diff options
| author | Xin Long <lucien.xin@gmail.com> | 2017-07-26 02:19:09 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-07-27 03:01:05 -0400 |
| commit | 0c2232b0a71db0ac1d22f751aa1ac0cadb950fd2 (patch) | |
| tree | 2f4a859da0fc7891d6e06e923e2405b16b2938e0 | |
| parent | d777b2ddbecf509bc61ee4f0fe0d3b5a909d698a (diff) | |
dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly
In dccp_v6_conn_request, after reqsk gets alloced and hashed into
ehash table, reqsk's refcnt is set 3. one is for req->rsk_timer,
one is for hlist, and the other one is for current using.
The problem is when dccp_v6_conn_request returns and finishes using
reqsk, it doesn't put reqsk. This will cause reqsk refcnt leaks and
reqsk obj never gets freed.
Jianlin found this issue when running dccp_memleak.c in a loop, the
system memory would run out.
dccp_memleak.c:
int s1 = socket(PF_INET6, 6, IPPROTO_IP);
bind(s1, &sa1, 0x20);
listen(s1, 0x9);
int s2 = socket(PF_INET6, 6, IPPROTO_IP);
connect(s2, &sa1, 0x20);
close(s1);
close(s2);
This patch is to put the reqsk before dccp_v6_conn_request returns,
just as what tcp_conn_request does.
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/dccp/ipv6.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index c376af5bfdfb..1b58eac8aad3 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c | |||
| @@ -380,6 +380,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) | |||
| 380 | goto drop_and_free; | 380 | goto drop_and_free; |
| 381 | 381 | ||
| 382 | inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT); | 382 | inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT); |
| 383 | reqsk_put(req); | ||
| 383 | return 0; | 384 | return 0; |
| 384 | 385 | ||
| 385 | drop_and_free: | 386 | drop_and_free: |