From: Wang Hai wanghai38@huawei.com
stable inclusion from stable-v4.19.268 commit 8b14bd0b500aec1458b51cb621c8e5fab3304260 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRIX CVE: CVE-2022-49020
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit dcc14cfd7debe11b825cb077e75d91d2575b4cb8 ]
Both p9_fd_create_tcp() and p9_fd_create_unix() will call p9_socket_open(). If the creation of p9_trans_fd fails, p9_fd_create_tcp() and p9_fd_create_unix() will return an error directly instead of releasing the cscoket, which will result in a socket leak.
This patch adds sock_release() to fix the leak issue.
Fixes: 6b18662e239a ("9p connect fixes") Signed-off-by: Wang Hai wanghai38@huawei.com ACKed-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- net/9p/trans_fd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index f868cf6fba79..cbca035837df 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -840,8 +840,10 @@ static int p9_socket_open(struct p9_client *client, struct socket *csocket) struct file *file;
p = kzalloc(sizeof(struct p9_trans_fd), GFP_KERNEL); - if (!p) + if (!p) { + sock_release(csocket); return -ENOMEM; + }
csocket->sk->sk_allocation = GFP_NOIO; file = sock_alloc_file(csocket, 0, NULL);