From mboxrd@z Thu Jan  1 00:00:00 1970
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1757605AbeAIUxL (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Tue, 9 Jan 2018 15:53:11 -0500
Received: from zeniv.linux.org.uk ([195.92.253.2]:48482 "EHLO
        ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1757643AbeAIUxK (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 9 Jan 2018 15:53:10 -0500
Date: Tue, 9 Jan 2018 20:53:03 +0000
From: Al Viro <viro@ZenIV.linux.org.uk>
To: David Miller <davem@davemloft.net>
Cc: netdev <netdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
        Eric Dumazet <edumazet@google.com>,
        Willem de Bruijn <willemb@google.com>,
        syzkaller <syzkaller@googlegroups.com>,
        Dmitry Vyukov <dvyukov@google.com>
Subject: Re: net: memory leak in socket
Message-ID: <20180109205303.GF13338@ZenIV.linux.org.uk>
References: <CACT4Y+afcR2=wsmG_DObzG04JvVX-8X-4_zK4WYp1EAMhbbGEg@mail.gmail.com>
 <20180109185351.GE13338@ZenIV.linux.org.uk>
 <CACT4Y+Yi=CNxCo0Fg5kuTOpDjjAx1WxMzW74GDP975bJuUhdiA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CACT4Y+Yi=CNxCo0Fg5kuTOpDjjAx1WxMzW74GDP975bJuUhdiA@mail.gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Tue, Jan 09, 2018 at 07:58:08PM +0100, Dmitry Vyukov wrote:
> > Argh...  Got broken by "make sock_alloc_file() do sock_release() on failures" -
> > cleanup after sock_map_fd() failure got pulled all the way into sock_alloc_file(),
> > but it used to serve the case when sock_map_fd() failed *before* getting to
> > sock_alloc_file().
> >
> > Fixes: commit 8e1611e23579 (make sock_alloc_file() do sock_release() on failures)
> > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> 
> Please add:
> 
> Reported-by: Dmitry Vyukov <dvyukov@google.com>

Sure, no problem.  Dave, which tree should that go through?  Do you pick it, or
should I send the below directly to Linus?
----
Fix a leak in socket(2) when we fail to allocate a file descriptor.

Got broken by "make sock_alloc_file() do sock_release() on failures" -
cleanup after sock_map_fd() failure got pulled all the way into
sock_alloc_file(), but it used to serve the case when sock_map_fd()
failed *before* getting to sock_alloc_file() as well, and that got
lost.  Trivial to fix, fortunately.

Fixes: commit 8e1611e23579 (make sock_alloc_file() do sock_release() on failures)
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/net/socket.c b/net/socket.c
index bbd2e9ceb692..1536515b6437 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -430,8 +430,10 @@ static int sock_map_fd(struct socket *sock, int flags)
 {
 	struct file *newfile;
 	int fd = get_unused_fd_flags(flags);
-	if (unlikely(fd < 0))
+	if (unlikely(fd < 0)) {
+		sock_release(sock);
 		return fd;
+	}
 
 	newfile = sock_alloc_file(sock, flags, NULL);
 	if (likely(!IS_ERR(newfile))) {