• Eric Dumazet's avatar
    inet: fix possible request socket leak · d36f8434
    Eric Dumazet authored
    [ Upstream commit 3257d8b1 ]
    
    In commit b357a364 ("inet: fix possible panic in
    reqsk_queue_unlink()"), I missed fact that tcp_check_req()
    can return the listener socket in one case, and that we must
    release the request socket refcount or we leak it.
    
    Tested:
    
     Following packetdrill test template shows the issue
    
    0     socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
    +0    setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
    +0    bind(3, ..., ...) = 0
    +0    listen(3, 1) = 0
    
    +0    < S 0:0(0) win 2920 <mss 1460,sackOK,nop,nop>
    +0    > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK>
    +.002 < . 1:1(0) ack 21 win 2920
    +0    > R 21:21(0)
    
    Fixes: b357a364 ("inet: fix possible panic in reqsk_queue_unlink()")
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    d36f8434
tcp_ipv6.c 49.4 KB