->frag_off = htons(IP6_MF);
713                 frag_id = fh->identification;
714
715                 first_len = skb_pagelen(skb);
716                 skb->data_len = first_len - skb_headlen(skb);
717                 skb->truesize -= truesizes;
718                 skb->len = first_len;
719                 ipv6_hdr(skb)->payload_len = htons(first_len -
720                                                    sizeof(struct ipv6hdr));
721
722                 dst_hold(&rt->u.dst);
723
724                 for (;;) {
725                         /* Prepare header of the next frame,
726                          * before previous one went down. */
727                         if (frag) {
728                                 frag->ip_summed = CHECKSUM_NONE;
729                                 skb_reset_transport_header(frag);
730                                 fh = (struct frag_hdr*)__skb_push(frag, sizeof(struct frag_hdr));
731                                 __skb_push(frag, hlen);
732                                 skb_reset_network_header(frag);
733                                 memcpy(skb_network_header(frag), tmp_hdr,
734                                        hlen);
735                                 offset += skb->len - hlen - sizeof(struct frag_hdr);
736                                 fh->nexthdr = nexthdr;
737                                 fh->reserved = 0;
738                                 fh->frag_off = htons(offset);
739                                 if (frag->next != NULL)
740                                         fh->frag_off |= htons(IP6_MF);
741                                 fh->identification = frag_id;
742                                 ipv6_hdr(frag)->payload_len =
743                                                 htons(frag->len -
744                                                       sizeof(struct ipv6hdr));
745                                 ip6_copy_metadata(frag, skb);
746                         }
747
748                         err = output(skb);
749                         if(!err)
750                                 IP6_INC_STATS(net, ip6_dst_idev(&rt->u.dst),
751                                               IPSTATS_MIB_FRAGCREATES);
752
753                         if (err || !frag)
754                                 break;
755
756                         skb = frag;
757                         frag = skb->next;
758                         skb->next = NULL;
759                 }
760
761                 kfree(tmp_hdr);
762
763                 if (err == 0) {
764                         IP6_INC_STATS(net, ip6_dst_idev(&rt->u.dst),
765                                       IPSTATS_MIB_FRAGOKS);
766                         dst_release(&rt->u.dst);
767                         return 0;
768                 }
769
770                 while (frag) {
771                         skb = frag->next;
772                         kfree_skb(frag);
773                         frag = skb;
774                 }
775
776                 IP6_INC_STATS(net, ip6_dst_idev(&rt->u.dst),
777                               IPSTATS_MIB_FRAGFAILS);
778                 dst_release(&rt->u.dst);
779                 return err;
780         }
781
782 slow_path:
783         left = skb->len - hlen;         /* Space per frame */
784         ptr = hlen;                     /* Where to start from */
785
786         /*
787          *      Fragment the datagram.
788          */
789
790         *prevhdr = NEXTHDR_FRAGMENT;
791
792         /*
793          *      Keep copying data until we run out.
794          */
795         while(left > 0) {
796                 len = left;
797                 /* IF: it doesn't fit, use 'mtu' - the data space left */
798                 if (len > mtu)
799                         len = mtu;
800                 /* IF: we are not sending upto and including the packet end
801                    then align the next start on an eight byte boundary */
802                 if (len < left) {
803                         len &= ~7;
804                 }
805                 /*
806                  *      Allocate buffer.
807                  */
808
809                 if ((frag = alloc_skb(len+hlen+sizeof(struct frag_hdr)+LL_ALLOCATED_SPACE(rt->u.dst.dev), GFP_ATOMIC)) == NULL) {
810                         NETDEBUG(KERN_INFO "IPv6: frag: no memory for new fragment!\n");
811                         IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
812                                       IPSTATS_MIB_FRAGFAILS);
813                         err = -ENOMEM;
814                         goto fail;
815                 }
816
817                 /*
818                  *      Set up data on packet
819                  */
820
821                 ip6_copy_metadata(frag, skb);
822                 skb_reserve(frag, LL_RESERVED_SPACE(rt->u.dst.dev));
823                 skb_put(frag, len + hlen + sizeof(struct frag_hdr));
824                 skb_reset_network_header(frag);
825                 fh = (struct frag_hdr *)(skb_network_header(frag) + hlen);
826                 frag->transport_header = (frag->network_header + hlen +
827                                           sizeof(struct frag_hdr));
828
829                 /*
830                  *      Charge the memory for the fragment to any owner
831                  *      it might possess
832                  */
833                 if (skb->sk)
834                         skb_set_owner_w(frag, skb->sk);
835
836                 /*
837                  *      Copy the packet header into the new buffer.
