Merge branch 'ipv6-defrag-rbtree'

Peter Oskolkov says: ==================== net: IP defrag: use rbtrees in IPv6 defragmentation Currently, IPv6 defragmentation code drops non-last fragments that are smaller than 1280 bytes: see commit 0ed4229b08 ("ipv6: defrag: drop non-last frags smaller than min mtu") This behavior is not specified in IPv6 RFCs and appears to break compatibility with some IPv6 implementations, as reported here: https://www.spinics.net/lists/netdev/msg543846.html This patchset contains four patches: - patch 1 moves rbtree-related code from IPv4 to files shared b/w IPv4/IPv6 - patch 2 changes IPv6 defragmenation code to use rbtrees for defrag queue - patch 3 changes nf_conntrack IPv6 defragmentation code to use rbtrees - patch 4 changes ip_defrag selftest to test changes made in the previous three patches. Along the way, the 1280-byte restrictions are removed. I plan to introduce similar changes to 6lowpan defragmentation code once I figure out how to test it. ==================== Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-25 21:37:11 -08:00 · 2019-01-25 21:37:11 -08:00 · dda6a7a368
commit dda6a7a368
parent ccaceadc4e 4c3510483d
8 changed files with 523 additions and 656 deletions
--- a/include/net/inet_frag.h
+++ b/include/net/inet_frag.h
@ -77,8 +77,8 @@ struct inet_frag_queue {
 	struct timer_list	timer;
 	spinlock_t		lock;
 	refcount_t		refcnt;
-	struct sk_buff		*fragments;  /* Used in IPv6. */
+	struct sk_buff		*fragments;  /* used in 6lopwpan IPv6. */
-	struct rb_root		rb_fragments; /* Used in IPv4. */
+	struct rb_root		rb_fragments; /* Used in IPv4/IPv6. */
 	struct sk_buff		*fragments_tail;
 	struct sk_buff		*last_run_head;
 	ktime_t			stamp;
@ -153,4 +153,16 @@ static inline void add_frag_mem_limit(struct netns_frags *nf, long val)
 extern const u8 ip_frag_ecn_table[16];
 /* Return values of inet_frag_queue_insert() */
 #define IPFRAG_OK	0
 #define IPFRAG_DUP	1
 #define IPFRAG_OVERLAP	2
 int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb,
 			   int offset, int end);
 void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb,
 			      struct sk_buff *parent);
 void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head,
 			    void *reasm_data);
 struct sk_buff *inet_frag_pull_head(struct inet_frag_queue *q);
 #endif
--- a/include/net/ipv6_frag.h
+++ b/include/net/ipv6_frag.h
@ -82,8 +82,15 @@ ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq)
 	__IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMTIMEOUT);
 	/* Don't send error if the first segment did not arrive. */
-	head = fq->q.fragments;
+	if (!(fq->q.flags & INET_FRAG_FIRST_IN))
-	if (!(fq->q.flags & INET_FRAG_FIRST_IN) || !head)
+		goto out;
 	/* sk_buff::dev and sk_buff::rbnode are unionized. So we
 	 * pull the head out of the tree in order to be able to
 	 * deal with head->dev.
 	 */
 	head = inet_frag_pull_head(&fq->q);
 	if (!head)
 		goto out;
 	head->dev = dev;
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@ -25,6 +25,62 @@
 #include <net/sock.h>
 #include <net/inet_frag.h>
 #include <net/inet_ecn.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
 /* Use skb->cb to track consecutive/adjacent fragments coming at
 * the end of the queue. Nodes in the rb-tree queue will
 * contain "runs" of one or more adjacent fragments.
 *
 * Invariants:
 * - next_frag is NULL at the tail of a "run";
 * - the head of a "run" has the sum of all fragment lengths in frag_run_len.
 */
 struct ipfrag_skb_cb {
 	union {
 		struct inet_skb_parm	h4;
 		struct inet6_skb_parm	h6;
 	};
 	struct sk_buff		*next_frag;
 	int			frag_run_len;
 };
 #define FRAG_CB(skb)		((struct ipfrag_skb_cb *)((skb)->cb))
 static void fragcb_clear(struct sk_buff *skb)
 {
 	RB_CLEAR_NODE(&skb->rbnode);
 	FRAG_CB(skb)->next_frag = NULL;
 	FRAG_CB(skb)->frag_run_len = skb->len;
 }
 /* Append skb to the last "run". */
 static void fragrun_append_to_last(struct inet_frag_queue *q,
 				   struct sk_buff *skb)
 {
 	fragcb_clear(skb);
 	FRAG_CB(q->last_run_head)->frag_run_len += skb->len;
 	FRAG_CB(q->fragments_tail)->next_frag = skb;
 	q->fragments_tail = skb;
 }
 /* Create a new "run" with the skb. */
 static void fragrun_create(struct inet_frag_queue *q, struct sk_buff *skb)
 {
 	BUILD_BUG_ON(sizeof(struct ipfrag_skb_cb) > sizeof(skb->cb));
 	fragcb_clear(skb);
 	if (q->last_run_head)
 		rb_link_node(&skb->rbnode, &q->last_run_head->rbnode,
 			     &q->last_run_head->rbnode.rb_right);
 	else
 		rb_link_node(&skb->rbnode, NULL, &q->rb_fragments.rb_node);
 	rb_insert_color(&skb->rbnode, &q->rb_fragments);
 	q->fragments_tail = skb;
 	q->last_run_head = skb;
 }
 /* Given the OR values of all fragments, apply RFC 3168 5.3 requirements
 * Value : 0xff if frame should be dropped.
@ -123,6 +179,28 @@ static void inet_frag_destroy_rcu(struct rcu_head *head)
 	kmem_cache_free(f->frags_cachep, q);
 }
 unsigned int inet_frag_rbtree_purge(struct rb_root *root)
 {
 	struct rb_node *p = rb_first(root);
 	unsigned int sum = 0;
 	while (p) {
 		struct sk_buff *skb = rb_entry(p, struct sk_buff, rbnode);
 		p = rb_next(p);
 		rb_erase(&skb->rbnode, root);
 		while (skb) {
 			struct sk_buff *next = FRAG_CB(skb)->next_frag;
 			sum += skb->truesize;
 			kfree_skb(skb);
 			skb = next;
 		}
 	}
 	return sum;
 }
 EXPORT_SYMBOL(inet_frag_rbtree_purge);
 void inet_frag_destroy(struct inet_frag_queue *q)
 {
 	struct sk_buff *fp;
@ -224,3 +302,218 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf, void *key)
 	return fq;
 }
 EXPORT_SYMBOL(inet_frag_find);
 int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb,
 			   int offset, int end)
 {
 	struct sk_buff *last = q->fragments_tail;
 	/* RFC5722, Section 4, amended by Errata ID : 3089
 	 *                          When reassembling an IPv6 datagram, if
 	 *   one or more its constituent fragments is determined to be an
 	 *   overlapping fragment, the entire datagram (and any constituent
 	 *   fragments) MUST be silently discarded.
 	 *
 	 * Duplicates, however, should be ignored (i.e. skb dropped, but the
 	 * queue/fragments kept for later reassembly).
 	 */
 	if (!last)
 		fragrun_create(q, skb);  /* First fragment. */
 	else if (last->ip_defrag_offset + last->len < end) {
 		/* This is the common case: skb goes to the end. */
 		/* Detect and discard overlaps. */
 		if (offset < last->ip_defrag_offset + last->len)
 			return IPFRAG_OVERLAP;
 		if (offset == last->ip_defrag_offset + last->len)
 			fragrun_append_to_last(q, skb);
 		else
 			fragrun_create(q, skb);
 	} else {
 		/* Binary search. Note that skb can become the first fragment,
 		 * but not the last (covered above).
