From: Al Viro <viro@ZenIV.linux.org.uk>
To: David Miller <davem@davemloft.net>
Cc: netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Eric Dumazet <edumazet@google.com>,
Willem de Bruijn <willemb@google.com>,
syzkaller <syzkaller@googlegroups.com>,
Dmitry Vyukov <dvyukov@google.com>
Subject: Re: net: memory leak in socket
Date: Tue, 9 Jan 2018 20:53:03 +0000 [thread overview]
Message-ID: <20180109205303.GF13338@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CACT4Y+Yi=CNxCo0Fg5kuTOpDjjAx1WxMzW74GDP975bJuUhdiA@mail.gmail.com>
On Tue, Jan 09, 2018 at 07:58:08PM +0100, Dmitry Vyukov wrote:
> > Argh... Got broken by "make sock_alloc_file() do sock_release() on failures" -
> > cleanup after sock_map_fd() failure got pulled all the way into sock_alloc_file(),
> > but it used to serve the case when sock_map_fd() failed *before* getting to
> > sock_alloc_file().
> >
> > Fixes: commit 8e1611e23579 (make sock_alloc_file() do sock_release() on failures)
> > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
>
> Please add:
>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
Sure, no problem. Dave, which tree should that go through? Do you pick it, or
should I send the below directly to Linus?
----
Fix a leak in socket(2) when we fail to allocate a file descriptor.
Got broken by "make sock_alloc_file() do sock_release() on failures" -
cleanup after sock_map_fd() failure got pulled all the way into
sock_alloc_file(), but it used to serve the case when sock_map_fd()
failed *before* getting to sock_alloc_file() as well, and that got
lost. Trivial to fix, fortunately.
Fixes: commit 8e1611e23579 (make sock_alloc_file() do sock_release() on failures)
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/net/socket.c b/net/socket.c
index bbd2e9ceb692..1536515b6437 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -430,8 +430,10 @@ static int sock_map_fd(struct socket *sock, int flags)
{
struct file *newfile;
int fd = get_unused_fd_flags(flags);
- if (unlikely(fd < 0))
+ if (unlikely(fd < 0)) {
+ sock_release(sock);
return fd;
+ }
newfile = sock_alloc_file(sock, flags, NULL);
if (likely(!IS_ERR(newfile))) {
next prev parent reply other threads:[~2018-01-09 20:53 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-09 18:39 net: memory leak in socket Dmitry Vyukov
2018-01-09 18:53 ` Al Viro
2018-01-09 18:58 ` Dmitry Vyukov
2018-01-09 20:53 ` Al Viro [this message]
2018-01-10 9:30 ` Sergei Shtylyov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180109205303.GF13338@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=willemb@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.