diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index b7a10048a32c..260ff1fce63d 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -273,7 +273,23 @@ static long seccomp_attach_filter(struct sock_fprog *fprog)
 	/* Check and rewrite the fprog for seccomp use */
 	ret = seccomp_check_filter(filter->insns, filter->len);
 	if (ret)
-		goto fail;
+		goto free_prog;
+
+	/* Allocate a new seccomp_filter */
+	ret = -ENOMEM;
+	filter = kzalloc(sizeof(struct seccomp_filter) +
+			 sizeof(struct sock_filter_int) * new_len,
+			 GFP_KERNEL|__GFP_NOWARN);
+	if (!filter)
+		goto free_prog;
+
+	ret = sk_convert_filter(fp, fprog->len, filter->insnsi, &new_len);
+	if (ret)
+		goto free_filter;
+	kfree(fp);
+
+	atomic_set(&filter->usage, 1);
+	filter->len = new_len;
 
 	/*
 	 * If there is an existing filter, make it the prev and don't drop its