> On Jul 16, 2023, at 3:39 PM, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: > > From: Chuck Lever <chuck.lever@xxxxxxxxxx> > > [ Upstream commit f921bd41001ccff2249f5f443f2917f7ef937daf ] > > If user space never calls DONE, sock->file's reference count remains > elevated. Enable sock->file to be freed eventually in this case. > > Reported-by: Jakub Kacinski <kuba@xxxxxxxxxx> > Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests") > Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx> > Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> > Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> > --- > net/handshake/handshake.h | 1 + > net/handshake/request.c | 4 ++++ > 2 files changed, 5 insertions(+) > > diff --git a/net/handshake/handshake.h b/net/handshake/handshake.h > index 4dac965c99df0..8aeaadca844fd 100644 > --- a/net/handshake/handshake.h > +++ b/net/handshake/handshake.h > @@ -31,6 +31,7 @@ struct handshake_req { > struct list_head hr_list; > struct rhash_head hr_rhash; > unsigned long hr_flags; > + struct file *hr_file; > const struct handshake_proto *hr_proto; > struct sock *hr_sk; > void (*hr_odestruct)(struct sock *sk); > diff --git a/net/handshake/request.c b/net/handshake/request.c > index 94d5cef3e048b..d78d41abb3d99 100644 > --- a/net/handshake/request.c > +++ b/net/handshake/request.c > @@ -239,6 +239,7 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req, > } > req->hr_odestruct = req->hr_sk->sk_destruct; > req->hr_sk->sk_destruct = handshake_sk_destruct; > + req->hr_file = sock->file; > > ret = -EOPNOTSUPP; > net = sock_net(req->hr_sk); 
> @@ -334,6 +335,9 @@ bool handshake_req_cancel(struct sock *sk) > return false; > } > > + /* Request accepted and waiting for DONE */ > + fput(req->hr_file); > + > out_true: > trace_handshake_cancel(net, req, sk); > > -- > 2.39.2 > > > Don't take this one. It's fixed by a later commit: 361b6889ae636926cdff517add240c3c8e24593a that reverts it. -- Chuck Lever
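Review bot: The new `struct file *hr_file;` member in struct handshake_req (net/handshake/handshake.h) carries no comment on ownership, so a reader cannot tell whether the request holds its own reference on the file or only borrows sock->file. Since handshake_req_cancel() later calls fput() on it, document next to the field which get this pointer is paired with and which path is responsible for dropping it.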
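Review bot: In handshake_req_submit() (net/handshake/request.c, hunk at -239), `req->hr_file = sock->file;` stores the pointer without a get_file() in the visible lines, and it does so before `ret = -EOPNOTSUPP;` and the checks that follow. If the reference that the cancel path puts is taken later in this function or at accept time, say so in a comment here; otherwise a submit that fails after this line leaves hr_file pointing at a file the request has no counted reference on.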
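Review bot: In handshake_req_cancel() (hunk at -334), `fput(req->hr_file);` runs on every path that falls through to out_true, and nothing in the hunk shows what stops the DONE path from dropping the same reference if user space completes concurrently with the cancel. An extra fput() on a struct file is a refcount underflow that can end in a use-after-free, so the put should be visibly tied to whichever side wins the completion check, and the comment "Request accepted and waiting for DONE" should name that check. The reply below the patch states that a later commit reverts this change; the stable queue should carry that outcome rather than this hunk alone.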