[PATCH 1/3] ipv6: fix a refcnt leak with peer addr

[Tim Gardner]

From: Nicolas Dichtel <nicolas.dichtel at 6wind.com>

BugLink: http://bugs.launchpad.net/bugs/1662096

There is no reason to take a refcnt before deleting the peer address route.
It's done some lines below for the local prefix route because
inet6_ifa_finish_destroy() will release it at the end.
For the peer address route, we want to free it right now.

This bug has been introduced by commit
caeaba79009c ("ipv6: add support of peer address").

Signed-off-by: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit f24062b07dda89b0e24fa48e7bc3865a725f5ee6)
Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
 net/ipv6/addrconf.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 00191a1..8ae7618 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4579,11 +4579,8 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
 
 			rt = rt6_lookup(dev_net(dev), &ifp->peer_addr, NULL,
 					dev->ifindex, 1);
-			if (rt) {
-				dst_hold(&rt->dst);
-				if (ip6_del_rt(rt))
-					dst_free(&rt->dst);
-			}
+			if (rt && ip6_del_rt(rt))
+				dst_free(&rt->dst);
 		}
 		dst_hold(&ifp->rt->dst);
 
-- 
2.7.4