3.16.40-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Nicolas Dichtel <nicolas.dichtel@xxxxxxxxx> commit a220445f9f4382c36a53d8ef3e08165fa27f7e2c upstream. The goal of the patch is to fix this scenario: ip link add dummy1 type dummy ip link set dummy1 up ip link set lo down ; ip link set lo up After that sequence, the local route to the link layer address of dummy1 is not there anymore. When the loopback is set down, all local routes are deleted by addrconf_ifdown()/rt6_ifdown(). At this time, the rt6_info entry still exists, because the corresponding idev has a reference on it. After the rcu grace period, dst_rcu_free() is called, and thus ___dst_free(), which will set obsolete to DST_OBSOLETE_DEAD. In this case, init_loopback() is called before dst_rcu_free(), thus obsolete is still sets to something <= 0. So, the function doesn't add the route again. To avoid that race, let's check the rt6 refcnt instead. Fixes: 25fb6ca4ed9c ("net IPv6 : Fix broken IPv6 routing table after loopback down-up") Fixes: a881ae1f625c ("ipv6: don't call addrconf_dst_alloc again when enable lo") Fixes: 33d99113b110 ("ipv6: reallocate addrconf router for ipv6 address when lo device up") Reported-by: Francesco Santoro <francesco.santoro@xxxxxxxxx> Reported-by: Samuel Gauthier <samuel.gauthier@xxxxxxxxx> CC: Balakumaran Kannan <Balakumaran.Kannan@xxxxxxxxxxx> CC: Maruthi Thotad <Maruthi.Thotad@xxxxxxxxxxx> CC: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx> CC: Hannes Frederic Sowa <hannes@xxxxxxxxxxxxxxxxxxx> CC: Weilong Chen <chenweilong@xxxxxxxxxx> CC: Gao feng <gaofeng@xxxxxxxxxxxxxx> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@xxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> --- net/ipv6/addrconf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -2692,7 +2692,7 @@ static void init_loopback(struct net_dev * lo device down, release this obsolete dst and * reallocate a new router for ifa. */ - if (sp_ifa->rt->dst.obsolete > 0) { + if (!atomic_read(&sp_ifa->rt->rt6i_ref)) { ip6_rt_put(sp_ifa->rt); sp_ifa->rt = NULL; } else {