From patchwork Fri Sep  2 18:39:50 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dave Jones <davej@codemonkey.org.uk>
X-Patchwork-Id: 665286
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3sQnwt6J88z9sBg
	for <patchwork-incoming@ozlabs.org>;
	Sat,  3 Sep 2016 04:39:58 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754129AbcIBSjy (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Fri, 2 Sep 2016 14:39:54 -0400
Received: from arcturus.aphlor.org ([188.246.204.175]:37736 "EHLO
	arcturus.aphlor.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752253AbcIBSjy (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 2 Sep 2016 14:39:54 -0400
Received: from c-65-96-118-216.hsd1.ma.comcast.net ([65.96.118.216]
	helo=wopr.kernelslacker.org) by arcturus.aphlor.org with esmtpsa
	(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87)
	(envelope-from <davej@codemonkey.org.uk>)
	id 1bftNY-0007gz-CP; Fri, 02 Sep 2016 19:39:52 +0100
Received: by wopr.kernelslacker.org (Postfix, from userid 1000)
	id 7F49B97; Fri,  2 Sep 2016 14:39:50 -0400 (EDT)
Date: Fri, 2 Sep 2016 14:39:50 -0400
From: Dave Jones <davej@codemonkey.org.uk>
To: netdev@vger.kernel.org
Cc: kafai@fb.com
Subject: ipv6: release dst in ping_v6_sendmsg
Message-ID: <20160902183950.p3iv25jnuwmq74sg@codemonkey.org.uk>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: NeoMutt/ (1.7.0)
X-Spam-Flag: skipped (authorised relay user)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Neither the failure or success paths of ping_v6_sendmsg release
the dst it acquires.  This leads to a flood of warnings from
"net/core/dst.c:288 dst_release" on older kernels that
don't have 8bf4ada2e21378816b28205427ee6b0e1ca4c5f1 backported.

That patch optimistically hoped this had been fixed post 3.10, but
it seems at least one case wasn't, where I've seen this triggered
a lot from machines doing unprivileged icmp sockets.

Cc: Martin Lau <kafai@fb.com>
Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Acked-by: Martin KaFai Lau <kafai@fb.com>

diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
index 0900352c924c..0e983b694ee8 100644
--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
@@ -126,8 +126,10 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 	rt = (struct rt6_info *) dst;
 
 	np = inet6_sk(sk);
-	if (!np)
-		return -EBADF;
+	if (!np) {
+		err = -EBADF;
+		goto dst_err_out;
+	}
 
 	if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
 		fl6.flowi6_oif = np->mcast_oif;
@@ -163,6 +165,9 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 	}
 	release_sock(sk);
 
+dst_err_out:
+	dst_release(dst);
+
 	if (err)
 		return err;