From: Xin Xiong
Date: Wed, 10 Aug 2022 15:29:13 +0000 (+0800)
Subject: net/sunrpc: fix potential memory leaks in rpc_sysfs_xprt_state_change()
X-Git-Tag: v5.19.4~159
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=76fbeb1662b1c56514325118a07fba74dc4c79fe;p=thirdparty%2Fkernel%2Fstable.git

net/sunrpc: fix potential memory leaks in rpc_sysfs_xprt_state_change()

commit bfc48f1b0505ffcb03a6d749139b7577d6b81ae0 upstream.

The issue happens on some error handling paths. When the function fails to grab the object `xprt`, it simply returns 0, forgetting to decrease the reference count of another object `xps`, which is increased by rpc_sysfs_xprt_kobj_get_xprt_switch(), causing refcount leaks. Also, the function forgets to check whether `xps` is valid before using it, which may result in NULL-dereferencing issues.

Fix it by adding proper error handling code when either `xprt` or `xps` is NULL.

Fixes: 5b7eb78486cd ("SUNRPC: take a xprt offline using sysfs")
Signed-off-by: Xin Xiong
Signed-off-by: Xin Tan
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
diff --git a/net/sunrpc/sysfs.c b/net/sunrpc/sysfs.c index a3a2f8aeb80ea..d1a15c6d3fd9b 100644 --- a/net/sunrpc/sysfs.c +++ b/net/sunrpc/sysfs.c @@ -291,8 +291,10 @@ static ssize_t rpc_sysfs_xprt_state_change(struct kobject *kobj, int offline = 0, online = 0, remove = 0; struct rpc_xprt_switch *xps = rpc_sysfs_xprt_kobj_get_xprt_switch(kobj); - if (!xprt) - return 0; + if (!xprt || !xps) { + count = 0; + goto out_put; + } if (!strncmp(buf, "offline", 7)) offline = 1;
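Review bot: the new `if (!xprt || !xps)` branch jumps to `out_put` with at least one of the two pointers NULL, and the body of that label is outside this hunk, so the fix is only correct if the cleanup there tolerates a NULL `xprt` and a NULL `xps`. Please confirm that both put helpers called at `out_put` are NULL-safe and say so in the commit message, or split the exit into two labels so each reference is dropped only when it was actually taken. Separately, `count = 0` preserves the old return value, so a write to this attribute that fails to obtain either object still reports zero bytes consumed instead of an error; returning a negative errno on this path would let the caller tell a failed state change from a successful one.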