 		 */
 		struct rb_node **rbn, *parent;
 		rbn = &q->rb_fragments.rb_node;
 		do {
 			struct sk_buff *curr;
 			int curr_run_end;
 			parent = *rbn;
 			curr = rb_to_skb(parent);
 			curr_run_end = curr->ip_defrag_offset +
 					FRAG_CB(curr)->frag_run_len;
 			if (end <= curr->ip_defrag_offset)
 				rbn = &parent->rb_left;
 			else if (offset >= curr_run_end)
 				rbn = &parent->rb_right;
 			else if (offset >= curr->ip_defrag_offset &&
 				 end <= curr_run_end)
 				return IPFRAG_DUP;
 			else
 				return IPFRAG_OVERLAP;
 		} while (*rbn);
 		/* Here we have parent properly set, and rbn pointing to
 		 * one of its NULL left/right children. Insert skb.
 		 */
 		fragcb_clear(skb);
 		rb_link_node(&skb->rbnode, parent, rbn);
 		rb_insert_color(&skb->rbnode, &q->rb_fragments);
 	}
 	skb->ip_defrag_offset = offset;
 	return IPFRAG_OK;
 }
 EXPORT_SYMBOL(inet_frag_queue_insert);
 void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb,
 			      struct sk_buff *parent)
 {
 	struct sk_buff *fp, *head = skb_rb_first(&q->rb_fragments);
 	struct sk_buff **nextp;
 	int delta;
 	if (head != skb) {
 		fp = skb_clone(skb, GFP_ATOMIC);
 		if (!fp)
 			return NULL;
 		FRAG_CB(fp)->next_frag = FRAG_CB(skb)->next_frag;
 		if (RB_EMPTY_NODE(&skb->rbnode))
 			FRAG_CB(parent)->next_frag = fp;
 		else
 			rb_replace_node(&skb->rbnode, &fp->rbnode,
 					&q->rb_fragments);
 		if (q->fragments_tail == skb)
 			q->fragments_tail = fp;
 		skb_morph(skb, head);
 		FRAG_CB(skb)->next_frag = FRAG_CB(head)->next_frag;
 		rb_replace_node(&head->rbnode, &skb->rbnode,
 				&q->rb_fragments);
 		consume_skb(head);
 		head = skb;
 	}
 	WARN_ON(head->ip_defrag_offset != 0);
 	delta = -head->truesize;
 	/* Head of list must not be cloned. */
 	if (skb_unclone(head, GFP_ATOMIC))
 		return NULL;
 	delta += head->truesize;
 	if (delta)
 		add_frag_mem_limit(q->net, delta);
 	/* If the first fragment is fragmented itself, we split
 	 * it to two chunks: the first with data and paged part
 	 * and the second, holding only fragments.
 	 */
 	if (skb_has_frag_list(head)) {
 		struct sk_buff *clone;
 		int i, plen = 0;
 		clone = alloc_skb(0, GFP_ATOMIC);
 		if (!clone)
 			return NULL;
 		skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list;
 		skb_frag_list_init(head);
 		for (i = 0; i < skb_shinfo(head)->nr_frags; i++)
 			plen += skb_frag_size(&skb_shinfo(head)->frags[i]);
 		clone->data_len = head->data_len - plen;
 		clone->len = clone->data_len;
 		head->truesize += clone->truesize;
 		clone->csum = 0;
 		clone->ip_summed = head->ip_summed;
 		add_frag_mem_limit(q->net, clone->truesize);
 		skb_shinfo(head)->frag_list = clone;
 		nextp = &clone->next;
 	} else {
 		nextp = &skb_shinfo(head)->frag_list;
 	}
 	return nextp;
 }
 EXPORT_SYMBOL(inet_frag_reasm_prepare);
 void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head,
 			    void *reasm_data)
 {
 	struct sk_buff **nextp = (struct sk_buff **)reasm_data;
 	struct rb_node *rbn;
 	struct sk_buff *fp;
 	skb_push(head, head->data - skb_network_header(head));
 	/* Traverse the tree in order, to build frag_list. */
 	fp = FRAG_CB(head)->next_frag;
 	rbn = rb_next(&head->rbnode);
 	rb_erase(&head->rbnode, &q->rb_fragments);
 	while (rbn || fp) {
 		/* fp points to the next sk_buff in the current run;
 		 * rbn points to the next run.
 		 */
 		/* Go through the current run. */
 		while (fp) {
 			*nextp = fp;
 			nextp = &fp->next;
 			fp->prev = NULL;
 			memset(&fp->rbnode, 0, sizeof(fp->rbnode));
 			fp->sk = NULL;
 			head->data_len += fp->len;
 			head->len += fp->len;
 			if (head->ip_summed != fp->ip_summed)
 				head->ip_summed = CHECKSUM_NONE;
 			else if (head->ip_summed == CHECKSUM_COMPLETE)
 				head->csum = csum_add(head->csum, fp->csum);
 			head->truesize += fp->truesize;
 			fp = FRAG_CB(fp)->next_frag;
 		}
 		/* Move to the next run. */
 		if (rbn) {
 			struct rb_node *rbnext = rb_next(rbn);
 			fp = rb_to_skb(rbn);
 			rb_erase(rbn, &q->rb_fragments);
 			rbn = rbnext;
 		}
 	}
 	sub_frag_mem_limit(q->net, head->truesize);
 	*nextp = NULL;
 	skb_mark_not_on_list(head);
 	head->prev = NULL;
 	head->tstamp = q->stamp;
 }
 EXPORT_SYMBOL(inet_frag_reasm_finish);
 struct sk_buff *inet_frag_pull_head(struct inet_frag_queue *q)
 {
 	struct sk_buff *head;
 	if (q->fragments) {
 		head = q->fragments;
 		q->fragments = head->next;
 	} else {
 		struct sk_buff *skb;
 		head = skb_rb_first(&q->rb_fragments);
 		if (!head)
 			return NULL;
 		skb = FRAG_CB(head)->next_frag;
 		if (skb)
 			rb_replace_node(&head->rbnode, &skb->rbnode,
 					&q->rb_fragments);
 		else
 			rb_erase(&head->rbnode, &q->rb_fragments);
 		memset(&head->rbnode, 0, sizeof(head->rbnode));
 		barrier();
 	}
 	if (head == q->fragments_tail)
 		q->fragments_tail = NULL;
 	sub_frag_mem_limit(q->net, head->truesize);
 	return head;
 }
 EXPORT_SYMBOL(inet_frag_pull_head);
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@ -57,57 +57,6 @@
 */
 static const char ip_frag_cache_name[] = "ip4-frags";
 /* Use skb->cb to track consecutive/adjacent fragments coming at
 * the end of the queue. Nodes in the rb-tree queue will
 * contain "runs" of one or more adjacent fragments.
 *
 * Invariants:
 * - next_frag is NULL at the tail of a "run";
 * - the head of a "run" has the sum of all fragment lengths in frag_run_len.
