// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * INET         An implementation of the TCP/IP protocol suite for the LINUX
 *              operating system.  INET is implemented using the  BSD Socket
 *              interface as the means of communication with the user level.
 *
 *              Implementation of the Transmission Control Protocol(TCP).
 *
 * Authors:     Ross Biro
 *              Fred N. van Kempen, <waltje@uWalt.NL.Mugnet.ORG>
 *              Mark Evans, <evansmp@uhura.aston.ac.uk>
 *              Corey Minyard <wf-rch!minyard@relay.EU.net>
 *              Florian La Roche, <flla@stud.uni-sb.de>
 *              Charles Hedrick, <hedrick@klinzhai.rutgers.edu>
 *              Linus Torvalds, <torvalds@cs.helsinki.fi>
 *              Alan Cox, <gw4pts@gw4pts.ampr.org>
 *              Matthew Dillon, <dillon@apollo.west.oic.com>
 *              Arnt Gulbrandsen, <agulbra@nvg.unit.no>
 *              Jorge Cwik, <jorge@laser.satlink.net>
 *
 * Fixes:
 *              Alan Cox        :       Numerous verify_area() calls
 *              Alan Cox        :       Set the ACK bit on a reset
 *              Alan Cox        :       Stopped it crashing if it closed while
 *                                      sk->inuse=1 and was trying to connect
 *                                      (tcp_err()).
 *              Alan Cox        :       All icmp error handling was broken
 *                                      pointers passed where wrong and the
 *                                      socket was looked up backwards. Nobody
 *                                      tested any icmp error code obviously.
 *              Alan Cox        :       tcp_err() now handled properly. It
 *                                      wakes people on errors. poll
 *                                      behaves and the icmp error race
 *                                      has gone by moving it into sock.c
 *              Alan Cox        :       tcp_send_reset() fixed to work for
 *                                      everything not just packets for
 *                                      unknown sockets.
 *              Alan Cox        :       tcp option processing.
 *              Alan Cox        :       Reset tweaked (still not 100%) [Had
 *                                      syn rule wrong]
 *              Herp Rosmanith  :       More reset fixes
 *              Alan Cox        :       No longer acks invalid rst frames.
 *                                      Acking any kind of RST is right out.
 *              Alan Cox        :       Sets an ignore me flag on an rst
 *                                      receive otherwise odd bits of prattle
 *                                      escape still
 *              Alan Cox        :       Fixed another acking RST frame bug.
 *                                      Should stop LAN workplace lockups.
 *              Alan Cox        :       Some tidyups using the new skb list
 *                                      facilities
 *              Alan Cox        :       sk->keepopen now seems to work
 *              Alan Cox        :       Pulls options out correctly on accepts
 *              Alan Cox        :       Fixed assorted sk->rqueue->next errors
 *              Alan Cox        :       PSH doesn't end a TCP read. Switched a
 *                                      bit to skb ops.
 *              Alan Cox        :       Tidied tcp_data to avoid a potential
 *                                      nasty.
 *              Alan Cox        :       Added some better commenting, as the
 *                                      tcp is hard to follow
 *              Alan Cox        :       Removed incorrect check for 20 * psh
 *      Michael O'Reilly        :       ack < copied bug fix.
 *      Johannes Stille         :       Misc tcp fixes (not all in yet).
 *              Alan Cox        :       FIN with no memory -> CRASH
 *              Alan Cox        :       Added socket option proto entries.
 *                                      Also added awareness of them to accept.
 *              Alan Cox        :       Added TCP options (SOL_TCP)
 *              Alan Cox        :       Switched wakeup calls to callbacks,
 *                                      so the kernel can layer network
 *                                      sockets.
 *              Alan Cox        :       Use ip_tos/ip_ttl settings.
 *              Alan Cox        :       Handle FIN (more) properly (we hope).
 *              Alan Cox        :       RST frames sent on unsynchronised
 *                                      state ack error.
 *              Alan Cox        :       Put in missing check for SYN bit.
 *              Alan Cox        :       Added tcp_select_window() aka NET2E
 *                                      window non shrink trick.
 *              Alan Cox        :       Added a couple of small NET2E timer
 *                                      fixes
 *              Charles Hedrick :       TCP fixes
 *              Toomas Tamm     :       TCP window fixes
 *              Alan Cox        :       Small URG fix to rlogin ^C ack fight
 *              Charles Hedrick :       Rewrote most of it to actually work
 *              Linus           :       Rewrote tcp_read() and URG handling
 *                                      completely
 *              Gerhard Koerting:       Fixed some missing timer handling
 *              Matthew Dillon  :       Reworked TCP machine states as per RFC
 *              Gerhard Koerting:       PC/TCP workarounds
 *              Adam Caldwell   :       Assorted timer/timing errors
 *              Matthew Dillon  :       Fixed another RST bug
 *              Alan Cox        :       Move to kernel side addressing changes.
 *              Alan Cox        :       Beginning work on TCP fastpathing
 *                                      (not yet usable)
 *              Arnt Gulbrandsen:       Turbocharged tcp_check() routine.
 *              Alan Cox        :       TCP fast path debugging
 *              Alan Cox        :       Window clamping
 *              Michael Riepe   :       Bug in tcp_check()
 *              Matt Dillon     :       More TCP improvements and RST bug fixes
 *              Matt Dillon     :       Yet more small nasties remove from the
 *                                      TCP code (Be very nice to this man if
 *                                      tcp finally works 100%) 8)
 *              Alan Cox        :       BSD accept semantics.
 *              Alan Cox        :       Reset on closedown bug.
 *      Peter De Schrijver      :       ENOTCONN check missing in tcp_sendto().
 *              Michael Pall    :       Handle poll() after URG properly in
 *                                      all cases.
 *              Michael Pall    :       Undo the last fix in tcp_read_urg()
 *                                      (multi URG PUSH broke rlogin).
 *              Michael Pall    :       Fix the multi URG PUSH problem in
 *                                      tcp_readable(), poll() after URG
 *                                      works now.
 *              Michael Pall    :       recv(...,MSG_OOB) never blocks in the
 *                                      BSD api.
 *              Alan Cox        :       Changed the semantics of sk->socket to
 *                                      fix a race and a signal problem with
 *                                      accept() and async I/O.
 *              Alan Cox        :       Relaxed the rules on tcp_sendto().
 *              Yury Shevchuk   :       Really fixed accept() blocking problem.
 *              Craig I. Hagan  :       Allow for BSD compatible TIME_WAIT for
 *                                      clients/servers which listen in on
 *                                      fixed ports.
 *              Alan Cox        :       Cleaned the above up and shrank it to
 *                                      a sensible code size.
 *              Alan Cox        :       Self connect lockup fix.
 *              Alan Cox        :       No connect to multicast.
 *              Ross Biro       :       Close unaccepted children on master
 *                                      socket close.
 *              Alan Cox        :       Reset tracing code.
 *              Alan Cox        :       Spurious resets on shutdown.
 *              Alan Cox        :       Giant 15 minute/60 second timer error
 *              Alan Cox        :       Small whoops in polling before an
 *                                      accept.
 *              Alan Cox        :       Kept the state trace facility since
 *                                      it's handy for debugging.
 *              Alan Cox        :       More reset handler fixes.
 *              Alan Cox        :       Started rewriting the code based on
 *                                      the RFC's for other useful protocol
 *                                      references see: Comer, KA9Q NOS, and
 *                                      for a reference on the difference
 *                                      between specifications and how BSD
 *                                      works see the 4.4lite source.
 *              A.N.Kuznetsov   :       Don't time wait on completion of tidy
 *                                      close.
 *              Linus Torvalds  :       Fin/Shutdown & copied_seq changes.
 *              Linus Torvalds  :       Fixed BSD port reuse to work first syn
 *              Alan Cox        :       Reimplemented timers as per the RFC
 *                                      and using multiple timers for sanity.
 *              Alan Cox        :       Small bug fixes, and a lot of new
 *                                      comments.
 *              Alan Cox        :       Fixed dual reader crash by locking
 *                                      the buffers (much like datagram.c)
 *              Alan Cox        :       Fixed stuck sockets in probe. A probe
 *                                      now gets fed up of retrying without
 *                                      (even a no space) answer.
 *              Alan Cox        :       Extracted closing code better
 *              Alan Cox        :       Fixed the closing state machine to
 *                                      resemble the RFC.
 *              Alan Cox        :       More 'per spec' fixes.
 *              Jorge Cwik      :       Even faster checksumming.
 *              Alan Cox        :       tcp_data() doesn't ack illegal PSH
 *                                      only frames. At least one pc tcp stack
 *                                      generates them.
 *              Alan Cox        :       Cache last socket.
 *              Alan Cox        :       Per route irtt.
 *              Matt Day        :       poll()->select() match BSD precisely on error
 *              Alan Cox        :       New buffers
 *              Marc Tamsky     :       Various sk->prot->retransmits and
 *                                      sk->retransmits misupdating fixed.
 *                                      Fixed tcp_write_timeout: stuck close,
 *                                      and TCP syn retries gets used now.
 *              Mark Yarvis     :       In tcp_read_wakeup(), don't send an
 *                                      ack if state is TCP_CLOSED.
 *              Alan Cox        :       Look up device on a retransmit - routes may
 *                                      change. Doesn't yet cope with MSS shrink right
 *                                      but it's a start!
 *              Marc Tamsky     :       Closing in closing fixes.
 *              Mike Shaver     :       RFC1122 verifications.
 *              Alan Cox        :       rcv_saddr errors.
 *              Alan Cox        :       Block double connect().
 *              Alan Cox        :       Small hooks for enSKIP.
 *              Alexey Kuznetsov:       Path MTU discovery.
 *              Alan Cox        :       Support soft errors.
 *              Alan Cox        :       Fix MTU discovery pathological case
 *                                      when the remote claims no mtu!
 *              Marc Tamsky     :       TCP_CLOSE fix.
 *              Colin (G3TNE)   :       Send a reset on syn ack replies in
 *                                      window but wrong (fixes NT lpd problems)
 *              Pedro Roque     :       Better TCP window handling, delayed ack.
 *              Joerg Reuter    :       No modification of locked buffers in
 *                                      tcp_do_retransmit()
 *              Eric Schenk     :       Changed receiver side silly window
 *                                      avoidance algorithm to BSD style
 *                                      algorithm. This doubles throughput
 *                                      against machines running Solaris,
 *                                      and seems to result in general
 *                                      improvement.
 *      Stefan Magdalinski      :       adjusted tcp_readable() to fix FIONREAD
 *      Willy Konynenberg       :       Transparent proxying support.
 *      Mike McLagan            :       Routing by source
 *              Keith Owens     :       Do proper merging with partial SKB's in
 *                                      tcp_do_sendmsg to avoid burstiness.
 *              Eric Schenk     :       Fix fast close down bug with
 *                                      shutdown() followed by close().
 *              Andi Kleen      :       Make poll agree with SIGIO
 *      Salvatore Sanfilippo    :       Support SO_LINGER with linger == 1 and
 *                                      lingertime == 0 (RFC 793 ABORT Call)
 *      Hirokazu Takahashi      :       Use copy_from_user() instead of
 *                                      csum_and_copy_from_user() if possible.
 *
 * Description of States:
 *
 *      TCP_SYN_SENT            sent a connection request, waiting for ack
 *
 *      TCP_SYN_RECV            received a connection request, sent ack,
 *                              waiting for final ack in three-way handshake.
 *
 *      TCP_ESTABLISHED         connection established
 *
 *      TCP_FIN_WAIT1           our side has shutdown, waiting to complete
 *                              transmission of remaining buffered data
 *
 *      TCP_FIN_WAIT2           all buffered data sent, waiting for remote
 *                              to shutdown
 *
 *      TCP_CLOSING             both sides have shutdown but we still have
 *                              data we have to finish sending
 *
 *      TCP_TIME_WAIT           timeout to catch resent junk before entering
 *                              closed, can only be entered from FIN_WAIT2
 *                              or CLOSING.  Required because the other end
 *                              may not have gotten our last ACK causing it
 *                              to retransmit the data packet (which we ignore)
 *
 *      TCP_CLOSE_WAIT          remote side has shutdown and is waiting for
 *                              us to finish writing our data and to shutdown
 *                              (we have to close() to move on to LAST_ACK)
 *
 *      TCP_LAST_ACK            out side has shutdown after remote has
 *                              shutdown.  There may still be data in our
 *                              buffer that we have to finish sending
 *
 *      TCP_CLOSE               socket is finished
 */

#define pr_fmt(fmt) "TCP: " fmt

#include <crypto/hash.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/types.h>
#include <linux/fcntl.h>
#include <linux/poll.h>
#include <linux/inet_diag.h>
#include <linux/init.h>
#include <linux/fs.h>
#include <linux/skbuff.h>
#include <linux/scatterlist.h>
#include <linux/splice.h>
#include <linux/net.h>
#include <linux/socket.h>
#include <linux/random.h>
#include <linux/memblock.h>
#include <linux/highmem.h>
#include <linux/swap.h>
#include <linux/cache.h>
#include <linux/err.h>
#include <linux/time.h>
#include <linux/slab.h>
#include <linux/errqueue.h>
#include <linux/static_key.h>
#include <linux/btf.h>

#include <net/icmp.h>
#include <net/inet_common.h>
#include <net/tcp.h>
#include <net/mptcp.h>
#include <net/xfrm.h>
#include <net/ip.h>
#include <net/sock.h>

