[PATCH] ipv6: release referenct of ip6_null_entry's dst entry in __ip6_del_rt

[PATCH] ipv6: release referenct of ip6_null_entry's dst entry in __ip6_del_rt

[Gao feng]

as we hold dst_entry before we call __ip6_del_rt,
so we should alse call dst_release not only return
-ENOENT when the rt6_info is ip6_null_entry.

and we already hold the dst entry, so I think it's
safe to call dst_release out of the write-read lock.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/ipv6/route.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 854e401..46eff42 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1589,17 +1589,18 @@ static int __ip6_del_rt(struct rt6_info *rt, struct nl_info *info)
 	struct fib6_table *table;
 	struct net *net = dev_net(rt->dst.dev);
 
-	if (rt == net->ipv6.ip6_null_entry)
-		return -ENOENT;
+	if (rt == net->ipv6.ip6_null_entry) {
+		err = -ENOENT;
+		goto out;
+	}
 
 	table = rt->rt6i_table;
 	write_lock_bh(&table->tb6_lock);
-
 	err = fib6_del(rt, info);
-	dst_release(&rt->dst);
-
 	write_unlock_bh(&table->tb6_lock);
 
+out:
+	dst_release(&rt->dst);
 	return err;
 }
 
-- 
1.7.7.6

Re: [PATCH] ipv6: release referenct of ip6_null_entry's dst entry in __ip6_del_rt

[David Miller]

From: Gao feng <gaofeng@cn.fujitsu.com>
Date: Thu, 20 Sep 2012 13:25:34 +0800

> as we hold dst_entry before we call __ip6_del_rt,
> so we should alse call dst_release not only return
> -ENOENT when the rt6_info is ip6_null_entry.
> 
> and we already hold the dst entry, so I think it's
> safe to call dst_release out of the write-read lock.
> 
> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>

I cannot find a code path where we can actually end up
with an ip6_null_entry here and I'd much rather declare
this condition as a bug.

Patrick McHardy added this check back in 2006:

	commit 6c813a7297e3af4cd7c3458e09e9ee3d161c6830
	Author: Patrick McHardy <kaber@trash.net>
	Date:   Sun Aug 6 22:22:47 2006 -0700

	    [IPV6]: Fix crash in ip6_del_rt

But the ipv6 code has changed substantially since then.

Re: [PATCH] ipv6: release referenct of ip6_null_entry's dst entry in __ip6_del_rt

[Gao feng]

于 2012年09月22日 01:16, David Miller 写道:
> From: Gao feng <gaofeng@cn.fujitsu.com>
> Date: Thu, 20 Sep 2012 13:25:34 +0800
> 
>> as we hold dst_entry before we call __ip6_del_rt,
>> so we should alse call dst_release not only return
>> -ENOENT when the rt6_info is ip6_null_entry.
>>
>> and we already hold the dst entry, so I think it's
>> safe to call dst_release out of the write-read lock.
>>
>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> 
> I cannot find a code path where we can actually end up
> with an ip6_null_entry here and I'd much rather declare
> this condition as a bug.
> 
> Patrick McHardy added this check back in 2006:
> 
> 	commit 6c813a7297e3af4cd7c3458e09e9ee3d161c6830
> 	Author: Patrick McHardy <kaber@trash.net>
> 	Date:   Sun Aug 6 22:22:47 2006 -0700
> 
> 	    [IPV6]: Fix crash in ip6_del_rt
> 
> But the ipv6 code has changed substantially since then.

ip -6 route del ::/0 will end up with an ip6_null_entry.
so I think this checking and this patch is needed .

Re: [PATCH] ipv6: release referenct of ip6_null_entry's dst entry in __ip6_del_rt

[Gao feng]

于 2012年09月24日 12:32, Gao feng 写道:
> 于 2012年09月22日 01:16, David Miller 写道:
>> From: Gao feng <gaofeng@cn.fujitsu.com>
>> Date: Thu, 20 Sep 2012 13:25:34 +0800
>>
>>> as we hold dst_entry before we call __ip6_del_rt,
>>> so we should alse call dst_release not only return
>>> -ENOENT when the rt6_info is ip6_null_entry.
>>>
>>> and we already hold the dst entry, so I think it's
>>> safe to call dst_release out of the write-read lock.
>>>
>>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
>>
>> I cannot find a code path where we can actually end up
>> with an ip6_null_entry here and I'd much rather declare
>> this condition as a bug.
>>
>> Patrick McHardy added this check back in 2006:
>>
>> 	commit 6c813a7297e3af4cd7c3458e09e9ee3d161c6830
>> 	Author: Patrick McHardy <kaber@trash.net>
>> 	Date:   Sun Aug 6 22:22:47 2006 -0700
>>
>> 	    [IPV6]: Fix crash in ip6_del_rt
>>
>> But the ipv6 code has changed substantially since then.
> 
> ip -6 route del ::/0 will end up with an ip6_null_entry.
> so I think this checking and this patch is needed .
> 

Hi David

Can you apply this patch?
thanks!

Re: [PATCH] ipv6: release referenct of ip6_null_entry's dst entry in __ip6_del_rt

[David Miller]

From: Gao feng <gaofeng@cn.fujitsu.com>
Date: Thu, 04 Oct 2012 10:55:18 +0800

> 于 2012年09月24日 12:32, Gao feng 写道:
>> 于 2012年09月22日 01:16, David Miller 写道:
>>> From: Gao feng <gaofeng@cn.fujitsu.com>
>>> Date: Thu, 20 Sep 2012 13:25:34 +0800
>>>
>>>> as we hold dst_entry before we call __ip6_del_rt,
>>>> so we should alse call dst_release not only return
>>>> -ENOENT when the rt6_info is ip6_null_entry.
>>>>
>>>> and we already hold the dst entry, so I think it's
>>>> safe to call dst_release out of the write-read lock.
>>>>
>>>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
 ...
> Can you apply this patch?

Sorry, I've been really busy this week.  I will try to get to
this soon.

Thanks.

Re: [PATCH] ipv6: release referenct of ip6_null_entry's dst entry in __ip6_del_rt

[David Miller]

From: Gao feng <gaofeng@cn.fujitsu.com>
Date: Thu, 04 Oct 2012 10:55:18 +0800

> 于 2012年09月24日 12:32, Gao feng 写道:
>> 于 2012年09月22日 01:16, David Miller 写道:
>>> From: Gao feng <gaofeng@cn.fujitsu.com>
>>> Date: Thu, 20 Sep 2012 13:25:34 +0800
>>>
>>>> as we hold dst_entry before we call __ip6_del_rt,
>>>> so we should alse call dst_release not only return
>>>> -ENOENT when the rt6_info is ip6_null_entry.
>>>>
>>>> and we already hold the dst entry, so I think it's
>>>> safe to call dst_release out of the write-read lock.
>>>>
>>>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
 ...
> Can you apply this patch?

Applied and queued up for -stable, thanks.