net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Jakub Kicinski <kuba@xxxxxxxxxx>

commit c71a192976ded2f2f416d03c4f595cdd4478b825 upstream.

dst_cache_get() gives us a reference, we need to release it.

Discovered by the ioam6.sh test, kmemleak was recently fixed
to catch per-cpu memory leaks.

Fixes: 985ec6f5e623 ("net: ipv6: rpl_iptunnel: mitigate 2-realloc issue")
Fixes: 40475b63761a ("net: ipv6: seg6_iptunnel: mitigate 2-realloc issue")
Fixes: dce525185bc9 ("net: ipv6: ioam6_iptunnel: mitigate 2-realloc issue")
Reviewed-by: Justin Iurman <justin.iurman@xxxxxxxxx>
Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
Link: https://patch.msgid.link/20250130031519.2716843-1-kuba@xxxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/ipv6/ioam6_iptunnel.c |    5 +++--
 net/ipv6/rpl_iptunnel.c   |    6 ++++--
 net/ipv6/seg6_iptunnel.c  |    6 ++++--
 3 files changed, 11 insertions(+), 6 deletions(-)

--- a/net/ipv6/ioam6_iptunnel.c
+++ b/net/ipv6/ioam6_iptunnel.c
@@ -336,7 +336,7 @@ static int ioam6_do_encap(struct net *ne
 
 static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
-	struct dst_entry *dst = skb_dst(skb), *cache_dst;
+	struct dst_entry *dst = skb_dst(skb), *cache_dst = NULL;
 	struct in6_addr orig_daddr;
 	struct ioam6_lwt *ilwt;
 	int err = -EINVAL;
@@ -407,7 +407,6 @@ do_encap:
 		cache_dst = ip6_route_output(net, NULL, &fl6);
 		if (cache_dst->error) {
 			err = cache_dst->error;
-			dst_release(cache_dst);
 			goto drop;
 		}
 
@@ -429,8 +428,10 @@ do_encap:
 		return dst_output(net, sk, skb);
 	}
 out:
+	dst_release(cache_dst);
 	return dst->lwtstate->orig_output(net, sk, skb);
 drop:
+	dst_release(cache_dst);
 	kfree_skb(skb);
 	return err;
 }
--- a/net/ipv6/rpl_iptunnel.c
+++ b/net/ipv6/rpl_iptunnel.c
@@ -232,7 +232,6 @@ static int rpl_output(struct net *net, s
 		dst = ip6_route_output(net, NULL, &fl6);
 		if (dst->error) {
 			err = dst->error;
-			dst_release(dst);
 			goto drop;
 		}
 
@@ -254,6 +253,7 @@ static int rpl_output(struct net *net, s
 	return dst_output(net, sk, skb);
 
 drop:
+	dst_release(dst);
 	kfree_skb(skb);
 	return err;
 }
@@ -272,8 +272,10 @@ static int rpl_input(struct sk_buff *skb
 	local_bh_enable();
 
 	err = rpl_do_srh(skb, rlwt, dst);
-	if (unlikely(err))
+	if (unlikely(err)) {
+		dst_release(dst);
 		goto drop;
+	}
 
 	if (!dst) {
 		ip6_route_input(skb);
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -482,8 +482,10 @@ static int seg6_input_core(struct net *n
 	local_bh_enable();
 
 	err = seg6_do_srh(skb, dst);
-	if (unlikely(err))
+	if (unlikely(err)) {
+		dst_release(dst);
 		goto drop;
+	}
 
 	if (!dst) {
 		ip6_route_input(skb);
@@ -571,7 +573,6 @@ static int seg6_output_core(struct net *
 		dst = ip6_route_output(net, NULL, &fl6);
 		if (dst->error) {
 			err = dst->error;
-			dst_release(dst);
 			goto drop;
 		}
 
@@ -596,6 +597,7 @@ static int seg6_output_core(struct net *
 
 	return dst_output(net, sk, skb);
 drop:
+	dst_release(dst);
 	kfree_skb(skb);
 	return err;
 }