#include <linux/uaccess.h>
#include <asm/ioctls.h>
#include <net/busy_poll.h>

/* Track pending CMSGs. */
enum {
        TCP_CMSG_INQ = 1,
        TCP_CMSG_TS = 2
};

struct percpu_counter tcp_orphan_count;
EXPORT_SYMBOL_GPL(tcp_orphan_count);

long sysctl_tcp_mem[3] __read_mostly;
EXPORT_SYMBOL(sysctl_tcp_mem);

atomic_long_t tcp_memory_allocated;     /* Current allocated memory. */
EXPORT_SYMBOL(tcp_memory_allocated);

#if IS_ENABLED(CONFIG_SMC)
DEFINE_STATIC_KEY_FALSE(tcp_have_smc);
EXPORT_SYMBOL(tcp_have_smc);
#endif

/*
 * Current number of TCP sockets.
 */
struct percpu_counter tcp_sockets_allocated;
EXPORT_SYMBOL(tcp_sockets_allocated);

/*
 * TCP splice context
 */
struct tcp_splice_state {
        struct pipe_inode_info *pipe;
        size_t len;
        unsigned int flags;
};

/*
 * Pressure flag: try to collapse.
 * Technical note: it is used by multiple contexts non atomically.
 * All the __sk_mem_schedule() is of this nature: accounting
 * is strict, actions are advisory and have some latency.
 */
unsigned long tcp_memory_pressure __read_mostly;
EXPORT_SYMBOL_GPL(tcp_memory_pressure);

DEFINE_STATIC_KEY_FALSE(tcp_rx_skb_cache_key);
EXPORT_SYMBOL(tcp_rx_skb_cache_key);

DEFINE_STATIC_KEY_FALSE(tcp_tx_skb_cache_key);

void tcp_enter_memory_pressure(struct sock *sk)
{
        unsigned long val;

        if (READ_ONCE(tcp_memory_pressure))
                return;
        val = jiffies;

        if (!val)
                val--;
        if (!cmpxchg(&tcp_memory_pressure, 0, val))
                NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMEMORYPRESSURES);
}
EXPORT_SYMBOL_GPL(tcp_enter_memory_pressure);

void tcp_leave_memory_pressure(struct sock *sk)
{
        unsigned long val;

        if (!READ_ONCE(tcp_memory_pressure))
                return;
        val = xchg(&tcp_memory_pressure, 0);
        if (val)
                NET_ADD_STATS(sock_net(sk), LINUX_MIB_TCPMEMORYPRESSURESCHRONO,
                              jiffies_to_msecs(jiffies - val));
}
EXPORT_SYMBOL_GPL(tcp_leave_memory_pressure);

/* Convert seconds to retransmits based on initial and max timeout */
static u8 secs_to_retrans(int seconds, int timeout, int rto_max)
{
        u8 res = 0;

        if (seconds > 0) {
                int period = timeout;

                res = 1;
                while (seconds > period && res < 255) {
                        res++;
                        timeout <<= 1;
                        if (timeout > rto_max)
                                timeout = rto_max;
                        period += timeout;
                }
        }
        return res;
}

/* Convert retransmits to seconds based on initial and max timeout */
static int retrans_to_secs(u8 retrans, int timeout, int rto_max)
{
        int period = 0;

        if (retrans > 0) {
                period = timeout;
                while (--retrans) {
                        timeout <<= 1;
                        if (timeout > rto_max)
                                timeout = rto_max;
                        period += timeout;
                }
        }
        return period;
}

static u64 tcp_compute_delivery_rate(const struct tcp_sock *tp)
{
        u32 rate = READ_ONCE(tp->rate_delivered);
        u32 intv = READ_ONCE(tp->rate_interval_us);
        u64 rate64 = 0;

        if (rate && intv) {
                rate64 = (u64)rate * tp->mss_cache * USEC_PER_SEC;
                do_div(rate64, intv);
        }
        return rate64;
}

/* Address-family independent initialization for a tcp_sock.
 *
 * NOTE: A lot of things set to zero explicitly by call to
 *       sk_alloc() so need not be done here.
 */
void tcp_init_sock(struct sock *sk)
{
        struct inet_connection_sock *icsk = inet_csk(sk);
        struct tcp_sock *tp = tcp_sk(sk);

        tp->out_of_order_queue = RB_ROOT;
        sk->tcp_rtx_queue = RB_ROOT;
        tcp_init_xmit_timers(sk);
        INIT_LIST_HEAD(&tp->tsq_node);
        INIT_LIST_HEAD(&tp->tsorted_sent_queue);

        icsk->icsk_rto = TCP_TIMEOUT_INIT;
        icsk->icsk_rto_min = TCP_RTO_MIN;
        icsk->icsk_delack_max = TCP_DELACK_MAX;
        tp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT);
        minmax_reset(&tp->rtt_min, tcp_jiffies32, ~0U);

        /* So many TCP implementations out there (incorrectly) count the
         * initial SYN frame in their delayed-ACK and congestion control
         * algorithms that we must have the following bandaid to talk
         * efficiently to them.  -DaveM
         */
        tp->snd_cwnd = TCP_INIT_CWND;

        /* There's a bubble in the pipe until at least the first ACK. */
        tp->app_limited = ~0U;

        /* See draft-stevens-tcpca-spec-01 for discussion of the
         * initialization of these values.
         */
        tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
        tp->snd_cwnd_clamp = ~0;
        tp->mss_cache = TCP_MSS_DEFAULT;

        tp->reordering = sock_net(sk)->ipv4.sysctl_tcp_reordering;
        tcp_assign_congestion_control(sk);

        tp->tsoffset = 0;
        tp->rack.reo_wnd_steps = 1;

        sk->sk_write_space = sk_stream_write_space;
        sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);

        icsk->icsk_sync_mss = tcp_sync_mss;

        WRITE_ONCE(sk->sk_sndbuf, sock_net(sk)->ipv4.sysctl_tcp_wmem[1]);
        WRITE_ONCE(sk->sk_rcvbuf, sock_net(sk)->ipv4.sysctl_tcp_rmem[1]);

        sk_sockets_allocated_inc(sk);
        sk->sk_route_forced_caps = NETIF_F_GSO;
}
EXPORT_SYMBOL(tcp_init_sock);

static void tcp_tx_timestamp(struct sock *sk, u16 tsflags)
{
        struct sk_buff *skb = tcp_write_queue_tail(sk);

        if (tsflags && skb) {
                struct skb_shared_info *shinfo = skb_shinfo(skb);
                struct tcp_skb_cb *tcb = TCP_SKB_CB(skb);

                sock_tx_timestamp(sk, tsflags, &shinfo->tx_flags);
                if (tsflags & SOF_TIMESTAMPING_TX_ACK)
                        tcb->txstamp_ack = 1;
                if (tsflags & SOF_TIMESTAMPING_TX_RECORD_MASK)
                        shinfo->tskey = TCP_SKB_CB(skb)->seq + skb->len - 1;
        }
}

static bool tcp_stream_is_readable(struct sock *sk, int target)
{
        if (tcp_epollin_ready(sk, target))
                return true;

        if (sk->sk_prot->stream_memory_read)
                return sk->sk_prot->stream_memory_read(sk);
        return false;
}

/*
 *      Wait for a TCP event.
 *
 *      Note that we don't need to lock the socket, as the upper poll layers
 *      take care of normal races (between the test and the event) and we don't
 *      go look at any of the socket buffers directly.
 */
__poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
{
        __poll_t mask;
        struct sock *sk = sock->sk;
        const struct tcp_sock *tp = tcp_sk(sk);
        int state;

        sock_poll_wait(file, sock, wait);

        state = inet_sk_state_load(sk);
        if (state == TCP_LISTEN)
                return inet_csk_listen_poll(sk);

        /* Socket is not locked. We are protected from async events
         * by poll logic and correct handling of state changes
         * made by other threads is impossible in any case.
         */

        mask = 0;

        /*
         * EPOLLHUP is certainly not done right. But poll() doesn't
         * have a notion of HUP in just one direction, and for a
         * socket the read side is more interesting.
         *
         * Some poll() documentation says that EPOLLHUP is incompatible
         * with the EPOLLOUT/POLLWR flags, so somebody should check this
         * all. But careful, it tends to be safer to return too many
         * bits than too few, and you can easily break real applications
         * if you don't tell them that something has hung up!
         *
         * Check-me.
         *
         * Check number 1. EPOLLHUP is _UNMASKABLE_ event (see UNIX98 and
         * our fs/select.c). It means that after we received EOF,
         * poll always returns immediately, making impossible poll() on write()
         * in state CLOSE_WAIT. One solution is evident --- to set EPOLLHUP
         * if and only if shutdown has been made in both directions.
         * Actually, it is interesting to look how Solaris and DUX
         * solve this dilemma. I would prefer, if EPOLLHUP were maskable,
         * then we could set it on SND_SHUTDOWN. BTW examples given
         * in Stevens' books assume exactly this behaviour, it explains
         * why EPOLLHUP is incompatible with EPOLLOUT.  --ANK
         *
         * NOTE. Check for TCP_CLOSE is added. The goal is to prevent
         * blocking on fresh not-connected or disconnected socket. --ANK
         */
        if (sk->sk_shutdown == SHUTDOWN_MASK || state == TCP_CLOSE)
                mask |= EPOLLHUP;
        if (sk->sk_shutdown & RCV_SHUTDOWN)
                mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP;

        /* Connected or passive Fast Open socket? */
        if (state != TCP_SYN_SENT &&
            (state != TCP_SYN_RECV || rcu_access_pointer(tp->fastopen_rsk))) {
                int target = sock_rcvlowat(sk, 0, INT_MAX);

                if (READ_ONCE(tp->urg_seq) == READ_ONCE(tp->copied_seq) &&
                    !sock_flag(sk, SOCK_URGINLINE) &&
                    tp->urg_data)
                        target++;

                if (tcp_stream_is_readable(sk, target))
                        mask |= EPOLLIN | EPOLLRDNORM;

                if (!(sk->sk_shutdown & SEND_SHUTDOWN)) {
                        if (__sk_stream_is_writeable(sk, 1)) {
                                mask |= EPOLLOUT | EPOLLWRNORM;
                        } else {  /* send SIGIO later */
                                sk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk);
                                set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);

                                /* Race breaker. If space is freed after
                                 * wspace test but before the flags are set,
                                 * IO signal will be lost. Memory barrier
                                 * pairs with the input side.
                                 */
                                smp_mb__after_atomic();
                                if (__sk_stream_is_writeable(sk, 1))
                                        mask |= EPOLLOUT | EPOLLWRNORM;
                        }
                } else
                        mask |= EPOLLOUT | EPOLLWRNORM;

                if (tp->urg_data & TCP_URG_VALID)
                        mask |= EPOLLPRI;
        } else if (state == TCP_SYN_SENT && inet_sk(sk)->defer_connect) {
                /* Active TCP fastopen socket with defer_connect
                 * Return EPOLLOUT so application can call write()
                 * in order for kernel to generate SYN+data
                 */
                mask |= EPOLLOUT | EPOLLWRNORM;
        }
        /* This barrier is coupled with smp_wmb() in tcp_reset() */
        smp_rmb();
        if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue))
                mask |= EPOLLERR;

        return mask;
}
EXPORT_SYMBOL(tcp_poll);

int tcp_ioctl(struct sock *sk, int cmd, unsigned long arg)
{
        struct tcp_sock *tp = tcp_sk(sk);
        int answ;
        bool slow;

        switch (cmd) {
        case SIOCINQ:
                if (sk->sk_state == TCP_LISTEN)
                        return -EINVAL;

                slow = lock_sock_fast(sk);
                answ = tcp_inq(sk);
                unlock_sock_fast(sk, slow);
                break;
        case SIOCATMARK:
                answ = tp->urg_data &&
                       READ_ONCE(tp->urg_seq) == READ_ONCE(tp->copied_seq);
                break;
        case SIOCOUTQ:
                if (sk->sk_state == TCP_LISTEN)
                        return -EINVAL;

                if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV))
                        answ = 0;
                else
                        answ = READ_ONCE(tp->write_seq) - tp->snd_una;
                break;
        case SIOCOUTQNSD:
                if (sk->sk_state == TCP_LISTEN)
                        return -EINVAL;

                if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV))
                        answ = 0;
                else
                        answ = READ_ONCE(tp->write_seq) -
                               READ_ONCE(tp->snd_nxt);
                break;
        default:
                return -ENOIOCTLCMD;
        }

        return put_user(answ, (int __user *)arg);
}
EXPORT_SYMBOL(tcp_ioctl);

static inline void tcp_mark_push(struct tcp_sock *tp, struct sk_buff *skb)
{
        TCP_SKB_CB(skb)->tcp_flags |= TCPHDR_PSH;
        tp->pushed_seq = tp->write_seq;
}

static inline bool forced_push(const struct tcp_sock *tp)
{
        return after(tp->write_seq, tp->pushed_seq + (tp->max_window >> 1));
}

static void skb_entail(struct sock *sk, struct sk_buff *skb)
{
        struct tcp_sock *tp = tcp_sk(sk);
        struct tcp_skb_cb *tcb = TCP_SKB_CB(skb);

        skb->csum    = 0;
        tcb->seq     = tcb->end_seq = tp->write_seq;
        tcb->tcp_flags = TCPHDR_ACK;
        tcb->sacked  = 0;
        __skb_header_release(skb);
        tcp_add_write_queue_tail(sk, skb);
        sk_wmem_queued_add(sk, skb->truesize);
        sk_mem_charge(sk, skb->truesize);
        if (tp->nonagle & TCP_NAGLE_PUSH)
                tp->nonagle &= ~TCP_NAGLE_PUSH;

        tcp_slow_start_after_idle_check(sk);
}

static inline void tcp_mark_urg(struct tcp_sock *tp, int flags)
{
        if (flags & MSG_OOB)
                tp->snd_up = tp->write_seq;
}

