SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails
authorChuck Lever <chuck.lever@oracle.com>
Sat, 26 Nov 2022 20:55:18 +0000 (15:55 -0500)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Jan 2023 10:58:48 +0000 (11:58 +0100)
commit da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 upstream.

Fixes: 030d794bf498 ("SUNRPC: Use gssproxy upcall for server RPCGSS authentication.")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: <stable@vger.kernel.org>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/sunrpc/auth_gss/svcauth_gss.c

index 1f28171..48b608c 100644 (file)
@@ -1162,18 +1162,23 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
                return res;
 
        inlen = svc_getnl(argv);
-       if (inlen > (argv->iov_len + rqstp->rq_arg.page_len))
+       if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) {
+               kfree(in_handle->data);
                return SVC_DENIED;
+       }
 
        pages = DIV_ROUND_UP(inlen, PAGE_SIZE);
        in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL);
-       if (!in_token->pages)
+       if (!in_token->pages) {
+               kfree(in_handle->data);
                return SVC_DENIED;
+       }
        in_token->page_base = 0;
        in_token->page_len = inlen;
        for (i = 0; i < pages; i++) {
                in_token->pages[i] = alloc_page(GFP_KERNEL);
                if (!in_token->pages[i]) {
+                       kfree(in_handle->data);
                        gss_free_in_token_pages(in_token);
                        return SVC_DENIED;
                }
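Review bot: Each of the three added `kfree(in_handle->data);` calls leaves `in_handle->data` pointing at freed memory when the function returns `SVC_DENIED`. Whether the caller frees or reads the handle after a failure is not visible here, so either confirm it does not or clear the pointer with `in_handle->data = NULL;` after each free. Because the same release now appears on three exits, one shared error label ending in `kfree(in_handle->data); return SVC_DENIED;` would make it harder for a later error path to miss it. The body of gss_read_proxy_verf() starts before and continues past this hunk, so any failure exits further down need the same cleanup. The first check is driven by the length read with `svc_getnl(argv)`, so these paths can be reached by a request carrying an oversized token length.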