handshake_req_submit() replaces sk->sk_destruct but never restores it when submission fails before the request is hashed. handshake_sk_destruct() then returns early and the original destructor never runs, leaking the socket. Restore sk_destruct on the error path.
Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests") Reviewed-by: Chuck Lever chuck.lever@oracle.com Cc: stable@vger.kernel.org Signed-off-by: caoping caoping@cmss.chinamobile.com --- net/handshake/request.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/net/handshake/request.c b/net/handshake/request.c index 274d2c89b6b2..89435ed755cd 100644 --- a/net/handshake/request.c +++ b/net/handshake/request.c @@ -276,6 +276,8 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req, out_unlock: spin_unlock(&hn->hn_lock); out_err: + /* Restore original destructor so socket teardown still runs on failure */ + req->hr_sk->sk_destruct = req->hr_odestruct; trace_handshake_submit_err(net, req, req->hr_sk, ret); handshake_req_destroy(req); return ret;
base-commit: 4a26e7032d7d57c998598c08a034872d6f0d3945
On Thu, Dec 04, 2025 at 01:10:58AM -0800, caoping wrote:
handshake_req_submit() replaces sk->sk_destruct but never restores it when submission fails before the request is hashed. handshake_sk_destruct() then returns early and the original destructor never runs, leaking the socket. Restore sk_destruct on the error path.
Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests") Reviewed-by: Chuck Lever chuck.lever@oracle.com Cc: stable@vger.kernel.org Signed-off-by: caoping caoping@cmss.chinamobile.com
Please slow down a bit.
When posting patches to netdev ML please allow at least 24h to elapse between revisions. This is to allow time for review. And ease load on shared CI infrastructure. Thanks!
Link: https://docs.kernel.org/process/maintainer-netdev.html
Hello:
This patch was applied to netdev/net.git (main) by Jakub Kicinski kuba@kernel.org:
On Thu, 4 Dec 2025 01:10:58 -0800 you wrote:
handshake_req_submit() replaces sk->sk_destruct but never restores it when submission fails before the request is hashed. handshake_sk_destruct() then returns early and the original destructor never runs, leaking the socket. Restore sk_destruct on the error path.
Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests") Reviewed-by: Chuck Lever chuck.lever@oracle.com Cc: stable@vger.kernel.org Signed-off-by: caoping caoping@cmss.chinamobile.com
[...]
Here is the summary with links: - [v3] net/handshake: restore destructor on submit failure https://git.kernel.org/netdev/net/c/6af2a01d65f8
You are awesome, thank you!
linux-stable-mirror@lists.linaro.org
-
caoping -
patchwork-bot+netdevbpf@kernel.org -
Simon Horman