/* If a not yet filled skb is pushed, do not send it if
 * we have data packets in Qdisc or NIC queues :
 * Because TX completion will happen shortly, it gives a chance
 * to coalesce future sendmsg() payload into this skb, without
 * need for a timer, and with no latency trade off.
 * As packets containing data payload have a bigger truesize
 * than pure acks (dataless) packets, the last checks prevent
 * autocorking if we only have an ACK in Qdisc/NIC queues,
 * or if TX completion was delayed after we processed ACK packet.
 */
static bool tcp_should_autocork(struct sock *sk, struct sk_buff *skb,
                                int size_goal)
{
        return skb->len < size_goal &&
               sock_net(sk)->ipv4.sysctl_tcp_autocorking &&
               !tcp_rtx_queue_empty(sk) &&
               refcount_read(&sk->sk_wmem_alloc) > skb->truesize;
}

void tcp_push(struct sock *sk, int flags, int mss_now,
              int nonagle, int size_goal)
{
        struct tcp_sock *tp = tcp_sk(sk);
        struct sk_buff *skb;

        skb = tcp_write_queue_tail(sk);
        if (!skb)
                return;
        if (!(flags & MSG_MORE) || forced_push(tp))
                tcp_mark_push(tp, skb);

        tcp_mark_urg(tp, flags);

        if (tcp_should_autocork(sk, skb, size_goal)) {

                /* avoid atomic op if TSQ_THROTTLED bit is already set */
                if (!test_bit(TSQ_THROTTLED, &sk->sk_tsq_flags)) {
                        NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAUTOCORKING);
                        set_bit(TSQ_THROTTLED, &sk->sk_tsq_flags);
                }
                /* It is possible TX completion already happened
                 * before we set TSQ_THROTTLED.
                 */
                if (refcount_read(&sk->sk_wmem_alloc) > skb->truesize)
                        return;
        }

        if (flags & MSG_MORE)
                nonagle = TCP_NAGLE_CORK;

        __tcp_push_pending_frames(sk, mss_now, nonagle);
}

static int tcp_splice_data_recv(read_descriptor_t *rd_desc, struct sk_buff *skb,
                                unsigned int offset, size_t len)
{
        struct tcp_splice_state *tss = rd_desc->arg.data;
        int ret;

        ret = skb_splice_bits(skb, skb->sk, offset, tss->pipe,
                              min(rd_desc->count, len), tss->flags);
        if (ret > 0)
                rd_desc->count -= ret;
        return ret;
}

static int __tcp_splice_read(struct sock *sk, struct tcp_splice_state *tss)
{
        /* Store TCP splice context information in read_descriptor_t. */
        read_descriptor_t rd_desc = {
                .arg.data = tss,
                .count    = tss->len,
        };

        return tcp_read_sock(sk, &rd_desc, tcp_splice_data_recv);
}

/**
 *  tcp_splice_read - splice data from TCP socket to a pipe
 * @sock:       socket to splice from
 * @ppos:       position (not valid)
 * @pipe:       pipe to splice to
 * @len:        number of bytes to splice
 * @flags:      splice modifier flags
 *
 * Description:
 *    Will read pages from given socket and fill them into a pipe.
 *
 **/
ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos,
                        struct pipe_inode_info *pipe, size_t len,
                        unsigned int flags)
{
        struct sock *sk = sock->sk;
        struct tcp_splice_state tss = {
                .pipe = pipe,
                .len = len,
                .flags = flags,
        };
        long timeo;
        ssize_t spliced;
        int ret;

        sock_rps_record_flow(sk);
        /*
         * We can't seek on a socket input
         */
        if (unlikely(*ppos))
                return -ESPIPE;

        ret = spliced = 0;

        lock_sock(sk);

        timeo = sock_rcvtimeo(sk, sock->file->f_flags & O_NONBLOCK);
        while (tss.len) {
                ret = __tcp_splice_read(sk, &tss);
                if (ret < 0)
                        break;
                else if (!ret) {
                        if (spliced)
                                break;
                        if (sock_flag(sk, SOCK_DONE))
                                break;
                        if (sk->sk_err) {
                                ret = sock_error(sk);
                                break;
                        }
                        if (sk->sk_shutdown & RCV_SHUTDOWN)
                                break;
                        if (sk->sk_state == TCP_CLOSE) {
                                /*
                                 * This occurs when user tries to read
                                 * from never connected socket.
                                 */
                                ret = -ENOTCONN;
                                break;
                        }
                        if (!timeo) {
                                ret = -EAGAIN;
                                break;
                        }
                        /* if __tcp_splice_read() got nothing while we have
                         * an skb in receive queue, we do not want to loop.
                         * This might happen with URG data.
                         */
                        if (!skb_queue_empty(&sk->sk_receive_queue))
                                break;
                        sk_wait_data(sk, &timeo, NULL);
                        if (signal_pending(current)) {
                                ret = sock_intr_errno(timeo);
                                break;
                        }
                        continue;
                }
                tss.len -= ret;
                spliced += ret;

                if (!timeo)
                        break;
                release_sock(sk);
                lock_sock(sk);

                if (sk->sk_err || sk->sk_state == TCP_CLOSE ||
                    (sk->sk_shutdown & RCV_SHUTDOWN) ||
                    signal_pending(current))
                        break;
        }

        release_sock(sk);

        if (spliced)
                return spliced;

        return ret;
}
EXPORT_SYMBOL(tcp_splice_read);

struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp,
                                    bool force_schedule)
{
        struct sk_buff *skb;

        if (likely(!size)) {
                skb = sk->sk_tx_skb_cache;
                if (skb) {
                        skb->truesize = SKB_TRUESIZE(skb_end_offset(skb));
                        sk->sk_tx_skb_cache = NULL;
                        pskb_trim(skb, 0);
                        INIT_LIST_HEAD(&skb->tcp_tsorted_anchor);
                        skb_shinfo(skb)->tx_flags = 0;
                        memset(TCP_SKB_CB(skb), 0, sizeof(struct tcp_skb_cb));
                        return skb;
                }
        }
        /* The TCP header must be at least 32-bit aligned.  */
        size = ALIGN(size, 4);

        if (unlikely(tcp_under_memory_pressure(sk)))
                sk_mem_reclaim_partial(sk);

        skb = alloc_skb_fclone(size + sk->sk_prot->max_header, gfp);
        if (likely(skb)) {
                bool mem_scheduled;

                if (force_schedule) {
                        mem_scheduled = true;
                        sk_forced_mem_schedule(sk, skb->truesize);
                } else {
                        mem_scheduled = sk_wmem_schedule(sk, skb->truesize);
                }
                if (likely(mem_scheduled)) {
                        skb_reserve(skb, sk->sk_prot->max_header);
                        /*
                         * Make sure that we have exactly size bytes
                         * available to the caller, no more, no less.
                         */
                        skb->reserved_tailroom = skb->end - skb->tail - size;
                        INIT_LIST_HEAD(&skb->tcp_tsorted_anchor);
                        return skb;
                }
                __kfree_skb(skb);
        } else {
                sk->sk_prot->enter_memory_pressure(sk);
                sk_stream_moderate_sndbuf(sk);
        }
        return NULL;
}

static unsigned int tcp_xmit_size_goal(struct sock *sk, u32 mss_now,
                                       int large_allowed)
{
        struct tcp_sock *tp = tcp_sk(sk);
        u32 new_size_goal, size_goal;

        if (!large_allowed)
                return mss_now;

        /* Note : tcp_tso_autosize() will eventually split this later */
        new_size_goal = sk->sk_gso_max_size - 1 - MAX_TCP_HEADER;
        new_size_goal = tcp_bound_to_half_wnd(tp, new_size_goal);

        /* We try hard to avoid divides here */
        size_goal = tp->gso_segs * mss_now;
        if (unlikely(new_size_goal < size_goal ||
                     new_size_goal >= size_goal + mss_now)) {
                tp->gso_segs = min_t(u16, new_size_goal / mss_now,
                                     sk->sk_gso_max_segs);
                size_goal = tp->gso_segs * mss_now;
        }

        return max(size_goal, mss_now);
}

int tcp_send_mss(struct sock *sk, int *size_goal, int flags)
{
        int mss_now;

        mss_now = tcp_current_mss(sk);
        *size_goal = tcp_xmit_size_goal(sk, mss_now, !(flags & MSG_OOB));

        return mss_now;
}

/* In some cases, both sendpage() and sendmsg() could have added
 * an skb to the write queue, but failed adding payload on it.
 * We need to remove it to consume less memory, but more
 * importantly be able to generate EPOLLOUT for Edge Trigger epoll()
 * users.
 */
void tcp_remove_empty_skb(struct sock *sk, struct sk_buff *skb)
{
        if (skb && !skb->len) {
                tcp_unlink_write_queue(skb, sk);
                if (tcp_write_queue_empty(sk))
                        tcp_chrono_stop(sk, TCP_CHRONO_BUSY);
                sk_wmem_free_skb(sk, skb);
        }
}

struct sk_buff *tcp_build_frag(struct sock *sk, int size_goal, int flags,
                               struct page *page, int offset, size_t *size)
{
        struct sk_buff *skb = tcp_write_queue_tail(sk);
        struct tcp_sock *tp = tcp_sk(sk);
        bool can_coalesce;
        int copy, i;

        if (!skb || (copy = size_goal - skb->len) <= 0 ||
            !tcp_skb_can_collapse_to(skb)) {
new_segment:
                if (!sk_stream_memory_free(sk))
                        return NULL;

                skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation,
                                          tcp_rtx_and_write_queues_empty(sk));
                if (!skb)
                        return NULL;

#ifdef CONFIG_TLS_DEVICE
                skb->decrypted = !!(flags & MSG_SENDPAGE_DECRYPTED);
#endif
                skb_entail(sk, skb);
                copy = size_goal;
        }

        if (copy > *size)
                copy = *size;

        i = skb_shinfo(skb)->nr_frags;
        can_coalesce = skb_can_coalesce(skb, i, page, offset);
        if (!can_coalesce && i >= sysctl_max_skb_frags) {
                tcp_mark_push(tp, skb);
                goto new_segment;
        }

        if (!sk_wmem_schedule(sk, copy))
                return NULL;

        if (can_coalesce) {
                skb_frag_size_add(&skb_shinfo(skb)->frags[i - 1], copy);
        } else {
                get_page(page);
                skb_fill_page_desc(skb, i, page, offset, copy);
        }

        if (!(flags & MSG_NO_SHARED_FRAGS))
                skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;

        skb->len += copy;
        skb->data_len += copy;
        skb->truesize += copy;
        sk_wmem_queued_add(sk, copy);
        sk_mem_charge(sk, copy);
        skb->ip_summed = CHECKSUM_PARTIAL;
        WRITE_ONCE(tp->write_seq, tp->write_seq + copy);
        TCP_SKB_CB(skb)->end_seq += copy;
        tcp_skb_pcount_set(skb, 0);

        *size = copy;
        return skb;
}

ssize_t do_tcp_sendpages(struct sock *sk, struct page *page, int offset,
                         size_t size, int flags)
{
        struct tcp_sock *tp = tcp_sk(sk);
        int mss_now, size_goal;
        int err;
        ssize_t copied;
        long timeo = sock_sndtimeo(sk, flags & MSG_DONTWAIT);

        if (IS_ENABLED(CONFIG_DEBUG_VM) &&
            WARN_ONCE(!sendpage_ok(page),
                      "page must not be a Slab one and have page_count > 0"))
                return -EINVAL;

