crypto: af_alg - Fix socket double-free when accept fails

Orabug: 23330749

[ Upstream commit a383292c86663bbc31ac62cc0c04fc77504636a6 ]

When we fail an accept(2) call we will end up freeing the socket
twice, once due to the direct sk_free call and once again through
newsock.

This patch fixes this by removing the sk_free call.

Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(cherry picked from commit fa988b35c2e40f38e57388a1a3f48de056e81dd3)

Signed-off-by: Dan Duval <dan.duval@oracle.com>

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 2cf64ae17aa8aa16bedac725c1a7ca837b43dde5..153dc85e04f1a6f19399d6dc3ab31d0151dfc3f0 100644 (file)
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -282,10 +282,8 @@ int af_alg_accept(struct sock *sk, struct socket *newsock)
        security_sk_clone(sk, sk2);
 
        err = type->accept(ask->private, sk2);
-       if (err) {
-               sk_free(sk2);
+       if (err)
                goto unlock;
-       }
 
        sk2->sk_family = PF_ALG;