• dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly · 01c23dff
    Xin Long authored
    
    [ Upstream commit 0c2232b0 ]
    
    In dccp_v6_conn_request, after reqsk gets alloced and hashed into
    ehash table, reqsk's refcnt is set to 3. One is for req->rsk_timer,
    one is for hlist, and the other one is for current using.
    
    The problem is when dccp_v6_conn_request returns and finishes using
    reqsk, it doesn't put reqsk. This will cause reqsk refcnt leaks and
    reqsk obj never gets freed.
    
    Jianlin found this issue when running dccp_memleak.c in a loop, the
    system memory would run out.
    
    dccp_memleak.c:
      int s1 = socket(PF_INET6, 6, IPPROTO_IP);
      bind(s1, &sa1, 0x20);
      listen(s1, 0x9);
      int s2 = socket(PF_INET6, 6, IPPROTO_IP);
      connect(s2, &sa1, 0x20);
      close(s1);
      close(s2);
    
    This patch is to put the reqsk before dccp_v6_conn_request returns,
    just as what tcp_conn_request does.
    Reported-by: Jianlin Shi <jishi@redhat.com>
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ipv6.c 29.6 KB
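
The reference accounting described in the commit message, as an added userspace model (not kernel code and not part of the commit). The `model_*` names, the `freed` flag and the teardown sequence (timer and hash list each dropping their reference) are assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical stand-in for a request sock: only the refcount matters here. */
struct model_reqsk {
    int refcnt;
    int freed;   /* set where the kernel would free the object */
};

/* Drop one reference; the object is released when the count hits zero. */
static void model_put(struct model_reqsk *req)
{
    if (--req->refcnt == 0)
        req->freed = 1;
}

/* Models the conn_request path: the object starts with three references
 * (rsk_timer, hash list, current user). With fixed == 0 the caller's
 * reference is never dropped, which is the leak the commit describes. */
static void model_conn_request(struct model_reqsk *req, int fixed)
{
    req->refcnt = 3;
    req->freed = 0;
    if (fixed)
        model_put(req);   /* the put added before returning */
}

/* Assumed teardown: the timer and the hash list each give up their reference. */
static void model_teardown(struct model_reqsk *req)
{
    model_put(req);   /* rsk_timer reference */
    model_put(req);   /* hash list reference */
}

/* Number of request objects never freed after n connection attempts. */
static int model_leaked_after(int n, int fixed)
{
    int leaked = 0;
    for (int i = 0; i < n; i++) {
        struct model_reqsk req;
        model_conn_request(&req, fixed);
        model_teardown(&req);
        if (!req.freed)
            leaked++;   /* refcnt is stuck at 1: nothing will ever drop it */
    }
    return leaked;
}

int main(void)
{
    printf("without put: %d leaked\n", model_leaked_after(1000, 0));
    printf("with put:    %d leaked\n", model_leaked_after(1000, 1));
    return 0;
}
```

Every attempt on the unfixed path leaves one object with a residual count of 1, which matches the report that memory runs out when the reproducer is looped.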