838                  */
839                 skb_copy_from_linear_data(skb, skb_network_header(frag), hlen);
840
841                 /*
842                  *      Build fragment header.
843                  */
844                 fh->nexthdr = nexthdr;
845                 fh->reserved = 0;
846                 if (!frag_id) {
847                         ipv6_select_ident(skb, fh);
848                         frag_id = fh->identification;
849                 } else
850                         fh->identification = frag_id;
851
852                 /*
853                  *      Copy a block of the IP datagram.
854                  */
855                 if (skb_copy_bits(skb, ptr, skb_transport_header(frag), len))
856                         BUG();
857                 left -= len;
858
859                 fh->frag_off = htons(offset);
860                 if (left > 0)
861                         fh->frag_off |= htons(IP6_MF);
862                 ipv6_hdr(frag)->payload_len = htons(frag->len -
863                                                     sizeof(struct ipv6hdr));
864
865                 ptr += len;
866                 offset += len;
867
868                 /*
869                  *      Put this fragment into the sending queue.
870                  */
871                 err = output(frag);
872                 if (err)
873                         goto fail;
874
875                 IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
876                               IPSTATS_MIB_FRAGCREATES);
877         }
878         IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
879                       IPSTATS_MIB_FRAGOKS);
880         kfree_skb(skb);
881         return err;
882
883 fail:
884         IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
885                       IPSTATS_MIB_FRAGFAILS);
886         kfree_skb(skb);
887         return err;
888 }
889
890 static inline int ip6_rt_check(struct rt6key *rt_key,
891                                struct in6_addr *fl_addr,
892                                struct in6_addr *addr_cache)
893 {
894         return ((rt_key->plen != 128 || !ipv6_addr_equal(fl_addr, &rt_key->addr)) &&
895                 (addr_cache == NULL || !ipv6_addr_equal(fl_addr, addr_cache)));
896 }
897
898 static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
899                                           struct dst_entry *dst,
900                                           struct flowi *fl)
901 {
902         struct ipv6_pinfo *np = inet6_sk(sk);
903         struct rt6_info *rt = (struct rt6_info *)dst;
904
905         if (!dst)
906                 goto out;
907
908         /* Yes, checking route validity in not connected
909          * case is not very simple. Take into account,
910          * that we do not support routing by source, TOS,
911          * and MSG_DONTROUTE            --ANK (980726)
912          *
913          * 1. ip6_rt_check(): If route was host route,
914          *    check that cached destination is current.
915          *    If it is network route, we still may
916          *    check its validity using saved pointer
917          *    to the last used address: daddr_cache.
918          *    We do not want to save whole address now,
919          *    (because main consumer of this service
920          *    is tcp, which has not this problem),
921          *    so that the last trick works only on connected
922          *    sockets.
923          * 2. oif also should be the same.
