net: ipv6: fix dst ref loop on input in seg6 lwt

JIRA: https://issues.redhat.com/browse/RHEL-84573
Upstream Status: net.git commit c64a072

Conflicts: context conflicts due to missing commit 40475b6
("net: ipv6: seg6_iptunnel: mitigate 2-realloc issue").

commit c64a072
Author: Justin Iurman <justin.iurman@uliege.be>
Date:   Tue Feb 25 18:51:38 2025 +0100

    net: ipv6: fix dst ref loop on input in seg6 lwt

    Prevent a dst ref loop on input in seg6_iptunnel.

    Fixes: af4a220 ("ipv6: sr: use dst_cache in seg6_input")
    Cc: David Lebrun <dlebrun@google.com>
    Cc: Ido Schimmel <idosch@nvidia.com>
    Reviewed-by: Ido Schimmel <idosch@nvidia.com>
    Signed-off-by: Justin Iurman <justin.iurman@uliege.be>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Signed-off-by: Hangbin Liu <haliu@redhat.com>

Author: Hangbin Liu

net/ipv6/seg6_iptunnel.c

@@ -455,22 +455,32 @@ static int seg6_input_core(struct net *net, struct sock *sk,
 {
 	struct dst_entry *orig_dst = skb_dst(skb);
 	struct dst_entry *dst = NULL;
+	struct lwtunnel_state *lwtst;
 	struct seg6_lwt *slwt;
 	int err;
 
 	err = seg6_do_srh(skb);
 	if (unlikely(err))
 		goto drop;
 
-	slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
+	/* We cannot dereference "orig_dst" once ip6_route_input() or
+	 * skb_dst_drop() is called. However, in order to detect a dst loop, we
+	 * need the address of its lwtstate. So, save the address of lwtstate
+	 * now and use it later as a comparison.
+	 */
+	lwtst = orig_dst->lwtstate;
+
+	slwt = seg6_lwt_lwtunnel(lwtst);
 
 	local_bh_disable();
 	dst = dst_cache_get(&slwt->cache);
 
 	if (!dst) {
 		ip6_route_input(skb);
 		dst = skb_dst(skb);
-		if (!dst->error) {
+
+		/* cache only if we don't create a dst reference loop */
+		if (!dst->error && lwtst != dst->lwtstate) {
 			dst_cache_set_ip6(&slwt->cache, dst,
 					  &ipv6_hdr(skb)->saddr);
 		}