Commit 02968ccf authored by Xin Long's avatar Xin Long Committed by David S. Miller
Browse files

sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit 



Now sctp increases sk_wmem_alloc by 1 when doing set_owner_w for the
skb allocked in sctp_packet_transmit and decreases by 1 when freeing
this skb.

But when this skb goes through networking stack, some subcomponents
might change skb->truesize and add the same amount on sk_wmem_alloc.
However sctp doesn't know the amount to decrease by, it would cause
a leak on sk->sk_wmem_alloc and the sock can never be freed.

Xiumei found this issue when it hit esp_output_head() by using sctp
over ipsec, where skb->truesize is added and so is sk->sk_wmem_alloc.

Since sctp has used sk_wmem_queued to count for writable space since
Commit cd305c74 ("sctp: use sk_wmem_queued to check for writable
space"), it's ok to fix it by counting sk_wmem_alloc by skb truesize
in sctp_packet_transmit.

Fixes: cac2661c ("esp4: Avoid skb_cow_data whenever possible")
Reported-by: default avatarXiumei Mu <xmu@redhat.com>
Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a36b5444

net/sctp/output.c

+1 −20
Original line number Diff line number Diff line
@@ -396,25 +396,6 @@ finish: 
	return retval;

}



static void sctp_packet_release_owner(struct sk_buff *skb)

{

	sk_free(skb->sk);

}



static void sctp_packet_set_owner_w(struct sk_buff *skb, struct sock *sk)

{

	skb_orphan(skb);

	skb->sk = sk;

	skb->destructor = sctp_packet_release_owner;



	/*

	 * The data chunks have already been accounted for in sctp_sendmsg(),

	 * therefore only reserve a single byte to keep socket around until

	 * the packet has been transmitted.

	 */

	refcount_inc(&sk->sk_wmem_alloc);

}



static void sctp_packet_gso_append(struct sk_buff *head, struct sk_buff *skb)

{

	if (SCTP_OUTPUT_CB(head)->last == head)
@@ -601,7 +582,7 @@ int sctp_packet_transmit(struct sctp_packet *packet, gfp_t gfp) 
	if (!head)

		goto out;

	skb_reserve(head, packet->overhead + MAX_HEADER);

	sctp_packet_set_owner_w(head, sk);

	skb_set_owner_w(head, sk);



	/* set sctp header */

	sh = skb_push(head, sizeof(struct sctphdr));

CRA Git | Maintained and supported by SUSTech CRA and CCSE