| From foo@baz Tue Aug 8 16:51:58 PDT 2017 |
| From: Xin Long <lucien.xin@gmail.com> |
| Date: Wed, 26 Jul 2017 14:19:09 +0800 |
| Subject: dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly |
| |
| From: Xin Long <lucien.xin@gmail.com> |
| |
| |
| [ Upstream commit 0c2232b0a71db0ac1d22f751aa1ac0cadb950fd2 ] |
| |
| In dccp_v6_conn_request, after reqsk gets alloced and hashed into |
| ehash table, reqsk's refcnt is set 3. one is for req->rsk_timer, |
| one is for hlist, and the other one is for current using. |
| |
| The problem is when dccp_v6_conn_request returns and finishes using |
| reqsk, it doesn't put reqsk. This will cause reqsk refcnt leaks and |
| reqsk obj never gets freed. |
| |
| Jianlin found this issue when running dccp_memleak.c in a loop, the |
| system memory would run out. |
| |
| dccp_memleak.c: |
| int s1 = socket(PF_INET6, 6, IPPROTO_IP); |
| bind(s1, &sa1, 0x20); |
| listen(s1, 0x9); |
| int s2 = socket(PF_INET6, 6, IPPROTO_IP); |
| connect(s2, &sa1, 0x20); |
| close(s1); |
| close(s2); |
| |
| This patch is to put the reqsk before dccp_v6_conn_request returns, |
| just as what tcp_conn_request does. |
| |
| Reported-by: Jianlin Shi <jishi@redhat.com> |
| Signed-off-by: Xin Long <lucien.xin@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/dccp/ipv6.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/net/dccp/ipv6.c |
| +++ b/net/dccp/ipv6.c |
| @@ -376,6 +376,7 @@ static int dccp_v6_conn_request(struct s |
| goto drop_and_free; |
| |
| inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT); |
| + reqsk_put(req); |
| return 0; |
| |
| drop_and_free: |