924          */
925         if (ip6_rt_check(&rt->rt6i_dst, &fl->fl6_dst, np->daddr_cache) ||
926 #ifdef CONFIG_IPV6_SUBTREES
927             ip6_rt_check(&rt->rt6i_src, &fl->fl6_src, np->saddr_cache) ||
928 #endif
929             (fl->oif && fl->oif != dst->dev->ifindex)) {
930                 dst_release(dst);
931                 dst = NULL;
932         }
933
934 out:
935         return dst;
936 }
937
938 static int ip6_dst_lookup_tail(struct sock *sk,
939                                struct dst_entry **dst, struct flowi *fl)
940 {
941         int err;
942         struct net *net = sock_net(sk);
943
944         if (*dst == NULL)
945                 *dst = ip6_route_output(net, sk, fl);
946
947         if ((err = (*dst)->error))
948                 goto out_err_release;
949
950         if (ipv6_addr_any(&fl->fl6_src)) {
951                 err = ipv6_dev_get_saddr(net, ip6_dst_idev(*dst)->dev,
952                                          &fl->fl6_dst,
953                                          sk ? inet6_sk(sk)->srcprefs : 0,
954                                          &fl->fl6_src);
955                 if (err)
956                         goto out_err_release;
957         }
958
959 #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
960         /*
961          * Here if the dst entry we've looked up
962          * has a neighbour entry that is in the INCOMPLETE
963          * state and the src address from the flow is
964          * marked as OPTIMISTIC, we release the found
965          * dst entry and replace it instead with the
966          * dst entry of the nexthop router
967          */
968         if ((*dst)->neighbour && !((*dst)->neighbour->nud_state & NUD_VALID)) {
969                 struct inet6_ifaddr *ifp;
970                 struct flowi fl_gw;
971                 int redirect;
972
973                 ifp = ipv6_get_ifaddr(net, &fl->fl6_src,
974                                       (*dst)->dev, 1);
975
976                 redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC);
977                 if (ifp)
978                         in6_ifa_put(ifp);
979
980                 if (redirect) {
981                         /*
982                          * We need to get the dst entry for the
983                          * default router instead
984                          */
985                         dst_release(*dst);
986                         memcpy(&fl_gw, fl, sizeof(struct flowi));
987                         memset(&fl_gw.fl6_dst, 0, sizeof(struct in6_addr));
988                         *dst = ip6_route_output(net, sk, &fl_gw);
989                         if ((err = (*dst)->error))
990                                 goto out_err_release;
991                 }
992         }
993 #endif
994
995         return 0;
996
997 out_err_release:
998         if (err == -ENETUNREACH)
999                 IP6_INC_STATS_BH(net, NULL, IPSTATS_MIB_OUTNOROUTES);
1000         dst_release(*dst);
1001         *dst = NULL;
1002         return err;
1003 }
1004
1005 /**
1006  *      ip6_dst_lookup - perform route lookup on flow
1007  *      @sk: socket which provides route info
1008  *      @dst: pointer to dst_entry * for result
1009  *      @fl: flow to lookup
1010  *
1011  *      This function performs a route lookup on the given flow.
1012  *
1013  *      It returns zero on success, or a standard errno code on error.
1014  */
1015 int ip6_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi *fl)
1016 {
1017         *dst = NULL;
1018         return ip6_dst_lookup_tail(sk, dst, fl);
1019 }
1020 EXPORT_SYMBOL_GPL(ip6_dst_lookup);
1021
1022 /**
1023  *      ip6_sk_dst_lookup - perform socket cached route lookup on flow
1024  *      @sk: socket which provides the dst cache and route info
1025  *      @dst: pointer to dst_entry * for result
1026  *      @fl: flow to lookup
1027  *
1028  *      This function performs a route lookup on the given flow with the
1029  *      possibility of using the cached route in the socket if it is valid.
1030  *      It will take the socket dst lock when operating on the dst cache.
1031  *      As a result, this function can only be used in process context.
1032  *
1033  *      It returns zero on success, or a standard errno code on error.
