net: ncsi: fix skb leak in error paths

Early return paths in NCSI RX and AEN handlers fail to release
the received skb, resulting in a memory leak.

Specifically, ncsi_aen_handler() returns on invalid AEN packets
without consuming the skb. Similarly, ncsi_rcv_rsp() exits early
when failing to resolve the NCSI device, response handler, or
request, leaving the skb unfreed.

CC: stable@vger.kernel.org
Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler")
Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler")
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
Link: https://patch.msgid.link/20260305060656.3357250-1-zhangjian.3032@bytedance.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ncsi/ncsi-aen.c b/net/ncsi/ncsi-aen.c
index 62fb1031763d14f82dcfee50191a21cb38ad8cf9..040a31557201bc1d8824d2811560a33fc5cc616d 100644 (file)
--- a/net/ncsi/ncsi-aen.c
+++ b/net/ncsi/ncsi-aen.c
@@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_priv *ndp, struct sk_buff *skb)
        if (!nah) {
                netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n",
                            h->type);
-               return -ENOENT;
+               ret = -ENOENT;
+               goto out;
        }
 
        ret = ncsi_validate_aen_pkt(h, nah->payload);

diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 271ec6c3929e8525605fec0abb99aabaad461fc5..fbd84bc8026a3983ff147b583f72352411297315 100644 (file)
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -1176,8 +1176,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_device *dev,
        /* Find the NCSI device */
        nd = ncsi_find_dev(orig_dev);
        ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL;
-       if (!ndp)
-               return -ENODEV;
+       if (!ndp) {
+               ret = -ENODEV;
+               goto err_free_skb;
+       }
 
        /* Check if it is AEN packet */
        hdr = (struct ncsi_pkt_hdr *)skb_network_header(skb);
@@ -1199,7 +1201,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_device *dev,
        if (!nrh) {
                netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n",
                           hdr->type);
-               return -ENOENT;
+               ret = -ENOENT;
+               goto err_free_skb;
        }
 
        /* Associate with the request */
@@ -1207,7 +1210,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_device *dev,
        nr = &ndp->requests[hdr->id];
        if (!nr->used) {
                spin_unlock_irqrestore(&ndp->lock, flags);
-               return -ENODEV;
+               ret = -ENODEV;
+               goto err_free_skb;
        }
 
        nr->rsp = skb;
@@ -1261,4 +1265,8 @@ out_netlink:
 out:
        ncsi_free_request(nr);
        return ret;
+
+err_free_skb:
+       kfree_skb(skb);
+       return ret;
 }