 */
 struct ipfrag_skb_cb {
 	struct inet_skb_parm	h;
 	struct sk_buff		*next_frag;
 	int			frag_run_len;
 };
 #define FRAG_CB(skb)		((struct ipfrag_skb_cb *)((skb)->cb))
 static void ip4_frag_init_run(struct sk_buff *skb)
 {
 	BUILD_BUG_ON(sizeof(struct ipfrag_skb_cb) > sizeof(skb->cb));
 	FRAG_CB(skb)->next_frag = NULL;
 	FRAG_CB(skb)->frag_run_len = skb->len;
 }
 /* Append skb to the last "run". */
 static void ip4_frag_append_to_last_run(struct inet_frag_queue *q,
 					struct sk_buff *skb)
 {
 	RB_CLEAR_NODE(&skb->rbnode);
 	FRAG_CB(skb)->next_frag = NULL;
 	FRAG_CB(q->last_run_head)->frag_run_len += skb->len;
 	FRAG_CB(q->fragments_tail)->next_frag = skb;
 	q->fragments_tail = skb;
 }
 /* Create a new "run" with the skb. */
 static void ip4_frag_create_run(struct inet_frag_queue *q, struct sk_buff *skb)
 {
 	if (q->last_run_head)
 		rb_link_node(&skb->rbnode, &q->last_run_head->rbnode,
 			     &q->last_run_head->rbnode.rb_right);
 	else
 		rb_link_node(&skb->rbnode, NULL, &q->rb_fragments.rb_node);
 	rb_insert_color(&skb->rbnode, &q->rb_fragments);
 	ip4_frag_init_run(skb);
 	q->fragments_tail = skb;
 	q->last_run_head = skb;
 }
 /* Describe an entry in the "incomplete datagrams" queue. */
 struct ipq {
 	struct inet_frag_queue q;
@ -212,27 +161,9 @@ static void ip_expire(struct timer_list *t)
 	 * pull the head out of the tree in order to be able to
 	 * deal with head->dev.
 	 */
-	if (qp->q.fragments) {
+	head = inet_frag_pull_head(&qp->q);
 		head = qp->q.fragments;
 		qp->q.fragments = head->next;
 	} else {
 		head = skb_rb_first(&qp->q.rb_fragments);
 	if (!head)
 		goto out;
 		if (FRAG_CB(head)->next_frag)
 			rb_replace_node(&head->rbnode,
 					&FRAG_CB(head)->next_frag->rbnode,
 					&qp->q.rb_fragments);
 		else
 			rb_erase(&head->rbnode, &qp->q.rb_fragments);
 		memset(&head->rbnode, 0, sizeof(head->rbnode));
 		barrier();
 	}
 	if (head == qp->q.fragments_tail)
 		qp->q.fragments_tail = NULL;
 	sub_frag_mem_limit(qp->q.net, head->truesize);
 	head->dev = dev_get_by_index_rcu(net, qp->iif);
 	if (!head->dev)
 		goto out;
@ -344,12 +275,10 @@ static int ip_frag_reinit(struct ipq *qp)
 static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
 {
 	struct net *net = container_of(qp->q.net, struct net, ipv4.frags);
-	struct rb_node **rbn, *parent;
+	int ihl, end, flags, offset;
-	struct sk_buff *skb1, *prev_tail;
+	struct sk_buff *prev_tail;
 	int ihl, end, skb1_run_end;
 	struct net_device *dev;
 	unsigned int fragsize;
 	int flags, offset;
 	int err = -ENOENT;
 	u8 ecn;
@ -413,62 +342,13 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
 	/* Makes sure compiler wont do silly aliasing games */
 	barrier();
 	/* RFC5722, Section 4, amended by Errata ID : 3089
 	 *                          When reassembling an IPv6 datagram, if
 	 *   one or more its constituent fragments is determined to be an
 	 *   overlapping fragment, the entire datagram (and any constituent
 	 *   fragments) MUST be silently discarded.
 	 *
 	 * We do the same here for IPv4 (and increment an snmp counter) but
 	 * we do not want to drop the whole queue in response to a duplicate
 	 * fragment.
 	 */
 	err = -EINVAL;
 	/* Find out where to put this fragment.  */
 	prev_tail = qp->q.fragments_tail;
-	if (!prev_tail)
+	err = inet_frag_queue_insert(&qp->q, skb, offset, end);
-		ip4_frag_create_run(&qp->q, skb);  /* First fragment. */
+	if (err)
-	else if (prev_tail->ip_defrag_offset + prev_tail->len < end) {
+		goto insert_error;
 		/* This is the common case: skb goes to the end. */
 		/* Detect and discard overlaps. */
 		if (offset < prev_tail->ip_defrag_offset + prev_tail->len)
 			goto overlap;
 		if (offset == prev_tail->ip_defrag_offset + prev_tail->len)
 			ip4_frag_append_to_last_run(&qp->q, skb);
 		else
 			ip4_frag_create_run(&qp->q, skb);
 	} else {
 		/* Binary search. Note that skb can become the first fragment,
 		 * but not the last (covered above).
 		 */
 		rbn = &qp->q.rb_fragments.rb_node;
 		do {
 			parent = *rbn;
 			skb1 = rb_to_skb(parent);
 			skb1_run_end = skb1->ip_defrag_offset +
 				       FRAG_CB(skb1)->frag_run_len;
 			if (end <= skb1->ip_defrag_offset)
 				rbn = &parent->rb_left;
 			else if (offset >= skb1_run_end)
 				rbn = &parent->rb_right;
 			else if (offset >= skb1->ip_defrag_offset &&
 				 end <= skb1_run_end)
 				goto err; /* No new data, potential duplicate */
 			else
 				goto overlap; /* Found an overlap */
 		} while (*rbn);
 		/* Here we have parent properly set, and rbn pointing to
 		 * one of its NULL left/right children. Insert skb.
 		 */
 		ip4_frag_init_run(skb);
 		rb_link_node(&skb->rbnode, parent, rbn);
 		rb_insert_color(&skb->rbnode, &qp->q.rb_fragments);
 	}
 	if (dev)
 		qp->iif = dev->ifindex;
 	skb->ip_defrag_offset = offset;
 	qp->q.stamp = skb->tstamp;
 	qp->q.meat += skb->len;
@ -501,10 +381,16 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
 	skb_dst_drop(skb);
 	return -EINPROGRESS;
-overlap:
+insert_error:
 	if (err == IPFRAG_DUP) {
 		kfree_skb(skb);
 		return -EINVAL;
 	}
 	err = -EINVAL;
 	__IP_INC_STATS(net, IPSTATS_MIB_REASM_OVERLAPS);
 discard_qp:
 	inet_frag_kill(&qp->q);
 	__IP_INC_STATS(net, IPSTATS_MIB_REASMFAILS);
 err:
 	kfree_skb(skb);
 	return err;
@ -516,13 +402,8 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
 {
 	struct net *net = container_of(qp->q.net, struct net, ipv4.frags);
 	struct iphdr *iph;
-	struct sk_buff *fp, *head = skb_rb_first(&qp->q.rb_fragments);
+	void *reasm_data;
-	struct sk_buff **nextp; /* To build frag_list. */
+	int len, err;
 	struct rb_node *rbn;
 	int len;
 	int ihlen;
 	int delta;
 	int err;
 	u8 ecn;
 	ipq_kill(qp);
@ -532,117 +413,23 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
 		err = -EINVAL;
 		goto out_fail;
 	}
 	/* Make the one we just received the head. */
-	if (head != skb) {
+	reasm_data = inet_frag_reasm_prepare(&qp->q, skb, prev_tail);
-		fp = skb_clone(skb, GFP_ATOMIC);
+	if (!reasm_data)
 		if (!fp)
 		goto out_nomem;
 		FRAG_CB(fp)->next_frag = FRAG_CB(skb)->next_frag;
 		if (RB_EMPTY_NODE(&skb->rbnode))
 			FRAG_CB(prev_tail)->next_frag = fp;
 		else
 			rb_replace_node(&skb->rbnode, &fp->rbnode,
 					&qp->q.rb_fragments);
 		if (qp->q.fragments_tail == skb)
 			qp->q.fragments_tail = fp;
 		skb_morph(skb, head);
 		FRAG_CB(skb)->next_frag = FRAG_CB(head)->next_frag;
 		rb_replace_node(&head->rbnode, &skb->rbnode,
 				&qp->q.rb_fragments);
 		consume_skb(head);
 		head = skb;
 	}
 	WARN_ON(head->ip_defrag_offset != 0);
 	/* Allocate a new buffer for the datagram. */
 	ihlen = ip_hdrlen(head);
 	len = ihlen + qp->q.len;
 	len = ip_hdrlen(skb) + qp->q.len;
 	err = -E2BIG;
 	if (len > 65535)
 		goto out_oversize;
-	delta = - head->truesize;
+	inet_frag_reasm_finish(&qp->q, skb, reasm_data);
-	/* Head of list must not be cloned. */
+	skb->dev = dev;
-	if (skb_unclone(head, GFP_ATOMIC))
+	IPCB(skb)->frag_max_size = max(qp->max_df_size, qp->q.max_size);
 		goto out_nomem;
-	delta += head->truesize;
+	iph = ip_hdr(skb);
 	if (delta)
 		add_frag_mem_limit(qp->q.net, delta);
 	/* If the first fragment is fragmented itself, we split
 	 * it to two chunks: the first with data and paged part
 	 * and the second, holding only fragments. */
 	if (skb_has_frag_list(head)) {
 		struct sk_buff *clone;
 		int i, plen = 0;
 		clone = alloc_skb(0, GFP_ATOMIC);
 		if (!clone)
 			goto out_nomem;
 		skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list;
 		skb_frag_list_init(head);
 		for (i = 0; i < skb_shinfo(head)->nr_frags; i++)
 			plen += skb_frag_size(&skb_shinfo(head)->frags[i]);
 		clone->len = clone->data_len = head->data_len - plen;
 		head->truesize += clone->truesize;
 		clone->csum = 0;
 		clone->ip_summed = head->ip_summed;
 		add_frag_mem_limit(qp->q.net, clone->truesize);
 		skb_shinfo(head)->frag_list = clone;
 		nextp = &clone->next;
 	} else {
 		nextp = &skb_shinfo(head)->frag_list;
 	}
 	skb_push(head, head->data - skb_network_header(head));
 	/* Traverse the tree in order, to build frag_list. */
 	fp = FRAG_CB(head)->next_frag;
 	rbn = rb_next(&head->rbnode);
 	rb_erase(&head->rbnode, &qp->q.rb_fragments);
 	while (rbn || fp) {
 		/* fp points to the next sk_buff in the current run;
 		 * rbn points to the next run.
