Commit 7891cc81 authored by Herbert Xu's avatar Herbert Xu Committed by David S. Miller

ipv6: Fix fib6_dump_table walker leak

When a fib6 table dump is prematurely ended, we won't unlink
its walker from the list.  This causes all sorts of grief for
other users of the list later.
Reported-by: default avatarChris Caputo <ccaputo@alt.net>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 33966dd0
...@@ -298,6 +298,10 @@ static void fib6_dump_end(struct netlink_callback *cb) ...@@ -298,6 +298,10 @@ static void fib6_dump_end(struct netlink_callback *cb)
struct fib6_walker_t *w = (void*)cb->args[2]; struct fib6_walker_t *w = (void*)cb->args[2];
if (w) { if (w) {
if (cb->args[4]) {
cb->args[4] = 0;
fib6_walker_unlink(w);
}
cb->args[2] = 0; cb->args[2] = 0;
kfree(w); kfree(w);
} }
...@@ -330,15 +334,12 @@ static int fib6_dump_table(struct fib6_table *table, struct sk_buff *skb, ...@@ -330,15 +334,12 @@ static int fib6_dump_table(struct fib6_table *table, struct sk_buff *skb,
read_lock_bh(&table->tb6_lock); read_lock_bh(&table->tb6_lock);
res = fib6_walk_continue(w); res = fib6_walk_continue(w);
read_unlock_bh(&table->tb6_lock); read_unlock_bh(&table->tb6_lock);
if (res != 0) { if (res <= 0) {
if (res < 0) fib6_walker_unlink(w);
fib6_walker_unlink(w); cb->args[4] = 0;
goto end;
} }
fib6_walker_unlink(w);
cb->args[4] = 0;
} }
end:
return res; return res;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment