From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ying Xue <ying.xue@windriver.com>
Subject: Re: [Patch net] tipc: fix a memory leak in tipc_nl_node_get_link()
Date: Thu, 11 Jan 2018 18:21:23 +0800
Message-ID: <d97e5215-09f6-696e-cfd4-c5796136ac6b@windriver.com>
References: <20180110205025.7124-1-xiyou.wangcong@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Cc: <dvyukov@google.com>, Jon Maloy <jon.maloy@ericsson.com>
To: Cong Wang <xiyou.wangcong@gmail.com>, <netdev@vger.kernel.org>
Return-path: <netdev-owner@vger.kernel.org>
Received: from mail1.windriver.com ([147.11.146.13]:37495 "EHLO
        mail1.windriver.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932986AbeAKKYL (ORCPT
        <rfc822;netdev@vger.kernel.org>); Thu, 11 Jan 2018 05:24:11 -0500
In-Reply-To: <20180110205025.7124-1-xiyou.wangcong@gmail.com>
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

On 01/11/2018 04:50 AM, Cong Wang wrote:
> When tipc_node_find_by_name() fails, the nlmsg is not
> freed.
> 
> While on it, switch to a goto label to properly
> free it.
> 
> Fixes: be9c086715c ("tipc: narrow down exposure of struct tipc_node")
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: Jon Maloy <jon.maloy@ericsson.com>
> Cc: Ying Xue <ying.xue@windriver.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Acked-by: Ying Xue <ying.xue@windriver.com>

> ---
>  net/tipc/node.c | 26 ++++++++++++++------------
>  1 file changed, 14 insertions(+), 12 deletions(-)
> 
> diff --git a/net/tipc/node.c b/net/tipc/node.c
> index 507017fe0f1b..9036d8756e73 100644
> --- a/net/tipc/node.c
> +++ b/net/tipc/node.c
> @@ -1880,36 +1880,38 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
>  
>  	if (strcmp(name, tipc_bclink_name) == 0) {
>  		err = tipc_nl_add_bc_link(net, &msg);
> -		if (err) {
> -			nlmsg_free(msg.skb);
> -			return err;
> -		}
> +		if (err)
> +			goto err_free;
>  	} else {
>  		int bearer_id;
>  		struct tipc_node *node;
>  		struct tipc_link *link;
>  
>  		node = tipc_node_find_by_name(net, name, &bearer_id);
> -		if (!node)
> -			return -EINVAL;
> +		if (!node) {
> +			err = -EINVAL;
> +			goto err_free;
> +		}
>  
>  		tipc_node_read_lock(node);
>  		link = node->links[bearer_id].link;
>  		if (!link) {
>  			tipc_node_read_unlock(node);
> -			nlmsg_free(msg.skb);
> -			return -EINVAL;
> +			err = -EINVAL;
> +			goto err_free;
>  		}
>  
>  		err = __tipc_nl_add_link(net, &msg, link, 0);
>  		tipc_node_read_unlock(node);
> -		if (err) {
> -			nlmsg_free(msg.skb);
> -			return err;
> -		}
> +		if (err)
> +			goto err_free;
>  	}
>  
>  	return genlmsg_reply(msg.skb, info);
> +
> +err_free:
> +	nlmsg_free(msg.skb);
> +	return err;
>  }
>  
>  int tipc_nl_node_reset_link_stats(struct sk_buff *skb, struct genl_info *info)
>