xref: /freebsd/sys/kern/kern_mbuf.c (revision efe014e6b177ba1b0d70f7df751f5066d4eafe9b)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2004, 2005,
5  *	Bosko Milekic <bmilekic@FreeBSD.org>.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice unmodified, this list of conditions and the following
12  *    disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  */
29 
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32 
33 #include "opt_param.h"
34 #include "opt_kern_tls.h"
35 
36 #include <sys/param.h>
37 #include <sys/conf.h>
38 #include <sys/domainset.h>
39 #include <sys/malloc.h>
40 #include <sys/systm.h>
41 #include <sys/mbuf.h>
42 #include <sys/domain.h>
43 #include <sys/eventhandler.h>
44 #include <sys/kernel.h>
45 #include <sys/ktls.h>
46 #include <sys/limits.h>
47 #include <sys/lock.h>
48 #include <sys/mutex.h>
49 #include <sys/protosw.h>
50 #include <sys/refcount.h>
51 #include <sys/sf_buf.h>
52 #include <sys/smp.h>
53 #include <sys/socket.h>
54 #include <sys/sysctl.h>
55 
56 #include <net/if.h>
57 #include <net/if_var.h>
58 
59 #include <vm/vm.h>
60 #include <vm/vm_extern.h>
61 #include <vm/vm_kern.h>
62 #include <vm/vm_page.h>
63 #include <vm/vm_pageout.h>
64 #include <vm/vm_map.h>
65 #include <vm/uma.h>
66 #include <vm/uma_dbg.h>
67 
68 /*
69  * In FreeBSD, Mbufs and Mbuf Clusters are allocated from UMA
70  * Zones.
71  *
72  * Mbuf Clusters (2K, contiguous) are allocated from the Cluster
73  * Zone.  The Zone can be capped at kern.ipc.nmbclusters, if the
74  * administrator so desires.
75  *
76  * Mbufs are allocated from a UMA Primary Zone called the Mbuf
77  * Zone.
78  *
79  * Additionally, FreeBSD provides a Packet Zone, which it
80  * configures as a Secondary Zone to the Mbuf Primary Zone,
81  * thus sharing backend Slab kegs with the Mbuf Primary Zone.
82  *
83  * Thus common-case allocations and locking are simplified:
84  *
85  *  m_clget()                m_getcl()
86  *    |                         |
87  *    |   .------------>[(Packet Cache)]    m_get(), m_gethdr()
88  *    |   |             [     Packet   ]            |
89  *  [(Cluster Cache)]   [    Secondary ]   [ (Mbuf Cache)     ]
90  *  [ Cluster Zone  ]   [     Zone     ]   [ Mbuf Primary Zone ]
91  *        |                       \________         |
92  *  [ Cluster Keg   ]                      \       /
93  *        |	                         [ Mbuf Keg   ]
94  *  [ Cluster Slabs ]                         |
95  *        |                              [ Mbuf Slabs ]
96  *         \____________(VM)_________________/
97  *
98  *
99  * Whenever an object is allocated with uma_zalloc() out of
100  * one of the Zones its _ctor_ function is executed.  The same
101  * for any deallocation through uma_zfree() the _dtor_ function
102  * is executed.
103  *
104  * Caches are per-CPU and are filled from the Primary Zone.
105  *
106  * Whenever an object is allocated from the underlying global
107  * memory pool it gets pre-initialized with the _zinit_ functions.
108  * When the Keg's are overfull objects get decommissioned with
109  * _zfini_ functions and free'd back to the global memory pool.
110  *
111  */
112 
113 int nmbufs;			/* limits number of mbufs */
114 int nmbclusters;		/* limits number of mbuf clusters */
115 int nmbjumbop;			/* limits number of page size jumbo clusters */
116 int nmbjumbo9;			/* limits number of 9k jumbo clusters */
117 int nmbjumbo16;			/* limits number of 16k jumbo clusters */
118 
119 bool mb_use_ext_pgs = true;	/* use M_EXTPG mbufs for sendfile & TLS */
120 SYSCTL_BOOL(_kern_ipc, OID_AUTO, mb_use_ext_pgs, CTLFLAG_RWTUN,
121     &mb_use_ext_pgs, 0,
122     "Use unmapped mbufs for sendfile(2) and TLS offload");
123 
124 static quad_t maxmbufmem;	/* overall real memory limit for all mbufs */
125 
126 SYSCTL_QUAD(_kern_ipc, OID_AUTO, maxmbufmem, CTLFLAG_RDTUN | CTLFLAG_NOFETCH, &maxmbufmem, 0,
127     "Maximum real memory allocatable to various mbuf types");
128 
129 static counter_u64_t snd_tag_count;
130 SYSCTL_COUNTER_U64(_kern_ipc, OID_AUTO, num_snd_tags, CTLFLAG_RW,
131     &snd_tag_count, "# of active mbuf send tags");
132 
133 /*
134  * tunable_mbinit() has to be run before any mbuf allocations are done.
135  */
136 static void
137 tunable_mbinit(void *dummy)
138 {
139 	quad_t realmem;
140 
141 	/*
142 	 * The default limit for all mbuf related memory is 1/2 of all
143 	 * available kernel memory (physical or kmem).
144 	 * At most it can be 3/4 of available kernel memory.
145 	 */
146 	realmem = qmin((quad_t)physmem * PAGE_SIZE, vm_kmem_size);
147 	maxmbufmem = realmem / 2;
148 	TUNABLE_QUAD_FETCH("kern.ipc.maxmbufmem", &maxmbufmem);
149 	if (maxmbufmem > realmem / 4 * 3)
150 		maxmbufmem = realmem / 4 * 3;
151 
152 	TUNABLE_INT_FETCH("kern.ipc.nmbclusters", &nmbclusters);
153 	if (nmbclusters == 0)
154 		nmbclusters = maxmbufmem / MCLBYTES / 4;
155 
156 	TUNABLE_INT_FETCH("kern.ipc.nmbjumbop", &nmbjumbop);
157 	if (nmbjumbop == 0)
158 		nmbjumbop = maxmbufmem / MJUMPAGESIZE / 4;
159 
160 	TUNABLE_INT_FETCH("kern.ipc.nmbjumbo9", &nmbjumbo9);
161 	if (nmbjumbo9 == 0)
162 		nmbjumbo9 = maxmbufmem / MJUM9BYTES / 6;
163 
164 	TUNABLE_INT_FETCH("kern.ipc.nmbjumbo16", &nmbjumbo16);
165 	if (nmbjumbo16 == 0)
166 		nmbjumbo16 = maxmbufmem / MJUM16BYTES / 6;
167 
168 	/*
169 	 * We need at least as many mbufs as we have clusters of
170 	 * the various types added together.