1034  */
1035 int ip6_sk_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi *fl)
1036 {
1037         *dst = NULL;
1038         if (sk) {
1039                 *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
1040                 *dst = ip6_sk_dst_check(sk, *dst, fl);
1041         }
1042
1043         return ip6_dst_lookup_tail(sk, dst, fl);
1044 }
1045 EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup);
1046
1047 static inline int ip6_ufo_append_data(struct sock *sk,
1048                         int getfrag(void *from, char *to, int offset, int len,
1049                         int odd, struct sk_buff *skb),
1050                         void *from, int length, int hh_len, int fragheaderlen,
1051                         int transhdrlen, int mtu,unsigned int flags)
1052
1053 {
1054         struct sk_buff *skb;
1055         int err;
1056
1057         /* There is support for UDP large send offload by network
1058          * device, so create one single skb packet containing complete
1059          * udp datagram
1060          */
1061         if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
1062                 skb = sock_alloc_send_skb(sk,
1063                         hh_len + fragheaderlen + transhdrlen + 20,
1064                         (flags & MSG_DONTWAIT), &err);
1065                 if (skb == NULL)
1066                         return -ENOMEM;
1067
1068                 /* reserve space for Hardware header */
1069                 skb_reserve(skb, hh_len);
1070
1071                 /* create space for UDP/IP header */
1072                 skb_put(skb,fragheaderlen + transhdrlen);
1073
1074                 /* initialize network header pointer */
1075                 skb_reset_network_header(skb);
1076
1077                 /* initialize protocol header pointer */
1078                 skb->transport_header = skb->network_header + fragheaderlen;
1079
1080                 skb->ip_summed = CHECKSUM_PARTIAL;
1081                 skb->csum = 0;
1082                 sk->sk_sndmsg_off = 0;
1083         }
1084
1085         err = skb_append_datato_frags(sk,skb, getfrag, from,
1086                                       (length - transhdrlen));
1087         if (!err) {
1088                 struct frag_hdr fhdr;
1089
1090                 /* specify the length of each IP datagram fragment*/
1091                 skb_shinfo(skb)->gso_size = mtu - fragheaderlen -
1092                                             sizeof(struct frag_hdr);
1093                 skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
1094                 ipv6_select_ident(skb, &fhdr);
1095                 skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
1096                 __skb_queue_tail(&sk->sk_write_queue, skb);
1097
1098                 return 0;
1099         }
1100         /* There is not enough support do UPD LSO,
1101          * so follow normal path
1102          */
1103         kfree_skb(skb);
1104
1105         return err;
1106 }
1107
1108 static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
1109                                                gfp_t gfp)
1110 {
1111         return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
1112 }
1113
1114 static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src,
1115                                                 gfp_t gfp)
1116 {
1117         return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
1118 }
1119
1120 int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
1121         int offset, int len, int odd, struct sk_buff *skb),
1122         void *from, int length, int transhdrlen,
1123         int hlimit, int tclass, struct ipv6_txoptions *opt, struct flowi *fl,
1124         struct rt6_info *rt, unsigned int flags)
1125 {
1126         struct inet_sock *inet = inet_sk(sk);
1127         struct ipv6_pinfo *np = inet6_sk(sk);
1128         struct sk_buff *skb;
1129         unsigned int maxfraglen, fragheaderlen;
1130         int exthdrlen;
1131         int hh_len;
1132         int mtu;
1133         int copy;
1134         int err;
1135         int offset = 0;
1136         int csummode = CHECKSUM_NONE;
1137
1138         if (flags&MSG_PROBE)
1139                 return 0;
1140         if (skb_queue_empty(&sk->sk_write_queue)) {
1141                 /*
1142                  * setup for corking
1143                  */
1144                 if (opt) {
1145                         if (WARN_ON(np->cork.opt))
1146                                 return -EINVAL;
1147
1148                         np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
1149                         if (unlikely(np->cork.opt == NULL))
1150                                 return -ENOBUFS;
1151
1152                         np->cork.opt->tot_len = opt->tot_len;
1153                         np->cork.opt->opt_flen = opt->opt_flen;
1154                         np->cork.opt->opt_nflen = opt->opt_nflen;
1155
1156                         np->cork.opt->dst0opt = ip6_opt_dup(opt->dst0opt,
1157                                                             sk->sk_allocation);
1158                         if (opt->dst0opt && !np->cork.opt->dst0opt)
1159                                 return -ENOBUFS;
1160
1161                         np->cork.opt->dst1opt = ip6_opt_dup(opt->dst1opt,
1162                                                             sk->sk_allocation);
1163                         if (opt->dst1opt && !np->cork.opt->dst1opt)
1164                                 return -ENOBUFS;
1165
1166                         np->cork.opt->hopopt = ip6_opt_dup(opt->hopopt,
1167                                                            sk->sk_allocation);
1168                         if (opt->hopopt && !np->cork.opt->hopopt)
1169                                 return -ENOBUFS;
1170
1171                         np->cork.opt->srcrt = ip6_rthdr_dup(opt->srcrt,
1172                                                             sk->sk_allocation);
1173                         if (opt->srcrt && !np->cork.opt->srcrt)
1174                                 return -ENOBUFS;
1175
1176                         /* need source address above miyazawa*/
1177                 }
1178                 dst_hold(&rt->u.dst);
1179                 inet->cork.dst = &rt->u.dst;
1180                 inet->cork.fl = *fl;
1181                 np->cork.hop_limit = hlimit;
1182                 np->cork.tclass = tclass;
1183                 mtu = np->pmtudisc == IPV6_PMTUDISC_PROBE ?
