• Paolo Abeni's avatar
    udp6: fix socket leak on early demux · 4ec6f731
    Paolo Abeni authored
    
    [ Upstream commit c9f2c1ae ]
    
    When an early demuxed packet reaches __udp6_lib_lookup_skb(), the
    sk reference is retrieved and used, but the relevant reference
    count is leaked and the socket destructor is never called.
    Beyond leaking the sk memory, if there are pending UDP packets
    in the receive queue, even the related accounted memory is leaked.
    
    In the long run, this will cause persistent forward allocation errors
    and no UDP skbs (both ipv4 and ipv6) will be able to reach the
    user-space.
    
    Fix this by explicitly accessing the early demux reference before
    the lookup, and properly decreasing the socket reference count
    after usage.
    
    Also drop the skb_steal_sock() in __udp6_lib_lookup_skb(), and
    the now obsoleted comment about "socket cache".
    
    The newly added code is derived from the current ipv4 code for the
    similar path.
    
    v1 -> v2:
      fixed the __udp6_lib_rcv() return code for resubmission,
      as suggested by Eric
    Reported-by: default avatarSam Edwards <CFSworks@gmail.com>
    Reported-by: default avatarMarc Haber <mh+netdev@zugschlus.de>
    Fixes: 5425077d ("net: ipv6: Add early demux handler for UDP unicast")
    Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
    Acked-by: default avatarEric Dumazet <edumazet@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    4ec6f731
udp.c 39.1 KB