171 	 */
172 	TUNABLE_INT_FETCH("kern.ipc.nmbufs", &nmbufs);
173 	if (nmbufs < nmbclusters + nmbjumbop + nmbjumbo9 + nmbjumbo16)
174 		nmbufs = lmax(maxmbufmem / MSIZE / 5,
175 		    nmbclusters + nmbjumbop + nmbjumbo9 + nmbjumbo16);
176 }
177 SYSINIT(tunable_mbinit, SI_SUB_KMEM, SI_ORDER_MIDDLE, tunable_mbinit, NULL);
178 
179 static int
180 sysctl_nmbclusters(SYSCTL_HANDLER_ARGS)
181 {
182 	int error, newnmbclusters;
183 
184 	newnmbclusters = nmbclusters;
185 	error = sysctl_handle_int(oidp, &newnmbclusters, 0, req);
186 	if (error == 0 && req->newptr && newnmbclusters != nmbclusters) {
187 		if (newnmbclusters > nmbclusters &&
188 		    nmbufs >= nmbclusters + nmbjumbop + nmbjumbo9 + nmbjumbo16) {
189 			nmbclusters = newnmbclusters;
190 			nmbclusters = uma_zone_set_max(zone_clust, nmbclusters);
191 			EVENTHANDLER_INVOKE(nmbclusters_change);
192 		} else
193 			error = EINVAL;
194 	}
195 	return (error);
196 }
197 SYSCTL_PROC(_kern_ipc, OID_AUTO, nmbclusters,
198     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &nmbclusters, 0,
199     sysctl_nmbclusters, "IU",
200     "Maximum number of mbuf clusters allowed");
201 
202 static int
203 sysctl_nmbjumbop(SYSCTL_HANDLER_ARGS)
204 {
205 	int error, newnmbjumbop;
206 
207 	newnmbjumbop = nmbjumbop;
208 	error = sysctl_handle_int(oidp, &newnmbjumbop, 0, req);
209 	if (error == 0 && req->newptr && newnmbjumbop != nmbjumbop) {
210 		if (newnmbjumbop > nmbjumbop &&
211 		    nmbufs >= nmbclusters + nmbjumbop + nmbjumbo9 + nmbjumbo16) {
212 			nmbjumbop = newnmbjumbop;
213 			nmbjumbop = uma_zone_set_max(zone_jumbop, nmbjumbop);
214 		} else
215 			error = EINVAL;
216 	}
217 	return (error);
218 }
219 SYSCTL_PROC(_kern_ipc, OID_AUTO, nmbjumbop,
220     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &nmbjumbop, 0,
221     sysctl_nmbjumbop, "IU",
222     "Maximum number of mbuf page size jumbo clusters allowed");
223 
224 static int
225 sysctl_nmbjumbo9(SYSCTL_HANDLER_ARGS)
226 {
227 	int error, newnmbjumbo9;
228 
229 	newnmbjumbo9 = nmbjumbo9;
230 	error = sysctl_handle_int(oidp, &newnmbjumbo9, 0, req);
231 	if (error == 0 && req->newptr && newnmbjumbo9 != nmbjumbo9) {
232 		if (newnmbjumbo9 > nmbjumbo9 &&
233 		    nmbufs >= nmbclusters + nmbjumbop + nmbjumbo9 + nmbjumbo16) {
234 			nmbjumbo9 = newnmbjumbo9;
235 			nmbjumbo9 = uma_zone_set_max(zone_jumbo9, nmbjumbo9);
236 		} else
237 			error = EINVAL;
238 	}
239 	return (error);
240 }
241 SYSCTL_PROC(_kern_ipc, OID_AUTO, nmbjumbo9,
242     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &nmbjumbo9, 0,
243     sysctl_nmbjumbo9, "IU",
244     "Maximum number of mbuf 9k jumbo clusters allowed");
245 
246 static int
247 sysctl_nmbjumbo16(SYSCTL_HANDLER_ARGS)
248 {
249 	int error, newnmbjumbo16;
250 
251 	newnmbjumbo16 = nmbjumbo16;
252 	error = sysctl_handle_int(oidp, &newnmbjumbo16, 0, req);
253 	if (error == 0 && req->newptr && newnmbjumbo16 != nmbjumbo16) {
254 		if (newnmbjumbo16 > nmbjumbo16 &&
255 		    nmbufs >= nmbclusters + nmbjumbop + nmbjumbo9 + nmbjumbo16) {
256 			nmbjumbo16 = newnmbjumbo16;
257 			nmbjumbo16 = uma_zone_set_max(zone_jumbo16, nmbjumbo16);
258 		} else
259 			error = EINVAL;
260 	}
261 	return (error);
262 }
263 SYSCTL_PROC(_kern_ipc, OID_AUTO, nmbjumbo16,
264     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &nmbjumbo16, 0,
265     sysctl_nmbjumbo16, "IU",
266     "Maximum number of mbuf 16k jumbo clusters allowed");
267 
268 static int
269 sysctl_nmbufs(SYSCTL_HANDLER_ARGS)
270 {
271 	int error, newnmbufs;
272 
273 	newnmbufs = nmbufs;
274 	error = sysctl_handle_int(oidp, &newnmbufs, 0, req);
275 	if (error == 0 && req->newptr && newnmbufs != nmbufs) {
276 		if (newnmbufs > nmbufs) {
277 			nmbufs = newnmbufs;
278 			nmbufs = uma_zone_set_max(zone_mbuf, nmbufs);
279 			EVENTHANDLER_INVOKE(nmbufs_change);
280 		} else
281 			error = EINVAL;
282 	}
283 	return (error);
284 }
285 SYSCTL_PROC(_kern_ipc, OID_AUTO, nmbufs,
286     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_NEEDGIANT,
287     &nmbufs, 0, sysctl_nmbufs, "IU",
288     "Maximum number of mbufs allowed");
289 
290 /*
291  * Zones from which we allocate.
292  */
293 uma_zone_t	zone_mbuf;
294 uma_zone_t	zone_clust;
295 uma_zone_t	zone_pack;
296 uma_zone_t	zone_jumbop;
297 uma_zone_t	zone_jumbo9;
298 uma_zone_t	zone_jumbo16;
299 
300 /*
301  * Local prototypes.
302  */
303 static int	mb_ctor_mbuf(void *, int, void *, int);
304 static int	mb_ctor_clust(void *, int, void *, int);
305 static int	mb_ctor_pack(void *, int, void *, int);
306 static void	mb_dtor_mbuf(void *, int, void *);
307 static void	mb_dtor_pack(void *, int, void *);
308 static int	mb_zinit_pack(void *, int, int);
309 static void	mb_zfini_pack(void *, int);
310 static void	mb_reclaim(uma_zone_t, int);
311 
312 /* Ensure that MSIZE is a power of 2. */
313 CTASSERT((((MSIZE - 1) ^ MSIZE) + 1) >> 1 == MSIZE);
314 
315 _Static_assert(sizeof(struct mbuf) <= MSIZE,
316     "size of mbuf exceeds MSIZE");
317 /*
318  * Initialize FreeBSD Network buffer allocation.
319  */
320 static void
321 mbuf_init(void *dummy)
322 {
323 
324 	/*
325 	 * Configure UMA zones for Mbufs, Clusters, and Packets.
326 	 */
327 	zone_mbuf = uma_zcreate(MBUF_MEM_NAME, MSIZE,
328 	    mb_ctor_mbuf, mb_dtor_mbuf, NULL, NULL,
329 	    MSIZE - 1, UMA_ZONE_CONTIG | UMA_ZONE_MAXBUCKET);
330 	if (nmbufs > 0)
331 		nmbufs = uma_zone_set_max(zone_mbuf, nmbufs);
332 	uma_zone_set_warning(zone_mbuf, "kern.ipc.nmbufs limit reached");
333 	uma_zone_set_maxaction(zone_mbuf, mb_reclaim);
334 
335 	zone_clust = uma_zcreate(MBUF_CLUSTER_MEM_NAME, MCLBYTES,
336 	    mb_ctor_clust, NULL, NULL, NULL,
337 	    UMA_ALIGN_PTR, UMA_ZONE_CONTIG);
338 	if (nmbclusters > 0)
339 		nmbclusters = uma_zone_set_max(zone_clust, nmbclusters);
340 	uma_zone_set_warning(zone_clust, "kern.ipc.nmbclusters limit reached");
341 	uma_zone_set_maxaction(zone_clust, mb_reclaim);
342 
343 	zone_pack = uma_zsecond_create(MBUF_PACKET_MEM_NAME, mb_ctor_pack,
344 	    mb_dtor_pack, mb_zinit_pack, mb_zfini_pack, zone_mbuf);
345 
346 	/* Make jumbo frame zone too. Page size, 9k and 16k. */
347 	zone_jumbop = uma_zcreate(MBUF_JUMBOP_MEM_NAME, MJUMPAGESIZE,
348 	    mb_ctor_clust, NULL, NULL, NULL,
349 	    UMA_ALIGN_PTR, UMA_ZONE_CONTIG);
350 	if (nmbjumbop > 0)
351 		nmbjumbop = uma_zone_set_max(zone_jumbop, nmbjumbop);
352 	uma_zone_set_warning(zone_jumbop, "kern.ipc.nmbjumbop limit reached");
353 	uma_zone_set_maxaction(zone_jumbop, mb_reclaim);
354 
355 	zone_jumbo9 = uma_zcreate(MBUF_JUMBO9_MEM_NAME, MJUM9BYTES,
356 	    mb_ctor_clust, NULL, NULL, NULL,
357 	    UMA_ALIGN_PTR, UMA_ZONE_CONTIG);
358 	if (nmbjumbo9 > 0)
359 		nmbjumbo9 = uma_zone_set_max(zone_jumbo9, nmbjumbo9);
360 	uma_zone_set_warning(zone_jumbo9, "kern.ipc.nmbjumbo9 limit reached");
361 	uma_zone_set_maxaction(zone_jumbo9, mb_reclaim);
362 
363 	zone_jumbo16 = uma_zcreate(MBUF_JUMBO16_MEM_NAME, MJUM16BYTES,
364 	    mb_ctor_clust, NULL, NULL, NULL,
365 	    UMA_ALIGN_PTR, UMA_ZONE_CONTIG);
366 	if (nmbjumbo16 > 0)
367 		nmbjumbo16 = uma_zone_set_max(zone_jumbo16, nmbjumbo16);
368 	uma_zone_set_warning(zone_jumbo16, "kern.ipc.nmbjumbo16 limit reached");
369 	uma_zone_set_maxaction(zone_jumbo16, mb_reclaim);
370 
371 	/*
372 	 * Hook event handler for low-memory situation, used to
373 	 * drain protocols and push data back to the caches (UMA
374 	 * later pushes it back to VM).
