From 8ade06c616b34b4237c0ed77d1ff0ce04ad7d056 Mon Sep 17 00:00:00 2001
From: "David S. Miller"
Date: Thu, 29 Dec 2011 18:51:57 -0500
Subject: [PATCH] ipv6: Fix neigh lookup using NULL device.
In some of the rt6_bind_neighbour() call sites, it hasn't hooked up the rt->dst.dev pointer yet, so we'd deref a NULL pointer when obtaining dev->ifindex for the neighbour hash function computation. Just pass the netdevice explicitly in to fix this problem.
Reported-by: Bjarke Istrup Pedersen
Signed-off-by: David S. Miller
---
 net/ipv6/route.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 30de9e74a813..4a62c47599b4 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -129,11 +129,14 @@ static struct neighbour *ip6_neigh_lookup(const struct dst_entry *dst, const voi
 return neigh_create(&nd_tbl, daddr, dst->dev);
 }
-static int rt6_bind_neighbour(struct rt6_info *rt)
+static int rt6_bind_neighbour(struct rt6_info *rt, struct net_device *dev)
 {
- struct neighbour *n = ip6_neigh_lookup(&rt->dst, &rt->rt6i_gateway);
- if (IS_ERR(n))
- return PTR_ERR(n);
+ struct neighbour *n = __ipv6_neigh_lookup(&nd_tbl, dev, &rt->rt6i_gateway);
+ if (!n) {
+ n = neigh_create(&nd_tbl, &rt->rt6i_gateway, dev);
+ if (IS_ERR(n))
+ return PTR_ERR(n);
+ }
 dst_set_neighbour(&rt->dst, n);
 return 0;
@@ -746,7 +749,7 @@ static struct rt6_info *rt6_alloc_cow(const struct rt6_info *ort,
 #endif
 retry:
- if (rt6_bind_neighbour(rt)) {
+ if (rt6_bind_neighbour(rt, rt->dst.dev)) {
 struct net *net = dev_net(rt->dst.dev);
 int saved_rt_min_interval = net->ipv6.sysctl.ip6_rt_gc_min_interval;
@@ -1397,7 +1400,7 @@ int ip6_route_add(struct fib6_config *cfg)
 rt->rt6i_prefsrc.plen = 0;
 if (cfg->fc_flags & (RTF_GATEWAY | RTF_NONEXTHOP)) {
- err = rt6_bind_neighbour(rt);
+ err = rt6_bind_neighbour(rt, dev);
 if (err) goto out;
 }
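Review bot: rt6_bind_neighbour() uses its new `dev` parameter without validating it: the pointer goes straight into `__ipv6_neigh_lookup(&nd_tbl, dev, &rt->rt6i_gateway)` and `neigh_create(&nd_tbl, &rt->rt6i_gateway, dev)`, and per the commit message the neighbour hash reads `dev->ifindex`, so a NULL from any caller would reproduce the oops this patch fixes. Because the function no longer derives the device from `rt`, the non-NULL requirement is now an unstated caller contract. I would either state it in a comment above the function, `/* dev must be non-NULL and be the device rt will be bound to */`, or fail closed with `if (WARN_ON_ONCE(!dev)) return -ENODEV;` before the lookup. The function's closing brace is outside the hunk.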
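Review bot: The rt6_alloc_cow() call at `retry:` still passes `rt->dst.dev`, the very field the commit message describes as not always hooked up when rt6_bind_neighbour() runs, and the same holds for the call in the addrconf_dst_alloc() hunk. In rt6_alloc_cow() the next context line already calls `dev_net(rt->dst.dev)`, which suggests the pointer is expected to be set there, but neither hunk shows where it is assigned. A one-line comment at each call, for example `/* rt->dst.dev was set when rt was allocated */` if that is indeed the case, would make the assumption checkable. Both functions start and end outside their hunks.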
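Review bot: In ip6_route_add() the call `err = rt6_bind_neighbour(rt, dev);` is the only site that passes a local `dev` rather than `rt->dst.dev`, and nothing in the hunk says why or shows that `dev` has been checked for NULL before this point. Presumably this is the call site where `rt->dst.dev` is assigned later; a comment such as `/* rt->dst.dev is not assigned yet, bind against the resolved dev */` would keep a later cleanup from reverting to `rt->dst.dev`. The function begins and ends outside the hunk, so the earlier validation of `dev` needs confirming there.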
@@ -2084,7 +2087,7 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
 rt->rt6i_flags |= RTF_ANYCAST;
 else rt->rt6i_flags |= RTF_LOCAL;
- err = rt6_bind_neighbour(rt);
+ err = rt6_bind_neighbour(rt, rt->dst.dev);
 if (err) {
 dst_free(&rt->dst);
 return ERR_PTR(err);
--
2.34.1