ipv6: call dst_hold_safe() properly

Similar as ipv4, ipv6 path also needs to call dst_hold_safe() when
necessary to avoid double free issue on the dst.

Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 0aa36b0..2a63977 100644 (file)
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -5576,8 +5576,8 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
                                ip6_del_rt(rt);
                }
                if (ifp->rt) {
-                       dst_hold(&ifp->rt->dst);
-                       ip6_del_rt(ifp->rt);
+                       if (dst_hold_safe(&ifp->rt->dst))
+                               ip6_del_rt(ifp->rt);
                }
                rt_genid_bump_ipv6(net);
                break;

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 908b711..c52c519 100644 (file)
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1366,8 +1366,8 @@ static void ip6_link_failure(struct sk_buff *skb)
        rt = (struct rt6_info *) skb_dst(skb);
        if (rt) {
                if (rt->rt6i_flags & RTF_CACHE) {
-                       dst_hold(&rt->dst);
-                       ip6_del_rt(rt);
+                       if (dst_hold_safe(&rt->dst))
+                               ip6_del_rt(rt);
                } else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT)) {
                        rt->rt6i_node->fn_sernum = -1;
                }