1 files changed, 16 insertions, 8 deletions

diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 905a8aee2671..2127da130dc2 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -92,7 +92,9 @@ EXPORT_SYMBOL(ip6_frag_init);
 void ip6_expire_frag_queue(struct net *net, struct frag_queue *fq)
 {
         struct net_device *dev = NULL;
+        struct sk_buff *head;
 
+        rcu_read_lock();
         spin_lock(&fq->q.lock);
 
         if (fq->q.flags & INET_FRAG_COMPLETE)
@@ -100,28 +102,34 @@ void ip6_expire_frag_queue(struct net *net, struct frag_queue *fq)
 
         inet_frag_kill(&fq->q);
 
-        rcu_read_lock();
         dev = dev_get_by_index_rcu(net, fq->iif);
         if (!dev)
-                goto out_rcu_unlock;
+                goto out;
 
         __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS);
         __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMTIMEOUT);
 
         /* Don't send error if the first segment did not arrive. */
-        if (!(fq->q.flags & INET_FRAG_FIRST_IN) || !fq->q.fragments)
-                goto out_rcu_unlock;
+        head = fq->q.fragments;
+        if (!(fq->q.flags & INET_FRAG_FIRST_IN) || !head)
+                goto out;
 
         /* But use as source device on which LAST ARRIVED
          * segment was received. And do not use fq->dev
          * pointer directly, device might already disappeared.
          */
-        fq->q.fragments->dev = dev;
-        icmpv6_send(fq->q.fragments, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
-out_rcu_unlock:
-        rcu_read_unlock();
+        head->dev = dev;
+        skb_get(head);
+        spin_unlock(&fq->q.lock);
+
+        icmpv6_send(head, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
+        kfree_skb(head);
+        goto out_rcu_unlock;
+
 out:
         spin_unlock(&fq->q.lock);
+out_rcu_unlock:
+        rcu_read_unlock();
         inet_frag_put(&fq->q);
 }
 EXPORT_SYMBOL(ip6_expire_frag_queue);