Hi!
From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
commit 6107c5da0fca8b50b4d3215e94d619d38cc4a18c upstream.
batadv_show_throughput_override() invokes batadv_hardif_get_by_netdev(), which gets a batadv_hard_iface object from net_dev with increased refcnt and its reference is assigned to a local pointer 'hard_iface'.
When batadv_store_throughput_override() returns, "hard_iface" becomes invalid, so the refcount should be decreased to keep refcount balanced.
The issue happens in one error path of batadv_store_throughput_override(). When batadv_parse_throughput() returns NULL, the refcnt increased by batadv_hardif_get_by_netdev() is not decreased, causing a refcnt leak.
Fix this issue by jumping to "out" label when batadv_parse_throughput() returns NULL.
Ok, this fixes the issue, but it brings up a question:
--- a/net/batman-adv/sysfs.c +++ b/net/batman-adv/sysfs.c @@ -1093,7 +1093,7 @@ static ssize_t batadv_store_throughput_o ret = batadv_parse_throughput(net_dev, buff, "throughput_override", &tp_override); if (!ret)
return count;
goto out;
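Review bot: the description and the hunk name different functions. The first sentence of the commit message says batadv_show_throughput_override() takes the reference, while the hunk header in net/batman-adv/sysfs.c and the rest of the message point at the store handler, batadv_store_throughput_override(); the message should name the store handler throughout. The "out" label that the new `goto out;` targets lies outside the lines shown, so neither the put of hard_iface nor the value returned on this `if (!ret)` path can be confirmed from the hunk. A sentence in the description saying what "out" releases and returns would make the fix checkable.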
If parsing of value from userspace failed we are currently returning success. That seems wrong. Should we return -EINVAL instead?
Best regards, Pavel