ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().

JIRA: https://issues.redhat.com/browse/RHEL-84573
Upstream Status: net.git commit 9740890
CVE: CVE-2025-22005

commit 9740890
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Tue Mar 11 18:03:25 2025 -0700

    ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().

    fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything
    when it fails.

    Commit 7dd7316 ("ipv6: Always allocate pcpu memory in a fib6_nh")
    moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init()
    but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in
    case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak.

    Let's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the
    error path.

    Note that we can remove the fib6_nh_release() call in nh_create_ipv6()
    later in net-next.git.

    Fixes: 7dd7316 ("ipv6: Always allocate pcpu memory in a fib6_nh")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Link: https://patch.msgid.link/20250312010333.56001-1-kuniyu@amazon.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Signed-off-by: Hangbin Liu <haliu@redhat.com>

Author: Hangbin Liu

net/ipv6/route.c

@@ -3650,7 +3650,8 @@ int fib6_nh_init(struct net *net, struct fib6_nh *fib6_nh,
 		in6_dev_put(idev);
 
 	if (err) {
-		lwtstate_put(fib6_nh->fib_nh_lws);
+		fib_nh_common_release(&fib6_nh->nh_common);
+		fib6_nh->nh_common.nhc_pcpu_rth_output = NULL;
 		fib6_nh->fib_nh_lws = NULL;
 		netdev_put(dev, dev_tracker);
 	}