375 	 */
376 	EVENTHANDLER_REGISTER(vm_lowmem, mb_reclaim, NULL,
377 	    EVENTHANDLER_PRI_FIRST);
378 
379 	snd_tag_count = counter_u64_alloc(M_WAITOK);
380 }
381 SYSINIT(mbuf, SI_SUB_MBUF, SI_ORDER_FIRST, mbuf_init, NULL);
382 
383 #ifdef DEBUGNET
384 /*
385  * debugnet makes use of a pre-allocated pool of mbufs and clusters.  When
386  * debugnet is configured, we initialize a set of UMA cache zones which return
387  * items from this pool.  At panic-time, the regular UMA zone pointers are
388  * overwritten with those of the cache zones so that drivers may allocate and
389  * free mbufs and clusters without attempting to allocate physical memory.
390  *
391  * We keep mbufs and clusters in a pair of mbuf queues.  In particular, for
392  * the purpose of caching clusters, we treat them as mbufs.
393  */
394 static struct mbufq dn_mbufq =
395     { STAILQ_HEAD_INITIALIZER(dn_mbufq.mq_head), 0, INT_MAX };
396 static struct mbufq dn_clustq =
397     { STAILQ_HEAD_INITIALIZER(dn_clustq.mq_head), 0, INT_MAX };
398 
399 static int dn_clsize;
400 static uma_zone_t dn_zone_mbuf;
401 static uma_zone_t dn_zone_clust;
402 static uma_zone_t dn_zone_pack;
403 
404 static struct debugnet_saved_zones {
405 	uma_zone_t dsz_mbuf;
406 	uma_zone_t dsz_clust;
407 	uma_zone_t dsz_pack;
408 	uma_zone_t dsz_jumbop;
409 	uma_zone_t dsz_jumbo9;
410 	uma_zone_t dsz_jumbo16;
411 	bool dsz_debugnet_zones_enabled;
412 } dn_saved_zones;
413 
414 static int
415 dn_buf_import(void *arg, void **store, int count, int domain __unused,
416     int flags)
417 {
418 	struct mbufq *q;
419 	struct mbuf *m;
420 	int i;
421 
422 	q = arg;
423 
424 	for (i = 0; i < count; i++) {
425 		m = mbufq_dequeue(q);
426 		if (m == NULL)
427 			break;
428 		trash_init(m, q == &dn_mbufq ? MSIZE : dn_clsize, flags);
429 		store[i] = m;
430 	}
431 	KASSERT((flags & M_WAITOK) == 0 || i == count,
432 	    ("%s: ran out of pre-allocated mbufs", __func__));
433 	return (i);
434 }
435 
436 static void
437 dn_buf_release(void *arg, void **store, int count)
438 {
439 	struct mbufq *q;
440 	struct mbuf *m;
441 	int i;
442 
443 	q = arg;
444 
445 	for (i = 0; i < count; i++) {
446 		m = store[i];
447 		(void)mbufq_enqueue(q, m);
448 	}
449 }
450 
451 static int
452 dn_pack_import(void *arg __unused, void **store, int count, int domain __unused,
453     int flags __unused)
454 {
455 	struct mbuf *m;
456 	void *clust;
457 	int i;
458 
459 	for (i = 0; i < count; i++) {
460 		m = m_get(MT_DATA, M_NOWAIT);
461 		if (m == NULL)
462 			break;
463 		clust = uma_zalloc(dn_zone_clust, M_NOWAIT);
464 		if (clust == NULL) {
465 			m_free(m);
466 			break;
467 		}
468 		mb_ctor_clust(clust, dn_clsize, m, 0);
469 		store[i] = m;
470 	}
471 	KASSERT((flags & M_WAITOK) == 0 || i == count,
472 	    ("%s: ran out of pre-allocated mbufs", __func__));
473 	return (i);
474 }
475 
476 static void
477 dn_pack_release(void *arg __unused, void **store, int count)
478 {
479 	struct mbuf *m;
480 	void *clust;
481 	int i;
482 
483 	for (i = 0; i < count; i++) {
484 		m = store[i];
485 		clust = m->m_ext.ext_buf;
486 		uma_zfree(dn_zone_clust, clust);
487 		uma_zfree(dn_zone_mbuf, m);
488 	}
489 }
490 
491 /*
492  * Free the pre-allocated mbufs and clusters reserved for debugnet, and destroy
493  * the corresponding UMA cache zones.
494  */
495 void
496 debugnet_mbuf_drain(void)
497 {
498 	struct mbuf *m;
499 	void *item;
500 
501 	if (dn_zone_mbuf != NULL) {
502 		uma_zdestroy(dn_zone_mbuf);
503 		dn_zone_mbuf = NULL;
504 	}
505 	if (dn_zone_clust != NULL) {
506 		uma_zdestroy(dn_zone_clust);
507 		dn_zone_clust = NULL;
508 	}
509 	if (dn_zone_pack != NULL) {
510 		uma_zdestroy(dn_zone_pack);
511 		dn_zone_pack = NULL;
512 	}
513 
514 	while ((m = mbufq_dequeue(&dn_mbufq)) != NULL)
515 		m_free(m);
516 	while ((item = mbufq_dequeue(&dn_clustq)) != NULL)
517 		uma_zfree(m_getzone(dn_clsize), item);
518 }
519 
520 /*
521  * Callback invoked immediately prior to starting a debugnet connection.
522  */
523 void
524 debugnet_mbuf_start(void)
525 {
526 
527 	MPASS(!dn_saved_zones.dsz_debugnet_zones_enabled);
528 
529 	/* Save the old zone pointers to restore when debugnet is closed. */
530 	dn_saved_zones = (struct debugnet_saved_zones) {
531 		.dsz_debugnet_zones_enabled = true,
532 		.dsz_mbuf = zone_mbuf,
533 		.dsz_clust = zone_clust,
534 		.dsz_pack = zone_pack,
535 		.dsz_jumbop = zone_jumbop,
536 		.dsz_jumbo9 = zone_jumbo9,
537 		.dsz_jumbo16 = zone_jumbo16,
538 	};
539 
540 	/*
541 	 * All cluster zones return buffers of the size requested by the
542 	 * drivers.  It's up to the driver to reinitialize the zones if the
543 	 * MTU of a debugnet-enabled interface changes.
544 	 */
545 	printf("debugnet: overwriting mbuf zone pointers\n");
546 	zone_mbuf = dn_zone_mbuf;
547 	zone_clust = dn_zone_clust;
548 	zone_pack = dn_zone_pack;
549 	zone_jumbop = dn_zone_clust;
550 	zone_jumbo9 = dn_zone_clust;
551 	zone_jumbo16 = dn_zone_clust;
552 }
553 
554 /*
555  * Callback invoked when a debugnet connection is closed/finished.
556  */
557 void
558 debugnet_mbuf_finish(void)
559 {
560 
561 	MPASS(dn_saved_zones.dsz_debugnet_zones_enabled);
562 
563 	printf("debugnet: restoring mbuf zone pointers\n");
564 	zone_mbuf = dn_saved_zones.dsz_mbuf;
565 	zone_clust = dn_saved_zones.dsz_clust;
566 	zone_pack = dn_saved_zones.dsz_pack;
567 	zone_jumbop = dn_saved_zones.dsz_jumbop;
568 	zone_jumbo9 = dn_saved_zones.dsz_jumbo9;
569 	zone_jumbo16 = dn_saved_zones.dsz_jumbo16;
570 
571 	memset(&dn_saved_zones, 0, sizeof(dn_saved_zones));
572 }
573 
574 /*
575  * Reinitialize the debugnet mbuf+cluster pool and cache zones.
576  */
577 void
578 debugnet_mbuf_reinit(int nmbuf, int nclust, int clsize)
579 {
580 	struct mbuf *m;
581 	void *item;
582 
583 	debugnet_mbuf_drain();
584 
585 	dn_clsize = clsize;
586 
587 	dn_zone_mbuf = uma_zcache_create("debugnet_" MBUF_MEM_NAME,
588 	    MSIZE, mb_ctor_mbuf, mb_dtor_mbuf, NULL, NULL,
589 	    dn_buf_import, dn_buf_release,
590 	    &dn_mbufq, UMA_ZONE_NOBUCKET);
591 
592 	dn_zone_clust = uma_zcache_create("debugnet_" MBUF_CLUSTER_MEM_NAME,
593 	    clsize, mb_ctor_clust, NULL, NULL, NULL,
594 	    dn_buf_import, dn_buf_release,
595 	    &dn_clustq, UMA_ZONE_NOBUCKET);
596 
597 	dn_zone_pack = uma_zcache_create("debugnet_" MBUF_PACKET_MEM_NAME,
598 	    MCLBYTES, mb_ctor_pack, mb_dtor_pack, NULL, NULL,
599 	    dn_pack_import, dn_pack_release,
600 	    NULL, UMA_ZONE_NOBUCKET);
601 
602 	while (nmbuf-- > 0) {
603 		m = m_get(MT_DATA, M_WAITOK);
604 		uma_zfree(dn_zone_mbuf, m);
605 	}
606 	while (nclust-- > 0) {
607 		item = uma_zalloc(m_getzone(dn_clsize), M_WAITOK);
608 		uma_zfree(dn_zone_clust, item);
609 	}
610 }
611 #endif /* DEBUGNET */
612 
613 /*
614  * Constructor for Mbuf primary zone.
