David, I was looking at addrconf_permanent_addr() and wondered
if there is not some problem with it.

It seems we need to increment ifp refcount before calling
ipv6_del_addr().

Could you double check if this patch is needed? I am guessing you have a
test suite exercising this code path.

Thanks.

PS: Presumably CONFIG_REFCOUNT_FULL=y should have warned you of the
problem.

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 
4a96ebbf8eda5f59a6ff88e836d666a404d2bf0d..8a1c846d3df949a4638589f187120db22a3525ba
 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3335,6 +3335,7 @@ static void addrconf_permanent_addr(struct net_device 
*dev)
                if ((ifp->flags & IFA_F_PERMANENT) &&
                    fixup_permanent_addr(idev, ifp) < 0) {
                        write_unlock_bh(&idev->lock);
+                       in6_ifa_hold(ifp);
                        ipv6_del_addr(ifp);
                        write_lock_bh(&idev->lock);
 
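Review bot: The added in6_ifa_hold(ifp) sits after write_unlock_bh(&idev->lock), so the extra reference is taken only once the lock that was protecting ifp has been dropped. Taking the hold just before the unlock would leave no window between releasing idev->lock and pinning ifp. A one-line comment stating that the hold is the reference ipv6_del_addr() consumes would also help, since no matching put appears in this hunk and the pairing is not obvious from the visible lines.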