1184                       rt->u.dst.dev->mtu : dst_mtu(rt->u.dst.path);
1185                 if (np->frag_size < mtu) {
1186                         if (np->frag_size)
1187                                 mtu = np->frag_size;
1188                 }
1189                 inet->cork.fragsize = mtu;
1190                 if (dst_allfrag(rt->u.dst.path))
1191                         inet->cork.flags |= IPCORK_ALLFRAG;
1192                 inet->cork.length = 0;
1193                 sk->sk_sndmsg_page = NULL;
1194                 sk->sk_sndmsg_off = 0;
1195                 exthdrlen = rt->u.dst.header_len + (opt ? opt->opt_flen : 0) -
1196                             rt->rt6i_nfheader_len;
1197                 length += exthdrlen;
1198                 transhdrlen += exthdrlen;
1199         } else {
1200                 rt = (struct rt6_info *)inet->cork.dst;
1201                 fl = &inet->cork.fl;
1202                 opt = np->cork.opt;
1203                 transhdrlen = 0;
1204                 exthdrlen = 0;
1205                 mtu = inet->cork.fragsize;
1206         }
1207
1208         hh_len = LL_RESERVED_SPACE(rt->u.dst.dev);
1209
1210         fragheaderlen = sizeof(struct ipv6hdr) + rt->rt6i_nfheader_len +
1211                         (opt ? opt->opt_nflen : 0);
1212         maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen - sizeof(struct frag_hdr);
1213
1214         if (mtu <= sizeof(struct ipv6hdr) + IPV6_MAXPLEN) {
1215                 if (inet->cork.length + length > sizeof(struct ipv6hdr) + IPV6_MAXPLEN - fragheaderlen) {
1216                         ipv6_local_error(sk, EMSGSIZE, fl, mtu-exthdrlen);
1217                         return -EMSGSIZE;
1218                 }
1219         }
1220
1221         /*
1222          * Let's try using as much space as possible.
1223          * Use MTU if total length of the message fits into the MTU.
1224          * Otherwise, we need to reserve fragment header and
1225          * fragment alignment (= 8-15 octects, in total).
1226          *
1227          * Note that we may need to "move" the data from the tail of
1228          * of the buffer to the new fragment when we split
1229          * the message.
1230          *
1231          * FIXME: It may be fragmented into multiple chunks
1232          *        at once if non-fragmentable extension headers
1233          *        are too large.
1234          * --yoshfuji
1235          */
1236
1237         inet->cork.length += length;
1238         if (((length > mtu) && (sk->sk_protocol == IPPROTO_UDP)) &&
1239             (rt->u.dst.dev->features & NETIF_F_UFO)) {
1240
1241                 err = ip6_ufo_append_data(sk, getfrag, from, length, hh_len,
1242                                           fragheaderlen, transhdrlen, mtu,
1243                                           flags);
1244                 if (err)
1245                         goto error;
1246                 return 0;
1247         }
1248
1249         if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
1250                 goto alloc_new_skb;
1251
1252         while (length > 0) {
1253                 /* Check if the remaining data fits into current packet. */
1254                 copy = (inet->cork.length <= mtu && !(inet->cork.flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - skb->len;
1255                 if (copy < length)
1256                         copy = maxfraglen - skb->len;
1257
1258                 if (copy <= 0) {
1259                         char *data;
1260                         unsigned int datalen;
1261                         unsigned int fraglen;
1262                         unsigned int fraggap;
1263                         unsigned int alloclen;
1264                         struct sk_buff *skb_prev;
1265 alloc_new_skb:
1266                         skb_prev = skb;
1267
1268                         /* There's no room in the current skb */
1269                         if (skb_prev)
1270                                 fraggap = skb_prev->len - maxfraglen;
1271                         else
1272                                 fraggap = 0;
1273
1274                         /*
1275                          * If remaining data exceeds the mtu,
1276                          * we know we need more fragment(s).
