Date:   Wed, 25 Sep 2019 18:04:13 -0500
From:   Navid Emamdoost <navid.emamdoost@...il.com>
To:     unlisted-recipients:; (no To-header on input)
Cc:     emamd001@....edu, smccaman@....edu, kjlu@....edu,
        Navid Emamdoost <navid.emamdoost@...il.com>,
        "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH] net: qrtr: fix memory leak in qrtr_tun_read_iter

In qrtr_tun_read_iter we need an error handling path to appropriately
release skb in cases of error.

Signed-off-by: Navid Emamdoost <navid.emamdoost@...il.com>
---
 net/qrtr/tun.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c
index e35869e81766..0f6e6d1d2901 100644
--- a/net/qrtr/tun.c
+++ b/net/qrtr/tun.c
@@ -54,19 +54,24 @@ static ssize_t qrtr_tun_read_iter(struct kiocb *iocb, struct iov_iter *to)
 	int count;
 
 	while (!(skb = skb_dequeue(&tun->queue))) {
-		if (filp->f_flags & O_NONBLOCK)
-			return -EAGAIN;
+		if (filp->f_flags & O_NONBLOCK) {
+			count = -EAGAIN;
+			goto out;
+		}
 
 		/* Wait until we get data or the endpoint goes away */
 		if (wait_event_interruptible(tun->readq,
-					     !skb_queue_empty(&tun->queue)))
-			return -ERESTARTSYS;
+					     !skb_queue_empty(&tun->queue))) {
+			count = -ERESTARTSYS;
+			goto out;
+		}
 	}
 
 	count = min_t(size_t, iov_iter_count(to), skb->len);
 	if (copy_to_iter(skb->data, count, to) != count)
 		count = -EFAULT;
 
+out:
 	kfree_skb(skb);
 
 	return count;
-- 
2.17.1

Powered by blists - more mailing lists