diff options
| author | Xin Long <lucien.xin@gmail.com> | 2017-07-26 14:19:09 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-08-11 08:49:33 -0700 |
| commit | 9ffa6727f5712b8774b265b0a3c020acb9da726e (patch) | |
| tree | f826f2ac77a5fb2147fba43c4775dfcfbf67efbf /net/dccp/ipv6.c | |
| parent | c0c8688f0debfef57af1f3a48cee4027ef7f50ab (diff) | |
| download | linux-rt-9ffa6727f5712b8774b265b0a3c020acb9da726e.tar.gz | |
dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly
[ Upstream commit 0c2232b0a71db0ac1d22f751aa1ac0cadb950fd2 ]
In dccp_v6_conn_request, after reqsk gets alloced and hashed into
ehash table, reqsk's refcnt is set 3. one is for req->rsk_timer,
one is for hlist, and the other one is for current using.
The problem is when dccp_v6_conn_request returns and finishes using
reqsk, it doesn't put reqsk. This will cause reqsk refcnt leaks and
reqsk obj never gets freed.
Jianlin found this issue when running dccp_memleak.c in a loop, the
system memory would run out.
dccp_memleak.c:
int s1 = socket(PF_INET6, 6, IPPROTO_IP);
bind(s1, &sa1, 0x20);
listen(s1, 0x9);
int s2 = socket(PF_INET6, 6, IPPROTO_IP);
connect(s2, &sa1, 0x20);
close(s1);
close(s2);
This patch is to put the reqsk before dccp_v6_conn_request returns,
just as what tcp_conn_request does.
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/dccp/ipv6.c')
| -rw-r--r-- | net/dccp/ipv6.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index 2ac9d2a1aaab..28e8252cc5ea 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -380,6 +380,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) goto drop_and_free; inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT); + reqsk_put(req); return 0; drop_and_free: |