        /* Wait for a connection to finish. One exception is TCP Fast Open
         * (passive side) where data is allowed to be sent before a connection
         * is fully established.
         */
        if (((1 << sk->sk_state) & ~(TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)) &&
            !tcp_passive_fastopen(sk)) {
                err = sk_stream_wait_connect(sk, &timeo);
                if (err != 0)
                        goto out_err;
        }

        sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk);

        mss_now = tcp_send_mss(sk, &size_goal, flags);
        copied = 0;

        err = -EPIPE;
        if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))
                goto out_err;

        while (size > 0) {
                struct sk_buff *skb;
                size_t copy = size;

                skb = tcp_build_frag(sk, size_goal, flags, page, offset, &copy);
                if (!skb)
                        goto wait_for_space;

                if (!copied)
                        TCP_SKB_CB(skb)->tcp_flags &= ~TCPHDR_PSH;

                copied += copy;
                offset += copy;
                size -= copy;
                if (!size)
                        goto out;

                if (skb->len < size_goal || (flags & MSG_OOB))
                        continue;

                if (forced_push(tp)) {
                        tcp_mark_push(tp, skb);
                        __tcp_push_pending_frames(sk, mss_now, TCP_NAGLE_PUSH);
                } else if (skb == tcp_send_head(sk))
                        tcp_push_one(sk, mss_now);
                continue;

wait_for_space:
                set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
                tcp_push(sk, flags & ~MSG_MORE, mss_now,
                         TCP_NAGLE_PUSH, size_goal);

                err = sk_stream_wait_memory(sk, &timeo);
                if (err != 0)
                        goto do_error;

                mss_now = tcp_send_mss(sk, &size_goal, flags);
        }

out:
        if (copied) {
                tcp_tx_timestamp(sk, sk->sk_tsflags);
                if (!(flags & MSG_SENDPAGE_NOTLAST))
                        tcp_push(sk, flags, mss_now, tp->nonagle, size_goal);
        }
        return copied;

do_error:
        tcp_remove_empty_skb(sk, tcp_write_queue_tail(sk));
        if (copied)
                goto out;
out_err:
        /* make sure we wake any epoll edge trigger waiter */
        if (unlikely(tcp_rtx_and_write_queues_empty(sk) && err == -EAGAIN)) {
                sk->sk_write_space(sk);
                tcp_chrono_stop(sk, TCP_CHRONO_SNDBUF_LIMITED);
        }
        return sk_stream_error(sk, flags, err);
}
EXPORT_SYMBOL_GPL(do_tcp_sendpages);

int tcp_sendpage_locked(struct sock *sk, struct page *page, int offset,
                        size_t size, int flags)
{
        if (!(sk->sk_route_caps & NETIF_F_SG))
                return sock_no_sendpage_locked(sk, page, offset, size, flags);

        tcp_rate_check_app_limited(sk);  /* is sending application-limited? */

        return do_tcp_sendpages(sk, page, offset, size, flags);
}
EXPORT_SYMBOL_GPL(tcp_sendpage_locked);

int tcp_sendpage(struct sock *sk, struct page *page, int offset,
                 size_t size, int flags)
{
        int ret;

        lock_sock(sk);
        ret = tcp_sendpage_locked(sk, page, offset, size, flags);
        release_sock(sk);

        return ret;
}
EXPORT_SYMBOL(tcp_sendpage);

void tcp_free_fastopen_req(struct tcp_sock *tp)
{
        if (tp->fastopen_req) {
                kfree(tp->fastopen_req);
                tp->fastopen_req = NULL;
        }
}

static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg,
                                int *copied, size_t size,
                                struct ubuf_info *uarg)
{
        struct tcp_sock *tp = tcp_sk(sk);
        struct inet_sock *inet = inet_sk(sk);
        struct sockaddr *uaddr = msg->msg_name;
        int err, flags;

        if (!(sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) ||
            (uaddr && msg->msg_namelen >= sizeof(uaddr->sa_family) &&
             uaddr->sa_family == AF_UNSPEC))
                return -EOPNOTSUPP;
        if (tp->fastopen_req)
                return -EALREADY; /* Another Fast Open is in progress */

        tp->fastopen_req = kzalloc(sizeof(struct tcp_fastopen_request),
                                   sk->sk_allocation);
        if (unlikely(!tp->fastopen_req))
                return -ENOBUFS;
        tp->fastopen_req->data = msg;
        tp->fastopen_req->size = size;
        tp->fastopen_req->uarg = uarg;

        if (inet->defer_connect) {
                err = tcp_connect(sk);
                /* Same failure procedure as in tcp_v4/6_connect */
                if (err) {
                        tcp_set_state(sk, TCP_CLOSE);
                        inet->inet_dport = 0;
                        sk->sk_route_caps = 0;
                }
        }
        flags = (msg->msg_flags & MSG_DONTWAIT) ? O_NONBLOCK : 0;
        err = __inet_stream_connect(sk->sk_socket, uaddr,
                                    msg->msg_namelen, flags, 1);
        /* fastopen_req could already be freed in __inet_stream_connect
         * if the connection times out or gets rst
         */
        if (tp->fastopen_req) {
                *copied = tp->fastopen_req->copied;
                tcp_free_fastopen_req(tp);
                inet->defer_connect = 0;
        }
        return err;
}

int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
{
        struct tcp_sock *tp = tcp_sk(sk);
        struct ubuf_info *uarg = NULL;
        struct sk_buff *skb;
        struct sockcm_cookie sockc;
        int flags, err, copied = 0;
        int mss_now = 0, size_goal, copied_syn = 0;
        int process_backlog = 0;
        bool zc = false;
        long timeo;

        flags = msg->msg_flags;

        if (flags & MSG_ZEROCOPY && size && sock_flag(sk, SOCK_ZEROCOPY)) {
                skb = tcp_write_queue_tail(sk);
                uarg = msg_zerocopy_realloc(sk, size, skb_zcopy(skb));
                if (!uarg) {
                        err = -ENOBUFS;
                        goto out_err;
                }

                zc = sk->sk_route_caps & NETIF_F_SG;
                if (!zc)
                        uarg->zerocopy = 0;
        }

        if (unlikely(flags & MSG_FASTOPEN || inet_sk(sk)->defer_connect) &&
            !tp->repair) {
                err = tcp_sendmsg_fastopen(sk, msg, &copied_syn, size, uarg);
                if (err == -EINPROGRESS && copied_syn > 0)
                        goto out;
                else if (err)
                        goto out_err;
        }

        timeo = sock_sndtimeo(sk, flags & MSG_DONTWAIT);

        tcp_rate_check_app_limited(sk);  /* is sending application-limited? */

        /* Wait for a connection to finish. One exception is TCP Fast Open
         * (passive side) where data is allowed to be sent before a connection
         * is fully established.
         */
        if (((1 << sk->sk_state) & ~(TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)) &&
            !tcp_passive_fastopen(sk)) {
                err = sk_stream_wait_connect(sk, &timeo);
                if (err != 0)
                        goto do_error;
        }

        if (unlikely(tp->repair)) {
                if (tp->repair_queue == TCP_RECV_QUEUE) {
                        copied = tcp_send_rcvq(sk, msg, size);
                        goto out_nopush;
                }

                err = -EINVAL;
                if (tp->repair_queue == TCP_NO_QUEUE)
                        goto out_err;

                /* 'common' sending to sendq */
        }

        sockcm_init(&sockc, sk);
        if (msg->msg_controllen) {
                err = sock_cmsg_send(sk, msg, &sockc);
                if (unlikely(err)) {
                        err = -EINVAL;
                        goto out_err;
                }
        }

        /* This should be in poll */
        sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk);

        /* Ok commence sending. */
        copied = 0;

restart:
        mss_now = tcp_send_mss(sk, &size_goal, flags);

        err = -EPIPE;
        if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))
                goto do_error;

        while (msg_data_left(msg)) {
                int copy = 0;

                skb = tcp_write_queue_tail(sk);
                if (skb)
                        copy = size_goal - skb->len;

                if (copy <= 0 || !tcp_skb_can_collapse_to(skb)) {
                        bool first_skb;

new_segment:
                        if (!sk_stream_memory_free(sk))
                                goto wait_for_space;

                        if (unlikely(process_backlog >= 16)) {
                                process_backlog = 0;
                                if (sk_flush_backlog(sk))
                                        goto restart;
                        }
                        first_skb = tcp_rtx_and_write_queues_empty(sk);
                        skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation,
                                                  first_skb);
                        if (!skb)
                                goto wait_for_space;

                        process_backlog++;
                        skb->ip_summed = CHECKSUM_PARTIAL;

                        skb_entail(sk, skb);
                        copy = size_goal;

                        /* All packets are restored as if they have
                         * already been sent. skb_mstamp_ns isn't set to
                         * avoid wrong rtt estimation.
                         */
                        if (tp->repair)
                                TCP_SKB_CB(skb)->sacked |= TCPCB_REPAIRED;
                }

                /* Try to append data to the end of skb. */
                if (copy > msg_data_left(msg))
                        copy = msg_data_left(msg);

                /* Where to copy to? */
                if (skb_availroom(skb) > 0 && !zc) {
                        /* We have some space in skb head. Superb! */
                        copy = min_t(int, copy, skb_availroom(skb));
                        err = skb_add_data_nocache(sk, skb, &msg->msg_iter, copy);
                        if (err)
                                goto do_fault;
                } else if (!zc) {
                        bool merge = true;
                        int i = skb_shinfo(skb)->nr_frags;
                        struct page_frag *pfrag = sk_page_frag(sk);

                        if (!sk_page_frag_refill(sk, pfrag))
                                goto wait_for_space;

                        if (!skb_can_coalesce(skb, i, pfrag->page,
                                              pfrag->offset)) {
                                if (i >= sysctl_max_skb_frags) {
                                        tcp_mark_push(tp, skb);
                                        goto new_segment;
                                }
                                merge = false;
                        }

                        copy = min_t(int, copy, pfrag->size - pfrag->offset);

                        if (!sk_wmem_schedule(sk, copy))
                                goto wait_for_space;

                        err = skb_copy_to_page_nocache(sk, &msg->msg_iter, skb,
                                                       pfrag->page,
                                                       pfrag->offset,
                                                       copy);
                        if (err)
                                goto do_error;

                        /* Update the skb. */
                        if (merge) {
                                skb_frag_size_add(&skb_shinfo(skb)->frags[i - 1], copy);
                        } else {
                                skb_fill_page_desc(skb, i, pfrag->page,
                                                   pfrag->offset, copy);
                                page_ref_inc(pfrag->page);
                        }
                        pfrag->offset += copy;
                } else {
                        if (!sk_wmem_schedule(sk, copy))
                                goto wait_for_space;

                        err = skb_zerocopy_iter_stream(sk, skb, msg, copy, uarg);
                        if (err == -EMSGSIZE || err == -EEXIST) {
                                tcp_mark_push(tp, skb);
                                goto new_segment;
                        }
                        if (err < 0)
                                goto do_error;
                        copy = err;
                }

                if (!copied)
                        TCP_SKB_CB(skb)->tcp_flags &= ~TCPHDR_PSH;

                WRITE_ONCE(tp->write_seq, tp->write_seq + copy);
                TCP_SKB_CB(skb)->end_seq += copy;
                tcp_skb_pcount_set(skb, 0);

                copied += copy;
                if (!msg_data_left(msg)) {
                        if (unlikely(flags & MSG_EOR))
                                TCP_SKB_CB(skb)->eor = 1;
                        goto out;
                }

                if (skb->len < size_goal || (flags & MSG_OOB) || unlikely(tp->repair))
                        continue;

                if (forced_push(tp)) {
                        tcp_mark_push(tp, skb);
                        __tcp_push_pending_frames(sk, mss_now, TCP_NAGLE_PUSH);
                } else if (skb == tcp_send_head(sk))
                        tcp_push_one(sk, mss_now);
                continue;

wait_for_space:
                set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
                if (copied)
                        tcp_push(sk, flags & ~MSG_MORE, mss_now,
                                 TCP_NAGLE_PUSH, size_goal);

                err = sk_stream_wait_memory(sk, &timeo);
                if (err != 0)
                        goto do_error;

                mss_now = tcp_send_mss(sk, &size_goal, flags);
        }

out:
        if (copied) {
                tcp_tx_timestamp(sk, sockc.tsflags);
                tcp_push(sk, flags, mss_now, tp->nonagle, size_goal);
        }
out_nopush:
        net_zcopy_put(uarg);
        return copied + copied_syn;

do_error:
        skb = tcp_write_queue_tail(sk);
do_fault:
        tcp_remove_empty_skb(sk, skb);

        if (copied + copied_syn)
                goto out;
out_err:
        net_zcopy_put_abort(uarg, true);
        err = sk_stream_error(sk, flags, err);
        /* make sure we wake any epoll edge trigger waiter */
        if (unlikely(tcp_rtx_and_write_queues_empty(sk) && err == -EAGAIN)) {
                sk->sk_write_space(sk);
                tcp_chrono_stop(sk, TCP_CHRONO_SNDBUF_LIMITED);
        }
        return err;
}
EXPORT_SYMBOL_GPL(tcp_sendmsg_locked);

int tcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
{
        int ret;

        lock_sock(sk);
        ret = tcp_sendmsg_locked(sk, msg, size);
        release_sock(sk);

        return ret;
}
EXPORT_SYMBOL(tcp_sendmsg);

/*
 *      Handle reading urgent data. BSD has very simple semantics for
 *      this, no blocking and very strange errors 8)
 */

static int tcp_recv_urg(struct sock *sk, struct msghdr *msg, int len, int flags)
{
        struct tcp_sock *tp = tcp_sk(sk);

        /* No URG data to read. */
        if (sock_flag(sk, SOCK_URGINLINE) || !tp->urg_data ||
            tp->urg_data == TCP_URG_READ)
                return -EINVAL; /* Yes this is right ! */

        if (sk->sk_state == TCP_CLOSE && !sock_flag(sk, SOCK_DONE))
                return -ENOTCONN;

        if (tp->urg_data & TCP_URG_VALID) {
                int err = 0;
                char c = tp->urg_data;

                if (!(flags & MSG_PEEK))
                        tp->urg_data = TCP_URG_READ;

                /* Read urgent data. */
                msg->msg_flags |= MSG_OOB;

                if (len > 0) {
                        if (!(flags & MSG_TRUNC))
                                err = memcpy_to_msg(msg, &c, 1);
                        len = 1;
                } else
                        msg->msg_flags |= MSG_TRUNC;

                return err ? -EFAULT : len;
        }

        if (sk->sk_state == TCP_CLOSE || (sk->sk_shutdown & RCV_SHUTDOWN))
                return 0;

