This is a note to let you know that I've just added the patch titled dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly to the 4.12-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: dccp-fix-a-memleak-that-dccp_ipv6-doesn-t-put-reqsk-properly.patch and it can be found in the queue-4.12 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Tue Aug 8 16:27:29 PDT 2017 From: Xin Long <lucien.xin@xxxxxxxxx> Date: Wed, 26 Jul 2017 14:19:09 +0800 Subject: dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly From: Xin Long <lucien.xin@xxxxxxxxx> [ Upstream commit 0c2232b0a71db0ac1d22f751aa1ac0cadb950fd2 ] In dccp_v6_conn_request, after reqsk gets alloced and hashed into ehash table, reqsk's refcnt is set 3. one is for req->rsk_timer, one is for hlist, and the other one is for current using. The problem is when dccp_v6_conn_request returns and finishes using reqsk, it doesn't put reqsk. This will cause reqsk refcnt leaks and reqsk obj never gets freed. Jianlin found this issue when running dccp_memleak.c in a loop, the system memory would run out. dccp_memleak.c: int s1 = socket(PF_INET6, 6, IPPROTO_IP); bind(s1, &sa1, 0x20); listen(s1, 0x9); int s2 = socket(PF_INET6, 6, IPPROTO_IP); connect(s2, &sa1, 0x20); close(s1); close(s2); This patch is to put the reqsk before dccp_v6_conn_request returns, just as what tcp_conn_request does. Reported-by: Jianlin Shi <jishi@xxxxxxxxxx> Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/dccp/ipv6.c | 1 + 1 file changed, 1 insertion(+) --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -380,6 +380,7 @@ static int dccp_v6_conn_request(struct s goto drop_and_free; inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT); + reqsk_put(req); return 0; drop_and_free: Patches currently in stable-queue which might be from lucien.xin@xxxxxxxxx are queue-4.12/sctp-fix-the-check-for-_sctp_walk_params-and-_sctp_walk_errors.patch queue-4.12/dccp-fix-a-memleak-that-dccp_ipv6-doesn-t-put-reqsk-properly.patch queue-4.12/dccp-fix-a-memleak-that-dccp_ipv4-doesn-t-put-reqsk-properly.patch queue-4.12/dccp-fix-a-memleak-for-dccp_feat_init-err-process.patch queue-4.12/sctp-fix-an-array-overflow-when-all-ext-chunks-are-set.patch