Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp3011054ybi; Mon, 17 Jun 2019 14:38:13 -0700 (PDT) X-Google-Smtp-Source: APXvYqxv5WrULQ+y3lijRN/p3TUGs/E4C87lSpSDCrsqgXFBGmgbZqe+eZNeT0J5qy2dMXzZHngl X-Received: by 2002:a62:cf07:: with SMTP id b7mr58335499pfg.217.1560807493760; Mon, 17 Jun 2019 14:38:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560807493; cv=none; d=google.com; s=arc-20160816; b=U/04hJLOn7JmD04hFX3H/l1YtUpj6Cj+iA4F97K4b6G1NCtayChHEOG3dc0dCOLHhp FACuyGS5ebdK+lSElompDhjEXei1XUGOZyrf+g6hVdGkp47R6M/d7fcuIuICi9iTL4Hw uWeXyLrNJIiu4yL0Fpob8h3d+4xReqcxy9Bxm5wXuG79MNJ8+LJ/Gr4FaBTXUQy5KG6S ZPd7ROQe5c438WG3GbxO5UFw0/zAIMsZlWQ6SPhsEPsCFp3xhuXpKKB9dwOD0+oe88rr C0/WSUhbShuk3w6bATlLH6EiC/gN6Z/cXt990XF3ZfzVrRXg1fPWVjavPwcqrXSAhzp5 8q3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=jr9zWaqQwp11HGAIKo4QQbYbsl8sDdbXwWibxv3tOb4=; b=Xg6ZItH3moB3pbx7uawEU19mh2YGGm7nt60mzWfymr83jFRODRn7QwuSKFb1YBPO+N +qxFtoAnKu1pjSeWFSV4kZTeQfO9BtBKl57cw0Xzu4xwa7HsWnz8CqKLJL8bpzQlqh9O 5PGtzlyaNmyNsifrVVT3XBv+92VbbNae4ZAi3HYt492jW7lSYAbvRv+u6f4Oq6WDIlat e43Y8aLhRpNlJicVdnAzhrJaIlRaoj0pVGMqGDQNeXeIMEcdyr3qCfC/F69rp6uec/CG rfxpJiId9eQIoXUKelekl/lMiMLzPBsidFWm/I1Dto25cUPTevgt/A+ZIcHGI+EwC3d2 Sfrg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ngsD5aXx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d8si398833pjw.3.2019.06.17.14.37.59; Mon, 17 Jun 2019 14:38:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ngsD5aXx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729275AbfFQVhz (ORCPT + 99 others); Mon, 17 Jun 2019 17:37:55 -0400 Received: from mail.kernel.org ([198.145.29.99]:42846 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728701AbfFQVTJ (ORCPT ); Mon, 17 Jun 2019 17:19:09 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 96CEA208E4; Mon, 17 Jun 2019 21:19:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1560806349; bh=SCld0zSsIOCbRLLWcUjRzOClR/Ij2Y1Q73j4IBFa4Zs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ngsD5aXxoZZ6BNXv5APmhL5CvXryR5VkJeseoi9BYBkKCOi4dWv1WNnlwVK+fOY5Z NUxJF9dRlM7ByipXQ0TylkN1TynZTgaU2LNwaJI0wsYAG8PX0V2wHLAEOXNsyGYTRs UpoTTx22S8Ft77BwUtLczPbLpawAHBAy/5UxyrRI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+111cb28d9f583693aefa@syzkaller.appspotmail.com, Eric Biggers , Jens Axboe Subject: [PATCH 5.1 021/115] io_uring: fix memory leak of UNIX domain socket inode Date: Mon, 17 Jun 2019 23:08:41 +0200 Message-Id: <20190617210800.989101879@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190617210759.929316339@linuxfoundation.org> References: <20190617210759.929316339@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Biggers commit 355e8d26f719c207aa2e00e6f3cfab3acf21769b upstream. Opening and closing an io_uring instance leaks a UNIX domain socket inode. This is because the ->file of the io_uring instance's internal UNIX domain socket is set to point to the io_uring file, but then sock_release() sees the non-NULL ->file and assumes the inode reference is held by the file so doesn't call iput(). That's not the case here, since the reference is still meant to be held by the socket; the actual inode of the io_uring file is different. Fix this leak by NULL-ing out ->file before releasing the socket. Reported-by: syzbot+111cb28d9f583693aefa@syzkaller.appspotmail.com Fixes: 2b188cc1bb85 ("Add io_uring IO interface") Cc: # v5.1+ Signed-off-by: Eric Biggers Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- fs/io_uring.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2633,8 +2633,10 @@ static void io_ring_ctx_free(struct io_r io_sqe_files_unregister(ctx); #if defined(CONFIG_UNIX) - if (ctx->ring_sock) + if (ctx->ring_sock) { + ctx->ring_sock->file = NULL; /* so that iput() is called */ sock_release(ctx->ring_sock); + } #endif io_mem_free(ctx->sq_ring);