net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels

commit c71a192976ded2f2f416d03c4f595cdd4478b825 upstream.

dst_cache_get() gives us a reference, we need to release it.

Discovered by the ioam6.sh test, kmemleak was recently fixed
to catch per-cpu memory leaks.

Fixes: 985ec6f5e623 ("net: ipv6: rpl_iptunnel: mitigate 2-realloc issue")
Fixes: 40475b63761a ("net: ipv6: seg6_iptunnel: mitigate 2-realloc issue")
Fixes: dce525185bc9 ("net: ipv6: ioam6_iptunnel: mitigate 2-realloc issue")
Reviewed-by: Justin Iurman <justin.iurman@uliege.be>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250130031519.2716843-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/ipv6/ioam6_iptunnel.c b/net/ipv6/ioam6_iptunnel.c
index fb6cb540cd1bc82f4fd1ef3c553715af7c81648d..4215cebe7d85a9ebc2c1c462357c64a4109c2642 100644 (file)
--- a/net/ipv6/ioam6_iptunnel.c
+++ b/net/ipv6/ioam6_iptunnel.c
@@ -338,7 +338,7 @@ static int ioam6_do_encap(struct net *net, struct sk_buff *skb,
 
 static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
-       struct dst_entry *dst = skb_dst(skb), *cache_dst;
+       struct dst_entry *dst = skb_dst(skb), *cache_dst = NULL;
        struct in6_addr orig_daddr;
        struct ioam6_lwt *ilwt;
        int err = -EINVAL;
@@ -409,7 +409,6 @@ do_encap:
                cache_dst = ip6_route_output(net, NULL, &fl6);
                if (cache_dst->error) {
                        err = cache_dst->error;
-                       dst_release(cache_dst);
                        goto drop;
                }
 
@@ -431,8 +430,10 @@ do_encap:
                return dst_output(net, sk, skb);
        }
 out:
+       dst_release(cache_dst);
        return dst->lwtstate->orig_output(net, sk, skb);
 drop:
+       dst_release(cache_dst);
        kfree_skb(skb);
        return err;
 }

diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c
index be084089ec783a9ce735e98518e2bda730e5fa19..0ac4283acdf20c2f2c10cd0f9ec586a0645c129e 100644 (file)
--- a/net/ipv6/rpl_iptunnel.c
+++ b/net/ipv6/rpl_iptunnel.c
@@ -232,7 +232,6 @@ static int rpl_output(struct net *net, struct sock *sk, struct sk_buff *skb)
                dst = ip6_route_output(net, NULL, &fl6);
                if (dst->error) {
                        err = dst->error;
-                       dst_release(dst);
                        goto drop;
                }
 
@@ -254,6 +253,7 @@ static int rpl_output(struct net *net, struct sock *sk, struct sk_buff *skb)
        return dst_output(net, sk, skb);
 
 drop:
+       dst_release(dst);
        kfree_skb(skb);
        return err;
 }
@@ -272,8 +272,10 @@ static int rpl_input(struct sk_buff *skb)
        local_bh_enable();
 
        err = rpl_do_srh(skb, rlwt, dst);
-       if (unlikely(err))
+       if (unlikely(err)) {
+               dst_release(dst);
                goto drop;
+       }
 
        if (!dst) {
                ip6_route_input(skb);

diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
index 316dbc2694f2aa1d4434ffc4290b1edaafbcb8f2..33833b2064c072b7f1647cc41392bccbb11eb275 100644 (file)
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -482,8 +482,10 @@ static int seg6_input_core(struct net *net, struct sock *sk,
        local_bh_enable();
 
        err = seg6_do_srh(skb, dst);
-       if (unlikely(err))
+       if (unlikely(err)) {
+               dst_release(dst);
                goto drop;
+       }
 
        if (!dst) {
                ip6_route_input(skb);
@@ -571,7 +573,6 @@ static int seg6_output_core(struct net *net, struct sock *sk,
                dst = ip6_route_output(net, NULL, &fl6);
                if (dst->error) {
                        err = dst->error;
-                       dst_release(dst);
                        goto drop;
                }
 
@@ -596,6 +597,7 @@ static int seg6_output_core(struct net *net, struct sock *sk,
 
        return dst_output(net, sk, skb);
 drop:
+       dst_release(dst);
        kfree_skb(skb);
        return err;
 }