From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Dmitry Popov <dp@highloadlab.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [062/114] tcp: cookie transactions setsockopt memory leak
Date: Tue, 24 Aug 2010 15:45:07 -0700
Message-ID: <20100824224506.635112644@clark.site>
In-Reply-To: <20100824224610.GA5424@kroah.com>
2.6.35-stable review patch. If anyone has any objections, please let us know.
------------------
From: Dmitry Popov <dp@highloadlab.com>
[ Upstream commit a3bdb549e30e7a263f7a589747c40e9c50110315 ]
There is a bug in do_tcp_setsockopt(net/ipv4/tcp.c),
TCP_COOKIE_TRANSACTIONS case.
In some cases (when tp->cookie_values == NULL) new tcp_cookie_values
structure can be allocated (at cvp), but not bound to
tp->cookie_values. So a memory leak occurs.
Signed-off-by: Dmitry Popov <dp@highloadlab.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/ipv4/tcp.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2176,6 +2176,8 @@ static int do_tcp_setsockopt(struct sock
GFP_KERNEL);
if (cvp == NULL)
return -ENOMEM;
+
+ kref_init(&cvp->kref);
}
lock_sock(sk);
tp->rx_opt.cookie_in_always =
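Review bot: nothing after the `kref_init(&cvp->kref);` added at the end of the allocation block may return without either binding cvp to the socket or dropping it with kref_put(), because the new object now holds a live reference before `lock_sock(sk)` is taken. No such early exit is visible in these hunks, but a one-line comment at the allocation stating that the reference is handed over to tp->cookie_values at the end of the locked section would keep later changes from reintroducing the leak. The blank line added before kref_init() is optional.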
@@ -2190,12 +2192,11 @@ static int do_tcp_setsockopt(struct sock
*/
kref_put(&tp->cookie_values->kref,
tcp_cookie_values_release);
- kref_init(&cvp->kref);
- tp->cookie_values = cvp;
} else {
cvp = tp->cookie_values;
}
}
+
if (cvp != NULL) {
cvp->cookie_desired = ctd.tcpct_cookie_desired;
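Review bot: after the `kref_put(&tp->cookie_values->kref, tcp_cookie_values_release);` at the top of this hunk, tp->cookie_values is no longer replaced on the spot, so it may point at a released object until the assignment added further down. That is only safe because the whole stretch runs between lock_sock(sk) and release_sock(sk); either say so in the comment above the kref_put(), or move the put next to the new assignment so the old pointer is never left stale. The blank line added before `if (cvp != NULL)` is a whitespace-only change.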
@@ -2209,6 +2210,8 @@ static int do_tcp_setsockopt(struct sock
cvp->s_data_desired = ctd.tcpct_s_data_desired;
cvp->s_data_constant = 0; /* false */
}
+
+ tp->cookie_values = cvp;
}
release_sock(sk);
return err;
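Review bot: the `tp->cookie_values = cvp;` added after the s_data_* setup also runs when cvp was taken from tp->cookie_values in the `else` branch of the previous hunk, where it is a self-assignment. That is harmless, but a short comment noting that this is the single place where cvp is bound to the socket, covering the tp->cookie_values == NULL case described in the changelog, would make the intent clear to the next reader.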