diff options
| author | Eric Biggers <ebiggers@google.com> | 2019-06-12 14:58:43 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-06-19 08:00:02 +0200 |
| commit | 3d61202e8a4c021af12a564d8ed42d08ff03ac14 (patch) | |
| tree | 3fe6916b81d7eebbfed96ac0c348205c8b3366b4 /fs/io_uring.c | |
| parent | b8833542a91e16b3ff1d4853f846080d656db3bd (diff) | |
io_uring: fix memory leak of UNIX domain socket inode
commit 355e8d26f719c207aa2e00e6f3cfab3acf21769b upstream.
Opening and closing an io_uring instance leaks a UNIX domain socket
inode. This is because the ->file of the io_uring instance's internal
UNIX domain socket is set to point to the io_uring file, but then
sock_release() sees the non-NULL ->file and assumes the inode reference
is held by the file so doesn't call iput(). That's not the case here,
since the reference is still meant to be held by the socket; the actual
inode of the io_uring file is different.
Fix this leak by NULL-ing out ->file before releasing the socket.
Reported-by: syzbot+111cb28d9f583693aefa@syzkaller.appspotmail.com
Fixes: 2b188cc1bb85 ("Add io_uring IO interface")
Cc: <stable@vger.kernel.org> # v5.1+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/io_uring.c')
| -rw-r--r-- | fs/io_uring.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c index 28269a0c5037..4e32a033394c 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2633,8 +2633,10 @@ static void io_ring_ctx_free(struct io_ring_ctx *ctx) io_sqe_files_unregister(ctx); #if defined(CONFIG_UNIX) - if (ctx->ring_sock) + if (ctx->ring_sock) { + ctx->ring_sock->file = NULL; /* so that iput() is called */ sock_release(ctx->ring_sock); + } #endif io_mem_free(ctx->sq_ring); |