releases/5.1.12/io_uring-fix-memory-leak-of-unix-domain-socket-inode.patch

   1 From 355e8d26f719c207aa2e00e6f3cfab3acf21769b Mon Sep 17 00:00:00 2001
   2 From: Eric Biggers <ebiggers@google.com>
   3 Date: Wed, 12 Jun 2019 14:58:43 -0700
   4 Subject: io_uring: fix memory leak of UNIX domain socket inode
   5
   6 From: Eric Biggers <ebiggers@google.com>
   7
   8 commit 355e8d26f719c207aa2e00e6f3cfab3acf21769b upstream.
   9
  10 Opening and closing an io_uring instance leaks a UNIX domain socket
  11 inode.  This is because the ->file of the io_uring instance's internal
  12 UNIX domain socket is set to point to the io_uring file, but then
  13 sock_release() sees the non-NULL ->file and assumes the inode reference
  14 is held by the file so doesn't call iput().  That's not the case here,
  15 since the reference is still meant to be held by the socket; the actual
  16 inode of the io_uring file is different.
  17
  18 Fix this leak by NULL-ing out ->file before releasing the socket.
  19
  20 Reported-by: syzbot+111cb28d9f583693aefa@syzkaller.appspotmail.com
  21 Fixes: 2b188cc1bb85 ("Add io_uring IO interface")
  22 Cc: <stable@vger.kernel.org> # v5.1+
  23 Signed-off-by: Eric Biggers <ebiggers@google.com>
  24 Signed-off-by: Jens Axboe <axboe@kernel.dk>
  25 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  26
  27 ---
  28  fs/io_uring.c |    4 +++-
  29  1 file changed, 3 insertions(+), 1 deletion(-)
  30
  31 --- a/fs/io_uring.c
  32 +++ b/fs/io_uring.c
  33 @@ -2633,8 +2633,10 @@ static void io_ring_ctx_free(struct io_r
  34         io_sqe_files_unregister(ctx);
  35
  36  #if defined(CONFIG_UNIX)
  37 -       if (ctx->ring_sock)
  38 +       if (ctx->ring_sock) {
  39 +               ctx->ring_sock->file = NULL; /* so that iput() is called */
  40                 sock_release(ctx->ring_sock);
  41 +       }
  42  #endif
  43
  44         io_mem_free(ctx->sq_ring);