Date: Mon, 27 Mar 2017 22:21:27 +0100
From: Al Viro
To: Vito Caputo
Cc: hughd@google.com, linux-kernel, linux-mm@kvack.org
Subject: Re: [PATCH] shmem: fix __shmem_file_setup error path leaks
Message-ID: <20170327212127.GF29622@ZenIV.linux.org.uk>
References: <20170327170534.GA16903@shells.gnugeneration.com>
In-Reply-To: <20170327170534.GA16903@shells.gnugeneration.com>

On Mon, Mar 27, 2017 at 10:05:34AM -0700, Vito Caputo wrote:
> The existing path and memory cleanups appear to be in reverse order, and
> there's no iput() potentially leaking the inode in the last two error gotos.
>
> Also make put_memory shmem_unacct_size() conditional on !inode since if we
> entered cleanup at put_inode, shmem_evict_inode() occurs via
> iput()->iput_final(), which performs the shmem_unacct_size() for us.
>
> Signed-off-by: Vito Caputo
> ---
>
> This caught my eye while looking through the memfd_create() implementation.
> Included patch was compile tested only...

Obviously so, since you've just introduced a double iput() there. After
	d_instantiate(path.dentry, inode);
dropping the reference to path.dentry (done by path_put(&path)) will drop
the reference to inode transferred into that dentry by d_instantiate(). NAK.
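
The ownership transfer described in the reply above, as an added example that is not part of the original message and is not kernel code: a simplified userspace model of the reference counts on an error path taken after d_instantiate(). The `m_inode` and `m_dentry` types, the `m_*` functions and `error_path_after_instantiate()` are hypothetical stand-ins for the kernel objects and calls named in the thread.

```c
#include <stdio.h>

/* Userspace model only: simplified stand-ins, not kernel code. */
struct m_inode  { int refs; int overputs; };
struct m_dentry { int refs; struct m_inode *inode; };

/* Drop one inode reference; a put on an object with no references left
 * is recorded instead of acted on, so the model can report it safely. */
static void m_iput(struct m_inode *i)
{
    if (i->refs == 0) { i->overputs++; return; }
    i->refs--;
}

/* The caller's inode reference moves into the dentry: count unchanged. */
static void m_d_instantiate(struct m_dentry *d, struct m_inode *i)
{
    d->inode = i;
}

/* Dropping the last dentry reference releases the inode reference the
 * dentry owns (the effect of path_put() that the reply points out). */
static void m_dput(struct m_dentry *d)
{
    if (--d->refs == 0 && d->inode) {
        m_iput(d->inode);
        d->inode = NULL;
    }
}

/* Error path taken after d_instantiate(); extra_iput selects a cleanup
 * that also calls iput(). Returns the number of puts beyond zero. */
int error_path_after_instantiate(int extra_iput)
{
    struct m_inode inode = { .refs = 1, .overputs = 0 };
    struct m_dentry dentry = { .refs = 1, .inode = NULL };
    m_d_instantiate(&dentry, &inode);
    if (extra_iput)
        m_iput(&inode);   /* drops the reference the dentry now owns */
    m_dput(&dentry);      /* the dentry drops that same reference again */
    return inode.overputs;
}

int main(void)
{
    printf("path_put only:   %d over-puts\n", error_path_after_instantiate(0));
    printf("iput + path_put: %d over-puts\n", error_path_after_instantiate(1));
    return 0;
}
```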