Skip to content

Commit 5c3398a

Browse files
zhangjian3032kuba-moo
zhangjian3032
authored and
kuba-moo
committed
net: ncsi: fix skb leak in error paths
Early return paths in NCSI RX and AEN handlers fail to release the received skb, resulting in a memory leak. Specifically, ncsi_aen_handler() returns on invalid AEN packets without consuming the skb. Similarly, ncsi_rcv_rsp() exits early when failing to resolve the NCSI device, response handler, or request, leaving the skb unfreed. CC: [email protected] Fixes: 7a82ecf ("net/ncsi: NCSI AEN packet handler") Fixes: 138635c ("net/ncsi: NCSI response packet handler") Signed-off-by: Jian Zhang <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]>
1 parent 63f428c commit 5c3398a

2 files changed

Lines changed: 14 additions & 5 deletions

File tree

net/ncsi/ncsi-aen.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_priv *ndp, struct sk_buff *skb)
224224
if (!nah) {
225225
netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n",
226226
h->type);
227-
return -ENOENT;
227+
ret = -ENOENT;
228+
goto out;
228229
}
229230

230231
ret = ncsi_validate_aen_pkt(h, nah->payload);

net/ncsi/ncsi-rsp.c

Lines changed: 12 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1176,8 +1176,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_device *dev,
11761176
/* Find the NCSI device */
11771177
nd = ncsi_find_dev(orig_dev);
11781178
ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL;
1179-
if (!ndp)
1180-
return -ENODEV;
1179+
if (!ndp) {
1180+
ret = -ENODEV;
1181+
goto err_free_skb;
1182+
}
11811183

11821184
/* Check if it is AEN packet */
11831185
hdr = (struct ncsi_pkt_hdr *)skb_network_header(skb);
@@ -1199,15 +1201,17 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_device *dev,
11991201
if (!nrh) {
12001202
netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n",
12011203
hdr->type);
1202-
return -ENOENT;
1204+
ret = -ENOENT;
1205+
goto err_free_skb;
12031206
}
12041207

12051208
/* Associate with the request */
12061209
spin_lock_irqsave(&ndp->lock, flags);
12071210
nr = &ndp->requests[hdr->id];
12081211
if (!nr->used) {
12091212
spin_unlock_irqrestore(&ndp->lock, flags);
1210-
return -ENODEV;
1213+
ret = -ENODEV;
1214+
goto err_free_skb;
12111215
}
12121216

12131217
nr->rsp = skb;
@@ -1261,4 +1265,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_device *dev,
12611265
out:
12621266
ncsi_free_request(nr);
12631267
return ret;
1268+
1269+
err_free_skb:
1270+
kfree_skb(skb);
1271+
return ret;
12641272
}

0 commit comments

Comments
 (0)