[PATCH] Fix potential memory leak in tipc_named_node_up()

From: Jesper Juhl
Date: Mon May 28 2007 - 16:57:41 EST

Next message: Jon Smirl: "Re: [RFC] enhancing the kernel's graphics subsystem"
Previous message: Maximilian Engelhardt: "Re: b44: regression in 2.6.22 (resend)"
Next in thread: Björn Steinbrink: "Re: [PATCH] Fix potential memory leak in tipc_named_node_up()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There seems to be a memory leak in net/tipc/name_distr.c::tipc_named_node_up()

The function, with comments, is this :

void tipc_named_node_up(unsigned long node)
{
struct publication *publ;
struct distr_item *item = NULL;
struct sk_buff *buf = NULL;
u32 left = 0;
u32 rest;
u32 max_item_buf;

read_lock_bh(&tipc_nametbl_lock);
max_item_buf = TIPC_MAX_USER_MSG_SIZE / ITEM_SIZE;
max_item_buf *= ITEM_SIZE;
rest = publ_cnt * ITEM_SIZE;

list_for_each_entry(publ, &publ_root, local_list) {
-----> If we stop processing here after doing 1, 2 & 3 below we end up at (4) (below).
if (!buf) {
left = (rest <= max_item_buf) ? rest : max_item_buf;
rest -= left;
buf = named_prepare_buf(PUBLICATION, left, node);
-----> (1) here we allocate memory and store a pointer to it in 'buf'.

if (!buf) {
-----> (2) This test needs to fail, meaning we did allocate some memory.
warn("Bulk publication distribution failure\n");
goto exit;
}
item = (struct distr_item *)msg_data(buf_msg(buf));
}
publ_to_item(item, publ);
item++;
left -= ITEM_SIZE;
if (!left) {
-----> (3) If this test fails we loop and do nothing to 'buf'.
msg_set_link_selector(buf_msg(buf), node);
dbg("tipc_named_node_up: sending publish msg to "
"<%u.%u.%u>\n", tipc_zone(node),
tipc_cluster(node), tipc_node(node));
tipc_link_send(buf, node, node);
buf = NULL;
}
}
exit:
read_unlock_bh(&tipc_nametbl_lock);
-----> (4) here we return without freeing 'buf' - memory leak.
}

Luckily this is easy to fix, since we can only leave the function with 'buf'
either set to NULL or (in the leak case) set to a valid address, and since
kfree() handles being passed NULL gracefully we can simply kfree(buf) just
before we leave the function.

The patch below frees 'buf' before leaving the function, thus avoiding the
potential leak.

Fix a potential memory leak in tipc_named_node_up()

Signed-off-by: Jesper Juhl <jesper.juhl@xxxxxxxxx>
---

net/tipc/name_distr.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index 39fd161..228ccfe 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -204,6 +204,7 @@ void tipc_named_node_up(unsigned long node)
}
exit:
read_unlock_bh(&tipc_nametbl_lock);
+ kfree(buf);
}

/**

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jon Smirl: "Re: [RFC] enhancing the kernel's graphics subsystem"
Previous message: Maximilian Engelhardt: "Re: b44: regression in 2.6.22 (resend)"
Next in thread: Björn Steinbrink: "Re: [PATCH] Fix potential memory leak in tipc_named_node_up()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]