ppp: fix memory leak in pad_compress_skb

If alloc_skb() fails in pad_compress_skb(), it returns NULL without
releasing the old skb. The caller does:

    skb = pad_compress_skb(ppp, skb);
    if (!skb)
        goto drop;

drop:
    kfree_skb(skb);

When pad_compress_skb() returns NULL, the reference to the old skb is
lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.

Align pad_compress_skb() semantics with realloc(): only free the old
skb if allocation and compression succeed.  At the call site, use the
new_skb variable so the original skb is not lost when pad_compress_skb()
fails.

Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module")
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 824c8dc4120b33d0d637abc50f48ab0dc2cf1a86..702a7f7183ce291d190f8c90067815699e0e73c0 100644 (file)
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -1744,7 +1744,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb)
                 */
                if (net_ratelimit())
                        netdev_err(ppp->dev, "ppp: compressor dropped pkt\n");
-               kfree_skb(skb);
                consume_skb(new_skb);
                new_skb = NULL;
        }
@@ -1845,9 +1844,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
                                           "down - pkt dropped.\n");
                        goto drop;
                }
-               skb = pad_compress_skb(ppp, skb);
-               if (!skb)
+               new_skb = pad_compress_skb(ppp, skb);
+               if (!new_skb)
                        goto drop;
+               skb = new_skb;
        }
 
        /*