On 01/11/2018 04:50 AM, Cong Wang wrote:
> When tipc_node_find_by_name() fails, the nlmsg is not
> freed.
>
> While on it, switch to a goto label to properly
> free it.
>
> Fixes: be9c086715c ("tipc: narrow down exposure of struct tipc_node")
> Reported-by: Dmitry Vyukov <dvyu...@google.com>
> Cc: Jon Maloy <jon.ma...@ericsson.com>
> Cc: Ying Xue <ying....@windriver.com>
> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
Acked-by: Ying Xue <ying....@windriver.com>
> ---
> net/tipc/node.c | 26 ++++++++++++++------------
> 1 file changed, 14 insertions(+), 12 deletions(-)
>
> diff --git a/net/tipc/node.c b/net/tipc/node.c
> index 507017fe0f1b..9036d8756e73 100644
> --- a/net/tipc/node.c
> +++ b/net/tipc/node.c
> @@ -1880,36 +1880,38 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct
> genl_info *info)
>
> if (strcmp(name, tipc_bclink_name) == 0) {
> err = tipc_nl_add_bc_link(net, &msg);
> - if (err) {
> - nlmsg_free(msg.skb);
> - return err;
> - }
> + if (err)
> + goto err_free;
> } else {
> int bearer_id;
> struct tipc_node *node;
> struct tipc_link *link;
>
> node = tipc_node_find_by_name(net, name, &bearer_id);
> - if (!node)
> - return -EINVAL;
> + if (!node) {
> + err = -EINVAL;
> + goto err_free;
> + }
>
> tipc_node_read_lock(node);
> link = node->links[bearer_id].link;
> if (!link) {
> tipc_node_read_unlock(node);
> - nlmsg_free(msg.skb);
> - return -EINVAL;
> + err = -EINVAL;
> + goto err_free;
> }
>
> err = __tipc_nl_add_link(net, &msg, link, 0);
> tipc_node_read_unlock(node);
> - if (err) {
> - nlmsg_free(msg.skb);
> - return err;
> - }
> + if (err)
> + goto err_free;
> }
>
> return genlmsg_reply(msg.skb, info);
> +
> +err_free:
> + nlmsg_free(msg.skb);
> + return err;
> }
>
> int tipc_nl_node_reset_link_stats(struct sk_buff *skb, struct genl_info
> *info)
>
