4.4-stable review patch. If anyone has any objections, please let me know.
From: Xin Long <lucien....@gmail.com>
[ Upstream commit 0c2232b0a71db0ac1d22f751aa1ac0cadb950fd2 ]
In dccp_v6_conn_request, after reqsk gets alloced and hashed into
ehash table, reqsk's refcnt is set 3. one is for req->rsk_timer,
one is for hlist, and the other one is for current using.
The problem is when dccp_v6_conn_request returns and finishes using
reqsk, it doesn't put reqsk. This will cause reqsk refcnt leaks and
reqsk obj never gets freed.
Jianlin found this issue when running dccp_memleak.c in a loop, the
system memory would run out.
int s1 = socket(PF_INET6, 6, IPPROTO_IP);
bind(s1, &sa1, 0x20);
int s2 = socket(PF_INET6, 6, IPPROTO_IP);
connect(s2, &sa1, 0x20);
This patch is to put the reqsk before dccp_v6_conn_request returns,
just as what tcp_conn_request does.
Reported-by: Jianlin Shi <ji...@redhat.com>
Signed-off-by: Xin Long <lucien....@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
net/dccp/ipv6.c | 1 +
1 file changed, 1 insertion(+)
@@ -376,6 +376,7 @@ static int dccp_v6_conn_request(struct s
inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT);