• H
    [IPV6]: Don't hold extra ref count in ipv6_ifa_notify · 4641e7a3
    Herbert Xu 提交于
    Currently the logic in ipv6_ifa_notify is to hold an extra reference
    count for addrconf dst's that get added to the routing table.  Thus,
    when addrconf dst entries are taken out of the routing table, we need
    to drop that dst.  However, addrconf dst entries may be removed from
    the routing table by means other than __ipv6_ifa_notify.
    
    So we're faced with the choice of either fixing up all places where
    addrconf dst entries are removed, or dropping the extra reference count
    altogether.
    
    I chose the latter because the ifp itself always holds a dst reference
    count of 1 while it's alive.  This is dropped just before we kfree the
    ifp object.  Therefore we know that in __ipv6_ifa_notify we will always
    hold that count.
    
    This bug was found by Eric W. Biederman.
    Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    4641e7a3
addrconf.c 93.6 KB