 		 */
 		/* Go through the current run. */
 		while (fp) {
 			*nextp = fp;
 			nextp = &fp->next;
 			fp->prev = NULL;
 			memset(&fp->rbnode, 0, sizeof(fp->rbnode));
 			fp->sk = NULL;
 			head->data_len += fp->len;
 			head->len += fp->len;
 			if (head->ip_summed != fp->ip_summed)
 				head->ip_summed = CHECKSUM_NONE;
 			else if (head->ip_summed == CHECKSUM_COMPLETE)
 				head->csum = csum_add(head->csum, fp->csum);
 			head->truesize += fp->truesize;
 			fp = FRAG_CB(fp)->next_frag;
 		}
 		/* Move to the next run. */
 		if (rbn) {
 			struct rb_node *rbnext = rb_next(rbn);
 			fp = rb_to_skb(rbn);
 			rb_erase(rbn, &qp->q.rb_fragments);
 			rbn = rbnext;
 		}
 	}
 	sub_frag_mem_limit(qp->q.net, head->truesize);
 	*nextp = NULL;
 	skb_mark_not_on_list(head);
 	head->prev = NULL;
 	head->dev = dev;
 	head->tstamp = qp->q.stamp;
 	IPCB(head)->frag_max_size = max(qp->max_df_size, qp->q.max_size);
 	iph = ip_hdr(head);
 	iph->tot_len = htons(len);
 	iph->tos |= ecn;
@ -655,7 +442,7 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
 	 * from one very small df-fragment and one large non-df frag.
 	 */
 	if (qp->max_df_size == qp->q.max_size) {
-		IPCB(head)->flags |= IPSKB_FRAG_PMTU;
+		IPCB(skb)->flags |= IPSKB_FRAG_PMTU;
 		iph->frag_off = htons(IP_DF);
 	} else {
 		iph->frag_off = 0;
@ -753,28 +540,6 @@ struct sk_buff *ip_check_defrag(struct net *net, struct sk_buff *skb, u32 user)
 }
 EXPORT_SYMBOL(ip_check_defrag);
 unsigned int inet_frag_rbtree_purge(struct rb_root *root)
 {
 	struct rb_node *p = rb_first(root);
 	unsigned int sum = 0;
 	while (p) {
 		struct sk_buff *skb = rb_entry(p, struct sk_buff, rbnode);
 		p = rb_next(p);
 		rb_erase(&skb->rbnode, root);
 		while (skb) {
 			struct sk_buff *next = FRAG_CB(skb)->next_frag;
 			sum += skb->truesize;
 			kfree_skb(skb);
 			skb = next;
 		}
 	}
 	return sum;
 }
 EXPORT_SYMBOL(inet_frag_rbtree_purge);
 #ifdef CONFIG_SYSCTL
 static int dist_min;
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@ -136,6 +136,9 @@ static void __net_exit nf_ct_frags6_sysctl_unregister(struct net *net)
 }
 #endif
 static int nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *skb,
 			     struct sk_buff *prev_tail, struct net_device *dev);
 static inline u8 ip6_frag_ecn(const struct ipv6hdr *ipv6h)
 {
 	return 1 << (ipv6_get_dsfield(ipv6h) & INET_ECN_MASK);
@ -177,9 +180,10 @@ static struct frag_queue *fq_find(struct net *net, __be32 id, u32 user,
 static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
 			     const struct frag_hdr *fhdr, int nhoff)
 {
 	struct sk_buff *prev, *next;
 	unsigned int payload_len;
-	int offset, end;
+	struct net_device *dev;
 	struct sk_buff *prev;
 	int offset, end, err;
 	u8 ecn;
 	if (fq->q.flags & INET_FRAG_COMPLETE) {
@ -254,55 +258,18 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
 		goto err;
 	}
-	/* Find out which fragments are in front and at the back of us
+	/* Note : skb->rbnode and skb->dev share the same location. */
-	 * in the chain of fragments so far.  We must know where to put
+	dev = skb->dev;
 	 * this fragment, right?
 	 */
 	prev = fq->q.fragments_tail;
 	if (!prev || prev->ip_defrag_offset < offset) {
 		next = NULL;
 		goto found;
 	}
 	prev = NULL;
 	for (next = fq->q.fragments; next != NULL; next = next->next) {
 		if (next->ip_defrag_offset >= offset)
 			break;	/* bingo! */
 		prev = next;
 	}
 found:
 	/* RFC5722, Section 4:
 	 *                                  When reassembling an IPv6 datagram, if
 	 *   one or more its constituent fragments is determined to be an
 	 *   overlapping fragment, the entire datagram (and any constituent
 	 *   fragments, including those not yet received) MUST be silently
 	 *   discarded.
 	 */
 	/* Check for overlap with preceding fragment. */
 	if (prev &&
 	    (prev->ip_defrag_offset + prev->len) > offset)
 		goto discard_fq;
 	/* Look for overlap with succeeding segment. */
 	if (next && next->ip_defrag_offset < end)
 		goto discard_fq;
 	/* Note : skb->ip_defrag_offset and skb->dev share the same location */
 	if (skb->dev)
 		fq->iif = skb->dev->ifindex;
 	/* Makes sure compiler wont do silly aliasing games */
 	barrier();
 	skb->ip_defrag_offset = offset;
-	/* Insert this fragment in the chain of fragments. */
+	prev = fq->q.fragments_tail;
-	skb->next = next;
+	err = inet_frag_queue_insert(&fq->q, skb, offset, end);
-	if (!next)
+	if (err)
-		fq->q.fragments_tail = skb;
+		goto insert_error;
-	if (prev)
+
-		prev->next = skb;
+	if (dev)
-	else
+		fq->iif = dev->ifindex;
 		fq->q.fragments = skb;
 	fq->q.stamp = skb->tstamp;
 	fq->q.meat += skb->len;
@ -319,11 +286,25 @@ found:
 		fq->q.flags |= INET_FRAG_FIRST_IN;
 	}
-	return 0;
+	if (fq->q.flags == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
 	    fq->q.meat == fq->q.len) {
 		unsigned long orefdst = skb->_skb_refdst;
-discard_fq:
+		skb->_skb_refdst = 0UL;
 		err = nf_ct_frag6_reasm(fq, skb, prev, dev);
 		skb->_skb_refdst = orefdst;
 		return err;
 	}
 	skb_dst_drop(skb);
 	return -EINPROGRESS;
 insert_error:
 	if (err == IPFRAG_DUP)
 		goto err;
 	inet_frag_kill(&fq->q);
 err:
 	skb_dst_drop(skb);
 	return -EINVAL;
 }
@ -333,147 +314,67 @@ err:
 *	It is called with locked fq, and caller must check that
 *	queue is eligible for reassembly i.e. it is not COMPLETE,
 *	the last and the first frames arrived and all the bits are here.