615  *
616  * The 'arg' pointer points to a mb_args structure which
617  * contains call-specific information required to support the
618  * mbuf allocation API.  See mbuf.h.
619  */
620 static int
621 mb_ctor_mbuf(void *mem, int size, void *arg, int how)
622 {
623 	struct mbuf *m;
624 	struct mb_args *args;
625 	int error;
626 	int flags;
627 	short type;
628 
629 	args = (struct mb_args *)arg;
630 	type = args->type;
631 
632 	/*
633 	 * The mbuf is initialized later.  The caller has the
634 	 * responsibility to set up any MAC labels too.
635 	 */
636 	if (type == MT_NOINIT)
637 		return (0);
638 
639 	m = (struct mbuf *)mem;
640 	flags = args->flags;
641 	MPASS((flags & M_NOFREE) == 0);
642 
643 	error = m_init(m, how, type, flags);
644 
645 	return (error);
646 }
647 
648 /*
649  * The Mbuf primary zone destructor.
650  */
651 static void
652 mb_dtor_mbuf(void *mem, int size, void *arg)
653 {
654 	struct mbuf *m;
655 	unsigned long flags;
656 
657 	m = (struct mbuf *)mem;
658 	flags = (unsigned long)arg;
659 
660 	KASSERT((m->m_flags & M_NOFREE) == 0, ("%s: M_NOFREE set", __func__));
661 	KASSERT((flags & 0x1) == 0, ("%s: obsolete MB_DTOR_SKIP passed", __func__));
662 	if ((m->m_flags & M_PKTHDR) && !SLIST_EMPTY(&m->m_pkthdr.tags))
663 		m_tag_delete_chain(m, NULL);
664 }
665 
666 /*
667  * The Mbuf Packet zone destructor.
668  */
669 static void
670 mb_dtor_pack(void *mem, int size, void *arg)
671 {
672 	struct mbuf *m;
673 
674 	m = (struct mbuf *)mem;
675 	if ((m->m_flags & M_PKTHDR) != 0)
676 		m_tag_delete_chain(m, NULL);
677 
678 	/* Make sure we've got a clean cluster back. */
679 	KASSERT((m->m_flags & M_EXT) == M_EXT, ("%s: M_EXT not set", __func__));
680 	KASSERT(m->m_ext.ext_buf != NULL, ("%s: ext_buf == NULL", __func__));
681 	KASSERT(m->m_ext.ext_free == NULL, ("%s: ext_free != NULL", __func__));
682 	KASSERT(m->m_ext.ext_arg1 == NULL, ("%s: ext_arg1 != NULL", __func__));
683 	KASSERT(m->m_ext.ext_arg2 == NULL, ("%s: ext_arg2 != NULL", __func__));
684 	KASSERT(m->m_ext.ext_size == MCLBYTES, ("%s: ext_size != MCLBYTES", __func__));
685 	KASSERT(m->m_ext.ext_type == EXT_PACKET, ("%s: ext_type != EXT_PACKET", __func__));
686 #if defined(INVARIANTS) && !defined(KMSAN)
687 	trash_dtor(m->m_ext.ext_buf, MCLBYTES, arg);
688 #endif
689 	/*
690 	 * If there are processes blocked on zone_clust, waiting for pages
691 	 * to be freed up, cause them to be woken up by draining the
692 	 * packet zone.  We are exposed to a race here (in the check for
693 	 * the UMA_ZFLAG_FULL) where we might miss the flag set, but that
694 	 * is deliberate. We don't want to acquire the zone lock for every
695 	 * mbuf free.
696 	 */
697 	if (uma_zone_exhausted(zone_clust))
698 		uma_zone_reclaim(zone_pack, UMA_RECLAIM_DRAIN);
699 }
700 
701 /*
702  * The Cluster and Jumbo[PAGESIZE|9|16] zone constructor.
703  *
704  * Here the 'arg' pointer points to the Mbuf which we
705  * are configuring cluster storage for.  If 'arg' is
706  * empty we allocate just the cluster without setting
707  * the mbuf to it.  See mbuf.h.
708  */
709 static int
710 mb_ctor_clust(void *mem, int size, void *arg, int how)
711 {
712 	struct mbuf *m;
713 
714 	m = (struct mbuf *)arg;
715 	if (m != NULL) {
716 		m->m_ext.ext_buf = (char *)mem;
717 		m->m_data = m->m_ext.ext_buf;
718 		m->m_flags |= M_EXT;
719 		m->m_ext.ext_free = NULL;
720 		m->m_ext.ext_arg1 = NULL;
721 		m->m_ext.ext_arg2 = NULL;
722 		m->m_ext.ext_size = size;
723 		m->m_ext.ext_type = m_gettype(size);
724 		m->m_ext.ext_flags = EXT_FLAG_EMBREF;
725 		m->m_ext.ext_count = 1;
726 	}
727 
728 	return (0);
729 }
730 
731 /*
732  * The Packet secondary zone's init routine, executed on the
733  * object's transition from mbuf keg slab to zone cache.
734  */
735 static int
736 mb_zinit_pack(void *mem, int size, int how)
737 {
738 	struct mbuf *m;
739 
740 	m = (struct mbuf *)mem;		/* m is virgin. */
741 	if (uma_zalloc_arg(zone_clust, m, how) == NULL ||
742 	    m->m_ext.ext_buf == NULL)
743 		return (ENOMEM);
744 	m->m_ext.ext_type = EXT_PACKET;	/* Override. */
745 #if defined(INVARIANTS) && !defined(KMSAN)
746 	trash_init(m->m_ext.ext_buf, MCLBYTES, how);
747 #endif
748 	return (0);
749 }
750 
751 /*
752  * The Packet secondary zone's fini routine, executed on the
753  * object's transition from zone cache to keg slab.
754  */
755 static void
756 mb_zfini_pack(void *mem, int size)
757 {
758 	struct mbuf *m;
759 
760 	m = (struct mbuf *)mem;
761 #if defined(INVARIANTS) && !defined(KMSAN)
762 	trash_fini(m->m_ext.ext_buf, MCLBYTES);
763 #endif
764 	uma_zfree_arg(zone_clust, m->m_ext.ext_buf, NULL);
765 #if defined(INVARIANTS) && !defined(KMSAN)
766 	trash_dtor(mem, size, NULL);
767 #endif
768 }
769 
770 /*
771  * The "packet" keg constructor.
772  */
773 static int
774 mb_ctor_pack(void *mem, int size, void *arg, int how)
775 {
776 	struct mbuf *m;
777 	struct mb_args *args;
778 	int error, flags;
779 	short type;
780 
781 	m = (struct mbuf *)mem;
782 	args = (struct mb_args *)arg;
783 	flags = args->flags;
784 	type = args->type;
785 	MPASS((flags & M_NOFREE) == 0);
786 
787 #if defined(INVARIANTS) && !defined(KMSAN)
788 	trash_ctor(m->m_ext.ext_buf, MCLBYTES, arg, how);
789 #endif
790 
791 	error = m_init(m, how, type, flags);
792 
793 	/* m_ext is already initialized. */
794 	m->m_data = m->m_ext.ext_buf;
795  	m->m_flags = (flags | M_EXT);
796 
797 	return (error);
798 }
799 
800 /*
801  * This is the protocol drain routine.  Called by UMA whenever any of the
802  * mbuf zones is closed to its limit.
803  *
804  * No locks should be held when this is called.  The drain routines have to
805  * presently acquire some locks which raises the possibility of lock order
806  * reversal.
807  */
808 static void
809 mb_reclaim(uma_zone_t zone __unused, int pending __unused)
810 {
811 	struct epoch_tracker et;
812 	struct domain *dp;
813 	struct protosw *pr;
814 
815 	WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK | WARN_PANIC, NULL, __func__);
816 
817 	NET_EPOCH_ENTER(et);
818 	for (dp = domains; dp != NULL; dp = dp->dom_next)
819 		for (pr = dp->dom_protosw; pr < dp->dom_protoswNPROTOSW; pr++)
820 			if (pr->pr_drain != NULL)
821 				(*pr->pr_drain)();
822 	NET_EPOCH_EXIT(et);
823 }
824 
825 /*
826  * Free "count" units of I/O from an mbuf chain.  They could be held
827  * in M_EXTPG or just as a normal mbuf.  This code is intended to be
828  * called in an error path (I/O error, closed connection, etc).
