remarkable-linux/net
Tommi Rantala 9f02a069bf sctp: fix dst refcnt leak in sctp_v4_get_dst
[ Upstream commit 4a31a6b19f ]

Fix dst reference count leak in sctp_v4_get_dst() introduced in commit
410f03831 ("sctp: add routing output fallback"):

When walking the address_list, successive ip_route_output_key() calls
may return the same rt->dst with the reference incremented on each call.

The code would not decrement the dst refcount when the dst pointer was
identical from the previous iteration, causing the dst refcnt leak.

Testcase:
  ip netns add TEST
  ip netns exec TEST ip link set lo up
  ip link add dummy0 type dummy
  ip link add dummy1 type dummy
  ip link add dummy2 type dummy
  ip link set dev dummy0 netns TEST
  ip link set dev dummy1 netns TEST
  ip link set dev dummy2 netns TEST
  ip netns exec TEST ip addr add 192.168.1.1/24 dev dummy0
  ip netns exec TEST ip link set dummy0 up
  ip netns exec TEST ip addr add 192.168.1.2/24 dev dummy1
  ip netns exec TEST ip link set dummy1 up
  ip netns exec TEST ip addr add 192.168.1.3/24 dev dummy2
  ip netns exec TEST ip link set dummy2 up
  ip netns exec TEST sctp_test -H 192.168.1.2 -P 20002 -h 192.168.1.1 -p 20000 -s -B 192.168.1.3
  ip netns del TEST

In 4.4 and 4.9 kernels this results in:
  [  354.179591] unregister_netdevice: waiting for lo to become free. Usage count = 1
  [  364.419674] unregister_netdevice: waiting for lo to become free. Usage count = 1
  [  374.663664] unregister_netdevice: waiting for lo to become free. Usage count = 1
  [  384.903717] unregister_netdevice: waiting for lo to become free. Usage count = 1
  [  395.143724] unregister_netdevice: waiting for lo to become free. Usage count = 1
  [  405.383645] unregister_netdevice: waiting for lo to become free. Usage count = 1
  ...

Fixes: 410f03831 ("sctp: add routing output fallback")
Fixes: 0ca50d12f ("sctp: fix src address selection if using secondary addresses")
Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-08 22:41:11 -08:00
6lowpan
9p 9p/trans_virtio: discard zero-length reply 2018-02-22 15:42:30 +01:00
802
8021q 8021q: fix a memory leak for VLAN 0 device 2018-01-17 09:45:20 +01:00
appletalk
atm
ax25
batman-adv
bluetooth Bluetooth: Prevent stack info leak from the EFS element. 2018-01-17 09:45:26 +01:00
bpf
bridge bridge: check brport attr show in brport_show 2018-03-08 22:41:07 -08:00
caif
can can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once 2018-01-23 19:58:17 +01:00
ceph
core net: fix race on decreasing number of TX queues 2018-03-08 22:41:09 -08:00
dcb
dccp dccp: CVE-2017-8824: use-after-free in DCCP code 2018-02-16 20:22:45 +01:00
decnet dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock 2018-02-25 11:07:52 +01:00
dns_resolver
dsa
ethernet
hsr
ieee802154
ife
ipv4 udplite: fix partial checksum initialization 2018-03-08 22:41:10 -08:00
ipv6 udplite: fix partial checksum initialization 2018-03-08 22:41:10 -08:00
ipx
iucv
kcm kcm: Only allow TCP sockets to be attached to a KCM mux 2018-02-25 11:07:45 +01:00
key af_key: fix buffer overread in parse_exthdrs() 2018-01-23 19:58:12 +01:00
l2tp
l3mdev
lapb
llc
mac80211 mac80211: mesh: drop frames appearing to be from us 2018-03-03 10:24:35 +01:00
mac802154
mpls mpls, nospec: Sanitize array index in mpls_label_ok() 2018-02-22 15:42:28 +01:00
ncsi
netfilter netfilter: nf_tables: fix potential NULL-ptr deref in nf_tables_dump_obj_done() 2018-03-03 10:24:30 +01:00
netlabel
netlink netlink: ensure to loop over all netns in genlmsg_multicast_allns() 2018-03-08 22:41:09 -08:00
netrom
nfc
nsh
openvswitch openvswitch: fix the incorrect flow action alloc size 2018-02-03 17:39:03 +01:00
packet
phonet
psample
qrtr
rds rds: tcp: atomically purge entries from rds_tcp_conn_list during netns delete 2018-02-25 11:07:51 +01:00
rfkill
rose
rxrpc rxrpc: Fix service endpoint expiry 2018-02-03 17:39:01 +01:00
sched net: sched: report if filter is too large to dump 2018-03-08 22:41:10 -08:00
sctp sctp: fix dst refcnt leak in sctp_v4_get_dst 2018-03-08 22:41:11 -08:00
smc
strparser
sunrpc xprtrdma: Fix BUG after a device removal 2018-02-22 15:42:29 +01:00
switchdev
tipc tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path 2018-03-03 10:24:30 +01:00
tls tls: reset crypto_info when do_tls_setsockopt_tx fails 2018-01-31 14:03:48 +01:00
unix
vmw_vsock VSOCK: fix outdated sk_state value in hvs_release() 2018-02-25 11:07:59 +01:00
wimax
wireless nl80211: Check for the required netlink attribute presence 2018-03-03 10:24:34 +01:00
x25
xfrm xfrm: Reinject transport-mode packets through tasklet 2018-03-03 10:24:25 +01:00
compat.c
Kconfig
Makefile
socket.c kmemcheck: remove annotations 2018-02-22 15:42:23 +01:00
sysctl_net.c