1 files changed, 50 insertions, 17 deletions

diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 86964b353c31..b7c41654dde5 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -32,6 +32,9 @@
 #include <linux/netdevice.h>
 #include <linux/jhash.h>
 #include <linux/random.h>
+#include <linux/slab.h>
+#include <net/route.h>
+#include <net/dst.h>
 #include <net/sock.h>
 #include <net/ip.h>
 #include <net/icmp.h>
@@ -121,11 +124,8 @@ static int ip4_frag_match(struct inet_frag_queue *q, void *a)
 }
 
 /* Memory Tracking Functions. */
-static __inline__ void frag_kfree_skb(struct netns_frags *nf,
-                struct sk_buff *skb, int *work)
+static void frag_kfree_skb(struct netns_frags *nf, struct sk_buff *skb)
 {
-        if (work)
-                *work -= skb->truesize;
         atomic_sub(skb->truesize, &nf->mem);
         kfree_skb(skb);
 }
@@ -205,11 +205,34 @@ static void ip_expire(unsigned long arg)
         if ((qp->q.last_in & INET_FRAG_FIRST_IN) && qp->q.fragments != NULL) {
                 struct sk_buff *head = qp->q.fragments;
 
-                /* Send an ICMP "Fragment Reassembly Timeout" message. */
                 rcu_read_lock();
                 head->dev = dev_get_by_index_rcu(net, qp->iif);
-                if (head->dev)
-                        icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
+                if (!head->dev)
+                        goto out_rcu_unlock;
+
+                /*
+                 * Only search router table for the head fragment,
+                 * when defraging timeout at PRE_ROUTING HOOK.
+                 */
+                if (qp->user == IP_DEFRAG_CONNTRACK_IN && !skb_dst(head)) {
+                        const struct iphdr *iph = ip_hdr(head);
+                        int err = ip_route_input(head, iph->daddr, iph->saddr,
+                                                 iph->tos, head->dev);
+                        if (unlikely(err))
+                                goto out_rcu_unlock;
+
+                        /*
+                         * Only an end host needs to send an ICMP
+                         * "Fragment Reassembly Timeout" message, per RFC792.
+                         */
+                        if (skb_rtable(head)->rt_type != RTN_LOCAL)
+                                goto out_rcu_unlock;
+
+                }
+
+                /* Send an ICMP "Fragment Reassembly Timeout" message. */
+                icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
+out_rcu_unlock:
                 rcu_read_unlock();
         }
 out:
@@ -283,7 +306,7 @@ static int ip_frag_reinit(struct ipq *qp)
         fp = qp->q.fragments;
         do {
                 struct sk_buff *xp = fp->next;
-                frag_kfree_skb(qp->q.net, fp, NULL);
+                frag_kfree_skb(qp->q.net, fp);
                 fp = xp;
         } while (fp);
 
@@ -291,6 +314,7 @@ static int ip_frag_reinit(struct ipq *qp)
         qp->q.len = 0;
         qp->q.meat = 0;
         qp->q.fragments = NULL;
+        qp->q.fragments_tail = NULL;
         qp->iif = 0;
 
         return 0;
@@ -363,6 +387,11 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
          * in the chain of fragments so far.  We must know where to put
          * this fragment, right?
          */
+        prev = qp->q.fragments_tail;
+        if (!prev || FRAG_CB(prev)->offset < offset) {
+                next = NULL;
+                goto found;
+        }
         prev = NULL;
         for (next = qp->q.fragments; next != NULL; next = next->next) {
                 if (FRAG_CB(next)->offset >= offset)
@@ -370,6 +399,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
                 prev = next;
         }
 
+found:
         /* We found where to put this one.  Check for overlap with
          * preceding fragment, and, if needed, align things so that
          * any overlaps are eliminated.
@@ -420,7 +450,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
                                 qp->q.fragments = next;
 
                         qp->q.meat -= free_it->len;
-                        frag_kfree_skb(qp->q.net, free_it, NULL);
+                        frag_kfree_skb(qp->q.net, free_it);
                 }
         }
 
@@ -428,6 +458,8 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
 
         /* Insert this fragment in the chain of fragments. */
         skb->next = next;
+        if (!next)
+                qp->q.fragments_tail = skb;
         if (prev)
                 prev->next = skb;
         else
@@ -481,6 +513,8 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
                         goto out_nomem;
 
                 fp->next = head->next;
+                if (!fp->next)
+                        qp->q.fragments_tail = fp;
                 prev->next = fp;
 
                 skb_morph(head, qp->q.fragments);
@@ -530,7 +564,6 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
 
         skb_shinfo(head)->frag_list = head->next;
         skb_push(head, head->data - skb_network_header(head));
-        atomic_sub(head->truesize, &qp->q.net->mem);
 
         for (fp=head->next; fp; fp = fp->next) {
                 head->data_len += fp->len;
@@ -540,8 +573,8 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
                 else if (head->ip_summed == CHECKSUM_COMPLETE)
                         head->csum = csum_add(head->csum, fp->csum);
                 head->truesize += fp->truesize;
-                atomic_sub(fp->truesize, &qp->q.net->mem);
         }
+        atomic_sub(head->truesize, &qp->q.net->mem);
 
         head->next = NULL;
         head->dev = dev;
@@ -552,6 +585,7 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
         iph->tot_len = htons(len);
         IP_INC_STATS_BH(net, IPSTATS_MIB_REASMOKS);
         qp->q.fragments = NULL;
+        qp->q.fragments_tail = NULL;
         return 0;
 
 out_nomem:
@@ -598,6 +632,7 @@ int ip_defrag(struct sk_buff *skb, u32 user)
         kfree_skb(skb);
         return -ENOMEM;
 }
+EXPORT_SYMBOL(ip_defrag);
 
 #ifdef CONFIG_SYSCTL
 static int zero;
@@ -646,7 +681,7 @@ static struct ctl_table ip4_frags_ctl_table[] = {
         { }
 };
 
-static int ip4_frags_ns_ctl_register(struct net *net)
+static int __net_init ip4_frags_ns_ctl_register(struct net *net)
 {
         struct ctl_table *table;
         struct ctl_table_header *hdr;
@@ -676,7 +711,7 @@ err_alloc:
         return -ENOMEM;
 }
 
-static void ip4_frags_ns_ctl_unregister(struct net *net)
+static void __net_exit ip4_frags_ns_ctl_unregister(struct net *net)
 {
         struct ctl_table *table;
 
@@ -704,7 +739,7 @@ static inline void ip4_frags_ctl_register(void)
 }
 #endif
 
-static int ipv4_frags_init_net(struct net *net)
+static int __net_init ipv4_frags_init_net(struct net *net)
 {
         /*
          * Fragment cache limits. We will commit 256K at one time. Should we
@@ -726,7 +761,7 @@ static int ipv4_frags_init_net(struct net *net)
         return ip4_frags_ns_ctl_register(net);
 }
 
-static void ipv4_frags_exit_net(struct net *net)
+static void __net_exit ipv4_frags_exit_net(struct net *net)
 {
         ip4_frags_ns_ctl_unregister(net);
         inet_frags_exit_net(&net->ipv4.frags, &ip4_frags);
@@ -751,5 +786,3 @@ void __init ipfrag_init(void)
         ip4_frags.secret_interval = 10 * 60 * HZ;
         inet_frags_init(&ip4_frags);
 }
-
-EXPORT_SYMBOL(ip_defrag);