linux/net/ipv6
Wei Yongjun 751eb6b604 ipv6: addrconf: fix dev refcont leak when DAD failed
In general, when DAD detected IPv6 duplicate address, ifp->state
will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
delayed work, the call tree should be like this:

ndisc_recv_ns
  -> addrconf_dad_failure        <- missing ifp put
     -> addrconf_mod_dad_work
       -> schedule addrconf_dad_work()
         -> addrconf_dad_stop()  <- missing ifp hold before call it

addrconf_dad_failure() called with ifp refcont holding but not put.
addrconf_dad_work() call addrconf_dad_stop() without extra holding
refcount. This will not cause any issue normally.

But the race between addrconf_dad_failure() and addrconf_dad_work()
may cause ifp refcount leak and netdevice can not be unregister,
dmesg show the following messages:

IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected!
...
unregister_netdevice: waiting for eth0 to become free. Usage count = 1

Cc: stable@vger.kernel.org
Fixes: c15b1ccadb ("ipv6: move DAD and addrconf_verify processing
to workqueue")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-09-06 14:17:49 -07:00
..
ila ila: Fix checksum neutral mapping 2016-06-15 21:40:00 -07:00
netfilter netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT 2016-08-25 12:55:34 +02:00
addrconf_core.c
addrconf.c ipv6: addrconf: fix dev refcont leak when DAD failed 2016-09-06 14:17:49 -07:00
addrlabel.c
af_inet6.c Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2016-07-29 17:38:46 -07:00
ah6.c
anycast.c
calipso.c calipso: fix resource leak on calipso_genopt failure 2016-08-13 14:56:17 -07:00
datagram.c sock: propagate __sock_cmsg_send() error 2016-05-16 13:46:23 -04:00
esp6.c
exthdrs_core.c ipv6: constify the skb pointer of ipv6_find_tlv(). 2016-06-27 15:06:15 -04:00
exthdrs_offload.c
exthdrs.c Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next 2016-07-07 10:15:34 +10:00
fib6_rules.c net: Add l3mdev rule 2016-06-08 11:36:02 -07:00
fou6.c fou: add Kconfig options for IPv6 support 2016-05-29 22:24:21 -07:00
icmp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-06-30 05:03:36 -04:00
inet6_connection_sock.c soreuseport: fast reuseport TCP socket selection 2016-02-11 03:54:15 -05:00
inet6_hashtables.c net: rename NET_{ADD|INC}_STATS_BH() 2016-04-27 22:48:24 -04:00
ip6_checksum.c ipv6: fix checksum annotation in udp6_csum_init 2016-06-14 15:26:42 -04:00
ip6_fib.c ipv6: Fix mem leak in rt6i_pcpu 2016-07-05 14:09:23 -07:00
ip6_flowlabel.c ipv6: add new struct ipcm6_cookie 2016-05-03 16:08:14 -04:00
ip6_gre.c gre: set inner_protocol on xmit 2016-08-15 13:37:12 -07:00
ip6_icmp.c ipv6: icmp: add a force_saddr param to icmp6_send() 2016-06-18 22:11:38 -07:00
ip6_input.c net: vrf: ipv6 support for local traffic to local addresses 2016-06-08 00:25:38 -07:00
ip6_offload.c ip4ip6: Support for GSO/GRO 2016-05-20 18:03:17 -04:00
ip6_offload.h udp: Add GRO functions to UDP socket 2016-04-07 16:53:29 -04:00
ip6_output.c net: vrf: Implement get_saddr for IPv6 2016-06-17 21:25:29 -07:00
ip6_tunnel.c ipv6: Don't unset flowi6_proto in ipxip6_tnl_xmit() 2016-09-01 23:41:24 -07:00
ip6_udp_tunnel.c ip_tunnel: add support for setting flow label via collect metadata 2016-03-11 15:14:26 -05:00
ip6_vti.c net: replace dst_cache ip6_tunnel implementation with the generic one 2016-02-16 20:21:48 -05:00
ip6mr.c net: ipmr/ip6mr: update lastuse on entry change 2016-07-26 15:18:31 -07:00
ipcomp6.c
ipv6_sockglue.c Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next 2016-07-07 10:15:34 +10:00
Kconfig fou: fix IPv6 Kconfig options 2016-05-31 14:07:49 -07:00
Makefile Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next 2016-07-07 10:15:34 +10:00
mcast_snoop.c
mcast.c mld, igmp: Fix reserved tailroom calculation 2016-03-03 15:41:07 -05:00
mip6.c
ndisc.c ipv6: export several functions 2016-06-15 20:41:23 -07:00
netfilter.c
output_core.c
ping.c ipv6: release dst in ping_v6_sendmsg 2016-09-06 12:54:17 -07:00
proc.c
protocol.c
raw.c ipv6: use TOS marks from sockets for routing decision 2016-06-11 15:33:26 -07:00
reassembly.c ipv6: rename IP6_INC_STATS_BH() 2016-04-27 22:48:24 -04:00
route.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-06-30 05:03:36 -04:00
sit.c sit: support MPLS over IPv4 2016-07-09 17:45:56 -04:00
syncookies.c net: rename NET_{ADD|INC}_STATS_BH() 2016-04-27 22:48:24 -04:00
sysctl_net_ipv6.c calipso: Add a label cache. 2016-06-27 15:06:17 -04:00
tcp_ipv6.c tcp: properly scale window in tcp_v[46]_reqsk_send_ack() 2016-08-23 16:55:49 -07:00
tcpv6_offload.c
tunnel6.c
udp_impl.h
udp_offload.c gso: Remove arbitrary checks for unsupported GSO 2016-05-20 18:03:15 -04:00
udp.c udp: get rid of SLAB_DESTROY_BY_RCU allocations 2016-08-23 17:46:17 -07:00
udplite.c udp: get rid of SLAB_DESTROY_BY_RCU allocations 2016-08-23 17:46:17 -07:00
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c ipv6: update skb->csum when CE mark is propagated 2016-01-15 15:07:23 -05:00
xfrm6_output.c
xfrm6_policy.c net: xfrm: fix old-style declaration 2016-06-16 22:06:30 -07:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c