        /* Fixed the recv(..., MSG_OOB) behaviour.  BSD docs and
         * the available implementations agree in this case:
         * this call should never block, independent of the
         * blocking state of the socket.
         * Mike <pall@rz.uni-karlsruhe.de>
         */
        return -EAGAIN;
}

static int tcp_peek_sndq(struct sock *sk, struct msghdr *msg, int len)
{
        struct sk_buff *skb;
        int copied = 0, err = 0;

        /* XXX -- need to support SO_PEEK_OFF */

        skb_rbtree_walk(skb, &sk->tcp_rtx_queue) {
                err = skb_copy_datagram_msg(skb, 0, msg, skb->len);
                if (err)
                        return err;
                copied += skb->len;
        }

        skb_queue_walk(&sk->sk_write_queue, skb) {
                err = skb_copy_datagram_msg(skb, 0, msg, skb->len);
                if (err)
                        break;

                copied += skb->len;
        }

        return err ?: copied;
}

/* Clean up the receive buffer for full frames taken by the user,
 * then send an ACK if necessary.  COPIED is the number of bytes
 * tcp_recvmsg has given to the user so far, it speeds up the
 * calculation of whether or not we must ACK for the sake of
 * a window update.
 */
void tcp_cleanup_rbuf(struct sock *sk, int copied)
{
        struct tcp_sock *tp = tcp_sk(sk);
        bool time_to_ack = false;

        struct sk_buff *skb = skb_peek(&sk->sk_receive_queue);

        WARN(skb && !before(tp->copied_seq, TCP_SKB_CB(skb)->end_seq),
             "cleanup rbuf bug: copied %X seq %X rcvnxt %X\n",
             tp->copied_seq, TCP_SKB_CB(skb)->end_seq, tp->rcv_nxt);

        if (inet_csk_ack_scheduled(sk)) {
                const struct inet_connection_sock *icsk = inet_csk(sk);

                if (/* Once-per-two-segments ACK was not sent by tcp_input.c */
                    tp->rcv_nxt - tp->rcv_wup > icsk->icsk_ack.rcv_mss ||
                    /*
                     * If this read emptied read buffer, we send ACK, if
                     * connection is not bidirectional, user drained
                     * receive buffer and there was a small segment
                     * in queue.
                     */
                    (copied > 0 &&
                     ((icsk->icsk_ack.pending & ICSK_ACK_PUSHED2) ||
                      ((icsk->icsk_ack.pending & ICSK_ACK_PUSHED) &&
                       !inet_csk_in_pingpong_mode(sk))) &&
                      !atomic_read(&sk->sk_rmem_alloc)))
                        time_to_ack = true;
        }

        /* We send an ACK if we can now advertise a non-zero window
         * which has been raised "significantly".
         *
         * Even if window raised up to infinity, do not send window open ACK
         * in states, where we will not receive more. It is useless.
         */
        if (copied > 0 && !time_to_ack && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
                __u32 rcv_window_now = tcp_receive_window(tp);

                /* Optimize, __tcp_select_window() is not cheap. */
                if (2*rcv_window_now <= tp->window_clamp) {
                        __u32 new_window = __tcp_select_window(sk);

                        /* Send ACK now, if this read freed lots of space
                         * in our buffer. Certainly, new_window is new window.
                         * We can advertise it now, if it is not less than current one.
                         * "Lots" means "at least twice" here.
                         */
                        if (new_window && new_window >= 2 * rcv_window_now)
                                time_to_ack = true;
                }
        }
        if (time_to_ack)
                tcp_send_ack(sk);
}

static struct sk_buff *tcp_recv_skb(struct sock *sk, u32 seq, u32 *off)
{
        struct sk_buff *skb;
        u32 offset;

        while ((skb = skb_peek(&sk->sk_receive_queue)) != NULL) {
                offset = seq - TCP_SKB_CB(skb)->seq;
                if (unlikely(TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)) {
                        pr_err_once("%s: found a SYN, please report !\n", __func__);
                        offset--;
                }
                if (offset < skb->len || (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)) {
                        *off = offset;
                        return skb;
                }
                /* This looks weird, but this can happen if TCP collapsing
                 * splitted a fat GRO packet, while we released socket lock
                 * in skb_splice_bits()
                 */
                sk_eat_skb(sk, skb);
        }
        return NULL;
}

/*
 * This routine provides an alternative to tcp_recvmsg() for routines
 * that would like to handle copying from skbuffs directly in 'sendfile'
 * fashion.
 * Note:
 *      - It is assumed that the socket was locked by the caller.
 *      - The routine does not block.
 *      - At present, there is no support for reading OOB data
 *        or for 'peeking' the socket using this routine
 *        (although both would be easy to implement).
 */
int tcp_read_sock(struct sock *sk, read_descriptor_t *desc,
                  sk_read_actor_t recv_actor)
{
        struct sk_buff *skb;
        struct tcp_sock *tp = tcp_sk(sk);
        u32 seq = tp->copied_seq;
        u32 offset;
        int copied = 0;

        if (sk->sk_state == TCP_LISTEN)
                return -ENOTCONN;
        while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) {
                if (offset < skb->len) {
                        int used;
                        size_t len;

                        len = skb->len - offset;
                        /* Stop reading if we hit a patch of urgent data */
                        if (tp->urg_data) {
                                u32 urg_offset = tp->urg_seq - seq;
                                if (urg_offset < len)
                                        len = urg_offset;
                                if (!len)
                                        break;
                        }
                        used = recv_actor(desc, skb, offset, len);
                        if (used <= 0) {
                                if (!copied)
                                        copied = used;
                                break;
                        } else if (used <= len) {
                                seq += used;
                                copied += used;
                                offset += used;
                        }
                        /* If recv_actor drops the lock (e.g. TCP splice
                         * receive) the skb pointer might be invalid when
                         * getting here: tcp_collapse might have deleted it
                         * while aggregating skbs from the socket queue.
                         */
                        skb = tcp_recv_skb(sk, seq - 1, &offset);
                        if (!skb)
                                break;
                        /* TCP coalescing might have appended data to the skb.
                         * Try to splice more frags
                         */
                        if (offset + 1 != skb->len)
                                continue;
                }
                if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) {
                        sk_eat_skb(sk, skb);
                        ++seq;
                        break;
                }
                sk_eat_skb(sk, skb);
                if (!desc->count)
                        break;
                WRITE_ONCE(tp->copied_seq, seq);
        }
        WRITE_ONCE(tp->copied_seq, seq);

        tcp_rcv_space_adjust(sk);

        /* Clean up data we have read: This will do ACK frames. */
        if (copied > 0) {
                tcp_recv_skb(sk, seq, &offset);
                tcp_cleanup_rbuf(sk, copied);
        }
        return copied;
}
EXPORT_SYMBOL(tcp_read_sock);

int tcp_peek_len(struct socket *sock)
{
        return tcp_inq(sock->sk);
}
EXPORT_SYMBOL(tcp_peek_len);

/* Make sure sk_rcvbuf is big enough to satisfy SO_RCVLOWAT hint */
int tcp_set_rcvlowat(struct sock *sk, int val)
{
        int cap;

        if (sk->sk_userlocks & SOCK_RCVBUF_LOCK)
                cap = sk->sk_rcvbuf >> 1;
        else
                cap = sock_net(sk)->ipv4.sysctl_tcp_rmem[2] >> 1;
        val = min(val, cap);
        WRITE_ONCE(sk->sk_rcvlowat, val ? : 1);

        /* Check if we need to signal EPOLLIN right now */
        tcp_data_ready(sk);

        if (sk->sk_userlocks & SOCK_RCVBUF_LOCK)
                return 0;

        val <<= 1;
        if (val > sk->sk_rcvbuf) {
                WRITE_ONCE(sk->sk_rcvbuf, val);
                tcp_sk(sk)->window_clamp = tcp_win_from_space(sk, val);
        }
        return 0;
}
EXPORT_SYMBOL(tcp_set_rcvlowat);

void tcp_update_recv_tstamps(struct sk_buff *skb,
                             struct scm_timestamping_internal *tss)
{
        if (skb->tstamp)
                tss->ts[0] = ktime_to_timespec64(skb->tstamp);
        else
                tss->ts[0] = (struct timespec64) {0};

        if (skb_hwtstamps(skb)->hwtstamp)
                tss->ts[2] = ktime_to_timespec64(skb_hwtstamps(skb)->hwtstamp);
        else
                tss->ts[2] = (struct timespec64) {0};
}

#ifdef CONFIG_MMU
static const struct vm_operations_struct tcp_vm_ops = {
};

int tcp_mmap(struct file *file, struct socket *sock,
             struct vm_area_struct *vma)
{
        if (vma->vm_flags & (VM_WRITE | VM_EXEC))
                return -EPERM;
        vma->vm_flags &= ~(VM_MAYWRITE | VM_MAYEXEC);

        /* Instruct vm_insert_page() to not mmap_read_lock(mm) */
        vma->vm_flags |= VM_MIXEDMAP;

        vma->vm_ops = &tcp_vm_ops;
        return 0;
}
EXPORT_SYMBOL(tcp_mmap);

static skb_frag_t *skb_advance_to_frag(struct sk_buff *skb, u32 offset_skb,
                                       u32 *offset_frag)
{
        skb_frag_t *frag;

        offset_skb -= skb_headlen(skb);
        if ((int)offset_skb < 0 || skb_has_frag_list(skb))
                return NULL;

        frag = skb_shinfo(skb)->frags;
        while (offset_skb) {
                if (skb_frag_size(frag) > offset_skb) {
                        *offset_frag = offset_skb;
                        return frag;
                }
                offset_skb -= skb_frag_size(frag);
                ++frag;
        }
        *offset_frag = 0;
        return frag;
}

static bool can_map_frag(const skb_frag_t *frag)
{
        return skb_frag_size(frag) == PAGE_SIZE && !skb_frag_off(frag);
}

static int find_next_mappable_frag(const skb_frag_t *frag,
                                   int remaining_in_skb)
{
        int offset = 0;

        if (likely(can_map_frag(frag)))
                return 0;

        while (offset < remaining_in_skb && !can_map_frag(frag)) {
                offset += skb_frag_size(frag);
                ++frag;
        }
        return offset;
}

static void tcp_zerocopy_set_hint_for_skb(struct sock *sk,
                                          struct tcp_zerocopy_receive *zc,
                                          struct sk_buff *skb, u32 offset)
{
        u32 frag_offset, partial_frag_remainder = 0;
        int mappable_offset;
        skb_frag_t *frag;

        /* worst case: skip to next skb. try to improve on this case below */
        zc->recv_skip_hint = skb->len - offset;

        /* Find the frag containing this offset (and how far into that frag) */
        frag = skb_advance_to_frag(skb, offset, &frag_offset);
        if (!frag)
                return;

        if (frag_offset) {
                struct skb_shared_info *info = skb_shinfo(skb);

                /* We read part of the last frag, must recvmsg() rest of skb. */
                if (frag == &info->frags[info->nr_frags - 1])
                        return;

                /* Else, we must at least read the remainder in this frag. */
                partial_frag_remainder = skb_frag_size(frag) - frag_offset;
                zc->recv_skip_hint -= partial_frag_remainder;
                ++frag;
        }

        /* partial_frag_remainder: If part way through a frag, must read rest.
         * mappable_offset: Bytes till next mappable frag, *not* counting bytes
         * in partial_frag_remainder.
         */
        mappable_offset = find_next_mappable_frag(frag, zc->recv_skip_hint);
        zc->recv_skip_hint = mappable_offset + partial_frag_remainder;
}

static int tcp_recvmsg_locked(struct sock *sk, struct msghdr *msg, size_t len,
                              int nonblock, int flags,
                              struct scm_timestamping_internal *tss,
                              int *cmsg_flags);
static int receive_fallback_to_copy(struct sock *sk,
                                    struct tcp_zerocopy_receive *zc, int inq,
                                    struct scm_timestamping_internal *tss)
{
        unsigned long copy_address = (unsigned long)zc->copybuf_address;
        struct msghdr msg = {};
        struct iovec iov;
        int err;

        zc->length = 0;
        zc->recv_skip_hint = 0;

        if (copy_address != zc->copybuf_address)
                return -EINVAL;

        err = import_single_range(READ, (void __user *)copy_address,
                                  inq, &iov, &msg.msg_iter);
        if (err)
                return err;

        err = tcp_recvmsg_locked(sk, &msg, inq, /*nonblock=*/1, /*flags=*/0,
                                 tss, &zc->msg_flags);
        if (err < 0)
                return err;

        zc->copybuf_len = err;
        if (likely(zc->copybuf_len)) {
                struct sk_buff *skb;
                u32 offset;

                skb = tcp_recv_skb(sk, tcp_sk(sk)->copied_seq, &offset);
                if (skb)
                        tcp_zerocopy_set_hint_for_skb(sk, zc, skb, offset);
        }
        return 0;
}

static int tcp_copy_straggler_data(struct tcp_zerocopy_receive *zc,
                                   struct sk_buff *skb, u32 copylen,
                                   u32 *offset, u32 *seq)
{
        unsigned long copy_address = (unsigned long)zc->copybuf_address;
        struct msghdr msg = {};
        struct iovec iov;
        int err;

        if (copy_address != zc->copybuf_address)
                return -EINVAL;

