• E
    inet: fix possible request socket leak · 3257d8b1
    Eric Dumazet 提交于
    In commit b357a364 ("inet: fix possible panic in
    reqsk_queue_unlink()"), I missed fact that tcp_check_req()
    can return the listener socket in one case, and that we must
    release the request socket refcount or we leak it.
    
    Tested:
    
     Following packetdrill test template shows the issue
    
    0     socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
    +0    setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
    +0    bind(3, ..., ...) = 0
    +0    listen(3, 1) = 0
    
    +0    < S 0:0(0) win 2920 <mss 1460,sackOK,nop,nop>
    +0    > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK>
    +.002 < . 1:1(0) ack 21 win 2920
    +0    > R 21:21(0)
    
    Fixes: b357a364 ("inet: fix possible panic in reqsk_queue_unlink()")
    Signed-off-by: NEric Dumazet <edumazet@google.com>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    3257d8b1
tcp_ipv6.c 49.2 KB