From e676f197a7a9aae9c75b0d9acc97e07de07dd1f0 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Tue, 22 Apr 2014 17:15:34 +0800 Subject: [PATCH] macvlan: Fix leak and NULL dereference on error path The recent patch that moved broadcasts to process context added a couple of bugs on the error path where we may dereference NULL or leak an skb. This patch fixes them. Reported-by: Dan Carpenter Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- drivers/net/macvlan.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c index 8b8220fcdd3d..cfb27c865417 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c @@ -239,25 +239,28 @@ static void macvlan_process_broadcast(struct work_struct *w) static void macvlan_broadcast_enqueue(struct macvlan_port *port, struct sk_buff *skb) { + struct sk_buff *nskb; int err = -ENOMEM; - skb = skb_clone(skb, GFP_ATOMIC); - if (!skb) + nskb = skb_clone(skb, GFP_ATOMIC); + if (!nskb) goto err; spin_lock(&port->bc_queue.lock); if (skb_queue_len(&port->bc_queue) < skb->dev->tx_queue_len) { - __skb_queue_tail(&port->bc_queue, skb); + __skb_queue_tail(&port->bc_queue, nskb); err = 0; } spin_unlock(&port->bc_queue.lock); if (err) - goto err; + goto free_nskb; schedule_work(&port->bc_work); return; +free_nskb: + kfree_skb(nskb); err: atomic_long_inc(&skb->dev->rx_dropped); }