Herbert Xu <[EMAIL PROTECTED]> writes: > On Wed, Jan 25, 2006 at 08:12:02PM +0000, Eric W. Biederman wrote: >> >> Unfortunately because we have already call rt6_ifdown() the route is >> not found in the routing table, the dst_free does not decrement the >> count and is therefore unable to free the dst entry because the count >> is still elevated. > > If rt6_ifdown has already kicked the route out, then the dst ref count > should be zero. Even if someone is still holding onto it dst_free will > attach the entry to the GC list which means that it'll be freed when it > eventually does hit zero. > > The ref count held by ipv6_ifa_notify is dropped by ip6_del_rt in case > of an error.
That probably explains the dst_free in there, but we may also need a dst_release as well. The problem is that struct ifa holds a reference. When we call ipv6_ifa_notify that reference is decremented, if and only if the route is in the routing table. ip6_del_rt does unconditionally decrement the reference count however we just called dst_hold (which incremented the reference count) just prior to calling ip6_del_rt. So it does not remove the reference from the ifa. ip6_del_rt can't do anything else because the route is not in the routing table. I don't know if my fix is correct, and fixing ipv6_ifa_notify is quite possibly better but I haven't been through all of the paths that call it to know what needs to happen there. However I do know I have correctly found the leak. Eric - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html