[PATCH AUTOSEL for 4.9 086/293] ip6_tunnel: fix potential issue in __ip6_tnl_rcv
From: Sasha Levin
Date: Sun Apr 08 2018 - 22:27:16 EST
From: Haishuang Yan <yanhaishuang@xxxxxxxxxxxxxxxxxxxx>
[ Upstream commit f1925ca50deb48eddafc01bc12c2a17bfbf54425 ]
When __ip6_tnl_rcv fails, the tun_dst won't be freed, so call
dst_release to free it in error code path.
Fixes: 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnels")
CC: Alexei Starovoitov <ast@xxxxxx>
Tested-by: Zhang Shengju <zhangshengju@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Haishuang Yan <yanhaishuang@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <alexander.levin@xxxxxxxxxxxxx>
---
net/ipv6/ip6_tunnel.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index a2fcf7bdb597..5a009807ac2f 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -859,6 +859,8 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
return 0;
drop:
+ if (tun_dst)
+ dst_release((struct dst_entry *)tun_dst);
kfree_skb(skb);
return 0;
}
--
2.15.1