linux/net/ipv6
Eric Dumazet 3257d8b12f inet: fix possible request socket leak
In commit b357a364c5 ("inet: fix possible panic in
reqsk_queue_unlink()"), I missed fact that tcp_check_req()
can return the listener socket in one case, and that we must
release the request socket refcount or we leak it.

Tested:

 Following packetdrill test template shows the issue

0     socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0    setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0    bind(3, ..., ...) = 0
+0    listen(3, 1) = 0

+0    < S 0:0(0) win 2920 <mss 1460,sackOK,nop,nop>
+0    > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK>
+.002 < . 1:1(0) ack 21 win 2920
+0    > R 21:21(0)

Fixes: b357a364c5 ("inet: fix possible panic in reqsk_queue_unlink()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-08-10 21:17:45 -07:00
..
netfilter netfilter: SYNPROXY: fix sending window update to client 2015-08-10 13:55:07 +02:00
addrconf_core.c ipv6: fix possible use after free of dev stats 2015-06-08 12:12:45 -07:00
addrconf.c ipv6: Consider RTF_CACHE when searching the fib6 tree 2015-05-01 20:57:06 -04:00
addrlabel.c netlink: implement nla_put_in_addr and nla_put_in6_addr 2015-03-31 13:58:35 -04:00
af_inet6.c inet: add IP_BIND_ADDRESS_NO_PORT to overcome bind(0) limitations 2015-06-06 23:57:12 -07:00
ah6.c ipv6: coding style: comparison for equality with NULL 2015-03-31 13:51:54 -04:00
anycast.c ipv6: coding style: comparison for equality with NULL 2015-03-31 13:51:54 -04:00
datagram.c ipv6: lock socket in ip6_datagram_connect() 2015-07-15 17:25:51 -07:00
esp6.c esp6: Switch to new AEAD interface 2015-05-28 11:23:20 +08:00
exthdrs_core.c ipv6: coding style: comparison for equality with NULL 2015-03-31 13:51:54 -04:00
exthdrs_offload.c
exthdrs.c net: Convert LIMIT_NETDEBUG to net_dbg_ratelimited 2014-11-11 14:10:31 -05:00
fib6_rules.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-04-06 22:34:15 -04:00
icmp.c ipv6: Remove external dependency on rt6i_gateway and RTF_ANYCAST 2015-05-25 13:25:33 -04:00
inet6_connection_sock.c net: convert syn_wait_lock to a spinlock 2015-03-23 16:52:26 -04:00
inet6_hashtables.c tcp: connect() from bound sockets can be faster 2015-05-27 14:30:10 -04:00
ip6_checksum.c udp: Generic functions to set checksum 2014-06-04 22:46:38 -07:00
ip6_fib.c ipv6: Create percpu rt6_info 2015-05-25 13:25:35 -04:00
ip6_flowlabel.c ipv6: Flow label state ranges 2015-05-03 21:58:01 -04:00
ip6_gre.c ip6_gre: use netdev_alloc_pcpu_stats() 2015-04-22 15:39:05 -04:00
ip6_icmp.c ipv6: White-space cleansing : Line Layouts 2014-08-24 22:37:52 -07:00
ip6_input.c ipv6: Make MLD packets to only be processed locally 2015-07-03 09:52:38 -07:00
ip6_offload.c Revert "sit: Add gro callbacks to sit_offload" 2015-07-20 16:52:28 -07:00
ip6_offload.h
ip6_output.c ipv6: don't increase size when refragmenting forwarded ipv6 skbs 2015-05-25 17:22:23 -04:00
ip6_tunnel.c ipv6: Add rt6_get_cookie() function 2015-05-25 13:25:34 -04:00
ip6_udp_tunnel.c net: Modify sk_alloc to not reference count the netns of kernel sockets. 2015-05-11 10:50:18 -04:00
ip6_vti.c vti6: Add pmtu handling to vti6_xmit. 2015-06-01 16:03:43 -07:00
ip6mr.c netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
ipcomp6.c ipv6: White-space cleansing : Structure layouts 2014-08-24 22:37:52 -07:00
ipv6_sockglue.c ipv6: coding style: comparison for equality with NULL 2015-03-31 13:51:54 -04:00
Kconfig
Makefile net: Export IGMP/MLD message validation code 2015-05-04 14:49:23 -04:00
mcast_snoop.c net: fix two sparse warnings introduced by IGMP/MLD parsing exports 2015-05-04 19:19:54 -04:00
mcast.c netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
mip6.c net: Convert LIMIT_NETDEBUG to net_dbg_ratelimited 2014-11-11 14:10:31 -05:00
ndisc.c ipv6: flush nd cache on IFF_NOARP change 2015-07-29 23:01:39 -07:00
netfilter.c netfilter: bridge: forward IPv6 fragmented packets 2015-06-12 14:10:12 +02:00
output_core.c netfilter: don't pull include/linux/netfilter.h from netns headers 2015-06-18 21:14:31 +02:00
ping.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-03-09 23:38:02 -04:00
proc.c udp: Increment UDP_MIB_IGNOREDMULTI for arriving unmatched multicasts 2014-11-07 15:45:50 -05:00
protocol.c net: Export inet_offloads and inet6_offloads 2014-09-19 17:15:31 -04:00
raw.c ipv6: drop unneeded goto 2015-05-30 23:48:36 -07:00
reassembly.c inet: frags: remove INET_FRAG_EVICTED and use list_evictor for the test 2015-07-26 21:00:15 -07:00
route.c ipv6: don't reject link-local nexthop on other interface 2015-08-10 13:29:22 -07:00
sit.c ipv6: call iptunnel_xmit with NULL sock pointer if no tunnel sock is available 2015-04-08 12:09:43 -04:00
syncookies.c tcp: get_cookie_sock() consolidation 2015-06-07 15:19:52 -07:00
sysctl_net_ipv6.c ipv6: Flow label state ranges 2015-05-03 21:58:01 -04:00
tcp_ipv6.c inet: fix possible request socket leak 2015-08-10 21:17:45 -07:00
tcpv6_offload.c tcp: cleanup static functions 2015-02-28 16:56:51 -05:00
tunnel6.c ipv6: White-space cleansing : gaps between function and symbol export 2014-08-24 22:37:52 -07:00
udp_impl.h net: Remove iocb argument from sendmsg and recvmsg 2015-03-02 13:06:31 -05:00
udp_offload.c ipv6: hash net ptr into fragmentation bucket selection 2015-03-25 14:07:04 -04:00
udp.c udp: fix behavior of wrong checksums 2015-05-31 21:42:18 -07:00
udplite.c net: Eliminate no_check from protosw 2014-05-23 16:28:53 -04:00
xfrm6_input.c netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
xfrm6_mode_beet.c xfrm: simplify xfrm_address_t use 2015-03-31 13:58:35 -04:00
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
xfrm6_policy.c ipv6: Add rt6_get_cookie() function 2015-05-25 13:25:34 -04:00
xfrm6_protocol.c
xfrm6_state.c ipv6: White-space cleansing : Line Layouts 2014-08-24 22:37:52 -07:00
xfrm6_tunnel.c ipv6: White-space cleansing : gaps between function and symbol export 2014-08-24 22:37:52 -07:00