inet: frags: do not clone skb in ip_expire()

An skb_clone() was added in commit ec4fbd64751d ("inet: frag: release
spinlock before calling icmp_send()")

While fixing the bug at that time, it also added a very high cost
for DDOS frags, as the ICMP rate limit is applied after this
expensive operation (skb_clone() + consume_skb(), implying memory
allocations, copy, and freeing)

We can use skb_get(head) here, all we want is to make sure skb wont
be freed by another cpu.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 6 insertions, 10 deletions

diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 053869f2c49b..fb185d9a5cc7 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -143,8 +143,8 @@ static bool frag_expire_skip_icmp(u32 user)
 static void ip_expire(struct timer_list *t)
 {
         struct inet_frag_queue *frag = from_timer(frag, t, timer);
-        struct sk_buff *clone, *head;
         const struct iphdr *iph;
+        struct sk_buff *head;
         struct net *net;
         struct ipq *qp;
         int err;
@@ -187,16 +187,12 @@ static void ip_expire(struct timer_list *t)
             (skb_rtable(head)->rt_type != RTN_LOCAL))
                 goto out;
 
-        clone = skb_clone(head, GFP_ATOMIC);
+        skb_get(head);
+        spin_unlock(&qp->q.lock);
+        icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
+        kfree_skb(head);
+        goto out_rcu_unlock;
 
-        /* Send an ICMP "Fragment Reassembly Timeout" message. */
-        if (clone) {
-                spin_unlock(&qp->q.lock);
-                icmp_send(clone, ICMP_TIME_EXCEEDED,
-                          ICMP_EXC_FRAGTIME, 0);
-                consume_skb(clone);
-                goto out_rcu_unlock;
-        }
 out:
         spin_unlock(&qp->q.lock);
 out_rcu_unlock: