Re: [patch 23/28] ipv6: Fix OOPS in ip6_dst_lookup_tail().

From: Neil Horman
Date: Mon Oct 06 2008 - 19:53:39 EST


On Mon, Oct 06, 2008 at 04:17:50PM -0700, Greg KH wrote:
> 2.6.25-stable review patch. If anyone has any objections, please let us
> know.
>


Ack, Thanks Greg.
Neil

> ------------------
> From: Neil Horman <nhorman@xxxxxxxxxxxxx>
>
> [ Upstream commit e550dfb0c2c31b6363aa463a035fc9f8dcaa3c9b ]
>
> This fixes kernel bugzilla 11469: "TUN with 1024 neighbours:
> ip6_dst_lookup_tail NULL crash"
>
> dst->neighbour is not necessarily hooked up at this point
> in the processing path, so blindly dereferencing it is
> the wrong thing to do. This NULL check exists in other
> similar paths and this case was just an oversight.
>
> Also fix the completely wrong and confusing indentation
> here while we're at it.
>
> Based upon a patch by Evgeniy Polyakov.
>
> Signed-off-by: Neil Horman <nhorman@xxxxxxxxxxxxx>
> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
>
> ---
> net/ipv6/ip6_output.c | 64 +++++++++++++++++++++++++-------------------------
> 1 file changed, 32 insertions(+), 32 deletions(-)
>
> --- a/net/ipv6/ip6_output.c
> +++ b/net/ipv6/ip6_output.c
> @@ -930,39 +930,39 @@ static int ip6_dst_lookup_tail(struct so
> }
>
> #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
> - /*
> - * Here if the dst entry we've looked up
> - * has a neighbour entry that is in the INCOMPLETE
> - * state and the src address from the flow is
> - * marked as OPTIMISTIC, we release the found
> - * dst entry and replace it instead with the
> - * dst entry of the nexthop router
> - */
> - if (!((*dst)->neighbour->nud_state & NUD_VALID)) {
> - struct inet6_ifaddr *ifp;
> - struct flowi fl_gw;
> - int redirect;
> -
> - ifp = ipv6_get_ifaddr(&init_net, &fl->fl6_src,
> - (*dst)->dev, 1);
> -
> - redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC);
> - if (ifp)
> - in6_ifa_put(ifp);
> -
> - if (redirect) {
> - /*
> - * We need to get the dst entry for the
> - * default router instead
> - */
> - dst_release(*dst);
> - memcpy(&fl_gw, fl, sizeof(struct flowi));
> - memset(&fl_gw.fl6_dst, 0, sizeof(struct in6_addr));
> - *dst = ip6_route_output(sk, &fl_gw);
> - if ((err = (*dst)->error))
> - goto out_err_release;
> - }
> + /*
> + * Here if the dst entry we've looked up
> + * has a neighbour entry that is in the INCOMPLETE
> + * state and the src address from the flow is
> + * marked as OPTIMISTIC, we release the found
> + * dst entry and replace it instead with the
> + * dst entry of the nexthop router
> + */
> + if ((*dst)->neighbour && !((*dst)->neighbour->nud_state & NUD_VALID)) {
> + struct inet6_ifaddr *ifp;
> + struct flowi fl_gw;
> + int redirect;
> +
> + ifp = ipv6_get_ifaddr(&init_net, &fl->fl6_src,
> + (*dst)->dev, 1);
> +
> + redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC);
> + if (ifp)
> + in6_ifa_put(ifp);
> +
> + if (redirect) {
> + /*
> + * We need to get the dst entry for the
> + * default router instead
> + */
> + dst_release(*dst);
> + memcpy(&fl_gw, fl, sizeof(struct flowi));
> + memset(&fl_gw.fl6_dst, 0, sizeof(struct in6_addr));
> + *dst = ip6_route_output(sk, &fl_gw);
> + if ((err = (*dst)->error))
> + goto out_err_release;
> }
> + }
> #endif
>
> return 0;
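
Review bot: The comment above the new `if ((*dst)->neighbour && !((*dst)->neighbour->nud_state & NUD_VALID))` test still describes only the INCOMPLETE-state case. It does not say that a dst with no neighbour attached now skips the optimistic-DAD redirect entirely; one added sentence there would record why the NULL test exists and that skipping is the intended outcome. Separately, the only functional change is that one condition, but it is carried inside a re-indentation of the whole block (32 insertions, 32 deletions). For a stable backport the fix would be easier to verify if the whitespace cleanup were a separate patch.
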
>
> --
>

--
/****************************************************
* Neil Horman <nhorman@xxxxxxxxxxxxx>
* Software Engineer, Red Hat
****************************************************/