| Message ID | 1595664139-40703-1-git-send-email-xiyuyang19@fudan.edu.cn |
|---|---|
| State | Accepted |
| Delegated to: | David Miller |
| Headers | show |
| Series | ipv6: Fix nexthop refcnt leak when creating ipv6 route info | expand |
On 7/25/20 2:02 AM, Xiyu Yang wrote: > ip6_route_info_create() invokes nexthop_get(), which increases the > refcount of the "nh". > > When ip6_route_info_create() returns, local variable "nh" becomes > invalid, so the refcount should be decreased to keep refcount balanced. I forgot to write the test case for this very code path in tools/testing/selftests/net/fib_nexthops.sh. If you have the time, it goes in ipv6_fcnal_runtime() - see the last 'TO-DO' item. > > The reference counting issue happens in one exception handling path of > ip6_route_info_create(). When nexthops can not be used with source > routing, the function forgets to decrease the refcnt increased by > nexthop_get(), causing a refcnt leak. > > Fix this issue by pulling up the error source routing handling when > nexthops can not be used with source routing. > Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info") > Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> > Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> > --- > net/ipv6/route.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > Reviewed-by: David Ahern <dsahern@kernel.org>
From: Xiyu Yang <xiyuyang19@fudan.edu.cn> Date: Sat, 25 Jul 2020 16:02:18 +0800 > ip6_route_info_create() invokes nexthop_get(), which increases the > refcount of the "nh". > > When ip6_route_info_create() returns, local variable "nh" becomes > invalid, so the refcount should be decreased to keep refcount balanced. > > The reference counting issue happens in one exception handling path of > ip6_route_info_create(). When nexthops can not be used with source > routing, the function forgets to decrease the refcnt increased by > nexthop_get(), causing a refcnt leak. > > Fix this issue by pulling up the error source routing handling when > nexthops can not be used with source routing. > > Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> > Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> Applied and queued up for -stable, thanks.
diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 82cbb46a2a4f..427ecd7032bd 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -3682,14 +3682,14 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg, rt->fib6_src.plen = cfg->fc_src_len; #endif if (nh) { - if (!nexthop_get(nh)) { - NL_SET_ERR_MSG(extack, "Nexthop has been deleted"); - goto out; - } if (rt->fib6_src.plen) { NL_SET_ERR_MSG(extack, "Nexthops can not be used with source routing"); goto out; } + if (!nexthop_get(nh)) { + NL_SET_ERR_MSG(extack, "Nexthop has been deleted"); + goto out; + } rt->nh = nh; fib6_nh = nexthop_fib6_nh(rt->nh); } else {