sctp: fix sockets_allocated imbalance after sk_clone()

sk_clone() increments sockets_allocated and sets the socket refcount to 2.
SCTP performs additional accounting in sctp_clone_sock(), so the clone-time
increment must be undone to avoid double counting.

Note we cannot simply remove the SCTP-side increment, because the SCTP
destroy path in sctp_destroy_sock() only decrements sockets_allocated when
sp->ep is set, which may not be true for all failure paths in
sctp_clone_sock().

Fixes: 16942cf4d3e3 ("sctp: Use sk_clone() in sctp_accept().")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/af8d66f928dec3e9fcbee8d4a85b7d5a6b86f515.1776460180.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index f52fe90d3e00c8226666eb5bab57d75417812ff7..58d0d9747f0b395b9dc32ce471a1e0bb87136377 100644 (file)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4855,8 +4855,9 @@ static struct sock *sctp_clone_sock(struct sock *sk,
        if (!newsk)
                return ERR_PTR(err);
 
-       /* sk_clone() sets refcnt to 2 */
+       /* sk_clone() sets refcnt to 2 and increments sockets_allocated */
        sock_put(newsk);
+       sk_sockets_allocated_dec(newsk);
 
        newinet = inet_sk(newsk);
        newsp = sctp_sk(newsk);