        err = import_single_range(READ, (void __user *)copy_address,
                                  copylen, &iov, &msg.msg_iter);
        if (err)
                return err;
        err = skb_copy_datagram_msg(skb, *offset, &msg, copylen);
        if (err)
                return err;
        zc->recv_skip_hint -= copylen;
        *offset += copylen;
        *seq += copylen;
        return (__s32)copylen;
}

static int tcp_zc_handle_leftover(struct tcp_zerocopy_receive *zc,
                                  struct sock *sk,
                                  struct sk_buff *skb,
                                  u32 *seq,
                                  s32 copybuf_len,
                                  struct scm_timestamping_internal *tss)
{
        u32 offset, copylen = min_t(u32, copybuf_len, zc->recv_skip_hint);

        if (!copylen)
                return 0;
        /* skb is null if inq < PAGE_SIZE. */
        if (skb) {
                offset = *seq - TCP_SKB_CB(skb)->seq;
        } else {
                skb = tcp_recv_skb(sk, *seq, &offset);
                if (TCP_SKB_CB(skb)->has_rxtstamp) {
                        tcp_update_recv_tstamps(skb, tss);
                        zc->msg_flags |= TCP_CMSG_TS;
                }
        }

        zc->copybuf_len = tcp_copy_straggler_data(zc, skb, copylen, &offset,
                                                  seq);
        return zc->copybuf_len < 0 ? 0 : copylen;
}

static int tcp_zerocopy_vm_insert_batch_error(struct vm_area_struct *vma,
                                              struct page **pending_pages,
                                              unsigned long pages_remaining,
                                              unsigned long *address,
                                              u32 *length,
                                              u32 *seq,
                                              struct tcp_zerocopy_receive *zc,
                                              u32 total_bytes_to_map,
                                              int err)
{
        /* At least one page did not map. Try zapping if we skipped earlier. */
        if (err == -EBUSY &&
            zc->flags & TCP_RECEIVE_ZEROCOPY_FLAG_TLB_CLEAN_HINT) {
                u32 maybe_zap_len;

                maybe_zap_len = total_bytes_to_map -  /* All bytes to map */
                                *length + /* Mapped or pending */
                                (pages_remaining * PAGE_SIZE); /* Failed map. */
                zap_page_range(vma, *address, maybe_zap_len);
                err = 0;
        }

        if (!err) {
                unsigned long leftover_pages = pages_remaining;
                int bytes_mapped;

                /* We called zap_page_range, try to reinsert. */
                err = vm_insert_pages(vma, *address,
                                      pending_pages,
                                      &pages_remaining);
                bytes_mapped = PAGE_SIZE * (leftover_pages - pages_remaining);
                *seq += bytes_mapped;
                *address += bytes_mapped;
        }
        if (err) {
                /* Either we were unable to zap, OR we zapped, retried an
                 * insert, and still had an issue. Either ways, pages_remaining
                 * is the number of pages we were unable to map, and we unroll
                 * some state we speculatively touched before.
                 */
                const int bytes_not_mapped = PAGE_SIZE * pages_remaining;

                *length -= bytes_not_mapped;
                zc->recv_skip_hint += bytes_not_mapped;
        }
        return err;
}

static int tcp_zerocopy_vm_insert_batch(struct vm_area_struct *vma,
                                        struct page **pages,
                                        unsigned int pages_to_map,
                                        unsigned long *address,

                                        u32 *length,
                                        u32 *seq,
                                        struct tcp_zerocopy_receive *zc,
                                        u32 total_bytes_to_map)
{
        unsigned long pages_remaining = pages_to_map;
        unsigned int pages_mapped;
        unsigned int bytes_mapped;
        int err;

        err = vm_insert_pages(vma, *address, pages, &pages_remaining);
        pages_mapped = pages_to_map - (unsigned int)pages_remaining;
        bytes_mapped = PAGE_SIZE * pages_mapped;
        /* Even if vm_insert_pages fails, it may have partially succeeded in
         * mapping (some but not all of the pages).
         */
        *seq += bytes_mapped;
        *address += bytes_mapped;

        if (likely(!err))
                return 0;

        /* Error: maybe zap and retry + rollback state for failed inserts. */
        return tcp_zerocopy_vm_insert_batch_error(vma, pages + pages_mapped,
                pages_remaining, address, length, seq, zc, total_bytes_to_map,
                err);
}

#define TCP_VALID_ZC_MSG_FLAGS   (TCP_CMSG_TS)
static void tcp_zc_finalize_rx_tstamp(struct sock *sk,
                                      struct tcp_zerocopy_receive *zc,
                                      struct scm_timestamping_internal *tss)
{
        unsigned long msg_control_addr;
        struct msghdr cmsg_dummy;

        msg_control_addr = (unsigned long)zc->msg_control;
        cmsg_dummy.msg_control = (void *)msg_control_addr;
        cmsg_dummy.msg_controllen =
                (__kernel_size_t)zc->msg_controllen;
        cmsg_dummy.msg_flags = in_compat_syscall()
                ? MSG_CMSG_COMPAT : 0;
        cmsg_dummy.msg_control_is_user = true;
        zc->msg_flags = 0;
        if (zc->msg_control == msg_control_addr &&
            zc->msg_controllen == cmsg_dummy.msg_controllen) {
                tcp_recv_timestamp(&cmsg_dummy, sk, tss);
                zc->msg_control = (__u64)
                        ((uintptr_t)cmsg_dummy.msg_control);
                zc->msg_controllen =
                        (__u64)cmsg_dummy.msg_controllen;
                zc->msg_flags = (__u32)cmsg_dummy.msg_flags;
        }
}

#define TCP_ZEROCOPY_PAGE_BATCH_SIZE 32
static int tcp_zerocopy_receive(struct sock *sk,
                                struct tcp_zerocopy_receive *zc,
                                struct scm_timestamping_internal *tss)
{
        u32 length = 0, offset, vma_len, avail_len, copylen = 0;
        unsigned long address = (unsigned long)zc->address;
        struct page *pages[TCP_ZEROCOPY_PAGE_BATCH_SIZE];
        s32 copybuf_len = zc->copybuf_len;
        struct tcp_sock *tp = tcp_sk(sk);
        const skb_frag_t *frags = NULL;
        unsigned int pages_to_map = 0;
        struct vm_area_struct *vma;
        struct sk_buff *skb = NULL;
        u32 seq = tp->copied_seq;
        u32 total_bytes_to_map;
        int inq = tcp_inq(sk);
        int ret;

        zc->copybuf_len = 0;
        zc->msg_flags = 0;

        if (address & (PAGE_SIZE - 1) || address != zc->address)
                return -EINVAL;

        if (sk->sk_state == TCP_LISTEN)
                return -ENOTCONN;

        sock_rps_record_flow(sk);

        if (inq && inq <= copybuf_len)
                return receive_fallback_to_copy(sk, zc, inq, tss);

        if (inq < PAGE_SIZE) {
                zc->length = 0;
                zc->recv_skip_hint = inq;
                if (!inq && sock_flag(sk, SOCK_DONE))
                        return -EIO;
                return 0;
        }

        mmap_read_lock(current->mm);

        vma = vma_lookup(current->mm, address);
        if (!vma || vma->vm_ops != &tcp_vm_ops) {
                mmap_read_unlock(current->mm);
                return -EINVAL;
        }
        vma_len = min_t(unsigned long, zc->length, vma->vm_end - address);
        avail_len = min_t(u32, vma_len, inq);
        total_bytes_to_map = avail_len & ~(PAGE_SIZE - 1);
        if (total_bytes_to_map) {
                if (!(zc->flags & TCP_RECEIVE_ZEROCOPY_FLAG_TLB_CLEAN_HINT))
                        zap_page_range(vma, address, total_bytes_to_map);
                zc->length = total_bytes_to_map;
                zc->recv_skip_hint = 0;
        } else {
                zc->length = avail_len;
                zc->recv_skip_hint = avail_len;
        }
        ret = 0;
        while (length + PAGE_SIZE <= zc->length) {
                int mappable_offset;
                struct page *page;

                if (zc->recv_skip_hint < PAGE_SIZE) {
                        u32 offset_frag;

                        if (skb) {
                                if (zc->recv_skip_hint > 0)
                                        break;
                                skb = skb->next;
                                offset = seq - TCP_SKB_CB(skb)->seq;
                        } else {
                                skb = tcp_recv_skb(sk, seq, &offset);
                        }

                        if (TCP_SKB_CB(skb)->has_rxtstamp) {
                                tcp_update_recv_tstamps(skb, tss);
                                zc->msg_flags |= TCP_CMSG_TS;
                        }
                        zc->recv_skip_hint = skb->len - offset;
                        frags = skb_advance_to_frag(skb, offset, &offset_frag);
                        if (!frags || offset_frag)
                                break;
                }

                mappable_offset = find_next_mappable_frag(frags,
                                                          zc->recv_skip_hint);
                if (mappable_offset) {
                        zc->recv_skip_hint = mappable_offset;
                        break;
                }
                page = skb_frag_page(frags);
                prefetchw(page);
                pages[pages_to_map++] = page;
                length += PAGE_SIZE;
                zc->recv_skip_hint -= PAGE_SIZE;
                frags++;
                if (pages_to_map == TCP_ZEROCOPY_PAGE_BATCH_SIZE ||
                    zc->recv_skip_hint < PAGE_SIZE) {
                        /* Either full batch, or we're about to go to next skb
                         * (and we cannot unroll failed ops across skbs).
                         */
                        ret = tcp_zerocopy_vm_insert_batch(vma, pages,
                                                           pages_to_map,
                                                           &address, &length,
                                                           &seq, zc,
                                                           total_bytes_to_map);
                        if (ret)
                                goto out;
                        pages_to_map = 0;
                }
        }
        if (pages_to_map) {
                ret = tcp_zerocopy_vm_insert_batch(vma, pages, pages_to_map,
                                                   &address, &length, &seq,
                                                   zc, total_bytes_to_map);
        }
out:
        mmap_read_unlock(current->mm);
        /* Try to copy straggler data. */
        if (!ret)
                copylen = tcp_zc_handle_leftover(zc, sk, skb, &seq, copybuf_len, tss);

        if (length + copylen) {
                WRITE_ONCE(tp->copied_seq, seq);
                tcp_rcv_space_adjust(sk);

                /* Clean up data we have read: This will do ACK frames. */
                tcp_recv_skb(sk, seq, &offset);
                tcp_cleanup_rbuf(sk, length + copylen);
                ret = 0;
                if (length == zc->length)
                        zc->recv_skip_hint = 0;
        } else {
                if (!zc->recv_skip_hint && sock_flag(sk, SOCK_DONE))
                        ret = -EIO;
        }
        zc->length = length;
        return ret;
}
#endif

/* Similar to __sock_recv_timestamp, but does not require an skb */
void tcp_recv_timestamp(struct msghdr *msg, const struct sock *sk,
                        struct scm_timestamping_internal *tss)
{
        int new_tstamp = sock_flag(sk, SOCK_TSTAMP_NEW);
        bool has_timestamping = false;

        if (tss->ts[0].tv_sec || tss->ts[0].tv_nsec) {
                if (sock_flag(sk, SOCK_RCVTSTAMP)) {
                        if (sock_flag(sk, SOCK_RCVTSTAMPNS)) {
                                if (new_tstamp) {
                                        struct __kernel_timespec kts = {
                                                .tv_sec = tss->ts[0].tv_sec,
                                                .tv_nsec = tss->ts[0].tv_nsec,
                                        };
                                        put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPNS_NEW,
                                                 sizeof(kts), &kts);
                                } else {
                                        struct __kernel_old_timespec ts_old = {
                                                .tv_sec = tss->ts[0].tv_sec,
                                                .tv_nsec = tss->ts[0].tv_nsec,
                                        };
                                        put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPNS_OLD,
                                                 sizeof(ts_old), &ts_old);
                                }
                        } else {
                                if (new_tstamp) {
                                        struct __kernel_sock_timeval stv = {
                                                .tv_sec = tss->ts[0].tv_sec,
                                                .tv_usec = tss->ts[0].tv_nsec / 1000,
                                        };
                                        put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMP_NEW,
                                                 sizeof(stv), &stv);
                                } else {
                                        struct __kernel_old_timeval tv = {
                                                .tv_sec = tss->ts[0].tv_sec,
                                                .tv_usec = tss->ts[0].tv_nsec / 1000,
                                        };
                                        put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMP_OLD,
                                                 sizeof(tv), &tv);
                                }
                        }
                }

                if (sk->sk_tsflags & SOF_TIMESTAMPING_SOFTWARE)
                        has_timestamping = true;
                else
                        tss->ts[0] = (struct timespec64) {0};
        }

        if (tss->ts[2].tv_sec || tss->ts[2].tv_nsec) {
                if (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE)
                        has_timestamping = true;
                else
                        tss->ts[2] = (struct timespec64) {0};
        }

        if (has_timestamping) {
                tss->ts[1] = (struct timespec64) {0};
                if (sock_flag(sk, SOCK_TSTAMP_NEW))
                        put_cmsg_scm_timestamping64(msg, tss);
                else
                        put_cmsg_scm_timestamping(msg, tss);
        }
}

static int tcp_inq_hint(struct sock *sk)
{
        const struct tcp_sock *tp = tcp_sk(sk);
        u32 copied_seq = READ_ONCE(tp->copied_seq);
        u32 rcv_nxt = READ_ONCE(tp->rcv_nxt);
        int inq;

        inq = rcv_nxt - copied_seq;
        if (unlikely(inq < 0 || copied_seq != READ_ONCE(tp->copied_seq))) {
                lock_sock(sk);
                inq = tp->rcv_nxt - tp->copied_seq;
                release_sock(sk);
        }
        /* After receiving a FIN, tell the user-space to continue reading
         * by returning a non-zero inq.
         */
        if (inq == 0 && sock_flag(sk, SOCK_DONE))
                inq = 1;
        return inq;
}

