[IPV6]: Fix races in ip6_route_{input,output}()

We need to hold refcnt before releasing rt6_lock.
Signed-off-by: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv6/route.c

@@ -476,13 +476,19 @@ void ip6_route_input(struct sk_buff *skb)
 	BACKTRACK();
 
 	if (!rt->rt6i_nexthop && !(rt->rt6i_flags & RTF_NONEXTHOP)) {
+		struct rt6_info *nrt;
+		dst_hold(&rt->u.dst);
 		read_unlock_bh(&rt6_lock);
 
-		rt = rt6_cow(rt, &skb->nh.ipv6h->daddr,
-			     &skb->nh.ipv6h->saddr);
-			
+		nrt = rt6_cow(rt, &skb->nh.ipv6h->daddr,
+			      &skb->nh.ipv6h->saddr);
+
+		dst_release(&rt->u.dst);
+		rt = nrt;
+
 		if (rt->u.dst.error != -EEXIST || --attempts <= 0)
 			goto out2;
+
 		/* Race condition! In the gap, when rt6_lock was
 		   released someone could insert this route.  Relookup.
 		*/
@@ -531,9 +537,14 @@ struct dst_entry * ip6_route_output(struct sock *sk, struct flowi *fl)
 	}
 
 	if (!rt->rt6i_nexthop && !(rt->rt6i_flags & RTF_NONEXTHOP)) {
+		struct rt6_info *nrt;
+		dst_hold(&rt->u.dst);
 		read_unlock_bh(&rt6_lock);
 
-		rt = rt6_cow(rt, &fl->fl6_dst, &fl->fl6_src);
+		nrt = rt6_cow(rt, &fl->fl6_dst, &fl->fl6_src);
+
+		dst_release(&rt->u.dst);
+		rt = nrt;
 
 		if (rt->u.dst.error != -EEXIST || --attempts <= 0)
 			goto out2;