ipv6: frags: rewrite ip6_expire_frag_queue()
authorEric Dumazet <edumazet@google.com>
Wed, 10 Oct 2018 19:30:02 +0000 (12:30 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Oct 2018 07:13:25 +0000 (09:13 +0200)
Make it similar to IPv4 ip_expire(), and release the lock
before calling icmp functions.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 05c0b86b9696802fd0ce5676a92a63f1b455bdf3)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/ipv6/reassembly.c

index 8a4ece3..1cb45a0 100644 (file)
@@ -92,7 +92,9 @@ EXPORT_SYMBOL(ip6_frag_init);
 void ip6_expire_frag_queue(struct net *net, struct frag_queue *fq)
 {
        struct net_device *dev = NULL;
+       struct sk_buff *head;
 
+       rcu_read_lock();
        spin_lock(&fq->q.lock);
 
        if (fq->q.flags & INET_FRAG_COMPLETE)
@@ -100,28 +102,34 @@ void ip6_expire_frag_queue(struct net *net, struct frag_queue *fq)
 
        inet_frag_kill(&fq->q);
 
-       rcu_read_lock();
        dev = dev_get_by_index_rcu(net, fq->iif);
        if (!dev)
-               goto out_rcu_unlock;
+               goto out;
 
        __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS);
        __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMTIMEOUT);
 
        /* Don't send error if the first segment did not arrive. */
-       if (!(fq->q.flags & INET_FRAG_FIRST_IN) || !fq->q.fragments)
-               goto out_rcu_unlock;
+       head = fq->q.fragments;
+       if (!(fq->q.flags & INET_FRAG_FIRST_IN) || !head)
+               goto out;
 
        /* But use as source device on which LAST ARRIVED
         * segment was received. And do not use fq->dev
         * pointer directly, device might already disappeared.
         */
-       fq->q.fragments->dev = dev;
-       icmpv6_send(fq->q.fragments, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
-out_rcu_unlock:
-       rcu_read_unlock();
+       head->dev = dev;
+       skb_get(head);
+       spin_unlock(&fq->q.lock);
+
+       icmpv6_send(head, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
+       kfree_skb(head);
+       goto out_rcu_unlock;
+
 out:
        spin_unlock(&fq->q.lock);
+out_rcu_unlock:
+       rcu_read_unlock();
        inet_frag_put(&fq->q);
 }
 EXPORT_SYMBOL(ip6_expire_frag_queue);