• Eric Biggers's avatar
    io_uring: fix memory leak of UNIX domain socket inode · 3d61202e
    Eric Biggers authored
    commit 355e8d26 upstream.
    
    Opening and closing an io_uring instance leaks a UNIX domain socket
    inode.  This is because the ->file of the io_uring instance's internal
    UNIX domain socket is set to point to the io_uring file, but then
    sock_release() sees the non-NULL ->file and assumes the inode reference
    is held by the file so doesn't call iput().  That's not the case here,
    since the reference is still meant to be held by the socket; the actual
    inode of the io_uring file is different.
    
    Fix this leak by NULL-ing out ->file before releasing the socket.
    
    Reported-by: syzbot+111cb28d9f583693aefa@syzkaller.appspotmail.com
    Fixes: 2b188cc1 ("Add io_uring IO interface")
    Cc: <stable@vger.kernel.org> # v5.1+
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    3d61202e
io_uring.c 72.4 KB