 *
 *	returns true if *prev skb has been transformed into the reassembled
 *	skb, false otherwise.
 */
-static bool
+static int nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *skb,
-nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *prev,  struct net_device *dev)
+			     struct sk_buff *prev_tail, struct net_device *dev)
 {
-	struct sk_buff *fp, *head = fq->q.fragments;
+	void *reasm_data;
-	int    payload_len, delta;
+	int payload_len;
 	u8 ecn;
 	inet_frag_kill(&fq->q);
 	WARN_ON(head == NULL);
 	WARN_ON(head->ip_defrag_offset != 0);
 	ecn = ip_frag_ecn_table[fq->ecn];
 	if (unlikely(ecn == 0xff))
-		return false;
+		goto err;
-	/* Unfragmented part is taken from the first segment. */
+	reasm_data = inet_frag_reasm_prepare(&fq->q, skb, prev_tail);
-	payload_len = ((head->data - skb_network_header(head)) -
+	if (!reasm_data)
 		goto err;
 	payload_len = ((skb->data - skb_network_header(skb)) -
 		       sizeof(struct ipv6hdr) + fq->q.len -
 		       sizeof(struct frag_hdr));
 	if (payload_len > IPV6_MAXPLEN) {
 		net_dbg_ratelimited("nf_ct_frag6_reasm: payload len = %d\n",
 				    payload_len);
-		return false;
+		goto err;
 	}
 	delta = - head->truesize;
 	/* Head of list must not be cloned. */
 	if (skb_unclone(head, GFP_ATOMIC))
 		return false;
 	delta += head->truesize;
 	if (delta)
 		add_frag_mem_limit(fq->q.net, delta);
 	/* If the first fragment is fragmented itself, we split
 	 * it to two chunks: the first with data and paged part
 	 * and the second, holding only fragments. */
 	if (skb_has_frag_list(head)) {
 		struct sk_buff *clone;
 		int i, plen = 0;
 		clone = alloc_skb(0, GFP_ATOMIC);
 		if (clone == NULL)
 			return false;
 		clone->next = head->next;
 		head->next = clone;
 		skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list;
 		skb_frag_list_init(head);
 		for (i = 0; i < skb_shinfo(head)->nr_frags; i++)
 			plen += skb_frag_size(&skb_shinfo(head)->frags[i]);
 		clone->len = clone->data_len = head->data_len - plen;
 		head->data_len -= clone->len;
 		head->len -= clone->len;
 		clone->csum = 0;
 		clone->ip_summed = head->ip_summed;
 		add_frag_mem_limit(fq->q.net, clone->truesize);
 	}
 	/* morph head into last received skb: prev.
 	 *
 	 * This allows callers of ipv6 conntrack defrag to continue
 	 * to use the last skb(frag) passed into the reasm engine.
 	 * The last skb frag 'silently' turns into the full reassembled skb.
 	 *
 	 * Since prev is also part of q->fragments we have to clone it first.
 	 */
 	if (head != prev) {
 		struct sk_buff *iter;
 		fp = skb_clone(prev, GFP_ATOMIC);
 		if (!fp)
 			return false;
 		fp->next = prev->next;
 		iter = head;
 		while (iter) {
 			if (iter->next == prev) {
 				iter->next = fp;
 				break;
 			}
 			iter = iter->next;
 		}
 		skb_morph(prev, head);
 		prev->next = head->next;
 		consume_skb(head);
 		head = prev;
 	}
 	/* We have to remove fragment header from datagram and to relocate
 	 * header in order to calculate ICV correctly. */
-	skb_network_header(head)[fq->nhoffset] = skb_transport_header(head)[0];
+	skb_network_header(skb)[fq->nhoffset] = skb_transport_header(skb)[0];
-	memmove(head->head + sizeof(struct frag_hdr), head->head,
+	memmove(skb->head + sizeof(struct frag_hdr), skb->head,
-		(head->data - head->head) - sizeof(struct frag_hdr));
+		(skb->data - skb->head) - sizeof(struct frag_hdr));
-	head->mac_header += sizeof(struct frag_hdr);
+	skb->mac_header += sizeof(struct frag_hdr);
-	head->network_header += sizeof(struct frag_hdr);
+	skb->network_header += sizeof(struct frag_hdr);
-	skb_shinfo(head)->frag_list = head->next;
+	skb_reset_transport_header(skb);
 	skb_reset_transport_header(head);
 	skb_push(head, head->data - skb_network_header(head));
-	for (fp = head->next; fp; fp = fp->next) {
+	inet_frag_reasm_finish(&fq->q, skb, reasm_data);
 		head->data_len += fp->len;
 		head->len += fp->len;
 		if (head->ip_summed != fp->ip_summed)
 			head->ip_summed = CHECKSUM_NONE;
 		else if (head->ip_summed == CHECKSUM_COMPLETE)
 			head->csum = csum_add(head->csum, fp->csum);
 		head->truesize += fp->truesize;
 		fp->sk = NULL;
 	}
 	sub_frag_mem_limit(fq->q.net, head->truesize);
-	head->ignore_df = 1;
+	skb->ignore_df = 1;
-	skb_mark_not_on_list(head);
+	skb->dev = dev;
-	head->dev = dev;
+	ipv6_hdr(skb)->payload_len = htons(payload_len);
-	head->tstamp = fq->q.stamp;
+	ipv6_change_dsfield(ipv6_hdr(skb), 0xff, ecn);
-	ipv6_hdr(head)->payload_len = htons(payload_len);
+	IP6CB(skb)->frag_max_size = sizeof(struct ipv6hdr) + fq->q.max_size;
 	ipv6_change_dsfield(ipv6_hdr(head), 0xff, ecn);
 	IP6CB(head)->frag_max_size = sizeof(struct ipv6hdr) + fq->q.max_size;
 	/* Yes, and fold redundant checksum back. 8) */
-	if (head->ip_summed == CHECKSUM_COMPLETE)
+	if (skb->ip_summed == CHECKSUM_COMPLETE)
-		head->csum = csum_partial(skb_network_header(head),
+		skb->csum = csum_partial(skb_network_header(skb),
-					  skb_network_header_len(head),
+					 skb_network_header_len(skb),
-					  head->csum);
+					 skb->csum);
 	fq->q.fragments = NULL;
 	fq->q.rb_fragments = RB_ROOT;
 	fq->q.fragments_tail = NULL;
 	fq->q.last_run_head = NULL;
-	return true;
+	return 0;
 err:
 	inet_frag_kill(&fq->q);
 	return -EINVAL;
 }
 /*
@ -542,7 +443,6 @@ find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff)
 int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
 {
 	u16 savethdr = skb->transport_header;
 	struct net_device *dev = skb->dev;
 	int fhoff, nhoff, ret;
 	struct frag_hdr *fhdr;
 	struct frag_queue *fq;
@ -565,10 +465,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
 	hdr = ipv6_hdr(skb);
 	fhdr = (struct frag_hdr *)skb_transport_header(skb);
 	if (skb->len - skb_network_offset(skb) < IPV6_MIN_MTU &&
 	    fhdr->frag_off & htons(IP6_MF))
 		return -EINVAL;
 	skb_orphan(skb);
 	fq = fq_find(net, fhdr->identification, user, hdr,
 		     skb->dev ? skb->dev->ifindex : 0);
@ -580,31 +476,17 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
 	spin_lock_bh(&fq->q.lock);
 	ret = nf_ct_frag6_queue(fq, skb, fhdr, nhoff);
 	if (ret < 0) {
 	if (ret == -EPROTO) {
 		skb->transport_header = savethdr;
 		ret = 0;
 	}
 		goto out_unlock;
 	}
 	/* after queue has assumed skb ownership, only 0 or -EINPROGRESS
 	 * must be returned.
 	 */
 	if (ret)
 		ret = -EINPROGRESS;
 	if (fq->q.flags == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
 	    fq->q.meat == fq->q.len) {
 		unsigned long orefdst = skb->_skb_refdst;
 		skb->_skb_refdst = 0UL;
 		if (nf_ct_frag6_reasm(fq, skb, dev))
 			ret = 0;
 		skb->_skb_refdst = orefdst;
 	} else {
 		skb_dst_drop(skb);
 	}
 out_unlock:
 	spin_unlock_bh(&fq->q.lock);
 	inet_frag_put(&fq->q);
 	return ret;
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@ -69,8 +69,8 @@ static u8 ip6_frag_ecn(const struct ipv6hdr *ipv6h)
 static struct inet_frags ip6_frags;
-static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
+static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb,
-			  struct net_device *dev);
+			  struct sk_buff *prev_tail, struct net_device *dev);
 static void ip6_frag_expire(struct timer_list *t)
 {
@ -111,21 +111,26 @@ static int ip6_frag_queue(struct frag_queue *fq, struct sk_buff *skb,
 			  struct frag_hdr *fhdr, int nhoff,
 			  u32 *prob_offset)
 {
 	struct sk_buff *prev, *next;
 	struct net_device *dev;
 	int offset, end, fragsize;
 	struct net *net = dev_net(skb_dst(skb)->dev);
 	int offset, end, fragsize;
 	struct sk_buff *prev_tail;
 	struct net_device *dev;
 	int err = -ENOENT;
 	u8 ecn;
 	if (fq->q.flags & INET_FRAG_COMPLETE)
 		goto err;
 	err = -EINVAL;
 	offset = ntohs(fhdr->frag_off) & ~0x7;
 	end = offset + (ntohs(ipv6_hdr(skb)->payload_len) -
 			((u8 *)(fhdr + 1) - (u8 *)(ipv6_hdr(skb) + 1)));
 	if ((unsigned int)end > IPV6_MAXPLEN) {
 		*prob_offset = (u8 *)&fhdr->frag_off - skb_network_header(skb);
 		/* note that if prob_offset is set, the skb is freed elsewhere,
 		 * we do not free it here.
 		 */
 		return -1;
 	}
@ -170,62 +175,27 @@ static int ip6_frag_queue(struct frag_queue *fq, struct sk_buff *skb,
 	if (end == offset)
 		goto discard_fq;
 	err = -ENOMEM;
 	/* Point into the IP datagram 'data' part. */
 	if (!pskb_pull(skb, (u8 *) (fhdr + 1) - skb->data))
 		goto discard_fq;
-	if (pskb_trim_rcsum(skb, end - offset))
+	err = pskb_trim_rcsum(skb, end - offset);
 	if (err)
 		goto discard_fq;
-	/* Find out which fragments are in front and at the back of us
+	/* Note : skb->rbnode and skb->dev share the same location. */
 	 * in the chain of fragments so far.  We must know where to put
 	 * this fragment, right?
 	 */
 	prev = fq->q.fragments_tail;
 	if (!prev || prev->ip_defrag_offset < offset) {
 		next = NULL;
 		goto found;
 	}
 	prev = NULL;
 	for (next = fq->q.fragments; next != NULL; next = next->next) {
 		if (next->ip_defrag_offset >= offset)
 			break;	/* bingo! */
 		prev = next;
 	}
 found:
 	/* RFC5722, Section 4, amended by Errata ID : 3089
 	 *                          When reassembling an IPv6 datagram, if
 	 *   one or more its constituent fragments is determined to be an
 	 *   overlapping fragment, the entire datagram (and any constituent
 	 *   fragments) MUST be silently discarded.
 	 */
 	/* Check for overlap with preceding fragment. */
 	if (prev &&
 	    (prev->ip_defrag_offset + prev->len) > offset)
 		goto discard_fq;
 	/* Look for overlap with succeeding segment. */
 	if (next && next->ip_defrag_offset < end)
 		goto discard_fq;
 	/* Note : skb->ip_defrag_offset and skb->sk share the same location */
 	dev = skb->dev;
 	if (dev)
 		fq->iif = dev->ifindex;
 	/* Makes sure compiler wont do silly aliasing games */
 	barrier();
 	skb->ip_defrag_offset = offset;
-	/* Insert this fragment in the chain of fragments. */
+	prev_tail = fq->q.fragments_tail;
-	skb->next = next;
+	err = inet_frag_queue_insert(&fq->q, skb, offset, end);
-	if (!next)
+	if (err)
-		fq->q.fragments_tail = skb;
+		goto insert_error;
-	if (prev)
+
-		prev->next = skb;
+	if (dev)
-	else
+		fq->iif = dev->ifindex;
 		fq->q.fragments = skb;
 	fq->q.stamp = skb->tstamp;
 	fq->q.meat += skb->len;
@ -246,44 +216,48 @@ found:
 	if (fq->q.flags == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
 	    fq->q.meat == fq->q.len) {
 		int res;
 		unsigned long orefdst = skb->_skb_refdst;
 		skb->_skb_refdst = 0UL;
-		res = ip6_frag_reasm(fq, prev, dev);
+		err = ip6_frag_reasm(fq, skb, prev_tail, dev);
 		skb->_skb_refdst = orefdst;
-		return res;
+		return err;
 	}
 	skb_dst_drop(skb);
-	return -1;
+	return -EINPROGRESS;
 insert_error:
 	if (err == IPFRAG_DUP) {
 		kfree_skb(skb);
 		return -EINVAL;
 	}
 	err = -EINVAL;
 	__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
 			IPSTATS_MIB_REASM_OVERLAPS);
 discard_fq:
 	inet_frag_kill(&fq->q);
 err:
 	__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
 			IPSTATS_MIB_REASMFAILS);
 err:
 	kfree_skb(skb);
-	return -1;
+	return err;
 }
 /*
 *	Check if this packet is complete.
 *	Returns NULL on failure by any reason, and pointer
 *	to current nexthdr field in reassembled frame.
 *
 *	It is called with locked fq, and caller must check that
 *	queue is eligible for reassembly i.e. it is not COMPLETE,
 *	the last and the first frames arrived and all the bits are here.