/*
 *      This routine copies from a sock struct into the user buffer.
 *
 *      Technical note: in 2.3 we work on _locked_ socket, so that
 *      tricks with *seq access order and skb->users are not required.
 *      Probably, code can be easily improved even more.
 */

static int tcp_recvmsg_locked(struct sock *sk, struct msghdr *msg, size_t len,
                              int nonblock, int flags,
                              struct scm_timestamping_internal *tss,
                              int *cmsg_flags)
{
        struct tcp_sock *tp = tcp_sk(sk);
        int copied = 0;
        u32 peek_seq;
        u32 *seq;
        unsigned long used;
        int err;
        int target;             /* Read at least this many bytes */
        long timeo;
        struct sk_buff *skb, *last;
        u32 urg_hole = 0;

        err = -ENOTCONN;
        if (sk->sk_state == TCP_LISTEN)
                goto out;

        if (tp->recvmsg_inq)
                *cmsg_flags = TCP_CMSG_INQ;
        timeo = sock_rcvtimeo(sk, nonblock);

        /* Urgent data needs to be handled specially. */
        if (flags & MSG_OOB)
                goto recv_urg;

        if (unlikely(tp->repair)) {
                err = -EPERM;
                if (!(flags & MSG_PEEK))
                        goto out;

                if (tp->repair_queue == TCP_SEND_QUEUE)
                        goto recv_sndq;

                err = -EINVAL;
                if (tp->repair_queue == TCP_NO_QUEUE)
                        goto out;

                /* 'common' recv queue MSG_PEEK-ing */
        }

        seq = &tp->copied_seq;
        if (flags & MSG_PEEK) {
                peek_seq = tp->copied_seq;
                seq = &peek_seq;
        }

        target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);

        do {
                u32 offset;

                /* Are we at urgent data? Stop if we have read anything or have SIGURG pending. */
                if (tp->urg_data && tp->urg_seq == *seq) {
                        if (copied)
                                break;
                        if (signal_pending(current)) {
                                copied = timeo ? sock_intr_errno(timeo) : -EAGAIN;
                                break;
                        }
                }

                /* Next get a buffer. */

                last = skb_peek_tail(&sk->sk_receive_queue);
                skb_queue_walk(&sk->sk_receive_queue, skb) {
                        last = skb;
                        /* Now that we have two receive queues this
                         * shouldn't happen.
                         */
                        if (WARN(before(*seq, TCP_SKB_CB(skb)->seq),
                                 "TCP recvmsg seq # bug: copied %X, seq %X, rcvnxt %X, fl %X\n",
                                 *seq, TCP_SKB_CB(skb)->seq, tp->rcv_nxt,
                                 flags))
                                break;

                        offset = *seq - TCP_SKB_CB(skb)->seq;
                        if (unlikely(TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)) {
                                pr_err_once("%s: found a SYN, please report !\n", __func__);
                                offset--;
                        }
                        if (offset < skb->len)
                                goto found_ok_skb;
                        if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
                                goto found_fin_ok;
                        WARN(!(flags & MSG_PEEK),
                             "TCP recvmsg seq # bug 2: copied %X, seq %X, rcvnxt %X, fl %X\n",
                             *seq, TCP_SKB_CB(skb)->seq, tp->rcv_nxt, flags);
                }

                /* Well, if we have backlog, try to process it now yet. */

                if (copied >= target && !READ_ONCE(sk->sk_backlog.tail))
                        break;

                if (copied) {
                        if (sk->sk_err ||
                            sk->sk_state == TCP_CLOSE ||
                            (sk->sk_shutdown & RCV_SHUTDOWN) ||
                            !timeo ||
                            signal_pending(current))
                                break;
                } else {
                        if (sock_flag(sk, SOCK_DONE))
                                break;

                        if (sk->sk_err) {
                                copied = sock_error(sk);
                                break;
                        }

                        if (sk->sk_shutdown & RCV_SHUTDOWN)
                                break;

                        if (sk->sk_state == TCP_CLOSE) {
                                /* This occurs when user tries to read
                                 * from never connected socket.
                                 */
                                copied = -ENOTCONN;
                                break;
                        }

                        if (!timeo) {
                                copied = -EAGAIN;
                                break;
                        }

                        if (signal_pending(current)) {
                                copied = sock_intr_errno(timeo);
                                break;
                        }
                }

                tcp_cleanup_rbuf(sk, copied);

                if (copied >= target) {
                        /* Do not sleep, just process backlog. */
                        release_sock(sk);
                        lock_sock(sk);
                } else {
                        sk_wait_data(sk, &timeo, last);
                }

                if ((flags & MSG_PEEK) &&
                    (peek_seq - copied - urg_hole != tp->copied_seq)) {
                        net_dbg_ratelimited("TCP(%s:%d): Application bug, race in MSG_PEEK\n",
                                            current->comm,
                                            task_pid_nr(current));
                        peek_seq = tp->copied_seq;
                }
                continue;

found_ok_skb:
                /* Ok so how much can we use? */
                used = skb->len - offset;
                if (len < used)
                        used = len;

                /* Do we have urgent data here? */
                if (tp->urg_data) {
                        u32 urg_offset = tp->urg_seq - *seq;
                        if (urg_offset < used) {
                                if (!urg_offset) {
                                        if (!sock_flag(sk, SOCK_URGINLINE)) {
                                                WRITE_ONCE(*seq, *seq + 1);
                                                urg_hole++;
                                                offset++;
                                                used--;
                                                if (!used)
                                                        goto skip_copy;
                                        }
                                } else
                                        used = urg_offset;
                        }
                }

                if (!(flags & MSG_TRUNC)) {
                        err = skb_copy_datagram_msg(skb, offset, msg, used);
                        if (err) {
                                /* Exception. Bailout! */
                                if (!copied)
                                        copied = -EFAULT;
                                break;
                        }
                }

                WRITE_ONCE(*seq, *seq + used);
                copied += used;
                len -= used;

                tcp_rcv_space_adjust(sk);

skip_copy:
                if (tp->urg_data && after(tp->copied_seq, tp->urg_seq)) {
                        tp->urg_data = 0;
                        tcp_fast_path_check(sk);
                }

                if (TCP_SKB_CB(skb)->has_rxtstamp) {
                        tcp_update_recv_tstamps(skb, tss);
                        *cmsg_flags |= TCP_CMSG_TS;
                }

                if (used + offset < skb->len)
                        continue;

                if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
                        goto found_fin_ok;
                if (!(flags & MSG_PEEK))
                        sk_eat_skb(sk, skb);
                continue;

found_fin_ok:
                /* Process the FIN. */
                WRITE_ONCE(*seq, *seq + 1);
                if (!(flags & MSG_PEEK))
                        sk_eat_skb(sk, skb);
                break;
        } while (len > 0);

        /* According to UNIX98, msg_name/msg_namelen are ignored
         * on connected socket. I was just happy when found this 8) --ANK
         */

        /* Clean up data we have read: This will do ACK frames. */
        tcp_cleanup_rbuf(sk, copied);
        return copied;

out:
        return err;

recv_urg:
        err = tcp_recv_urg(sk, msg, len, flags);
        goto out;

recv_sndq:
        err = tcp_peek_sndq(sk, msg, len);
        goto out;
}

int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock,
                int flags, int *addr_len)
{
        int cmsg_flags = 0, ret, inq;
        struct scm_timestamping_internal tss;

        if (unlikely(flags & MSG_ERRQUEUE))
                return inet_recv_error(sk, msg, len, addr_len);

        if (sk_can_busy_loop(sk) &&
            skb_queue_empty_lockless(&sk->sk_receive_queue) &&
            sk->sk_state == TCP_ESTABLISHED)
                sk_busy_loop(sk, nonblock);

        lock_sock(sk);
        ret = tcp_recvmsg_locked(sk, msg, len, nonblock, flags, &tss,
                                 &cmsg_flags);
        release_sock(sk);

        if (cmsg_flags && ret >= 0) {
                if (cmsg_flags & TCP_CMSG_TS)
                        tcp_recv_timestamp(msg, sk, &tss);
                if (cmsg_flags & TCP_CMSG_INQ) {
                        inq = tcp_inq_hint(sk);
                        put_cmsg(msg, SOL_TCP, TCP_CM_INQ, sizeof(inq), &inq);
                }
        }
        return ret;
}
EXPORT_SYMBOL(tcp_recvmsg);

void tcp_set_state(struct sock *sk, int state)
{
        int oldstate = sk->sk_state;

        /* We defined a new enum for TCP states that are exported in BPF
         * so as not force the internal TCP states to be frozen. The
         * following checks will detect if an internal state value ever
         * differs from the BPF value. If this ever happens, then we will
         * need to remap the internal value to the BPF value before calling
         * tcp_call_bpf_2arg.
         */
        BUILD_BUG_ON((int)BPF_TCP_ESTABLISHED != (int)TCP_ESTABLISHED);
        BUILD_BUG_ON((int)BPF_TCP_SYN_SENT != (int)TCP_SYN_SENT);
        BUILD_BUG_ON((int)BPF_TCP_SYN_RECV != (int)TCP_SYN_RECV);
        BUILD_BUG_ON((int)BPF_TCP_FIN_WAIT1 != (int)TCP_FIN_WAIT1);
        BUILD_BUG_ON((int)BPF_TCP_FIN_WAIT2 != (int)TCP_FIN_WAIT2);
        BUILD_BUG_ON((int)BPF_TCP_TIME_WAIT != (int)TCP_TIME_WAIT);
        BUILD_BUG_ON((int)BPF_TCP_CLOSE != (int)TCP_CLOSE);
        BUILD_BUG_ON((int)BPF_TCP_CLOSE_WAIT != (int)TCP_CLOSE_WAIT);
        BUILD_BUG_ON((int)BPF_TCP_LAST_ACK != (int)TCP_LAST_ACK);
        BUILD_BUG_ON((int)BPF_TCP_LISTEN != (int)TCP_LISTEN);
        BUILD_BUG_ON((int)BPF_TCP_CLOSING != (int)TCP_CLOSING);
        BUILD_BUG_ON((int)BPF_TCP_NEW_SYN_RECV != (int)TCP_NEW_SYN_RECV);
        BUILD_BUG_ON((int)BPF_TCP_MAX_STATES != (int)TCP_MAX_STATES);

        /* bpf uapi header bpf.h defines an anonymous enum with values
         * BPF_TCP_* used by bpf programs. Currently gcc built vmlinux
         * is able to emit this enum in DWARF due to the above BUILD_BUG_ON.
         * But clang built vmlinux does not have this enum in DWARF
         * since clang removes the above code before generating IR/debuginfo.
         * Let us explicitly emit the type debuginfo to ensure the
         * above-mentioned anonymous enum in the vmlinux DWARF and hence BTF
         * regardless of which compiler is used.
         */
        BTF_TYPE_EMIT_ENUM(BPF_TCP_ESTABLISHED);

        if (BPF_SOCK_OPS_TEST_FLAG(tcp_sk(sk), BPF_SOCK_OPS_STATE_CB_FLAG))
                tcp_call_bpf_2arg(sk, BPF_SOCK_OPS_STATE_CB, oldstate, state);

        switch (state) {
        case TCP_ESTABLISHED:
                if (oldstate != TCP_ESTABLISHED)
                        TCP_INC_STATS(sock_net(sk), TCP_MIB_CURRESTAB);
                break;

        case TCP_CLOSE:
                if (oldstate == TCP_CLOSE_WAIT || oldstate == TCP_ESTABLISHED)
                        TCP_INC_STATS(sock_net(sk), TCP_MIB_ESTABRESETS);

                sk->sk_prot->unhash(sk);
                if (inet_csk(sk)->icsk_bind_hash &&
                    !(sk->sk_userlocks & SOCK_BINDPORT_LOCK))
                        inet_put_port(sk);
                fallthrough;
        default:
                if (oldstate == TCP_ESTABLISHED)
                        TCP_DEC_STATS(sock_net(sk), TCP_MIB_CURRESTAB);
        }

        /* Change state AFTER socket is unhashed to avoid closed
         * socket sitting in hash tables.
         */
        inet_sk_state_store(sk, state);
}
EXPORT_SYMBOL_GPL(tcp_set_state);

