From: Wang Hai wanghai38@huawei.com
stable inclusion from stable-v5.10.158 commit e01c1542379fb395e7da53706df598f38905dfbf category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRIX CVE: CVE-2022-49020
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit dcc14cfd7debe11b825cb077e75d91d2575b4cb8 ]
Both p9_fd_create_tcp() and p9_fd_create_unix() will call p9_socket_open(). If the creation of p9_trans_fd fails, p9_fd_create_tcp() and p9_fd_create_unix() will return an error directly instead of releasing the cscoket, which will result in a socket leak.
This patch adds sock_release() to fix the leak issue.
Fixes: 6b18662e239a ("9p connect fixes") Signed-off-by: Wang Hai wanghai38@huawei.com ACKed-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- net/9p/trans_fd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 8f528e783a6c..33ea665982c2 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -846,8 +846,10 @@ static int p9_socket_open(struct p9_client *client, struct socket *csocket) struct file *file;
p = kzalloc(sizeof(struct p9_trans_fd), GFP_KERNEL); - if (!p) + if (!p) { + sock_release(csocket); return -ENOMEM; + }
csocket->sk->sk_allocation = GFP_NOIO; file = sock_alloc_file(csocket, 0, NULL);