Message ID | 20220813124907.3396-1-xiongx18@fudan.edu.cn (mailing list archive) |
---|---|
State | Accepted |
Commit | 7396ba87f1edf549284869451665c7c4e74ecd4f |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | net: fix potential refcount leak in ndisc_router_discovery() | expand |
Hello: This patch was applied to netdev/net.git (master) by David S. Miller <davem@davemloft.net>: On Sat, 13 Aug 2022 20:49:08 +0800 you wrote: > The issue happens on specific paths in the function. After both the > object `rt` and `neigh` are grabbed successfully, when `lifetime` is > nonzero but the metric needs change, the function just deletes the > route and set `rt` to NULL. Then, it may try grabbing `rt` and `neigh` > again if above conditions hold. The function simply overwrite `neigh` > if succeeds or returns if fails, without decreasing the reference > count of previous `neigh`. This may result in memory leaks. > > [...] Here is the summary with links: - net: fix potential refcount leak in ndisc_router_discovery() https://git.kernel.org/netdev/net/c/7396ba87f1ed You are awesome, thank you!
Hi Xin Any reason why you are not adding this code under the if (rt && (lifetime == 0 || rt->fib6_metric != defrtr_usr_metric)) block ? i.e. while route deletion.
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index 98453693e400..3a553494ff16 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c @@ -1378,6 +1378,9 @@ static void ndisc_router_discovery(struct sk_buff *skb) if (!rt && lifetime) { ND_PRINTK(3, info, "RA: adding default router\n"); + if (neigh) + neigh_release(neigh); + rt = rt6_add_dflt_router(net, &ipv6_hdr(skb)->saddr, skb->dev, pref, defrtr_usr_metric); if (!rt) {