From: Eric W. Biederman Date: Wed, 1 Feb 2006 01:51:44 +0000 (-0800) Subject: [IPV6] tcp_v6_send_synack: release the destination X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=78b910429e2c037533d2a7bd9e95b4f94f905ef8;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git [IPV6] tcp_v6_send_synack: release the destination This patch fix dst reference counting in tcp_v6_send_synack Analysis: Currently tcp_v6_send_synack is never called with a dst entry so dst always comes in as NULL. ip6_dst_lookup calls ip6_route_output which calls dst_hold before it returns the dst entry. Neither xfrm_lookup nor tcp_make_synack consume the dst entry so we still have a dst_entry with a bumped refrence count at the end of this function. Therefore we need to call dst_release just before we return just like tcp_v4_send_synack does. Signed-off-by: Eric W. Biederman Signed-off-by: David S. Miller --- diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 66d04004afda..ca9cf6853755 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -515,6 +515,7 @@ static int tcp_v6_send_synack(struct sock *sk, struct request_sock *req, done: if (opt && opt != np->opt) sock_kfree_s(sk, opt, opt->tot_len); + dst_release(dst); return err; }