1277                          */
1278                         datalen = length + fraggap;
1279                         if (datalen > (inet->cork.length <= mtu && !(inet->cork.flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen)
1280                                 datalen = maxfraglen - fragheaderlen;
1281
1282                         fraglen = datalen + fragheaderlen;
1283                         if ((flags & MSG_MORE) &&
1284                             !(rt->u.dst.dev->features&NETIF_F_SG))
1285                                 alloclen = mtu;
1286                         else
1287                                 alloclen = datalen + fragheaderlen;
1288
1289                         /*
1290                          * The last fragment gets additional space at tail.
1291                          * Note: we overallocate on fragments with MSG_MODE
1292                          * because we have no idea if we're the last one.
1293                          */
1294                         if (datalen == length + fraggap)
1295                                 alloclen += rt->u.dst.trailer_len;
1296
1297                         /*
1298                          * We just reserve space for fragment header.
1299                          * Note: this may be overallocation if the message
1300                          * (without MSG_MORE) fits into the MTU.
1301                          */
1302                         alloclen += sizeof(struct frag_hdr);
1303
1304                         if (transhdrlen) {
1305                                 skb = sock_alloc_send_skb(sk,
1306                                                 alloclen + hh_len,
1307                                                 (flags & MSG_DONTWAIT), &err);
1308                         } else {
1309                                 skb = NULL;
1310                                 if (atomic_read(&sk->sk_wmem_alloc) <=
1311                                     2 * sk->sk_sndbuf)
1312                                         skb = sock_wmalloc(sk,
1313                                                            alloclen + hh_len, 1,
1314                                                            sk->sk_allocation);
1315                                 if (unlikely(skb == NULL))
1316                                         err = -ENOBUFS;
1317                         }
1318                         if (skb == NULL)
1319                                 goto error;
1320                         /*
1321                          *      Fill in the control structures
1322                          */
1323                         skb->ip_summed = csummode;
1324                         skb->csum = 0;
1325                         /* reserve for fragmentation */
1326                         skb_reserve(skb, hh_len+sizeof(struct frag_hdr));
1327
1328                         /*
1329                          *      Find where to start putting bytes
1330                          */
1331                         data = skb_put(skb, fraglen);
1332                         skb_set_network_header(skb, exthdrlen);
1333                         data += fragheaderlen;
1334                         skb->transport_header = (skb->network_header +
1335                                                  fragheaderlen);
1336                         if (fraggap) {
1337                                 skb->csum = skb_copy_and_csum_bits(
1338                                         skb_prev, maxfraglen,
1339                                         data + transhdrlen, fraggap, 0);
1340                                 skb_prev->csum = csum_sub(skb_prev->csum,
1341                                                           skb->csum);
1342                                 data += fraggap;
1343                                 pskb_trim_unique(skb_prev, maxfraglen);
1344                         }
1345                         copy = datalen - transhdrlen - fraggap;
1346                         if (copy < 0) {
1347                                 err = -EINVAL;
1348                                 kfree_skb(skb);
1349                                 goto error;
1350                         } else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
1351                                 err = -EFAULT;
1352                                 kfree_skb(skb);
