Bug #347

Description

———- Forwarded message ———-
From: Eric Dumazet eric.dumazet@gmail.com
Date: Tue, Mar 27, 2012 at 12:53 PM
Subject: [PATCH] net: fix a potential rcu_read_lock() imbalance in
rt6_fill_node()
To: Ben Greear greearb@candelatech.com
Cc: David Miller davem@davemloft.net, netdev@vger.kernel.org,
gregkh@linuxfoundation.org, “Paul E. McKenney” paulmck@linux.vnet.ibm.com,
Dave Jones davej@redhat.com

Commit f2c31e32b378 (net: fix NULL dereferences in check_peer_redir() )
added a regression in rt6_fill_node(), leading to rcu_read_lock()
imbalance.

Thats because NLA_PUT() can make a jump to nla_put_failure label.

Fix this by using nla_put()

Many thanks to Ben Greear for his help

Reported-by: Ben Greear greearb@candelatech.com
Reported-by: Dave Jones davej@redhat.com
Signed-off-by: Eric Dumazet eric.dumazet@gmail.com
—
net/ipv6/route.c | 8 **–
1 file changed, 6 insertions(+), 2 deletions(-)

diff –git a/net/ipv6/route.c b/net/ipv6/route.c
index 24c456e..496b627 100644
— a/net/ipv6/route.c
**+ b/net/ipv6/route.c
@ -2474,8 +2474,12@ static int rt6_fill_node(struct net *net,

rcu_read_lock();
n = dst_get_neighbour_noref(&rt->dst);
- if (n)
- NLA_PUT(skb, RTA_GATEWAY, 16, &n->primary_key);
+ if (n) {
+ if (nla_put(skb, RTA_GATEWAY, 16, &n->primary_key) < 0) {
+ rcu_read_unlock();
+ goto nla_put_failure;
+ }
+ }
rcu_read_unlock();

if (rt->dst.dev)