Commit 8d2e82ee authored Nov 01, 2024 by Wang Hai Committed by Yongqiang Liu Nov 01, 2024

net/9p: Fix a potential socket leak in p9_socket_open

stable inclusion
from stable-v4.19.268
commit 8b14bd0b500aec1458b51cb621c8e5fab3304260
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRIX
CVE: CVE-2022-49020

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8b14bd0b500aec1458b51cb621c8e5fab3304260



--------------------------------

[ Upstream commit dcc14cfd ]

Both p9_fd_create_tcp() and p9_fd_create_unix() will call
p9_socket_open(). If the creation of p9_trans_fd fails,
p9_fd_create_tcp() and p9_fd_create_unix() will return an
error directly instead of releasing the cscoket, which will
result in a socket leak.

This patch adds sock_release() to fix the leak issue.

Fixes: 6b18662e ("9p connect fixes")
Signed-off-by: Wang Hai <wanghai38@huawei.com>
ACKed-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

parent fc269dcb

net/9p/trans_fd.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -840,8 +840,10 @@ static int p9_socket_open(struct p9_client client, struct socket csocket)
		struct file *file;

		p = kzalloc(sizeof(struct p9_trans_fd), GFP_KERNEL);
		if (!p)
		if (!p) {
		sock_release(csocket);
		return -ENOMEM;
		}

		csocket->sk->sk_allocation = GFP_NOIO;
		file = sock_alloc_file(csocket, 0, NULL);