From: Jakub Kicinski <kuba@xxxxxxxxxx> commit c71a192976ded2f2f416d03c4f595cdd4478b825 upstream. dst_cache_get() gives us a reference, we need to release it. Discovered by the ioam6.sh test, kmemleak was recently fixed to catch per-cpu memory leaks. Fixes: 985ec6f5e623 ("net: ipv6: rpl_iptunnel: mitigate 2-realloc issue") Fixes: 40475b63761a ("net: ipv6: seg6_iptunnel: mitigate 2-realloc issue") Fixes: dce525185bc9 ("net: ipv6: ioam6_iptunnel: mitigate 2-realloc issue") Reviewed-by: Justin Iurman <justin.iurman@xxxxxxxxx> Reviewed-by: Simon Horman <horms@xxxxxxxxxx> Link: https://patch.msgid.link/20250130031519.2716843-1-kuba@xxxxxxxxxx Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/ipv6/ioam6_iptunnel.c | 5 +++-- net/ipv6/rpl_iptunnel.c | 6 ++++-- net/ipv6/seg6_iptunnel.c | 6 ++++-- 3 files changed, 11 insertions(+), 6 deletions(-) --- a/net/ipv6/ioam6_iptunnel.c +++ b/net/ipv6/ioam6_iptunnel.c @@ -336,7 +336,7 @@ static int ioam6_do_encap(struct net *ne static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb) { - struct dst_entry *dst = skb_dst(skb), *cache_dst; + struct dst_entry *dst = skb_dst(skb), *cache_dst = NULL; struct in6_addr orig_daddr; struct ioam6_lwt *ilwt; int err = -EINVAL; @@ -407,7 +407,6 @@ do_encap: cache_dst = ip6_route_output(net, NULL, &fl6); if (cache_dst->error) { err = cache_dst->error; - dst_release(cache_dst); goto drop; } @@ -429,8 +428,10 @@ do_encap: return dst_output(net, sk, skb); } out: + dst_release(cache_dst); return dst->lwtstate->orig_output(net, sk, skb); drop: + dst_release(cache_dst); kfree_skb(skb); return err; } --- a/net/ipv6/rpl_iptunnel.c +++ b/net/ipv6/rpl_iptunnel.c @@ -232,7 +232,6 @@ static int rpl_output(struct net *net, s dst = ip6_route_output(net, NULL, &fl6); if (dst->error) { err = dst->error; - dst_release(dst); goto drop; } @@ -254,6 +253,7 @@ static int rpl_output(struct net *net, s return dst_output(net, sk, skb); drop: + dst_release(dst); kfree_skb(skb); return err; } @@ -272,8 +272,10 @@ static int rpl_input(struct sk_buff *skb local_bh_enable(); err = rpl_do_srh(skb, rlwt, dst); - if (unlikely(err)) + if (unlikely(err)) { + dst_release(dst); goto drop; + } if (!dst) { ip6_route_input(skb); --- a/net/ipv6/seg6_iptunnel.c +++ b/net/ipv6/seg6_iptunnel.c @@ -482,8 +482,10 @@ static int seg6_input_core(struct net *n local_bh_enable(); err = seg6_do_srh(skb, dst); - if (unlikely(err)) + if (unlikely(err)) { + dst_release(dst); goto drop; + } if (!dst) { ip6_route_input(skb); @@ -571,7 +573,6 @@ static int seg6_output_core(struct net * dst = ip6_route_output(net, NULL, &fl6); if (dst->error) { err = dst->error; - dst_release(dst); goto drop; } @@ -596,6 +597,7 @@ static int seg6_output_core(struct net * return dst_output(net, sk, skb); drop: + dst_release(dst); kfree_skb(skb); return err; } Patches currently in stable-queue which might be from kuba@xxxxxxxxxx are queue-6.13/vxlan-check-vxlan_vnigroup_init-return-value.patch queue-6.13/ipv4-use-rcu-protection-in-inet_select_addr.patch queue-6.13/ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch queue-6.13/mlxsw-add-return-value-check-for-mlxsw_sp_port_get_stats_raw.patch queue-6.13/net-make-netdev_lock-protect-netdev-reg_state.patch queue-6.13/net-fib_rules-annotate-data-races-around-rule-io-ifi.patch queue-6.13/eth-iavf-extend-the-netdev_lock-usage.patch queue-6.13/net-add-netdev-up-protected-by-netdev_lock.patch queue-6.13/vrf-use-rcu-protection-in-l3mdev_l3_out.patch queue-6.13/net-make-sure-we-retain-napi-ordering-on-netdev-napi.patch queue-6.13/net-add-netdev_lock-netdev_unlock-helpers.patch queue-6.13/ipv6-use-rcu-protection-in-ip6_default_advmss.patch queue-6.13/reapply-net-skb-introduce-and-use-a-single-page-frag.patch queue-6.13/ipv4-add-rcu-protection-to-ip4_dst_hoplimit.patch queue-6.13/net-ethernet-ti-am65-cpsw-fix-rx-tx-statistics-for-x.patch queue-6.13/flow_dissector-use-rcu-protection-to-fetch-dev_net.patch queue-6.13/net-add-dev_net_rcu-helper.patch queue-6.13/openvswitch-use-rcu-protection-in-ovs_vport_cmd_fill.patch queue-6.13/net-destroy-dev-lock-later-in-free_netdev.patch queue-6.13/ipv6-mcast-add-rcu-protection-to-mld_newpack.patch queue-6.13/ipv4-icmp-convert-to-dev_net_rcu.patch queue-6.13/ipv6-mcast-extend-rcu-protection-in-igmp6_send.patch queue-6.13/ndisc-extend-rcu-protection-in-ndisc_send_skb.patch queue-6.13/net-protect-netdev-napi_list-with-netdev_lock.patch queue-6.13/neighbour-use-rcu-protection-in-__neigh_notify.patch queue-6.13/team-better-team_option_type_string-validation.patch queue-6.13/ipv6-icmp-convert-to-dev_net_rcu.patch queue-6.13/ax25-fix-refcount-leak-caused-by-setting-so_bindtode.patch queue-6.13/rtnetlink-fix-netns-leak-with-rtnl_setlink.patch queue-6.13/ipv4-use-rcu-protection-in-ip_dst_mtu_maybe_forward.patch queue-6.13/net-ethernet-ti-am65-cpsw-fix-memleak-in-certain-xdp.patch queue-6.13/ndisc-use-rcu-protection-in-ndisc_alloc_skb.patch queue-6.13/net-ipv6-fix-dst-ref-loops-in-rpl-seg6-and-ioam6-lwt.patch queue-6.13/iavf-fix-a-locking-bug-in-an-error-path.patch queue-6.13/ipv4-use-rcu-protection-in-__ip_rt_update_pmtu.patch queue-6.13/ipv4-use-rcu-protection-in-rt_is_expired.patch queue-6.13/arp-use-rcu-protection-in-arp_xmit.patch queue-6.13/ipv4-use-rcu-protection-in-ipv4_default_advmss.patch queue-6.13/s390-qeth-move-netif_napi_add_tx-and-napi_enable-fro.patch queue-6.13/net-ipv6-fix-dst-refleaks-in-rpl-seg6-and-ioam6-lwtunnels.patch queue-6.13/net-ethernet-ti-am65_cpsw-fix-tx_cleanup-for-xdp-cas.patch queue-6.13/revert-net-skb-introduce-and-use-a-single-page-frag-.patch