/*
 *      State processing on a close. This implements the state shift for
 *      sending our FIN frame. Note that we only send a FIN for some
 *      states. A shutdown() may have already sent the FIN, or we may be
 *      closed.
 */

static const unsigned char new_state[16] = {
  /* current state:        new state:      action:      */
  [0 /* (Invalid) */]   = TCP_CLOSE,
  [TCP_ESTABLISHED]     = TCP_FIN_WAIT1 | TCP_ACTION_FIN,
  [TCP_SYN_SENT]        = TCP_CLOSE,
  [TCP_SYN_RECV]        = TCP_FIN_WAIT1 | TCP_ACTION_FIN,
  [TCP_FIN_WAIT1]       = TCP_FIN_WAIT1,
  [TCP_FIN_WAIT2]       = TCP_FIN_WAIT2,
  [TCP_TIME_WAIT]       = TCP_CLOSE,
  [TCP_CLOSE]           = TCP_CLOSE,
  [TCP_CLOSE_WAIT]      = TCP_LAST_ACK  | TCP_ACTION_FIN,
  [TCP_LAST_ACK]        = TCP_LAST_ACK,
  [TCP_LISTEN]          = TCP_CLOSE,
  [TCP_CLOSING]         = TCP_CLOSING,
  [TCP_NEW_SYN_RECV]    = TCP_CLOSE,    /* should not happen ! */
};

static int tcp_close_state(struct sock *sk)
{
        int next = (int)new_state[sk->sk_state];
        int ns = next & TCP_STATE_MASK;

        tcp_set_state(sk, ns);

        return next & TCP_ACTION_FIN;
}

/*
 *      Shutdown the sending side of a connection. Much like close except
 *      that we don't receive shut down or sock_set_flag(sk, SOCK_DEAD).
 */

void tcp_shutdown(struct sock *sk, int how)
{
        /*      We need to grab some memory, and put together a FIN,
         *      and then put it into the queue to be sent.
         *              Tim MacKenzie(tym@dibbler.cs.monash.edu.au) 4 Dec '92.
         */
        if (!(how & SEND_SHUTDOWN))
                return;

        /* If we've already sent a FIN, or it's a closed state, skip this. */
        if ((1 << sk->sk_state) &
            (TCPF_ESTABLISHED | TCPF_SYN_SENT |
             TCPF_SYN_RECV | TCPF_CLOSE_WAIT)) {
                /* Clear out any half completed packets.  FIN if needed. */
                if (tcp_close_state(sk))
                        tcp_send_fin(sk);
        }
}
EXPORT_SYMBOL(tcp_shutdown);

bool tcp_check_oom(struct sock *sk, int shift)
{
        bool too_many_orphans, out_of_socket_memory;

        too_many_orphans = tcp_too_many_orphans(sk, shift);
        out_of_socket_memory = tcp_out_of_memory(sk);

        if (too_many_orphans)
                net_info_ratelimited("too many orphaned sockets\n");
        if (out_of_socket_memory)
                net_info_ratelimited("out of memory -- consider tuning tcp_mem\n");
        return too_many_orphans || out_of_socket_memory;
}

void __tcp_close(struct sock *sk, long timeout)
{
        struct sk_buff *skb;
        int data_was_unread = 0;
        int state;

        sk->sk_shutdown = SHUTDOWN_MASK;

        if (sk->sk_state == TCP_LISTEN) {
                tcp_set_state(sk, TCP_CLOSE);

                /* Special case. */
                inet_csk_listen_stop(sk);

                goto adjudge_to_death;
        }

        /*  We need to flush the recv. buffs.  We do this only on the
         *  descriptor close, not protocol-sourced closes, because the
         *  reader process may not have drained the data yet!
         */
        while ((skb = __skb_dequeue(&sk->sk_receive_queue)) != NULL) {
                u32 len = TCP_SKB_CB(skb)->end_seq - TCP_SKB_CB(skb)->seq;

                if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
                        len--;
                data_was_unread += len;
                __kfree_skb(skb);
        }

        sk_mem_reclaim(sk);

        /* If socket has been already reset (e.g. in tcp_reset()) - kill it. */
        if (sk->sk_state == TCP_CLOSE)
                goto adjudge_to_death;

        /* As outlined in RFC 2525, section 2.17, we send a RST here because
         * data was lost. To witness the awful effects of the old behavior of
         * always doing a FIN, run an older 2.1.x kernel or 2.0.x, start a bulk
         * GET in an FTP client, suspend the process, wait for the client to
         * advertise a zero window, then kill -9 the FTP client, wheee...
         * Note: timeout is always zero in such a case.
         */
        if (unlikely(tcp_sk(sk)->repair)) {
                sk->sk_prot->disconnect(sk, 0);
        } else if (data_was_unread) {
                /* Unread data was tossed, zap the connection. */
                NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPABORTONCLOSE);
                tcp_set_state(sk, TCP_CLOSE);
                tcp_send_active_reset(sk, sk->sk_allocation);
        } else if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime) {
                /* Check zero linger _after_ checking for unread data. */
                sk->sk_prot->disconnect(sk, 0);
                NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPABORTONDATA);
        } else if (tcp_close_state(sk)) {
                /* We FIN if the application ate all the data before
                 * zapping the connection.
                 */

                /* RED-PEN. Formally speaking, we have broken TCP state
                 * machine. State transitions:
                 *
                 * TCP_ESTABLISHED -> TCP_FIN_WAIT1
                 * TCP_SYN_RECV -> TCP_FIN_WAIT1 (forget it, it's impossible)
                 * TCP_CLOSE_WAIT -> TCP_LAST_ACK
                 *
                 * are legal only when FIN has been sent (i.e. in window),
                 * rather than queued out of window. Purists blame.
                 *
                 * F.e. "RFC state" is ESTABLISHED,
                 * if Linux state is FIN-WAIT-1, but FIN is still not sent.
                 *
                 * The visible declinations are that sometimes
                 * we enter time-wait state, when it is not required really
                 * (harmless), do not send active resets, when they are
                 * required by specs (TCP_ESTABLISHED, TCP_CLOSE_WAIT, when
                 * they look as CLOSING or LAST_ACK for Linux)
                 * Probably, I missed some more holelets.
                 *                                              --ANK
                 * XXX (TFO) - To start off we don't support SYN+ACK+FIN
                 * in a single packet! (May consider it later but will
                 * probably need API support or TCP_CORK SYN-ACK until
                 * data is written and socket is closed.)
                 */
                tcp_send_fin(sk);
        }

        sk_stream_wait_close(sk, timeout);

adjudge_to_death:
        state = sk->sk_state;
        sock_hold(sk);
        sock_orphan(sk);

        local_bh_disable();
        bh_lock_sock(sk);
        /* remove backlog if any, without releasing ownership. */
        __release_sock(sk);

        percpu_counter_inc(sk->sk_prot->orphan_count);

        /* Have we already been destroyed by a softirq or backlog? */
        if (state != TCP_CLOSE && sk->sk_state == TCP_CLOSE)
                goto out;

        /*      This is a (useful) BSD violating of the RFC. There is a
         *      problem with TCP as specified in that the other end could
         *      keep a socket open forever with no application left this end.
         *      We use a 1 minute timeout (about the same as BSD) then kill
         *      our end. If they send after that then tough - BUT: long enough
         *      that we won't make the old 4*rto = almost no time - whoops
         *      reset mistake.
         *
         *      Nope, it was not mistake. It is really desired behaviour
         *      f.e. on http servers, when such sockets are useless, but
         *      consume significant resources. Let's do it with special
         *      linger2 option.                                 --ANK
         */

        if (sk->sk_state == TCP_FIN_WAIT2) {
                struct tcp_sock *tp = tcp_sk(sk);
                if (tp->linger2 < 0) {
                        tcp_set_state(sk, TCP_CLOSE);
                        tcp_send_active_reset(sk, GFP_ATOMIC);
                        __NET_INC_STATS(sock_net(sk),
                                        LINUX_MIB_TCPABORTONLINGER);
                } else {
                        const int tmo = tcp_fin_time(sk);

                        if (tmo > TCP_TIMEWAIT_LEN) {
                                inet_csk_reset_keepalive_timer(sk,
                                                tmo - TCP_TIMEWAIT_LEN);
                        } else {
                                tcp_time_wait(sk, TCP_FIN_WAIT2, tmo);
                                goto out;
                        }
                }
        }
        if (sk->sk_state != TCP_CLOSE) {
                sk_mem_reclaim(sk);
                if (tcp_check_oom(sk, 0)) {
                        tcp_set_state(sk, TCP_CLOSE);
                        tcp_send_active_reset(sk, GFP_ATOMIC);
                        __NET_INC_STATS(sock_net(sk),
                                        LINUX_MIB_TCPABORTONMEMORY);
                } else if (!check_net(sock_net(sk))) {
                        /* Not possible to send reset; just close */
                        tcp_set_state(sk, TCP_CLOSE);
                }
        }

        if (sk->sk_state == TCP_CLOSE) {
                struct request_sock *req;

                req = rcu_dereference_protected(tcp_sk(sk)->fastopen_rsk,
                                                lockdep_sock_is_held(sk));
                /* We could get here with a non-NULL req if the socket is
                 * aborted (e.g., closed with unread data) before 3WHS
                 * finishes.
                 */
                if (req)
                        reqsk_fastopen_remove(sk, req, false);
                inet_csk_destroy_sock(sk);
        }
        /* Otherwise, socket is reprieved until protocol close. */

out:
        bh_unlock_sock(sk);
        local_bh_enable();
}

void tcp_close(struct sock *sk, long timeout)
{
        lock_sock(sk);
        __tcp_close(sk, timeout);
        release_sock(sk);
        sock_put(sk);
}
EXPORT_SYMBOL(tcp_close);

/* These states need RST on ABORT according to RFC793 */

static inline bool tcp_need_reset(int state)
{
        return (1 << state) &
               (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT | TCPF_FIN_WAIT1 |
                TCPF_FIN_WAIT2 | TCPF_SYN_RECV);
}

static void tcp_rtx_queue_purge(struct sock *sk)
{
        struct rb_node *p = rb_first(&sk->tcp_rtx_queue);

        tcp_sk(sk)->highest_sack = NULL;
        while (p) {
                struct sk_buff *skb = rb_to_skb(p);

                p = rb_next(p);
                /* Since we are deleting whole queue, no need to
                 * list_del(&skb->tcp_tsorted_anchor)
                 */
                tcp_rtx_queue_unlink(skb, sk);
                sk_wmem_free_skb(sk, skb);
        }
}

void tcp_write_queue_purge(struct sock *sk)
{
        struct sk_buff *skb;

        tcp_chrono_stop(sk, TCP_CHRONO_BUSY);
        while ((skb = __skb_dequeue(&sk->sk_write_queue)) != NULL) {
                tcp_skb_tsorted_anchor_cleanup(skb);
                sk_wmem_free_skb(sk, skb);
        }
        tcp_rtx_queue_purge(sk);
        skb = sk->sk_tx_skb_cache;
        if (skb) {
                __kfree_skb(skb);
                sk->sk_tx_skb_cache = NULL;
        }
        INIT_LIST_HEAD(&tcp_sk(sk)->tsorted_sent_queue);
        sk_mem_reclaim(sk);
        tcp_clear_all_retrans_hints(tcp_sk(sk));
        tcp_sk(sk)->packets_out = 0;
        inet_csk(sk)->icsk_backoff = 0;
}

int tcp_disconnect(struct sock *sk, int flags)
{
        struct inet_sock *inet = inet_sk(sk);
        struct inet_connection_sock *icsk = inet_csk(sk);
        struct tcp_sock *tp = tcp_sk(sk);
        int old_state = sk->sk_state;
        u32 seq;

        if (old_state != TCP_CLOSE)
                tcp_set_state(sk, TCP_CLOSE);

        /* ABORT function of RFC793 */
        if (old_state == TCP_LISTEN) {
                inet_csk_listen_stop(sk);
        } else if (unlikely(tp->repair)) {
                sk->sk_err = ECONNABORTED;
        } else if (tcp_need_reset(old_state) ||
                   (tp->snd_nxt != tp->write_seq &&
                    (1 << old_state) & (TCPF_CLOSING | TCPF_LAST_ACK))) {
                /* The last check adjusts for discrepancy of Linux wrt. RFC
                 * states
                 */
                tcp_send_active_reset(sk, gfp_any());
                sk->sk_err = ECONNRESET;
        } else if (old_state == TCP_SYN_SENT)
                sk->sk_err = ECONNRESET;

        tcp_clear_xmit_timers(sk);
        __skb_queue_purge(&sk->sk_receive_queue);
        if (sk->sk_rx_skb_cache) {
                __kfree_skb(sk->sk_rx_skb_cache);
                sk->sk_rx_skb_cache = NULL;
        }
        WRITE_ONCE(tp->copied_seq, tp->rcv_nxt);
        tp->urg_data = 0;
        tcp_write_queue_purge(sk);
        tcp_fastopen_active_disable_ofo_check(sk);
        skb_rbtree_purge(&tp->out_of_order_queue);

        inet->inet_dport = 0;

        if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
                inet_reset_saddr(sk);

        sk->sk_shutdown = 0;
        sock_reset_flag(sk, SOCK_DONE);
        tp->srtt_us = 0;
        tp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT);
        tp->rcv_rtt_last_tsecr = 0;

        seq = tp->write_seq + tp->max_window + 2;
        if (!seq)
                seq = 1;
        WRITE_ONCE(tp->write_seq, seq);

        icsk->icsk_backoff = 0;
        icsk->icsk_probes_out = 0;
        icsk->icsk_probes_tstamp = 0;
        icsk->icsk_rto = TCP_TIMEOUT_INIT;
        icsk->icsk_rto_min = TCP_RTO_MIN;
        icsk->icsk_delack_max = TCP_DELACK_MAX;
        tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
        tp->snd_cwnd = TCP_INIT_CWND;
        tp->snd_cwnd_cnt = 0;
        tp->window_clamp = 0;
        tp->delivered = 0;