829  */
830 void
831 mb_free_notready(struct mbuf *m, int count)
832 {
833 	int i;
834 
835 	for (i = 0; i < count && m != NULL; i++) {
836 		if ((m->m_flags & M_EXTPG) != 0) {
837 			m->m_epg_nrdy--;
838 			if (m->m_epg_nrdy != 0)
839 				continue;
840 		}
841 		m = m_free(m);
842 	}
843 	KASSERT(i == count, ("Removed only %d items from %p", i, m));
844 }
845 
846 /*
847  * Compress an unmapped mbuf into a simple mbuf when it holds a small
848  * amount of data.  This is used as a DOS defense to avoid having
849  * small packets tie up wired pages, an ext_pgs structure, and an
850  * mbuf.  Since this converts the existing mbuf in place, it can only
851  * be used if there are no other references to 'm'.
852  */
853 int
854 mb_unmapped_compress(struct mbuf *m)
855 {
856 	volatile u_int *refcnt;
857 	char buf[MLEN];
858 
859 	/*
860 	 * Assert that 'm' does not have a packet header.  If 'm' had
861 	 * a packet header, it would only be able to hold MHLEN bytes
862 	 * and m_data would have to be initialized differently.
863 	 */
864 	KASSERT((m->m_flags & M_PKTHDR) == 0 && (m->m_flags & M_EXTPG),
865             ("%s: m %p !M_EXTPG or M_PKTHDR", __func__, m));
866 	KASSERT(m->m_len <= MLEN, ("m_len too large %p", m));
867 
868 	if (m->m_ext.ext_flags & EXT_FLAG_EMBREF) {
869 		refcnt = &m->m_ext.ext_count;
870 	} else {
871 		KASSERT(m->m_ext.ext_cnt != NULL,
872 		    ("%s: no refcounting pointer on %p", __func__, m));
873 		refcnt = m->m_ext.ext_cnt;
874 	}
875 
876 	if (*refcnt != 1)
877 		return (EBUSY);
878 
879 	m_copydata(m, 0, m->m_len, buf);
880 
881 	/* Free the backing pages. */
882 	m->m_ext.ext_free(m);
883 
884 	/* Turn 'm' into a "normal" mbuf. */
885 	m->m_flags &= ~(M_EXT | M_RDONLY | M_EXTPG);
886 	m->m_data = m->m_dat;
887 
888 	/* Copy data back into m. */
889 	bcopy(buf, mtod(m, char *), m->m_len);
890 
891 	return (0);
892 }
893 
894 /*
895  * These next few routines are used to permit downgrading an unmapped
896  * mbuf to a chain of mapped mbufs.  This is used when an interface
897  * doesn't supported unmapped mbufs or if checksums need to be
898  * computed in software.
899  *
900  * Each unmapped mbuf is converted to a chain of mbufs.  First, any
901  * TLS header data is stored in a regular mbuf.  Second, each page of
902  * unmapped data is stored in an mbuf with an EXT_SFBUF external
903  * cluster.  These mbufs use an sf_buf to provide a valid KVA for the
904  * associated physical page.  They also hold a reference on the
905  * original M_EXTPG mbuf to ensure the physical page doesn't go away.
906  * Finally, any TLS trailer data is stored in a regular mbuf.
907  *
908  * mb_unmapped_free_mext() is the ext_free handler for the EXT_SFBUF
909  * mbufs.  It frees the associated sf_buf and releases its reference
910  * on the original M_EXTPG mbuf.
911  *
912  * _mb_unmapped_to_ext() is a helper function that converts a single
913  * unmapped mbuf into a chain of mbufs.
914  *
915  * mb_unmapped_to_ext() is the public function that walks an mbuf
916  * chain converting any unmapped mbufs to mapped mbufs.  It returns
917  * the new chain of unmapped mbufs on success.  On failure it frees
918  * the original mbuf chain and returns NULL.
919  */
920 static void
921 mb_unmapped_free_mext(struct mbuf *m)
922 {
923 	struct sf_buf *sf;
924 	struct mbuf *old_m;
925 
926 	sf = m->m_ext.ext_arg1;
927 	sf_buf_free(sf);
928 
929 	/* Drop the reference on the backing M_EXTPG mbuf. */
930 	old_m = m->m_ext.ext_arg2;
931 	mb_free_extpg(old_m);
932 }
933 
934 static struct mbuf *
935 _mb_unmapped_to_ext(struct mbuf *m)
936 {
937 	struct mbuf *m_new, *top, *prev, *mref;
938 	struct sf_buf *sf;
939 	vm_page_t pg;
940 	int i, len, off, pglen, pgoff, seglen, segoff;
941 	volatile u_int *refcnt;
942 	u_int ref_inc = 0;
943 
944 	M_ASSERTEXTPG(m);
945 	len = m->m_len;
946 	KASSERT(m->m_epg_tls == NULL, ("%s: can't convert TLS mbuf %p",
947 	    __func__, m));
948 
949 	/* See if this is the mbuf that holds the embedded refcount. */
950 	if (m->m_ext.ext_flags & EXT_FLAG_EMBREF) {
951 		refcnt = &m->m_ext.ext_count;
952 		mref = m;
953 	} else {
954 		KASSERT(m->m_ext.ext_cnt != NULL,
955 		    ("%s: no refcounting pointer on %p", __func__, m));
956 		refcnt = m->m_ext.ext_cnt;
957 		mref = __containerof(refcnt, struct mbuf, m_ext.ext_count);
958 	}
959 
960 	/* Skip over any data removed from the front. */
961 	off = mtod(m, vm_offset_t);
962 
963 	top = NULL;
964 	if (m->m_epg_hdrlen != 0) {
965 		if (off >= m->m_epg_hdrlen) {
966 			off -= m->m_epg_hdrlen;
967 		} else {
968 			seglen = m->m_epg_hdrlen - off;
969 			segoff = off;
970 			seglen = min(seglen, len);
971 			off = 0;
972 			len -= seglen;
973 			m_new = m_get(M_NOWAIT, MT_DATA);
974 			if (m_new == NULL)
975 				goto fail;
976 			m_new->m_len = seglen;
977 			prev = top = m_new;
978 			memcpy(mtod(m_new, void *), &m->m_epg_hdr[segoff],
979 			    seglen);
980 		}
981 	}
982 	pgoff = m->m_epg_1st_off;
983 	for (i = 0; i < m->m_epg_npgs && len > 0; i++) {
984 		pglen = m_epg_pagelen(m, i, pgoff);
985 		if (off >= pglen) {
986 			off -= pglen;
987 			pgoff = 0;
988 			continue;
989 		}
990 		seglen = pglen - off;
991 		segoff = pgoff + off;
992 		off = 0;
993 		seglen = min(seglen, len);
994 		len -= seglen;
995 
996 		pg = PHYS_TO_VM_PAGE(m->m_epg_pa[i]);
997 		m_new = m_get(M_NOWAIT, MT_DATA);
998 		if (m_new == NULL)
999 			goto fail;
1000 		if (top == NULL) {
1001 			top = prev = m_new;
1002 		} else {
1003 			prev->m_next = m_new;
1004 			prev = m_new;
1005 		}
1006 		sf = sf_buf_alloc(pg, SFB_NOWAIT);
1007 		if (sf == NULL)
1008 			goto fail;
1009 
1010 		ref_inc++;
1011 		m_extadd(m_new, (char *)sf_buf_kva(sf), PAGE_SIZE,
1012 		    mb_unmapped_free_mext, sf, mref, M_RDONLY, EXT_SFBUF);
1013 		m_new->m_data += segoff;
1014 		m_new->m_len = seglen;
1015 
1016 		pgoff = 0;
1017 	};
1018 	if (len != 0) {
1019 		KASSERT((off + len) <= m->m_epg_trllen,
1020 		    ("off + len > trail (%d + %d > %d)", off, len,
1021 		    m->m_epg_trllen));
1022 		m_new = m_get(M_NOWAIT, MT_DATA);
1023 		if (m_new == NULL)
1024 			goto fail;
1025 		if (top == NULL)
1026 			top = m_new;
1027 		else
1028 			prev->m_next = m_new;
1029 		m_new->m_len = len;
1030 		memcpy(mtod(m_new, void *), &m->m_epg_trail[off], len);
1031 	}
1032 
1033 	if (ref_inc != 0) {
1034 		/*
1035 		 * Obtain an additional reference on the old mbuf for
1036 		 * each created EXT_SFBUF mbuf.  They will be dropped
1037 		 * in mb_unmapped_free_mext().
