From: David S. Miller Date: Fri, 18 Apr 2008 08:46:19 +0000 (-0700) Subject: [IPV6]: Fix dangling references on error in fib6_add(). X-Git-Tag: v2.6.26-rc1~1138^2~1 X-Git-Url: http://pilppa.com/gitweb/?a=commitdiff_plain;h=3c051235a7f115c34e675c9cf55820bd3435f860;p=linux-2.6-omap-h63xx.git [IPV6]: Fix dangling references on error in fib6_add(). Fixes bugzilla #8895 If a super-tree leaf has 'rt' assigned to it and we get an error from fib6_add_rt2node(), we'll leave a reference to 'rt' in pn->leaf and then do an unconditional dst_free(). We should prune such references. Based upon a report by Vincent Perrier. Signed-off-by: David S. Miller --- diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index b3f6e03c454..50f3f8f8a59 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -772,6 +772,10 @@ out: * If fib6_add_1 has cleared the old leaf pointer in the * super-tree leaf node we have to find a new one for it. */ + if (pn != fn && pn->leaf == rt) { + pn->leaf = NULL; + atomic_dec(&rt->rt6i_ref); + } if (pn != fn && !pn->leaf && !(pn->fn_flags & RTN_RTINFO)) { pn->leaf = fib6_find_prefix(info->nl_net, pn); #if RT6_DEBUG >= 2
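Review bot: The new block in the `out:` path is inserted between the existing comment ("If fib6_add_1 has cleared the old leaf pointer ... we have to find a new one for it") and the `if (pn != fn && !pn->leaf && ...)` test that comment describes. The comment now sits directly above code that does something different: clearing `pn->leaf` and dropping the `rt->rt6i_ref` count that the leaf pointer held. I would move the added lines above that comment, or give them a short comment of their own saying that a failed fib6_add_rt2node() can leave `pn->leaf` pointing at `rt`, which is about to go through dst_free(), so both the pointer and its reference have to be released first. The ordering is right and worth stating in that comment: setting `pn->leaf = NULL` here is what lets the following `!pn->leaf` check call fib6_find_prefix() to pick a replacement leaf. The visible context does not show the guard around this region, so please confirm it runs only when the add has failed, because on success `pn->leaf == rt` is a legitimate state and must not be pruned.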