Date: Wed, 28 Oct 2020 03:54:53 +0000
From: Al Viro
To: Zhiqiang Liu
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, cai@redhat.com
Subject: Re: [PATCH] pipe: fix potential inode leak in create_pipe_files()
Message-ID: <20201028035453.GI3576660@ZenIV.linux.org.uk>
In-Reply-To: <779f767d-c08b-0c03-198e-06270100d529@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 28, 2020 at 11:03:52AM +0800, Zhiqiang Liu wrote:
>
> In create_pipe_files(), if alloc_file_clone() fails, we will call
> put_pipe_info to release pipe, and call fput() to release f.
> However, we do not call iput() to free inode.

Huh?  Have you actually tried to trigger that failure exit?

> Signed-off-by: Zhiqiang Liu
> Signed-off-by: Feilong Lin
> ---
> fs/pipe.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/pipe.c b/fs/pipe.c
> index 0ac197658a2d..8856607fde65 100644
> --- a/fs/pipe.c
> +++ b/fs/pipe.c
> @@ -924,6 +924,7 @@ int create_pipe_files(struct file **res, int flags)
> if (IS_ERR(res[0])) {
> put_pipe_info(inode, inode->i_pipe);
> fput(f);
> + iput(inode);
> return PTR_ERR(res[0]);

No.  That inode is created with refcount 1.  If alloc_file_pseudo() succeeds, the reference we'd been holding has been transferred into dentry allocated by alloc_file_pseudo() (and attached to f).  From that point on we do *NOT* own a reference to inode and no subsequent failure exits have any business releasing it.  In particular, alloc_file_clone() DOES NOT create extra references to inode, whether it succeeds or fails.  Dropping the reference to f will take care of everything.

If you tried to trigger that failure exit with your patch applied, you would've seen double iput(), as soon as you return from sys_pipe() to userland and task_work is processed (which is where the real destructor of struct file will happen).

NAK.
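Review bot: the added `+ iput(inode);` on the alloc_file_clone() failure exit drops a reference this function no longer owns. Once alloc_file_pseudo() has succeeded, the inode reference created with the inode has been transferred into the dentry attached to f, so the existing `fput(f);` already releases it when struct file is finally destroyed (from task_work, after sys_pipe() returns to userland). alloc_file_clone() takes no inode reference whether it succeeds or fails, so there is nothing extra to drop, and with this hunk applied the failure exit puts the inode twice. Drop the added line; the commit message's claim of a leak should be re-checked by actually triggering this exit.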
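The ownership chain Al Viro describes, as an added user-space model that is not kernel code and not part of this thread: the function names mirror the kernel's (new_inode, alloc_file_pseudo, alloc_file_clone, fput, dput, iput) but the bodies are simplified stand-ins, the immediate drop in fput() replaces the kernel's task_work deferral, and the put_pipe_info() bookkeeping is left out because it does not touch inode references. The model runs the alloc_file_clone() failure exit with and without the posted iput(), plus the success path, and counts how many times the inode's destructor ran and whether any put hit an already-released inode.

```c
/* Added example, not kernel code: user-space model of the inode reference
 * ownership in create_pipe_files(). Kernel function names, stand-in bodies.
 * The inode counts destructor runs and puts on an already-released inode. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct inode   { int refcount; int freed; int underflow; };
struct dentry  { struct inode *inode; int refcount; };
struct file    { struct dentry *dentry; int refcount; };
struct outcome { int ret; int freed; int underflow; };

static void iput(struct inode *inode)
{
	/* A put on a released inode is the double iput() from the reply. */
	if (inode->refcount <= 0) {
		inode->underflow++;
		return;
	}
	if (--inode->refcount == 0)
		inode->freed++;		/* the kernel would evict and free here */
}

static struct inode *new_inode(void)
{
	struct inode *inode = calloc(1, sizeof(*inode));
	inode->refcount = 1;		/* created with refcount 1, owned by caller */
	return inode;
}

static void dput(struct dentry *dentry)
{
	if (--dentry->refcount == 0) {
		iput(dentry->inode);	/* the dentry's inode ref goes with it */
		free(dentry);
	}
}

static void fput(struct file *file)
{
	/* Real fput() defers this to task_work; the model drops at once. */
	if (--file->refcount == 0) {
		dput(file->dentry);
		free(file);
	}
}

/* On success the caller's inode reference is transferred into the new
 * dentry attached to the returned file; the caller no longer owns it. */
static struct file *alloc_file_pseudo(struct inode *inode)
{
	struct dentry *dentry = calloc(1, sizeof(*dentry));
	struct file *file = calloc(1, sizeof(*file));
	dentry->inode = inode;
	dentry->refcount = 1;
	file->dentry = dentry;
	file->refcount = 1;
	return file;
}

/* The clone shares the dentry and takes a dentry reference (path_get()),
 * never an inode reference. On failure nothing at all has been taken. */
static struct file *alloc_file_clone(struct file *base, int fail)
{
	struct file *file;
	if (fail)
		return NULL;
	file = calloc(1, sizeof(*file));
	file->dentry = base->dentry;
	file->dentry->refcount++;
	file->refcount = 1;
	return file;
}

/* create_pipe_files() from alloc_file_pseudo() onward. with_iput selects
 * the posted patch (extra iput() on the alloc_file_clone() failure exit). */
static struct outcome run(int clone_fails, int with_iput)
{
	struct inode *inode = new_inode();
	struct outcome out = { 0, 0, 0 };
	struct file *f = alloc_file_pseudo(inode);	/* our ref is now the dentry's */
	struct file *r = alloc_file_clone(f, clone_fails);

	if (!r) {
		fput(f);			/* file -> dentry -> inode: releases it all */
		if (with_iput)
			iput(inode);		/* the patch: puts a ref we do not own */
		out.ret = -ENOMEM;
	} else {
		fput(r);
		fput(f);
	}
	out.freed = inode->freed;
	out.underflow = inode->underflow;
	free(inode);
	return out;
}

int main(void)
{
	struct outcome a = run(1, 0), b = run(1, 1), c = run(0, 0);
	printf("clone fails, tree as is: freed=%d underflow=%d\n", a.freed, a.underflow);
	printf("clone fails, patched   : freed=%d underflow=%d\n", b.freed, b.underflow);
	printf("clone succeeds         : freed=%d underflow=%d\n", c.freed, c.underflow);
	return 0;
}
```

The unpatched failure exit and the success path each release the inode exactly once; the patched exit releases it once through fput() and then puts it again, which is the double iput() the reply predicts once task_work runs.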