From: Xin Long <[email protected]>
Date: Wed, 26 Jul 2017 14:19:09 +0800
> In dccp_v6_conn_request, after reqsk gets alloced and hashed into
> ehash table, reqsk's refcnt is set 3. one is for req->rsk_timer,
> one is for hlist, and the other one is for current using.
>
> The problem is when dccp_v6_conn_request returns and finishes using
> reqsk, it doesn't put reqsk. This will cause reqsk refcnt leaks and
> reqsk obj never gets freed.
>
> Jianlin found this issue when running dccp_memleak.c in a loop, the
> system memory would run out.
>
> dccp_memleak.c:
>   int s1 = socket(PF_INET6, 6, IPPROTO_IP);
>   bind(s1, &sa1, 0x20);
>   listen(s1, 0x9);
>   int s2 = socket(PF_INET6, 6, IPPROTO_IP);
>   connect(s2, &sa1, 0x20);
>   close(s1);
>   close(s2);
>
> This patch is to put the reqsk before dccp_v6_conn_request returns,
> just as what tcp_conn_request does.
>
> Reported-by: Jianlin Shi <[email protected]>
> Signed-off-by: Xin Long <[email protected]>

Applied and queued up for -stable.
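The reference accounting described in the commit message, as a userspace model added here (not code from the patch or the kernel). `req_model`, `conn_request` and `leaked_after` are hypothetical names, and the order in which the timer and hash references are dropped is an assumption.

```c
#include <stdio.h>

/* Hypothetical stand-in for a request sock; only the refcount is modelled. */
struct req_model {
    int refcnt;
};

static int live_objects; /* objects created whose destructor has not run */

static void req_init_hashed(struct req_model *req)
{
    /* Three holders, as in the commit message:
     * req->rsk_timer, the hash list, and the current user. */
    req->refcnt = 3;
    live_objects++;
}

static void req_put(struct req_model *req)
{
    if (--req->refcnt == 0)
        live_objects--; /* stand-in for freeing the object */
}

/* One connection request; put_on_return = 1 models the patched function. */
static void conn_request(int put_on_return)
{
    struct req_model req;

    req_init_hashed(&req);
    if (put_on_return)
        req_put(&req); /* caller drops its own reference before returning */

    /* Later teardown (assumed order): timer stops, entry is unhashed. */
    req_put(&req); /* timer reference */
    req_put(&req); /* hash list reference */
}

/* Number of objects still alive after n requests. */
int leaked_after(int n, int put_on_return)
{
    live_objects = 0;
    for (int i = 0; i < n; i++)
        conn_request(put_on_return);
    return live_objects;
}

int main(void)
{
    printf("without put: %d leaked\n", leaked_after(1000, 0));
    printf("with put:    %d leaked\n", leaked_after(1000, 1));
    return 0;
}
```

Without the caller's put, the count stops at 1 after the timer and hash references are gone, so every request leaves one object behind.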