Patches currently in stable-queue which might be from kuba@xxxxxxxxxx are

queue-6.13/vxlan-check-vxlan_vnigroup_init-return-value.patch
queue-6.13/ipv4-use-rcu-protection-in-inet_select_addr.patch
queue-6.13/ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch
queue-6.13/mlxsw-add-return-value-check-for-mlxsw_sp_port_get_stats_raw.patch
queue-6.13/net-make-netdev_lock-protect-netdev-reg_state.patch
queue-6.13/net-fib_rules-annotate-data-races-around-rule-io-ifi.patch
queue-6.13/eth-iavf-extend-the-netdev_lock-usage.patch
queue-6.13/net-add-netdev-up-protected-by-netdev_lock.patch
queue-6.13/vrf-use-rcu-protection-in-l3mdev_l3_out.patch
queue-6.13/net-make-sure-we-retain-napi-ordering-on-netdev-napi.patch
queue-6.13/net-add-netdev_lock-netdev_unlock-helpers.patch
queue-6.13/ipv6-use-rcu-protection-in-ip6_default_advmss.patch
queue-6.13/reapply-net-skb-introduce-and-use-a-single-page-frag.patch
queue-6.13/ipv4-add-rcu-protection-to-ip4_dst_hoplimit.patch
queue-6.13/net-ethernet-ti-am65-cpsw-fix-rx-tx-statistics-for-x.patch
queue-6.13/flow_dissector-use-rcu-protection-to-fetch-dev_net.patch
queue-6.13/net-add-dev_net_rcu-helper.patch
queue-6.13/openvswitch-use-rcu-protection-in-ovs_vport_cmd_fill.patch
queue-6.13/net-destroy-dev-lock-later-in-free_netdev.patch
queue-6.13/ipv6-mcast-add-rcu-protection-to-mld_newpack.patch
queue-6.13/ipv4-icmp-convert-to-dev_net_rcu.patch
queue-6.13/ipv6-mcast-extend-rcu-protection-in-igmp6_send.patch
queue-6.13/ndisc-extend-rcu-protection-in-ndisc_send_skb.patch
queue-6.13/net-protect-netdev-napi_list-with-netdev_lock.patch
queue-6.13/neighbour-use-rcu-protection-in-__neigh_notify.patch
queue-6.13/team-better-team_option_type_string-validation.patch
queue-6.13/ipv6-icmp-convert-to-dev_net_rcu.patch
queue-6.13/ax25-fix-refcount-leak-caused-by-setting-so_bindtode.patch
queue-6.13/rtnetlink-fix-netns-leak-with-rtnl_setlink.patch
queue-6.13/ipv4-use-rcu-protection-in-ip_dst_mtu_maybe_forward.patch
queue-6.13/net-ethernet-ti-am65-cpsw-fix-memleak-in-certain-xdp.patch
queue-6.13/ndisc-use-rcu-protection-in-ndisc_alloc_skb.patch
queue-6.13/net-ipv6-fix-dst-ref-loops-in-rpl-seg6-and-ioam6-lwt.patch
queue-6.13/iavf-fix-a-locking-bug-in-an-error-path.patch
queue-6.13/ipv4-use-rcu-protection-in-__ip_rt_update_pmtu.patch
queue-6.13/ipv4-use-rcu-protection-in-rt_is_expired.patch
queue-6.13/arp-use-rcu-protection-in-arp_xmit.patch
queue-6.13/ipv4-use-rcu-protection-in-ipv4_default_advmss.patch
queue-6.13/s390-qeth-move-netif_napi_add_tx-and-napi_enable-fro.patch
queue-6.13/net-ipv6-fix-dst-refleaks-in-rpl-seg6-and-ioam6-lwtunnels.patch
queue-6.13/net-ethernet-ti-am65_cpsw-fix-tx_cleanup-for-xdp-cas.patch
queue-6.13/revert-net-skb-introduce-and-use-a-single-page-frag-.patch




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux