From: Dan Carpenter <dan.carpenter@linaro.org>
To: Christian Brauner <brauner@kernel.org>
Cc: linux-sctp@vger.kernel.org
Subject: [bug report] net/sctp: convert sctp_getsockopt_peeloff_common() to FD_PREPARE()
Date: Wed, 26 Nov 2025 11:34:31 +0300
Message-ID: <aSa7l8aK1cHv1GEI@stanley.mountain>

Hello Christian Brauner,

Commit 859ceac73090 ("net/sctp: convert
sctp_getsockopt_peeloff_common() to FD_PREPARE()") from Nov 23, 2025
(linux-next), leads to the following Smatch static checker warning:

	net/sctp/socket.c:5733 sctp_getsockopt_peeloff_common()
	warn: 'newsock' was already freed. (line 5731)

net/sctp/socket.c
    5719 static int sctp_getsockopt_peeloff_common(struct sock *sk,
    5720                                           sctp_peeloff_arg_t *peeloff, int len,
    5721                                           char __user *optval,
    5722                                           int __user *optlen, unsigned flags)
    5723 {
    5724         struct socket *newsock;
    5725         int retval;
    5726 
    5727         retval = sctp_do_peeloff(sk, peeloff->associd, &newsock);
    5728         if (retval < 0)
    5729                 return retval;
    5730 
    5731         FD_PREPARE(fdf, flags & SOCK_CLOEXEC, sock_alloc_file(newsock, 0, NULL));
                                                                       ^^^^^^^
sock_alloc_file() calls sock_release() on error.

    5732         if (fdf.err) {
--> 5733                 sock_release(newsock);
                         ^^^^^^^^^^^^^^^^^^^^^
double free.

    5734                 return fdf.err;
    5735         }
    5736 
    5737         pr_debug("%s: sk:%p, newsk:%p, sd:%d\n", __func__, sk, newsock->sk,
    5738                  fd_prepare_fd(fdf));
    5739 
    5740         if (flags & SOCK_NONBLOCK)
    5741                 fd_prepare_file(fdf)->f_flags |= O_NONBLOCK;
    5742 
    5743         /* Return the fd mapped to the new socket.  */
    5744         if (put_user(len, optlen))
    5745                 return -EFAULT;
    5746 
    5747         peeloff->sd = fd_prepare_fd(fdf);
    5748         if (copy_to_user(optval, peeloff, len))
    5749                 return -EFAULT;
    5750 
    5751         return fd_publish(fdf);
    5752 }

regards,
dan carpenter
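
A userspace model of the ownership rule behind this warning, added here as an illustration and not part of the original message or the kernel source. Every `mock_*` and `peeloff_*` name is hypothetical, releases are counted instead of freeing memory, and the second caller is one assumed way to honour the contract, not the fix applied upstream.

```c
/* Userspace model of the ownership rule in the report above.
 * All names are hypothetical stand-ins, not kernel APIs. */
#include <stdio.h>

struct mock_sock { int release_count; };	/* counts releases instead of freeing */

static void mock_release(struct mock_sock *s) { s->release_count++; }

/* Models the contract the report states for sock_alloc_file():
 * on failure the callee has already released the socket. */
static int mock_alloc_file(struct mock_sock *s, int fail)
{
	if (fail) {
		mock_release(s);
		return -12;	/* constructed error value, stands in for -ENOMEM */
	}
	return 0;
}

/* Error path shaped like lines 5731-5735 of the report. */
static int peeloff_as_reported(struct mock_sock *s, int fail)
{
	int err = mock_alloc_file(s, fail);
	if (err)
		mock_release(s);	/* second release: the flagged line */
	return err;
}

/* Assumed alternative: the caller treats the socket as consumed on error. */
static int peeloff_callee_owns(struct mock_sock *s, int fail)
{
	return mock_alloc_file(s, fail);	/* nothing left to release here */
}

/* Runs one caller variant and returns how often the socket was released. */
static int count_releases(int (*fn)(struct mock_sock *, int), int fail)
{
	struct mock_sock s = { 0 };
	fn(&s, fail);
	return s.release_count;
}

int main(void)
{
	printf("as reported: %d release(s)\n", count_releases(peeloff_as_reported, 1));
	printf("callee owns: %d release(s)\n", count_releases(peeloff_callee_owns, 1));
	return 0;
}
```

A release count of 2 on the failure path corresponds to the double free Smatch flags; in both variants the success path releases nothing, since the file then owns the socket.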
