!7193 CVE-2024-26921

int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail, gfp_t gfp_mask);

struct sk_buff *skb_realloc_headroom(struct sk_buff *skb,

				     unsigned int headroom);

struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom);

struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom,

				int newtailroom, gfp_t priority);

int __must_check skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,

void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb,

			      struct sk_buff *parent);

void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head,

			    void *reasm_data);

			    void *reasm_data, bool try_coalesce);

struct sk_buff *inet_frag_pull_head(struct inet_frag_queue *q);

#endif

#include <net/tcp_states.h>

#include <net/inet_ecn.h>

#include <net/dst.h>

#include <net/tcp_ext.h>

#include <linux/seq_file.h>

#include <linux/memcontrol.h>

ssize_t do_tcp_sendpages(struct sock *sk, struct page *page, int offset,

		 size_t size, int flags);

void tcp_release_cb(struct sock *sk);

void tcp_wfree(struct sk_buff *skb);

void tcp_write_timer_handler(struct sock *sk);

void tcp_delack_timer_handler(struct sock *sk);

int tcp_ioctl(struct sock *sk, int cmd, unsigned long arg);

/* SPDX-License-Identifier: GPL-2.0-or-later */

#ifndef _TCP_EXT_H

#define _TCP_EXT_H

void tcp_wfree(struct sk_buff *skb);

static inline bool is_skb_wmem(const struct sk_buff *skb)

{

	return skb->destructor == sock_wfree ||

	       skb->destructor == __sock_wfree ||

	       (IS_ENABLED(CONFIG_INET) && skb->destructor == tcp_wfree);

}

#endif /* _TCP_EXT_H */

#include <net/checksum.h>

#include <net/ip6_checksum.h>

#include <net/xfrm.h>

#include <net/tcp_ext.h>

#include <linux/uaccess.h>

#include <trace/events/skb.h>

}

EXPORT_SYMBOL(skb_realloc_headroom);

/**

 *	skb_expand_head - reallocate header of &sk_buff

 *	@skb: buffer to reallocate

 *	@headroom: needed headroom

 *

 *	Unlike skb_realloc_headroom, this one does not allocate a new skb

 *	if possible; copies skb->sk to new skb as needed

 *	and frees original skb in case of failures.

 *

 *	It expect increased headroom and generates warning otherwise.

 */

struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom)

{

	int delta = headroom - skb_headroom(skb);

	int osize = skb_end_offset(skb);

	struct sock *sk = skb->sk;

	if (WARN_ONCE(delta <= 0,

		      "%s is expecting an increase in the headroom", __func__))

		return skb;

	delta = SKB_DATA_ALIGN(delta);

	/* pskb_expand_head() might crash, if skb is shared. */

	if (skb_shared(skb) || !is_skb_wmem(skb)) {

		struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);

		if (unlikely(!nskb))

			goto fail;

		if (sk)

			skb_set_owner_w(nskb, sk);

		consume_skb(skb);

		skb = nskb;

	}

	if (pskb_expand_head(skb, delta, 0, GFP_ATOMIC))

		goto fail;

	if (sk && is_skb_wmem(skb)) {

		delta = skb_end_offset(skb) - osize;

		refcount_add(delta, &sk->sk_wmem_alloc);

		skb->truesize += delta;

	}

	return skb;

fail:

	kfree_skb(skb);

	return NULL;

}

EXPORT_SYMBOL(skb_expand_head);

/**

 *	skb_copy_expand	-	copy and expand sk_buff

 *	@skb: buffer to copy