openvswitch: Fix skb leak in ovs_fragment()

If ovs_fragment() was unable to fragment the skb due to an L2 header
that exceeds the supported length, skbs would be leaked. Fix the bug.

Fixes: 7f8a436eaa2c "openvswitch: Add conntrack action"
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 7 insertions, 4 deletions

diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index e23a61cc3d5c..4cb93f92d6be 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -684,7 +684,7 @@ static void ovs_fragment(struct vport *vport, struct sk_buff *skb, u16 mru,
 {
         if (skb_network_offset(skb) > MAX_L2_LEN) {
                 OVS_NLERR(1, "L2 header too long to fragment");
-                return;
+                goto err;
         }
 
         if (ethertype == htons(ETH_P_IP)) {
@@ -708,8 +708,7 @@ static void ovs_fragment(struct vport *vport, struct sk_buff *skb, u16 mru,
                 struct rt6_info ovs_rt;
 
                 if (!v6ops) {
-                        kfree_skb(skb);
-                        return;
+                        goto err;
                 }
 
                 prepare_frag(vport, skb);
@@ -728,8 +727,12 @@ static void ovs_fragment(struct vport *vport, struct sk_buff *skb, u16 mru,
                 WARN_ONCE(1, "Failed fragment ->%s: eth=%04x, MRU=%d, MTU=%d.",
                           ovs_vport_name(vport), ntohs(ethertype), mru,
                           vport->dev->mtu);
-                kfree_skb(skb);
+                goto err;
         }
+
+        return;
+err:
+        kfree_skb(skb);
 }
 
 static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port,