git.baikalelectronics.ru Git - kernel.git/commit

author	Ido Schimmel <idosch@mellanox.com>
	Wed, 17 Jul 2019 20:39:33 +0000 (23:39 +0300)
committer	David S. Miller <davem@davemloft.net>
	Thu, 18 Jul 2019 19:01:43 +0000 (12:01 -0700)
commit	b0115eda68d5620d1577221c392f93a94c0d7e78
tree	fba907d148c12907775359f71496f2aded27f53f	tree \| snapshot
parent	ee9e433611b5e7b1d2bef0a26810c9c0870e96b2	commit \| diff

ipv6: Unlink sibling route in case of failure

When a route needs to be appended to an existing multipath route,
fib6_add_rt2node() first appends it to the siblings list and increments
the number of sibling routes on each sibling.

Later, the function notifies the route via call_fib6_entry_notifiers().
In case the notification is vetoed, the route is not unlinked from the
siblings list, which can result in a use-after-free.

Fix this by unlinking the route from the siblings list before returning
an error.

Audited the rest of the call sites from which the FIB notification chain
is called and could not find more problems.

Fixes: 49968f9c75d9 ("net/ipv6: Move call_fib6_entry_notifiers up for route adds")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Alexander Petrovskiy <alexpe@mellanox.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>