 */
-static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
+static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb,
-			  struct net_device *dev)
+			  struct sk_buff *prev_tail, struct net_device *dev)
 {
 	struct net *net = container_of(fq->q.net, struct net, ipv6.frags);
 	struct sk_buff *fp, *head = fq->q.fragments;
 	int    payload_len, delta;
 	unsigned int nhoff;
-	int sum_truesize;
+	void *reasm_data;
 	int payload_len;
 	u8 ecn;
 	inet_frag_kill(&fq->q);
@ -292,121 +266,40 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
 	if (unlikely(ecn == 0xff))
 		goto out_fail;
-	/* Make the one we just received the head. */
+	reasm_data = inet_frag_reasm_prepare(&fq->q, skb, prev_tail);
-	if (prev) {
+	if (!reasm_data)
 		head = prev->next;
 		fp = skb_clone(head, GFP_ATOMIC);
 		if (!fp)
 		goto out_oom;
-		fp->next = head->next;
+	payload_len = ((skb->data - skb_network_header(skb)) -
 		if (!fp->next)
 			fq->q.fragments_tail = fp;
 		prev->next = fp;
 		skb_morph(head, fq->q.fragments);
 		head->next = fq->q.fragments->next;
 		consume_skb(fq->q.fragments);
 		fq->q.fragments = head;
 	}
 	WARN_ON(head == NULL);
 	WARN_ON(head->ip_defrag_offset != 0);
 	/* Unfragmented part is taken from the first segment. */
 	payload_len = ((head->data - skb_network_header(head)) -
 		       sizeof(struct ipv6hdr) + fq->q.len -
 		       sizeof(struct frag_hdr));
 	if (payload_len > IPV6_MAXPLEN)
 		goto out_oversize;
 	delta = - head->truesize;
 	/* Head of list must not be cloned. */
 	if (skb_unclone(head, GFP_ATOMIC))
 		goto out_oom;
 	delta += head->truesize;
 	if (delta)
 		add_frag_mem_limit(fq->q.net, delta);
 	/* If the first fragment is fragmented itself, we split
 	 * it to two chunks: the first with data and paged part
 	 * and the second, holding only fragments. */
 	if (skb_has_frag_list(head)) {
 		struct sk_buff *clone;
 		int i, plen = 0;
 		clone = alloc_skb(0, GFP_ATOMIC);
 		if (!clone)
 			goto out_oom;
 		clone->next = head->next;
 		head->next = clone;
 		skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list;
 		skb_frag_list_init(head);
 		for (i = 0; i < skb_shinfo(head)->nr_frags; i++)
 			plen += skb_frag_size(&skb_shinfo(head)->frags[i]);
 		clone->len = clone->data_len = head->data_len - plen;
 		head->data_len -= clone->len;
 		head->len -= clone->len;
 		clone->csum = 0;
 		clone->ip_summed = head->ip_summed;
 		add_frag_mem_limit(fq->q.net, clone->truesize);
 	}
 	/* We have to remove fragment header from datagram and to relocate
 	 * header in order to calculate ICV correctly. */
 	nhoff = fq->nhoffset;
-	skb_network_header(head)[nhoff] = skb_transport_header(head)[0];
+	skb_network_header(skb)[nhoff] = skb_transport_header(skb)[0];
-	memmove(head->head + sizeof(struct frag_hdr), head->head,
+	memmove(skb->head + sizeof(struct frag_hdr), skb->head,
-		(head->data - head->head) - sizeof(struct frag_hdr));
+		(skb->data - skb->head) - sizeof(struct frag_hdr));
-	if (skb_mac_header_was_set(head))
+	if (skb_mac_header_was_set(skb))
-		head->mac_header += sizeof(struct frag_hdr);
+		skb->mac_header += sizeof(struct frag_hdr);
-	head->network_header += sizeof(struct frag_hdr);
+	skb->network_header += sizeof(struct frag_hdr);
-	skb_reset_transport_header(head);
+	skb_reset_transport_header(skb);
 	skb_push(head, head->data - skb_network_header(head));
-	sum_truesize = head->truesize;
+	inet_frag_reasm_finish(&fq->q, skb, reasm_data);
 	for (fp = head->next; fp;) {
 		bool headstolen;
 		int delta;
 		struct sk_buff *next = fp->next;
-		sum_truesize += fp->truesize;
+	skb->dev = dev;
-		if (head->ip_summed != fp->ip_summed)
+	ipv6_hdr(skb)->payload_len = htons(payload_len);
-			head->ip_summed = CHECKSUM_NONE;
+	ipv6_change_dsfield(ipv6_hdr(skb), 0xff, ecn);
-		else if (head->ip_summed == CHECKSUM_COMPLETE)
+	IP6CB(skb)->nhoff = nhoff;
-			head->csum = csum_add(head->csum, fp->csum);
+	IP6CB(skb)->flags |= IP6SKB_FRAGMENTED;
-
+	IP6CB(skb)->frag_max_size = fq->q.max_size;
 		if (skb_try_coalesce(head, fp, &headstolen, &delta)) {
 			kfree_skb_partial(fp, headstolen);
 		} else {
 			fp->sk = NULL;
 			if (!skb_shinfo(head)->frag_list)
 				skb_shinfo(head)->frag_list = fp;
 			head->data_len += fp->len;
 			head->len += fp->len;
 			head->truesize += fp->truesize;
 		}
 		fp = next;
 	}
 	sub_frag_mem_limit(fq->q.net, sum_truesize);
 	skb_mark_not_on_list(head);
 	head->dev = dev;
 	head->tstamp = fq->q.stamp;
 	ipv6_hdr(head)->payload_len = htons(payload_len);
 	ipv6_change_dsfield(ipv6_hdr(head), 0xff, ecn);
 	IP6CB(head)->nhoff = nhoff;
 	IP6CB(head)->flags |= IP6SKB_FRAGMENTED;
 	IP6CB(head)->frag_max_size = fq->q.max_size;
 	/* Yes, and fold redundant checksum back. 8) */
-	skb_postpush_rcsum(head, skb_network_header(head),
+	skb_postpush_rcsum(skb, skb_network_header(skb),
-			   skb_network_header_len(head));
+			   skb_network_header_len(skb));
 	rcu_read_lock();
 	__IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMOKS);
@ -414,6 +307,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
 	fq->q.fragments = NULL;
 	fq->q.rb_fragments = RB_ROOT;
 	fq->q.fragments_tail = NULL;
 	fq->q.last_run_head = NULL;
 	return 1;
 out_oversize:
@ -464,10 +358,6 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 		return 1;
 	}
 	if (skb->len - skb_network_offset(skb) < IPV6_MIN_MTU &&
 	    fhdr->frag_off & htons(IP6_MF))
 		goto fail_hdr;
 	iif = skb->dev ? skb->dev->ifindex : 0;
 	fq = fq_find(net, fhdr->identification, hdr, iif);
 	if (fq) {
@ -485,6 +375,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 		if (prob_offset) {
 			__IP6_INC_STATS(net, __in6_dev_get_safely(skb->dev),
 					IPSTATS_MIB_INHDRERRORS);
 			/* icmpv6_param_prob() calls kfree_skb(skb) */
 			icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, prob_offset);
 		}
 		return ret;
--- a/tools/testing/selftests/net/ip_defrag.c
+++ b/tools/testing/selftests/net/ip_defrag.c
@ -20,6 +20,7 @@ static bool		cfg_do_ipv4;
 static bool		cfg_do_ipv6;
 static bool		cfg_verbose;
 static bool		cfg_overlap;
 static bool		cfg_permissive;
 static unsigned short	cfg_port = 9000;
 const struct in_addr addr4 = { .s_addr = __constant_htonl(INADDR_LOOPBACK + 2) };
@ -35,7 +36,7 @@ const struct in6_addr addr6 = IN6ADDR_LOOPBACK_INIT;
 static int payload_len;
 static int max_frag_len;
-#define MSG_LEN_MAX	60000	/* Max UDP payload length. */
+#define MSG_LEN_MAX	10000	/* Max UDP payload length. */
 #define IP4_MF		(1u << 13)  /* IPv4 MF flag. */
 #define IP6_MF		(1)  /* IPv6 MF flag. */
@ -59,13 +60,14 @@ static void recv_validate_udp(int fd_udp)
 	msg_counter++;
 	if (cfg_overlap) {
 		if (ret == -1 && (errno == ETIMEDOUT || errno == EAGAIN))
 			return;  /* OK */
 		if (!cfg_permissive) {
 			if (ret != -1)
 				error(1, 0, "recv: expected timeout; got %d",
 					(int)ret);
-		if (errno != ETIMEDOUT && errno != EAGAIN)
+			error(1, errno, "recv: expected timeout: %d", errno);
-			error(1, errno, "recv: expected timeout: %d",
+		}
 				 errno);
 		return;  /* OK */
 	}
 	if (ret == -1)
@ -203,7 +205,6 @@ static void send_udp_frags(int fd_raw, struct sockaddr *addr,
 {
 	struct ip *iphdr = (struct ip *)ip_frame;
 	struct ip6_hdr *ip6hdr = (struct ip6_hdr *)ip_frame;
 	const bool ipv4 = !ipv6;
 	int res;
 	int offset;
 	int frag_len;
@ -251,7 +252,7 @@ static void send_udp_frags(int fd_raw, struct sockaddr *addr,
 	}
 	/* Occasionally test IPv4 "runs" (see net/ipv4/ip_fragment.c) */
-	if (ipv4 && !cfg_overlap && (rand() % 100 < 20) &&
+	if (!cfg_overlap && (rand() % 100 < 20) &&
 			(payload_len > 9 * max_frag_len)) {
 		offset = 6 * max_frag_len;
 		while (offset < (UDP_HLEN + payload_len)) {
@ -276,41 +277,38 @@ static void send_udp_frags(int fd_raw, struct sockaddr *addr,
 	while (offset < (UDP_HLEN + payload_len)) {
 		send_fragment(fd_raw, addr, alen, offset, ipv6);
 		/* IPv4 ignores duplicates, so randomly send a duplicate. */
-		if (ipv4 && (1 == rand() % 100))
+		if (rand() % 100 == 1)
 			send_fragment(fd_raw, addr, alen, offset, ipv6);
 		offset += 2 * max_frag_len;
 	}
 	if (cfg_overlap) {
-		/* Send an extra random fragment. */
+		/* Send an extra random fragment.
