提交 761f6026 编写于 作者: X Xin Long 提交者: David S. Miller

ipv6: fix a dst leak when removing its exception

These is no need to hold dst before calling rt6_remove_exception_rt().
The call to dst_hold_safe() in ip6_link_failure() was for ip6_del_rt(),
which has been removed in Commit 93531c67 ("net/ipv6: separate
handling of FIB entries from dst based routes"). Otherwise, it will
cause a dst leak.

This patch is to simply remove the dst_hold_safe() call before calling
rt6_remove_exception_rt() and also do the same in ip6_del_cached_rt().
It's safe, because the removal of the exception that holds its dst's
refcnt is protected by rt6_exception_lock.

Fixes: 93531c67 ("net/ipv6: separate handling of FIB entries from dst based routes")
Fixes: 23fb93a4 ("net/ipv6: Cleanup exception and cache route handling")
Reported-by: NLi Shuang <shuali@redhat.com>
Signed-off-by: NXin Long <lucien.xin@gmail.com>
Reviewed-by: NDavid Ahern <dsahern@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 83e65df6
...@@ -2232,8 +2232,7 @@ static void ip6_link_failure(struct sk_buff *skb) ...@@ -2232,8 +2232,7 @@ static void ip6_link_failure(struct sk_buff *skb)
if (rt) { if (rt) {
rcu_read_lock(); rcu_read_lock();
if (rt->rt6i_flags & RTF_CACHE) { if (rt->rt6i_flags & RTF_CACHE) {
if (dst_hold_safe(&rt->dst)) rt6_remove_exception_rt(rt);
rt6_remove_exception_rt(rt);
} else { } else {
struct fib6_info *from; struct fib6_info *from;
struct fib6_node *fn; struct fib6_node *fn;
...@@ -3214,8 +3213,8 @@ static int ip6_del_cached_rt(struct rt6_info *rt, struct fib6_config *cfg) ...@@ -3214,8 +3213,8 @@ static int ip6_del_cached_rt(struct rt6_info *rt, struct fib6_config *cfg)
if (cfg->fc_flags & RTF_GATEWAY && if (cfg->fc_flags & RTF_GATEWAY &&
!ipv6_addr_equal(&cfg->fc_gateway, &rt->rt6i_gateway)) !ipv6_addr_equal(&cfg->fc_gateway, &rt->rt6i_gateway))
goto out; goto out;
if (dst_hold_safe(&rt->dst))
rc = rt6_remove_exception_rt(rt); rc = rt6_remove_exception_rt(rt);
out: out:
return rc; return rc;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册