Patch "dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly" has been added to the 4.12-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly

to the 4.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     dccp-fix-a-memleak-that-dccp_ipv6-doesn-t-put-reqsk-properly.patch
and it can be found in the queue-4.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From foo@baz Tue Aug  8 16:27:29 PDT 2017
From: Xin Long <lucien.xin@xxxxxxxxx>
Date: Wed, 26 Jul 2017 14:19:09 +0800
Subject: dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly

From: Xin Long <lucien.xin@xxxxxxxxx>


[ Upstream commit 0c2232b0a71db0ac1d22f751aa1ac0cadb950fd2 ]

In dccp_v6_conn_request, after reqsk gets alloced and hashed into
ehash table, reqsk's refcnt is set 3. one is for req->rsk_timer,
one is for hlist, and the other one is for current using.

The problem is when dccp_v6_conn_request returns and finishes using
reqsk, it doesn't put reqsk. This will cause reqsk refcnt leaks and
reqsk obj never gets freed.

Jianlin found this issue when running dccp_memleak.c in a loop, the
system memory would run out.

dccp_memleak.c:
  int s1 = socket(PF_INET6, 6, IPPROTO_IP);
  bind(s1, &sa1, 0x20);
  listen(s1, 0x9);
  int s2 = socket(PF_INET6, 6, IPPROTO_IP);
  connect(s2, &sa1, 0x20);
  close(s1);
  close(s2);

This patch is to put the reqsk before dccp_v6_conn_request returns,
just as what tcp_conn_request does.

Reported-by: Jianlin Shi <jishi@xxxxxxxxxx>
Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/dccp/ipv6.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -380,6 +380,7 @@ static int dccp_v6_conn_request(struct s
 		goto drop_and_free;
 
 	inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT);
+	reqsk_put(req);
 	return 0;
 
 drop_and_free:


Patches currently in stable-queue which might be from lucien.xin@xxxxxxxxx are

queue-4.12/sctp-fix-the-check-for-_sctp_walk_params-and-_sctp_walk_errors.patch
queue-4.12/dccp-fix-a-memleak-that-dccp_ipv6-doesn-t-put-reqsk-properly.patch
queue-4.12/dccp-fix-a-memleak-that-dccp_ipv4-doesn-t-put-reqsk-properly.patch
queue-4.12/dccp-fix-a-memleak-for-dccp_feat_init-err-process.patch
queue-4.12/sctp-fix-an-array-overflow-when-all-ext-chunks-are-set.patch
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]