1038 		 */
1039 		if (*refcnt == 1)
1040 			*refcnt += ref_inc;
1041 		else
1042 			atomic_add_int(refcnt, ref_inc);
1043 	}
1044 	m_free(m);
1045 	return (top);
1046 
1047 fail:
1048 	if (ref_inc != 0) {
1049 		/*
1050 		 * Obtain an additional reference on the old mbuf for
1051 		 * each created EXT_SFBUF mbuf.  They will be
1052 		 * immediately dropped when these mbufs are freed
1053 		 * below.
1054 		 */
1055 		if (*refcnt == 1)
1056 			*refcnt += ref_inc;
1057 		else
1058 			atomic_add_int(refcnt, ref_inc);
1059 	}
1060 	m_free(m);
1061 	m_freem(top);
1062 	return (NULL);
1063 }
1064 
1065 struct mbuf *
1066 mb_unmapped_to_ext(struct mbuf *top)
1067 {
1068 	struct mbuf *m, *next, *prev = NULL;
1069 
1070 	prev = NULL;
1071 	for (m = top; m != NULL; m = next) {
1072 		/* m might be freed, so cache the next pointer. */
1073 		next = m->m_next;
1074 		if (m->m_flags & M_EXTPG) {
1075 			if (prev != NULL) {
1076 				/*
1077 				 * Remove 'm' from the new chain so
1078 				 * that the 'top' chain terminates
1079 				 * before 'm' in case 'top' is freed
1080 				 * due to an error.
1081 				 */
1082 				prev->m_next = NULL;
1083 			}
1084 			m = _mb_unmapped_to_ext(m);
1085 			if (m == NULL) {
1086 				m_freem(top);
1087 				m_freem(next);
1088 				return (NULL);
1089 			}
1090 			if (prev == NULL) {
1091 				top = m;
1092 			} else {
1093 				prev->m_next = m;
1094 			}
1095 
1096 			/*
1097 			 * Replaced one mbuf with a chain, so we must
1098 			 * find the end of chain.
1099 			 */
1100 			prev = m_last(m);
1101 		} else {
1102 			if (prev != NULL) {
1103 				prev->m_next = m;
1104 			}
1105 			prev = m;
1106 		}
1107 	}
1108 	return (top);
1109 }
1110 
1111 /*
1112  * Allocate an empty M_EXTPG mbuf.  The ext_free routine is
1113  * responsible for freeing any pages backing this mbuf when it is
1114  * freed.
1115  */
1116 struct mbuf *
1117 mb_alloc_ext_pgs(int how, m_ext_free_t ext_free)
1118 {
1119 	struct mbuf *m;
1120 
1121 	m = m_get(how, MT_DATA);
1122 	if (m == NULL)
1123 		return (NULL);
1124 
1125 	m->m_epg_npgs = 0;
1126 	m->m_epg_nrdy = 0;
1127 	m->m_epg_1st_off = 0;
1128 	m->m_epg_last_len = 0;
1129 	m->m_epg_flags = 0;
1130 	m->m_epg_hdrlen = 0;
1131 	m->m_epg_trllen = 0;
1132 	m->m_epg_tls = NULL;
1133 	m->m_epg_so = NULL;
1134 	m->m_data = NULL;
1135 	m->m_flags |= (M_EXT | M_RDONLY | M_EXTPG);
1136 	m->m_ext.ext_flags = EXT_FLAG_EMBREF;
1137 	m->m_ext.ext_count = 1;
1138 	m->m_ext.ext_size = 0;
1139 	m->m_ext.ext_free = ext_free;
1140 	return (m);
1141 }
1142 
1143 /*
1144  * Clean up after mbufs with M_EXT storage attached to them if the
1145  * reference count hits 1.
1146  */
1147 void
1148 mb_free_ext(struct mbuf *m)
1149 {
1150 	volatile u_int *refcnt;
1151 	struct mbuf *mref;
1152 	int freembuf;
1153 
1154 	KASSERT(m->m_flags & M_EXT, ("%s: M_EXT not set on %p", __func__, m));
1155 
1156 	/* See if this is the mbuf that holds the embedded refcount. */
1157 	if (m->m_ext.ext_flags & EXT_FLAG_EMBREF) {
1158 		refcnt = &m->m_ext.ext_count;
1159 		mref = m;
1160 	} else {
1161 		KASSERT(m->m_ext.ext_cnt != NULL,
1162 		    ("%s: no refcounting pointer on %p", __func__, m));
1163 		refcnt = m->m_ext.ext_cnt;
1164 		mref = __containerof(refcnt, struct mbuf, m_ext.ext_count);
1165 	}
1166 
1167 	/*
1168 	 * Check if the header is embedded in the cluster.  It is
1169 	 * important that we can't touch any of the mbuf fields
1170 	 * after we have freed the external storage, since mbuf
1171 	 * could have been embedded in it.  For now, the mbufs
1172 	 * embedded into the cluster are always of type EXT_EXTREF,
1173 	 * and for this type we won't free the mref.
1174 	 */
1175 	if (m->m_flags & M_NOFREE) {
1176 		freembuf = 0;
1177 		KASSERT(m->m_ext.ext_type == EXT_EXTREF ||
1178 		    m->m_ext.ext_type == EXT_RXRING,
1179 		    ("%s: no-free mbuf %p has wrong type", __func__, m));
1180 	} else
1181 		freembuf = 1;
1182 
1183 	/* Free attached storage if this mbuf is the only reference to it. */
1184 	if (*refcnt == 1 || atomic_fetchadd_int(refcnt, -1) == 1) {
1185 		switch (m->m_ext.ext_type) {
1186 		case EXT_PACKET:
1187 			/* The packet zone is special. */
1188 			if (*refcnt == 0)
1189 				*refcnt = 1;
1190 			uma_zfree(zone_pack, mref);
1191 			break;
1192 		case EXT_CLUSTER:
1193 			uma_zfree(zone_clust, m->m_ext.ext_buf);
1194 			m_free_raw(mref);
1195 			break;
1196 		case EXT_JUMBOP:
1197 			uma_zfree(zone_jumbop, m->m_ext.ext_buf);
1198 			m_free_raw(mref);
1199 			break;
1200 		case EXT_JUMBO9:
1201 			uma_zfree(zone_jumbo9, m->m_ext.ext_buf);
1202 			m_free_raw(mref);
1203 			break;
1204 		case EXT_JUMBO16:
1205 			uma_zfree(zone_jumbo16, m->m_ext.ext_buf);
1206 			m_free_raw(mref);
1207 			break;
1208 		case EXT_SFBUF:
1209 		case EXT_NET_DRV:
1210 		case EXT_MOD_TYPE:
1211 		case EXT_DISPOSABLE:
1212 			KASSERT(mref->m_ext.ext_free != NULL,
1213 			    ("%s: ext_free not set", __func__));
1214 			mref->m_ext.ext_free(mref);
1215 			m_free_raw(mref);
1216 			break;
1217 		case EXT_EXTREF:
1218 			KASSERT(m->m_ext.ext_free != NULL,
1219 			    ("%s: ext_free not set", __func__));
1220 			m->m_ext.ext_free(m);
1221 			break;
1222 		case EXT_RXRING:
1223 			KASSERT(m->m_ext.ext_free == NULL,
1224 			    ("%s: ext_free is set", __func__));
1225 			break;
1226 		default:
1227 			KASSERT(m->m_ext.ext_type == 0,
1228 			    ("%s: unknown ext_type", __func__));
1229 		}
1230 	}
1231 
1232 	if (freembuf && m != mref)
1233 		m_free_raw(m);
1234 }
1235 
1236 /*
1237  * Clean up after mbufs with M_EXTPG storage attached to them if the
1238  * reference count hits 1.
