On Thu, 2017-07-27 at 14:45 +0200, Paolo Abeni wrote: > When an early demuxed packet reaches __udp6_lib_lookup_skb(), the > sk reference is retrieved and used, but the relevant reference > count is leaked and the socket destructor is never called. > Beyond leaking the sk memory, if there are pending UDP packets > in the receive queue, even the related accounted memory is leaked. > > In the long run, this will cause persistent forward allocation errors > and no UDP skbs (both ipv4 and ipv6) will be able to reach the > user-space. > > Fix this by explicitly accessing the early demux reference before > the lookup, and properly decreasing the socket reference count > after usage. > > Also drop the skb_steal_sock() in __udp6_lib_lookup_skb(), and > the now obsoleted comment about "socket cache". > > The newly added code is derived from the current ipv4 code for the > similar path. > > v1 -> v2: > fixed the __udp6_lib_rcv() return code for resubmission, > as suggested by Eric > > Reported-by: Sam Edwards <[email protected]> > Reported-by: Marc Haber <[email protected]> > Fixes: 5425077d73e0 ("net: ipv6: Add early demux handler for UDP unicast") > Signed-off-by: Paolo Abeni <[email protected]> > ---
Acked-by: Eric Dumazet <[email protected]>
