Patch "net/smc: fix neighbour and rtable leak in smc_ib_find_route()" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 10 May 2024 17:38:42 -0400

This is a note to let you know that I've just added the patch titled

    net/smc: fix neighbour and rtable leak in smc_ib_find_route()

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-smc-fix-neighbour-and-rtable-leak-in-smc_ib_find.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 932f4c9031631f3904a70c9da994c129e47bf838
Author: Wen Gu <guwen@xxxxxxxxxxxxxxxxx>
Date:   Tue May 7 20:53:31 2024 +0800

    net/smc: fix neighbour and rtable leak in smc_ib_find_route()
    
    [ Upstream commit 2ddc0dd7fec86ee53b8928a5cca5fbddd4fc7c06 ]
    
    In smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable
    resolved by ip_route_output_flow() are not released or put before return.
    It may cause the refcount leak, so fix it.
    
    Link: https://lore.kernel.org/r/20240506015439.108739-1-guwen@xxxxxxxxxxxxxxxxx
    Fixes: e5c4744cfb59 ("net/smc: add SMC-Rv2 connection establishment")
    Signed-off-by: Wen Gu <guwen@xxxxxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240507125331.2808-1-guwen@xxxxxxxxxxxxxxxxx
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
index 89981dbe46c94..598ac9ead64b7 100644
--- a/net/smc/smc_ib.c
+++ b/net/smc/smc_ib.c
@@ -209,13 +209,18 @@ int smc_ib_find_route(struct net *net, __be32 saddr, __be32 daddr,
 	if (IS_ERR(rt))
 		goto out;
 	if (rt->rt_uses_gateway && rt->rt_gw_family != AF_INET)
-		goto out;
-	neigh = rt->dst.ops->neigh_lookup(&rt->dst, NULL, &fl4.daddr);
-	if (neigh) {
-		memcpy(nexthop_mac, neigh->ha, ETH_ALEN);
-		*uses_gateway = rt->rt_uses_gateway;
-		return 0;
-	}
+		goto out_rt;
+	neigh = dst_neigh_lookup(&rt->dst, &fl4.daddr);
+	if (!neigh)
+		goto out_rt;
+	memcpy(nexthop_mac, neigh->ha, ETH_ALEN);
+	*uses_gateway = rt->rt_uses_gateway;
+	neigh_release(neigh);
+	ip_rt_put(rt);
+	return 0;
+
+out_rt:
+	ip_rt_put(rt);
 out:
 	return -ENOENT;
 }