1353                                 goto error;
1354                         }
1355
1356                         offset += copy;
1357                         length -= datalen - fraggap;
1358                         transhdrlen = 0;
1359                         exthdrlen = 0;
1360                         csummode = CHECKSUM_NONE;
1361
1362                         /*
1363                          * Put the packet on the pending queue
1364                          */
1365                         __skb_queue_tail(&sk->sk_write_queue, skb);
1366                         continue;
1367                 }
1368
1369                 if (copy > length)
1370                         copy = length;
1371
1372                 if (!(rt->u.dst.dev->features&NETIF_F_SG)) {
1373                         unsigned int off;
1374
1375                         off = skb->len;
1376                         if (getfrag(from, skb_put(skb, copy),
1377                                                 offset, copy, off, skb) < 0) {
1378                                 __skb_trim(skb, off);
1379                                 err = -EFAULT;
1380                                 goto error;
1381                         }
1382                 } else {
1383                         int i = skb_shinfo(skb)->nr_frags;
1384                         skb_frag_t *frag = &skb_shinfo(skb)->frags[i-1];
1385                         struct page *page = sk->sk_sndmsg_page;
1386                         int off = sk->sk_sndmsg_off;
1387                         unsigned int left;
1388
1389                         if (page && (left = PAGE_SIZE - off) > 0) {
1390                                 if (copy >= left)
1391                                         copy = left;
1392                                 if (page != frag->page) {
1393                                         if (i == MAX_SKB_FRAGS) {
1394                                                 err = -EMSGSIZE;
1395                                                 goto error;
1396                                         }
1397                                         get_page(page);
1398                                         skb_fill_page_desc(skb, i, page, sk->sk_sndmsg_off, 0);
1399                                         frag = &skb_shinfo(skb)->frags[i];
1400                                 }
1401                         } else if(i < MAX_SKB_FRAGS) {
1402                                 if (copy > PAGE_SIZE)
1403                                         copy = PAGE_SIZE;
1404                                 page = alloc_pages(sk->sk_allocation, 0);
1405                                 if (page == NULL) {
1406                                         err = -ENOMEM;
1407                                         goto error;
1408                                 }
1409                                 sk->sk_sndmsg_page = page;
1410                                 sk->sk_sndmsg_off = 0;
1411
1412                                 skb_fill_page_desc(skb, i, page, 0, 0);
1413                                 frag = &skb_shinfo(skb)->frags[i];
1414                         } else {
1415                                 err = -EMSGSIZE;
1416                                 goto error;
1417                         }
1418                         if (getfrag(from, page_address(frag->page)+frag->page_offset+frag->size, offset, copy, skb->len, skb) < 0) {
1419                                 err = -EFAULT;
1420                                 goto error;
1421                         }
1422                         sk->sk_sndmsg_off += copy;
1423                         frag->size += copy;
1424                         skb->len += copy;
1425                         skb->data_len += copy;
1426                         skb->truesize += copy;
1427                         atomic_add(copy, &sk->sk_wmem_alloc);
1428                 }
1429                 offset += copy;
1430                 length -= copy;
1431         }
1432         return 0;
1433 error:
1434         inet->cork.length -= length;
1435         IP6_INC_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
1436         return err;
1437 }
1438
1439 static void ip6_cork_release(struct inet_sock *inet, struct ipv6_pinfo *np)
1440 {
1441         if (np->cork.opt) {
1442                 kfree(np->cork.opt->dst0opt);
1443                 kfree(np->cork.opt->dst1opt);
