|
|
@@ -92,7 +92,9 @@ EXPORT_SYMBOL(ip6_frag_init);
|
|
|
void ip6_expire_frag_queue(struct net *net, struct frag_queue *fq)
|
|
|
{
|
|
|
struct net_device *dev = NULL;
|
|
|
+ struct sk_buff *head;
|
|
|
|
|
|
+ rcu_read_lock();
|
|
|
spin_lock(&fq->q.lock);
|
|
|
|
|
|
if (fq->q.flags & INET_FRAG_COMPLETE)
|
|
|
@@ -100,28 +102,34 @@ void ip6_expire_frag_queue(struct net *net, struct frag_queue *fq)
|
|
|
|
|
|
inet_frag_kill(&fq->q);
|
|
|
|
|
|
- rcu_read_lock();
|
|
|
dev = dev_get_by_index_rcu(net, fq->iif);
|
|
|
if (!dev)
|
|
|
- goto out_rcu_unlock;
|
|
|
+ goto out;
|
|
|
|
|
|
__IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS);
|
|
|
__IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMTIMEOUT);
|
|
|
|
|
|
/* Don't send error if the first segment did not arrive. */
|
|
|
- if (!(fq->q.flags & INET_FRAG_FIRST_IN) || !fq->q.fragments)
|
|
|
- goto out_rcu_unlock;
|
|
|
+ head = fq->q.fragments;
|
|
|
+ if (!(fq->q.flags & INET_FRAG_FIRST_IN) || !head)
|
|
|
+ goto out;
|
|
|
|
|
|
/* But use as source device on which LAST ARRIVED
|
|
|
* segment was received. And do not use fq->dev
|
|
|
* pointer directly, device might already disappeared.
|
|
|
*/
|
|
|
- fq->q.fragments->dev = dev;
|
|
|
- icmpv6_send(fq->q.fragments, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
|
|
|
-out_rcu_unlock:
|
|
|
- rcu_read_unlock();
|
|
|
+ head->dev = dev;
|
|
|
+ skb_get(head);
|
|
|
+ spin_unlock(&fq->q.lock);
|
|
|
+
|
|
|
+ icmpv6_send(head, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
|
|
|
+ kfree_skb(head);
|
|
|
+ goto out_rcu_unlock;
|
|
|
+
|
|
|
out:
|
|
|
spin_unlock(&fq->q.lock);
|
|
|
+out_rcu_unlock:
|
|
|
+ rcu_read_unlock();
|
|
|
inet_frag_put(&fq->q);
|
|
|
}
|
|
|
EXPORT_SYMBOL(ip6_expire_frag_queue);
|
Eric Dumazet