In smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable
resolved by ip_route_output_flow() are not released or put before return.
It may cause the refcount leak, so fix it.
Link: https://lore.kernel.org/r/[email protected]
Fixes: e5c4744cfb59 ("net/smc: add SMC-Rv2 connection establishment")
Signed-off-by: Wen Gu <[email protected]>
---
v2->v1
- call ip_rt_put() to release rt as well.
---
net/smc/smc_ib.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
index 97704a9e84c7..9297dc20bfe2 100644
--- a/net/smc/smc_ib.c
+++ b/net/smc/smc_ib.c
@@ -209,13 +209,18 @@ int smc_ib_find_route(struct net *net, __be32 saddr, __be32 daddr,
if (IS_ERR(rt))
goto out;
if (rt->rt_uses_gateway && rt->rt_gw_family != AF_INET)
- goto out;
- neigh = rt->dst.ops->neigh_lookup(&rt->dst, NULL, &fl4.daddr);
- if (neigh) {
- memcpy(nexthop_mac, neigh->ha, ETH_ALEN);
- *uses_gateway = rt->rt_uses_gateway;
- return 0;
- }
+ goto out_rt;
+ neigh = dst_neigh_lookup(&rt->dst, &fl4.daddr);
+ if (!neigh)
+ goto out_rt;
+ memcpy(nexthop_mac, neigh->ha, ETH_ALEN);
+ *uses_gateway = rt->rt_uses_gateway;
+ neigh_release(neigh);
+ ip_rt_put(rt);
+ return 0;
+
+out_rt:
+ ip_rt_put(rt);
out:
return -ENOENT;
}
--
2.32.0.3.g01195cf9f
On 07.05.24 14:53, Wen Gu wrote:
> In smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable
> resolved by ip_route_output_flow() are not released or put before return.
> It may cause the refcount leak, so fix it.
>
> Link: https://lore.kernel.org/r/[email protected]
> Fixes: e5c4744cfb59 ("net/smc: add SMC-Rv2 connection establishment")
> Signed-off-by: Wen Gu <[email protected]>
> ---
> v2->v1
> - call ip_rt_put() to release rt as well.
> ---
> net/smc/smc_ib.c | 19 ++++++++++++-------
> 1 file changed, 12 insertions(+), 7 deletions(-)
>
> diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
> index 97704a9e84c7..9297dc20bfe2 100644
> --- a/net/smc/smc_ib.c
> +++ b/net/smc/smc_ib.c
> @@ -209,13 +209,18 @@ int smc_ib_find_route(struct net *net, __be32 saddr, __be32 daddr,
> if (IS_ERR(rt))
> goto out;
> if (rt->rt_uses_gateway && rt->rt_gw_family != AF_INET)
> - goto out;
> - neigh = rt->dst.ops->neigh_lookup(&rt->dst, NULL, &fl4.daddr);
> - if (neigh) {
> - memcpy(nexthop_mac, neigh->ha, ETH_ALEN);
> - *uses_gateway = rt->rt_uses_gateway;
> - return 0;
> - }
> + goto out_rt;
> + neigh = dst_neigh_lookup(&rt->dst, &fl4.daddr);
> + if (!neigh)
> + goto out_rt;
> + memcpy(nexthop_mac, neigh->ha, ETH_ALEN);
> + *uses_gateway = rt->rt_uses_gateway;
> + neigh_release(neigh);
> + ip_rt_put(rt);
> + return 0;
> +
> +out_rt:
> + ip_rt_put(rt);
> out:
> return -ENOENT;
> }
Thank you for fixing it!
Reviewed-and-tested-by: Wenjia Zhang <[email protected]>
Hello:
This patch was applied to netdev/net.git (main)
by Paolo Abeni <[email protected]>:
On Tue, 7 May 2024 20:53:31 +0800 you wrote:
> In smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable
> resolved by ip_route_output_flow() are not released or put before return.
> It may cause the refcount leak, so fix it.
>
> Link: https://lore.kernel.org/r/[email protected]
> Fixes: e5c4744cfb59 ("net/smc: add SMC-Rv2 connection establishment")
> Signed-off-by: Wen Gu <[email protected]>
>
> [...]
Here is the summary with links:
- [net,v2] net/smc: fix neighbour and rtable leak in smc_ib_find_route()
https://git.kernel.org/netdev/net/c/2ddc0dd7fec8
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html