1444                 kfree(np->cork.opt->hopopt);
1445                 kfree(np->cork.opt->srcrt);
1446                 kfree(np->cork.opt);
1447                 np->cork.opt = NULL;
1448         }
1449
1450         if (inet->cork.dst) {
1451                 dst_release(inet->cork.dst);
1452                 inet->cork.dst = NULL;
1453                 inet->cork.flags &= ~IPCORK_ALLFRAG;
1454         }
1455         memset(&inet->cork.fl, 0, sizeof(inet->cork.fl));
1456 }
1457
1458 int ip6_push_pending_frames(struct sock *sk)
1459 {
1460         struct sk_buff *skb, *tmp_skb;
1461         struct sk_buff **tail_skb;
1462         struct in6_addr final_dst_buf, *final_dst = &final_dst_buf;
1463         struct inet_sock *inet = inet_sk(sk);
1464         struct ipv6_pinfo *np = inet6_sk(sk);
1465         struct net *net = sock_net(sk);
1466         struct ipv6hdr *hdr;
1467         struct ipv6_txoptions *opt = np->cork.opt;
1468         struct rt6_info *rt = (struct rt6_info *)inet->cork.dst;
1469         struct flowi *fl = &inet->cork.fl;
1470         unsigned char proto = fl->proto;
1471         int err = 0;
1472
1473         if ((skb = __skb_dequeue(&sk->sk_write_queue)) == NULL)
1474                 goto out;
1475         tail_skb = &(skb_shinfo(skb)->frag_list);
1476
1477         /* move skb->data to ip header from ext header */
1478         if (skb->data < skb_network_header(skb))
1479                 __skb_pull(skb, skb_network_offset(skb));
1480         while ((tmp_skb = __skb_dequeue(&sk->sk_write_queue)) != NULL) {
1481                 __skb_pull(tmp_skb, skb_network_header_len(skb));
1482                 *tail_skb = tmp_skb;
1483                 tail_skb = &(tmp_skb->next);
1484                 skb->len += tmp_skb->len;
1485                 skb->data_len += tmp_skb->len;
1486                 skb->truesize += tmp_skb->truesize;
1487                 tmp_skb->destructor = NULL;
1488                 tmp_skb->sk = NULL;
1489         }
1490
1491         /* Allow local fragmentation. */
1492         if (np->pmtudisc < IPV6_PMTUDISC_DO)
1493                 skb->local_df = 1;
1494
1495         ipv6_addr_copy(final_dst, &fl->fl6_dst);
1496         __skb_pull(skb, skb_network_header_len(skb));
1497         if (opt && opt->opt_flen)
1498                 ipv6_push_frag_opts(skb, opt, &proto);
1499         if (opt && opt->opt_nflen)
1500                 ipv6_push_nfrag_opts(skb, opt, &proto, &final_dst);
1501
1502         skb_push(skb, sizeof(struct ipv6hdr));
1503         skb_reset_network_header(skb);
1504         hdr = ipv6_hdr(skb);
1505
1506         *(__be32*)hdr = fl->fl6_flowlabel |
1507                      htonl(0x60000000 | ((int)np->cork.tclass << 20));
1508
1509         hdr->hop_limit = np->cork.hop_limit;
1510         hdr->nexthdr = proto;
1511         ipv6_addr_copy(&hdr->saddr, &fl->fl6_src);
1512         ipv6_addr_copy(&hdr->daddr, final_dst);
1513
1514         skb->priority = sk->sk_priority;
1515         skb->mark = sk->sk_mark;
1516
1517         skb_dst_set(skb, dst_clone(&rt->u.dst));
1518         IP6_UPD_PO_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len);
1519         if (proto == IPPROTO_ICMPV6) {
1520                 struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
1521
1522                 ICMP6MSGOUT_INC_STATS_BH(net, idev, icmp6_hdr(skb)->icmp6_type);
1523                 ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTMSGS);
1524         }
1525
1526         err = ip6_local_out(skb);
1527         if (err) {
1528                 if (err > 0)
1529                         err = np->recverr ? net_xmit_errno(err) : 0;
1530                 if (err)
1531                         goto error;
1532         }
1533
1534 out:
1535         ip6_cork_release(inet, np);
1536         return err;
1537 error:
1538         goto out;
1539 }
1540
1541 void ip6_flush_pending_frames(struct sock *sk)
1542 {
1543         struct sk_buff *skb;
1544
1545         while ((skb = __skb_dequeue_tail(&sk->sk_write_queue)) != NULL) {
1546                 if (skb_dst(skb))
1547                         IP6_INC_STATS(sock_net(sk), ip6_dst_idev(skb_dst(skb)),
1548                                       IPSTATS_MIB_OUTDISCARDS);
1549                 kfree_skb(skb);
1550         }
1551
1552         ip6_cork_release(inet_sk(sk), inet6_sk(sk));
1553 }