kernel-2.6.18-194.11.1.el5.src.rpm

From: Thomas Graf <tgraf@redhat.com>
Date: Tue, 26 Jan 2010 20:46:48 -0500
Subject: [net] ipv6: fix OOPS in ip6_dst_lookup_tail
Message-id: <20100126204648.GA8165@lsx.localdomain>
Patchwork-id: 22911
O-Subject: [RHEL5.5 PATCH] ipv6: Fix OOPS in ip6_dst_lookup_tail() (bz 552354)
Bugzilla: 552354
RH-Acked-by: John Linville <linville@redhat.com>
RH-Acked-by: Neil Horman <nhorman@redhat.com>
RH-Acked-by: David S. Miller <davem@redhat.com>

Hi all -

This is a back port of commit:

commit e550dfb0c2c31b6363aa463a035fc9f8dcaa3c9b
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Tue Sep 9 13:51:35 2008 -0700

    ipv6: Fix OOPS in ip6_dst_lookup_tail().

    This fixes kernel bugzilla 11469: "TUN with 1024 neighbours:
    ip6_dst_lookup_tail NULL crash"

    dst->neighbour is not necessarily hooked up at this point
    in the processing path, so blindly dereferencing it is
    the wrong thing to do.  This NULL check exists in other
    similar paths and this case was just an oversight.

    Also fix the completely wrong and confusing indentation
    here while we're at it.

    Based upon a patch by Evgeniy Polyakov.

    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

I did not back port the indentation fix in order to keep it simple.

Satisfies BZ552354

Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 56b1c1a..b965a61 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -831,7 +831,7 @@ static int ip6_dst_lookup_tail(struct sock *sk,
 		 * dst entry and replace it instead with the
 		 * dst entry of the nexthop router
 		 */
-		if (!((*dst)->neighbour->nud_state & NUD_VALID)) {
+		if ((*dst)->neighbour && !((*dst)->neighbour->nud_state & NUD_VALID)) {
 			struct inet6_ifaddr *ifp;
 			struct flowi fl_gw;
 			int redirect;
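
Review bot: on the changed `if` line, a NULL `(*dst)->neighbour` now makes the whole condition false, so that case takes the same path as a neighbour whose state is NUD_VALID and the replacement with the nexthop router's dst entry described in the comment above is skipped. The comment should say this explicitly, for example with one added sentence stating that the neighbour may not be hooked up yet at this point and that no replacement is attempted then. As a style point, the new line comes to roughly 87 columns with its two leading tabs; since the upstream indentation cleanup was left out of this backport, breaking the condition after `&&` would keep it within 80 columns without touching the surrounding lines.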