On 05/21/2018 07:44 PM, Martin KaFai Lau wrote:
> On Sun, May 20, 2018 at 02:08:57PM +0100, Mathieu Xhonneux wrote:
>> In bpf_parse_prog, if bpf_prog_get_type fails, the function is
>> immediately terminated without freeing the previously allocated
>> prog->name.
>> This patch adds a kfree before the return.
>>
>> Signed-off-by: Mathieu Xhonneux <m.xhonn...@gmail.com>
>> ---
>> net/core/lwt_bpf.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c
>> index e7e626fb87bb..e142a7a32e46 100644
>> --- a/net/core/lwt_bpf.c
>> +++ b/net/core/lwt_bpf.c
>> @@ -223,8 +223,10 @@ static int bpf_parse_prog(struct nlattr *attr, struct
>> bpf_lwt_prog *prog,
>>
>> fd = nla_get_u32(tb[LWT_BPF_PROG_FD]);
>> p = bpf_prog_get_type(fd, type);
>> - if (IS_ERR(p))
>> + if (IS_ERR(p)) {
>> + kfree(prog->name);
> I don't think it is needed.
> The caller, "bpf_build_state()", does bpf_destroy_state() during error
> out and it will eventually free up "name".
Agree, it's not needed in lwt/bpf due to call to destructor in error path.
>> return PTR_ERR(p);
>> + }
>>
>> prog->prog = p;
>>
>> --
>> 2.16.1
>>