1239  */
1240 void
1241 mb_free_extpg(struct mbuf *m)
1242 {
1243 	volatile u_int *refcnt;
1244 	struct mbuf *mref;
1245 
1246 	M_ASSERTEXTPG(m);
1247 
1248 	/* See if this is the mbuf that holds the embedded refcount. */
1249 	if (m->m_ext.ext_flags & EXT_FLAG_EMBREF) {
1250 		refcnt = &m->m_ext.ext_count;
1251 		mref = m;
1252 	} else {
1253 		KASSERT(m->m_ext.ext_cnt != NULL,
1254 		    ("%s: no refcounting pointer on %p", __func__, m));
1255 		refcnt = m->m_ext.ext_cnt;
1256 		mref = __containerof(refcnt, struct mbuf, m_ext.ext_count);
1257 	}
1258 
1259 	/* Free attached storage if this mbuf is the only reference to it. */
1260 	if (*refcnt == 1 || atomic_fetchadd_int(refcnt, -1) == 1) {
1261 		KASSERT(mref->m_ext.ext_free != NULL,
1262 		    ("%s: ext_free not set", __func__));
1263 
1264 		mref->m_ext.ext_free(mref);
1265 #ifdef KERN_TLS
1266 		if (mref->m_epg_tls != NULL &&
1267 		    !refcount_release_if_not_last(&mref->m_epg_tls->refcount))
1268 			ktls_enqueue_to_free(mref);
1269 		else
1270 #endif
1271 			m_free_raw(mref);
1272 	}
1273 
1274 	if (m != mref)
1275 		m_free_raw(m);
1276 }
1277 
1278 /*
1279  * Official mbuf(9) allocation KPI for stack and drivers:
1280  *
1281  * m_get()	- a single mbuf without any attachments, sys/mbuf.h.
1282  * m_gethdr()	- a single mbuf initialized as M_PKTHDR, sys/mbuf.h.
1283  * m_getcl()	- an mbuf + 2k cluster, sys/mbuf.h.
1284  * m_clget()	- attach cluster to already allocated mbuf.
1285  * m_cljget()	- attach jumbo cluster to already allocated mbuf.
1286  * m_get2()	- allocate minimum mbuf that would fit size argument.
1287  * m_getm2()	- allocate a chain of mbufs/clusters.
1288  * m_extadd()	- attach external cluster to mbuf.
1289  *
1290  * m_free()	- free single mbuf with its tags and ext, sys/mbuf.h.
1291  * m_freem()	- free chain of mbufs.
1292  */
1293 
1294 int
1295 m_clget(struct mbuf *m, int how)
1296 {
1297 
1298 	KASSERT((m->m_flags & M_EXT) == 0, ("%s: mbuf %p has M_EXT",
1299 	    __func__, m));
1300 	m->m_ext.ext_buf = (char *)NULL;
1301 	uma_zalloc_arg(zone_clust, m, how);
1302 	/*
1303 	 * On a cluster allocation failure, drain the packet zone and retry,
1304 	 * we might be able to loosen a few clusters up on the drain.
1305 	 */
1306 	if ((how & M_NOWAIT) && (m->m_ext.ext_buf == NULL)) {
1307 		uma_zone_reclaim(zone_pack, UMA_RECLAIM_DRAIN);
1308 		uma_zalloc_arg(zone_clust, m, how);
1309 	}
1310 	MBUF_PROBE2(m__clget, m, how);
1311 	return (m->m_flags & M_EXT);
1312 }
1313 
1314 /*
1315  * m_cljget() is different from m_clget() as it can allocate clusters without
1316  * attaching them to an mbuf.  In that case the return value is the pointer
1317  * to the cluster of the requested size.  If an mbuf was specified, it gets
1318  * the cluster attached to it and the return value can be safely ignored.
1319  * For size it takes MCLBYTES, MJUMPAGESIZE, MJUM9BYTES, MJUM16BYTES.
1320  */
1321 void *
1322 m_cljget(struct mbuf *m, int how, int size)
1323 {
1324 	uma_zone_t zone;
1325 	void *retval;
1326 
1327 	if (m != NULL) {
1328 		KASSERT((m->m_flags & M_EXT) == 0, ("%s: mbuf %p has M_EXT",
1329 		    __func__, m));
1330 		m->m_ext.ext_buf = NULL;
1331 	}
1332 
1333 	zone = m_getzone(size);
1334 	retval = uma_zalloc_arg(zone, m, how);
1335 
1336 	MBUF_PROBE4(m__cljget, m, how, size, retval);
1337 
1338 	return (retval);
1339 }
1340 
1341 /*
1342  * m_get2() allocates minimum mbuf that would fit "size" argument.
1343  */
1344 struct mbuf *
1345 m_get2(int size, int how, short type, int flags)
1346 {
1347 	struct mb_args args;
1348 	struct mbuf *m, *n;
1349 
1350 	args.flags = flags;
1351 	args.type = type;
1352 
1353 	if (size <= MHLEN || (size <= MLEN && (flags & M_PKTHDR) == 0))
1354 		return (uma_zalloc_arg(zone_mbuf, &args, how));
1355 	if (size <= MCLBYTES)
1356 		return (uma_zalloc_arg(zone_pack, &args, how));
1357 
1358 	if (size > MJUMPAGESIZE)
1359 		return (NULL);
1360 
1361 	m = uma_zalloc_arg(zone_mbuf, &args, how);
1362 	if (m == NULL)
1363 		return (NULL);
1364 
1365 	n = uma_zalloc_arg(zone_jumbop, m, how);
1366 	if (n == NULL) {
1367 		m_free_raw(m);
1368 		return (NULL);
1369 	}
1370 
1371 	return (m);
1372 }
1373 
1374 /*
1375  * m_get3() allocates minimum mbuf that would fit "size" argument.
1376  * Unlike m_get2() it can allocate clusters up to MJUM16BYTES.
1377  */
1378 struct mbuf *
1379 m_get3(int size, int how, short type, int flags)
1380 {
1381 	struct mb_args args;
1382 	struct mbuf *m, *n;
1383 	uma_zone_t zone;
1384 
1385 	if (size <= MJUMPAGESIZE)
1386 		return (m_get2(size, how, type, flags));
1387 
1388 	if (size > MJUM16BYTES)
1389 		return (NULL);
1390 
1391 	args.flags = flags;
1392 	args.type = type;
1393 
1394 	m = uma_zalloc_arg(zone_mbuf, &args, how);
1395 	if (m == NULL)
1396 		return (NULL);
1397 
1398 	if (size <= MJUM9BYTES)
1399 		zone = zone_jumbo9;
1400 	else
1401 		zone = zone_jumbo16;
1402 
1403 	n = uma_zalloc_arg(zone_jumbop, m, how);
1404 	if (n == NULL) {
1405 		m_free_raw(m);
1406 		return (NULL);
1407 	}
1408 
1409 	return (m);
1410 }
1411 
1412 /*
1413  * m_getjcl() returns an mbuf with a cluster of the specified size attached.
1414  * For size it takes MCLBYTES, MJUMPAGESIZE, MJUM9BYTES, MJUM16BYTES.
1415  */
1416 struct mbuf *
1417 m_getjcl(int how, short type, int flags, int size)
1418 {
1419 	struct mb_args args;
1420 	struct mbuf *m, *n;
1421 	uma_zone_t zone;
1422 
1423 	if (size == MCLBYTES)
1424 		return m_getcl(how, type, flags);
1425 
1426 	args.flags = flags;
1427 	args.type = type;
1428 
1429 	m = uma_zalloc_arg(zone_mbuf, &args, how);
1430 	if (m == NULL)
1431 		return (NULL);
1432 
1433 	zone = m_getzone(size);
1434 	n = uma_zalloc_arg(zone, m, how);
1435 	if (n == NULL) {
1436 		m_free_raw(m);
1437 		return (NULL);
1438 	}
1439 	MBUF_PROBE5(m__getjcl, how, type, flags, size, m);
1440 	return (m);
1441 }
1442 
1443 /*
1444  * Allocate a given length worth of mbufs and/or clusters (whatever fits
1445  * best) and return a pointer to the top of the allocated chain.  If an
1446  * existing mbuf chain is provided, then we will append the new chain
1447  * to the existing one and return a pointer to the provided mbuf.
1448  */
1449 struct mbuf *
1450 m_getm2(struct mbuf *m, int len, int how, short type, int flags)
1451 {
1452 	struct mbuf *mb, *nm = NULL, *mtail = NULL;
1453 
1454 	KASSERT(len >= 0, ("%s: len is < 0", __func__));
1455 
1456 	/* Validate flags. */
1457 	flags &= (M_PKTHDR | M_EOR);
1458 
1459 	/* Packet header mbuf must be first in chain. */
1460 	if ((flags & M_PKTHDR) && m != NULL)
1461 		flags &= ~M_PKTHDR;
1462 
1463 	/* Loop and append maximum sized mbufs to the chain tail. */
1464 	while (len > 0) {
1465 		mb = NULL;
1466 		if (len > MCLBYTES) {
1467 			mb = m_getjcl(M_NOWAIT, type, (flags & M_PKTHDR),
1468 			    MJUMPAGESIZE);
1469 		}
1470 		if (mb == NULL) {
1471 			if (len >= MINCLSIZE)
1472 				mb = m_getcl(how, type, (flags & M_PKTHDR));
1473 			else if (flags & M_PKTHDR)
1474 				mb = m_gethdr(how, type);
1475 			else
1476 				mb = m_get(how, type);
1477 
1478 			/*
1479 			 * Fail the whole operation if one mbuf can't be
1480 			 * allocated.
