Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7891cc81 authored by Herbert Xu's avatar Herbert Xu Committed by David S. Miller
Browse files

ipv6: Fix fib6_dump_table walker leak 



When a fib6 table dump is prematurely ended, we won't unlink
its walker from the list.  This causes all sorts of grief for
other users of the list later.

Reported-by: default avatarChris Caputo <ccaputo@alt.net>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 33966dd0

net/ipv6/ip6_fib.c

+8 −7
Original line number Diff line number Diff line
@@ -298,6 +298,10 @@ static void fib6_dump_end(struct netlink_callback *cb) 
	struct fib6_walker_t *w = (void*)cb->args[2];



	if (w) {

		if (cb->args[4]) {

			cb->args[4] = 0;

			fib6_walker_unlink(w);

		}

		cb->args[2] = 0;

		kfree(w);

	}
@@ -330,15 +334,12 @@ static int fib6_dump_table(struct fib6_table *table, struct sk_buff *skb, 
		read_lock_bh(&table->tb6_lock);

		res = fib6_walk_continue(w);

		read_unlock_bh(&table->tb6_lock);

		if (res != 0) {

			if (res < 0)

				fib6_walker_unlink(w);

			goto end;

		}

		if (res <= 0) {

			fib6_walker_unlink(w);

			cb->args[4] = 0;

		}

end:

	}



	return res;

}