 		 *
 		 * Duplicates and some fragments completely inside
 		 * previously sent fragments are dropped/ignored. So
 		 * random offset and frag_len can result in a dropped
 		 * fragment instead of a dropped queue/packet. Thus we
 		 * hard-code offset and frag_len.
 		 */
 		if (max_frag_len * 4 < payload_len || max_frag_len < 16) {
 			/* not enough payload for random offset and frag_len. */
 			offset = 8;
 			frag_len = UDP_HLEN + max_frag_len;
 		} else {
 			offset = rand() % (payload_len / 2);
 			frag_len = 2 * max_frag_len + 1 + rand() % 256;
 		}
 		if (ipv6) {
 			struct ip6_frag *fraghdr = (struct ip6_frag *)(ip_frame + IP6_HLEN);
 			/* sendto() returns EINVAL if offset + frag_len is too small. */
 			offset = rand() % (UDP_HLEN + payload_len - 1);
 			frag_len = max_frag_len + rand() % 256;
 			/* In IPv6 if !!(frag_len % 8), the fragment is dropped. */
 			frag_len &= ~0x7;
 			fraghdr->ip6f_offlg = htons(offset / 8 | IP6_MF);
 			ip6hdr->ip6_plen = htons(frag_len);
 			frag_len += IP6_HLEN;
 		} else {
-			/* In IPv4, duplicates and some fragments completely inside
+			frag_len += IP4_HLEN;
 			 * previously sent fragments are dropped/ignored. So
 			 * random offset and frag_len can result in a dropped
 			 * fragment instead of a dropped queue/packet. So we
 			 * hard-code offset and frag_len.
 			 *
 			 * See ade446403bfb ("net: ipv4: do not handle duplicate
 			 * fragments as overlapping").
 			 */
 			if (max_frag_len * 4 < payload_len || max_frag_len < 16) {
 				/* not enough payload to play with random offset and frag_len. */
 				offset = 8;
 				frag_len = IP4_HLEN + UDP_HLEN + max_frag_len;
 			} else {
 				offset = rand() % (payload_len / 2);
 				frag_len = 2 * max_frag_len + 1 + rand() % 256;
 			}
 			iphdr->ip_off = htons(offset / 8 | IP4_MF);
 			iphdr->ip_len = htons(frag_len);
 		}
@ -327,7 +325,7 @@ static void send_udp_frags(int fd_raw, struct sockaddr *addr,
 	while (offset < (UDP_HLEN + payload_len)) {
 		send_fragment(fd_raw, addr, alen, offset, ipv6);
 		/* IPv4 ignores duplicates, so randomly send a duplicate. */
-		if (ipv4 && (1 == rand() % 100))
+		if (rand() % 100 == 1)
 			send_fragment(fd_raw, addr, alen, offset, ipv6);
 		offset += 2 * max_frag_len;
 	}
@ -342,7 +340,7 @@ static void run_test(struct sockaddr *addr, socklen_t alen, bool ipv6)
 	 */
 	struct timeval tv = { .tv_sec = 1, .tv_usec = 10 };
 	int idx;
-	int min_frag_len = ipv6 ? 1280 : 8;
+	int min_frag_len = 8;
 	/* Initialize the payload. */
 	for (idx = 0; idx < MSG_LEN_MAX; ++idx)
@ -434,7 +432,7 @@ static void parse_opts(int argc, char **argv)
 {
 	int c;
-	while ((c = getopt(argc, argv, "46ov")) != -1) {
+	while ((c = getopt(argc, argv, "46opv")) != -1) {
 		switch (c) {
 		case '4':
 			cfg_do_ipv4 = true;
@ -445,6 +443,9 @@ static void parse_opts(int argc, char **argv)
 		case 'o':
 			cfg_overlap = true;
 			break;
 		case 'p':
 			cfg_permissive = true;
 			break;
 		case 'v':
 			cfg_verbose = true;
 			break;
--- a/tools/testing/selftests/net/ip_defrag.sh
+++ b/tools/testing/selftests/net/ip_defrag.sh
@ -20,6 +20,10 @@ setup() {
 	ip netns exec "${NETNS}" sysctl -w net.ipv6.ip6frag_low_thresh=7000000 >/dev/null 2>&1
 	ip netns exec "${NETNS}" sysctl -w net.ipv6.ip6frag_time=1 >/dev/null 2>&1
 	ip netns exec "${NETNS}" sysctl -w net.netfilter.nf_conntrack_frag6_high_thresh=9000000 >/dev/null 2>&1
 	ip netns exec "${NETNS}" sysctl -w net.netfilter.nf_conntrack_frag6_low_thresh=7000000  >/dev/null 2>&1
 	ip netns exec "${NETNS}" sysctl -w net.netfilter.nf_conntrack_frag6_timeout=1 >/dev/null 2>&1
 	# DST cache can get full with a lot of frags, with GC not keeping up with the test.
 	ip netns exec "${NETNS}" sysctl -w net.ipv6.route.max_size=65536 >/dev/null 2>&1
 }
@ -43,4 +47,16 @@ ip netns exec "${NETNS}" ./ip_defrag -6
 echo "ipv6 defrag with overlaps"
 ip netns exec "${NETNS}" ./ip_defrag -6o
 # insert an nf_conntrack rule so that the codepath in nf_conntrack_reasm.c taken
 ip netns exec "${NETNS}" ip6tables -A INPUT  -m conntrack --ctstate INVALID -j ACCEPT
 echo "ipv6 nf_conntrack defrag"
 ip netns exec "${NETNS}" ./ip_defrag -6
 echo "ipv6 nf_conntrack defrag with overlaps"
 # netfilter will drop some invalid packets, so we run the test in
 # permissive mode: i.e. pass the test if the packet is correctly assembled
 # even if we sent an overlap
 ip netns exec "${NETNS}" ./ip_defrag -6op
 echo "all tests done"