1481 			 */
1482 			if (mb == NULL) {
1483 				m_freem(nm);
1484 				return (NULL);
1485 			}
1486 		}
1487 
1488 		/* Book keeping. */
1489 		len -= M_SIZE(mb);
1490 		if (mtail != NULL)
1491 			mtail->m_next = mb;
1492 		else
1493 			nm = mb;
1494 		mtail = mb;
1495 		flags &= ~M_PKTHDR;	/* Only valid on the first mbuf. */
1496 	}
1497 	if (flags & M_EOR)
1498 		mtail->m_flags |= M_EOR;  /* Only valid on the last mbuf. */
1499 
1500 	/* If mbuf was supplied, append new chain to the end of it. */
1501 	if (m != NULL) {
1502 		for (mtail = m; mtail->m_next != NULL; mtail = mtail->m_next)
1503 			;
1504 		mtail->m_next = nm;
1505 		mtail->m_flags &= ~M_EOR;
1506 	} else
1507 		m = nm;
1508 
1509 	return (m);
1510 }
1511 
1512 /*-
1513  * Configure a provided mbuf to refer to the provided external storage
1514  * buffer and setup a reference count for said buffer.
1515  *
1516  * Arguments:
1517  *    mb     The existing mbuf to which to attach the provided buffer.
1518  *    buf    The address of the provided external storage buffer.
1519  *    size   The size of the provided buffer.
1520  *    freef  A pointer to a routine that is responsible for freeing the
1521  *           provided external storage buffer.
1522  *    args   A pointer to an argument structure (of any type) to be passed
1523  *           to the provided freef routine (may be NULL).
1524  *    flags  Any other flags to be passed to the provided mbuf.
1525  *    type   The type that the external storage buffer should be
1526  *           labeled with.
1527  *
1528  * Returns:
1529  *    Nothing.
1530  */
1531 void
1532 m_extadd(struct mbuf *mb, char *buf, u_int size, m_ext_free_t freef,
1533     void *arg1, void *arg2, int flags, int type)
1534 {
1535 
1536 	KASSERT(type != EXT_CLUSTER, ("%s: EXT_CLUSTER not allowed", __func__));
1537 
1538 	mb->m_flags |= (M_EXT | flags);
1539 	mb->m_ext.ext_buf = buf;
1540 	mb->m_data = mb->m_ext.ext_buf;
1541 	mb->m_ext.ext_size = size;
1542 	mb->m_ext.ext_free = freef;
1543 	mb->m_ext.ext_arg1 = arg1;
1544 	mb->m_ext.ext_arg2 = arg2;
1545 	mb->m_ext.ext_type = type;
1546 
1547 	if (type != EXT_EXTREF) {
1548 		mb->m_ext.ext_count = 1;
1549 		mb->m_ext.ext_flags = EXT_FLAG_EMBREF;
1550 	} else
1551 		mb->m_ext.ext_flags = 0;
1552 }
1553 
1554 /*
1555  * Free an entire chain of mbufs and associated external buffers, if
1556  * applicable.
1557  */
1558 void
1559 m_freem(struct mbuf *mb)
1560 {
1561 
1562 	MBUF_PROBE1(m__freem, mb);
1563 	while (mb != NULL)
1564 		mb = m_free(mb);
1565 }
1566 
1567 /*
1568  * Temporary primitive to allow freeing without going through m_free.
1569  */
1570 void
1571 m_free_raw(struct mbuf *mb)
1572 {
1573 
1574 	uma_zfree(zone_mbuf, mb);
1575 }
1576 
1577 int
1578 m_snd_tag_alloc(struct ifnet *ifp, union if_snd_tag_alloc_params *params,
1579     struct m_snd_tag **mstp)
1580 {
1581 
1582 	if (ifp->if_snd_tag_alloc == NULL)
1583 		return (EOPNOTSUPP);
1584 	return (ifp->if_snd_tag_alloc(ifp, params, mstp));
1585 }
1586 
1587 void
1588 m_snd_tag_init(struct m_snd_tag *mst, struct ifnet *ifp, u_int type)
1589 {
1590 
1591 	if_ref(ifp);
1592 	mst->ifp = ifp;
1593 	refcount_init(&mst->refcount, 1);
1594 	mst->type = type;
1595 	counter_u64_add(snd_tag_count, 1);
1596 }
1597 
1598 void
1599 m_snd_tag_destroy(struct m_snd_tag *mst)
1600 {
1601 	struct ifnet *ifp;
1602 
1603 	ifp = mst->ifp;
1604 	ifp->if_snd_tag_free(mst);
1605 	if_rele(ifp);
1606 	counter_u64_add(snd_tag_count, -1);
1607 }
1608 
1609 /*
1610  * Allocate an mbuf with anonymous external pages.
1611  */
1612 struct mbuf *
1613 mb_alloc_ext_plus_pages(int len, int how)
1614 {
1615 	struct mbuf *m;
1616 	vm_page_t pg;
1617 	int i, npgs;
1618 
1619 	m = mb_alloc_ext_pgs(how, mb_free_mext_pgs);
1620 	if (m == NULL)
1621 		return (NULL);
1622 	m->m_epg_flags |= EPG_FLAG_ANON;
1623 	npgs = howmany(len, PAGE_SIZE);
1624 	for (i = 0; i < npgs; i++) {
1625 		do {
1626 			pg = vm_page_alloc(NULL, 0, VM_ALLOC_NORMAL |
1627 			    VM_ALLOC_NOOBJ | VM_ALLOC_NODUMP | VM_ALLOC_WIRED);
1628 			if (pg == NULL) {
1629 				if (how == M_NOWAIT) {
1630 					m->m_epg_npgs = i;
1631 					m_free(m);
1632 					return (NULL);
1633 				}
1634 				vm_wait(NULL);
1635 			}
1636 		} while (pg == NULL);
1637 		m->m_epg_pa[i] = VM_PAGE_TO_PHYS(pg);
1638 	}
1639 	m->m_epg_npgs = npgs;
1640 	return (m);
1641 }
1642 
1643 /*
1644  * Copy the data in the mbuf chain to a chain of mbufs with anonymous external
1645  * unmapped pages.
1646  * len is the length of data in the input mbuf chain.
1647  * mlen is the maximum number of bytes put into each ext_page mbuf.
1648  */
1649 struct mbuf *
1650 mb_mapped_to_unmapped(struct mbuf *mp, int len, int mlen, int how,
1651     struct mbuf **mlast)
1652 {
1653 	struct mbuf *m, *mout;
1654 	char *pgpos, *mbpos;
1655 	int i, mblen, mbufsiz, pglen, xfer;
1656 
1657 	if (len == 0)
1658 		return (NULL);
1659 	mbufsiz = min(mlen, len);
1660 	m = mout = mb_alloc_ext_plus_pages(mbufsiz, how);
1661 	if (m == NULL)
1662 		return (m);
1663 	pgpos = (char *)(void *)PHYS_TO_DMAP(m->m_epg_pa[0]);
1664 	pglen = PAGE_SIZE;
1665 	mblen = 0;
1666 	i = 0;
1667 	do {
1668 		if (pglen == 0) {
1669 			if (++i == m->m_epg_npgs) {
1670 				m->m_epg_last_len = PAGE_SIZE;
1671 				mbufsiz = min(mlen, len);
1672 				m->m_next = mb_alloc_ext_plus_pages(mbufsiz,
1673 				    how);
1674 				m = m->m_next;
1675 				if (m == NULL) {
1676 					m_freem(mout);
1677 					return (m);
1678 				}
1679 				i = 0;
1680 			}
1681 			pgpos = (char *)(void *)PHYS_TO_DMAP(m->m_epg_pa[i]);
1682 			pglen = PAGE_SIZE;
1683 		}
1684 		while (mblen == 0) {
1685 			if (mp == NULL) {
1686 				m_freem(mout);
1687 				return (NULL);
1688 			}
1689 			KASSERT((mp->m_flags & M_EXTPG) == 0,
1690 			    ("mb_copym_ext_pgs: ext_pgs input mbuf"));
1691 			mbpos = mtod(mp, char *);
1692 			mblen = mp->m_len;
1693 			mp = mp->m_next;
1694 		}
1695 		xfer = min(mblen, pglen);
1696 		memcpy(pgpos, mbpos, xfer);
1697 		pgpos += xfer;
1698 		mbpos += xfer;
1699 		pglen -= xfer;
1700 		mblen -= xfer;
1701 		len -= xfer;
1702 		m->m_len += xfer;
1703 	} while (len > 0);
1704 	m->m_epg_last_len = PAGE_SIZE - pglen;
1705 	if (mlast != NULL)
1706 		*mlast = m;
1707 	return (mout);
1708 }
1709