From: Jakub Kicinski <kuba@xxxxxxxxxx>
commit c71a192976ded2f2f416d03c4f595cdd4478b825 upstream.
dst_cache_get() gives us a reference, we need to release it.
Discovered by the ioam6.sh test, kmemleak was recently fixed
to catch per-cpu memory leaks.
Fixes: 985ec6f5e623 ("net: ipv6: rpl_iptunnel: mitigate 2-realloc issue")
Fixes: 40475b63761a ("net: ipv6: seg6_iptunnel: mitigate 2-realloc issue")
Fixes: dce525185bc9 ("net: ipv6: ioam6_iptunnel: mitigate 2-realloc issue")
Reviewed-by: Justin Iurman <justin.iurman@xxxxxxxxx>
Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
Link: https://patch.msgid.link/20250130031519.2716843-1-kuba@xxxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/ipv6/ioam6_iptunnel.c | 5 +++--
net/ipv6/rpl_iptunnel.c | 6 ++++--
net/ipv6/seg6_iptunnel.c | 6 ++++--
3 files changed, 11 insertions(+), 6 deletions(-)
--- a/net/ipv6/ioam6_iptunnel.c
+++ b/net/ipv6/ioam6_iptunnel.c
@@ -336,7 +336,7 @@ static int ioam6_do_encap(struct net *ne
static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
{
- struct dst_entry *dst = skb_dst(skb), *cache_dst;
+ struct dst_entry *dst = skb_dst(skb), *cache_dst = NULL;
struct in6_addr orig_daddr;
struct ioam6_lwt *ilwt;
int err = -EINVAL;
@@ -407,7 +407,6 @@ do_encap:
cache_dst = ip6_route_output(net, NULL, &fl6);
if (cache_dst->error) {
err = cache_dst->error;
- dst_release(cache_dst);
goto drop;
}
@@ -429,8 +428,10 @@ do_encap:
return dst_output(net, sk, skb);
}
out:
+ dst_release(cache_dst);
return dst->lwtstate->orig_output(net, sk, skb);
drop:
+ dst_release(cache_dst);
kfree_skb(skb);
return err;
}
--- a/net/ipv6/rpl_iptunnel.c
+++ b/net/ipv6/rpl_iptunnel.c
@@ -232,7 +232,6 @@ static int rpl_output(struct net *net, s
dst = ip6_route_output(net, NULL, &fl6);
if (dst->error) {
err = dst->error;
- dst_release(dst);
goto drop;
}
@@ -254,6 +253,7 @@ static int rpl_output(struct net *net, s
return dst_output(net, sk, skb);
drop:
+ dst_release(dst);
kfree_skb(skb);
return err;
}
@@ -272,8 +272,10 @@ static int rpl_input(struct sk_buff *skb
local_bh_enable();
err = rpl_do_srh(skb, rlwt, dst);
- if (unlikely(err))
+ if (unlikely(err)) {
+ dst_release(dst);
goto drop;
+ }
if (!dst) {
ip6_route_input(skb);
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -482,8 +482,10 @@ static int seg6_input_core(struct net *n
local_bh_enable();
err = seg6_do_srh(skb, dst);
- if (unlikely(err))
+ if (unlikely(err)) {
+ dst_release(dst);
goto drop;
+ }
if (!dst) {
ip6_route_input(skb);
@@ -571,7 +573,6 @@ static int seg6_output_core(struct net *
dst = ip6_route_output(net, NULL, &fl6);
if (dst->error) {
err = dst->error;
- dst_release(dst);
goto drop;
}
@@ -596,6 +597,7 @@ static int seg6_output_core(struct net *
return dst_output(net, sk, skb);
drop:
+ dst_release(dst);
kfree_skb(skb);
return err;
}
Patches currently in stable-queue which might be from kuba@xxxxxxxxxx are
queue-6.13/vxlan-check-vxlan_vnigroup_init-return-value.patch
queue-6.13/ipv4-use-rcu-protection-in-inet_select_addr.patch
queue-6.13/ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch
queue-6.13/mlxsw-add-return-value-check-for-mlxsw_sp_port_get_stats_raw.patch
queue-6.13/net-make-netdev_lock-protect-netdev-reg_state.patch
queue-6.13/net-fib_rules-annotate-data-races-around-rule-io-ifi.patch
queue-6.13/eth-iavf-extend-the-netdev_lock-usage.patch
queue-6.13/net-add-netdev-up-protected-by-netdev_lock.patch
queue-6.13/vrf-use-rcu-protection-in-l3mdev_l3_out.patch
queue-6.13/net-make-sure-we-retain-napi-ordering-on-netdev-napi.patch
queue-6.13/net-add-netdev_lock-netdev_unlock-helpers.patch
queue-6.13/ipv6-use-rcu-protection-in-ip6_default_advmss.patch
queue-6.13/reapply-net-skb-introduce-and-use-a-single-page-frag.patch
queue-6.13/ipv4-add-rcu-protection-to-ip4_dst_hoplimit.patch
queue-6.13/net-ethernet-ti-am65-cpsw-fix-rx-tx-statistics-for-x.patch
queue-6.13/flow_dissector-use-rcu-protection-to-fetch-dev_net.patch
queue-6.13/net-add-dev_net_rcu-helper.patch
queue-6.13/openvswitch-use-rcu-protection-in-ovs_vport_cmd_fill.patch
queue-6.13/net-destroy-dev-lock-later-in-free_netdev.patch
queue-6.13/ipv6-mcast-add-rcu-protection-to-mld_newpack.patch
queue-6.13/ipv4-icmp-convert-to-dev_net_rcu.patch
queue-6.13/ipv6-mcast-extend-rcu-protection-in-igmp6_send.patch
queue-6.13/ndisc-extend-rcu-protection-in-ndisc_send_skb.patch
queue-6.13/net-protect-netdev-napi_list-with-netdev_lock.patch
queue-6.13/neighbour-use-rcu-protection-in-__neigh_notify.patch
queue-6.13/team-better-team_option_type_string-validation.patch
queue-6.13/ipv6-icmp-convert-to-dev_net_rcu.patch
queue-6.13/ax25-fix-refcount-leak-caused-by-setting-so_bindtode.patch
queue-6.13/rtnetlink-fix-netns-leak-with-rtnl_setlink.patch
queue-6.13/ipv4-use-rcu-protection-in-ip_dst_mtu_maybe_forward.patch
queue-6.13/net-ethernet-ti-am65-cpsw-fix-memleak-in-certain-xdp.patch
queue-6.13/ndisc-use-rcu-protection-in-ndisc_alloc_skb.patch
queue-6.13/net-ipv6-fix-dst-ref-loops-in-rpl-seg6-and-ioam6-lwt.patch
queue-6.13/iavf-fix-a-locking-bug-in-an-error-path.patch
queue-6.13/ipv4-use-rcu-protection-in-__ip_rt_update_pmtu.patch
queue-6.13/ipv4-use-rcu-protection-in-rt_is_expired.patch
queue-6.13/arp-use-rcu-protection-in-arp_xmit.patch
queue-6.13/ipv4-use-rcu-protection-in-ipv4_default_advmss.patch
queue-6.13/s390-qeth-move-netif_napi_add_tx-and-napi_enable-fro.patch
queue-6.13/net-ipv6-fix-dst-refleaks-in-rpl-seg6-and-ioam6-lwtunnels.patch
queue-6.13/net-ethernet-ti-am65_cpsw-fix-tx_cleanup-for-xdp-cas.patch
queue-6.13/revert-net-skb-introduce-and-use-a-single-page-frag-.patch
