From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Miller <davem@davemloft.net>
Subject: Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV
 sockets in tcp_abort
Date: Sun, 08 Jul 2018 10:57:05 +0900 (KST)
Message-ID: <20180708.105705.1482010806994204196.davem@davemloft.net>
References: <20180707073140.202004-1-lorenzo@google.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, astrachan@google.com,
        subashab@codeaurora.org, eric.dumazet@gmail.com,
        dsa@cumulusnetworks.com
To: lorenzo@google.com
Return-path: <netdev-owner@vger.kernel.org>
Received: from shards.monkeyblade.net ([23.128.96.9]:36294 "EHLO
        shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754408AbeGHB5I (ORCPT
        <rfc822;netdev@vger.kernel.org>); Sat, 7 Jul 2018 21:57:08 -0400
In-Reply-To: <20180707073140.202004-1-lorenzo@google.com>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

From: Lorenzo Colitti <lorenzo@google.com>
Date: Sat,  7 Jul 2018 16:31:40 +0900

> When tcp_diag_destroy closes a TCP_NEW_SYN_RECV socket, it first
> frees it by calling inet_csk_reqsk_queue_drop_and_and_put in
> tcp_abort, and then frees it again by calling sock_gen_put.
> 
> Since tcp_abort only has one caller, and all the other codepaths
> in tcp_abort don't free the socket, just remove the free in that
> function.
> 
> Cc: David Ahern <dsa@cumulusnetworks.com>
> Tested: passes Android sock_diag_test.py, which exercises this codepath
> Fixes: d7226c7a4dd1 ("net: diag: Fix refcnt leak in error path destroying socket")
> Signed-off-by: Lorenzo Colitti <lorenzo@google.com>

Applied and queued up for -stable, thanks!