From: Julia Lawall <redacted>

At this point, the new_param that has just been allocated has not been
stored in the list, so it and new_param->name, once it is defined, have to
be freed separately.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@exists@
local idexpression x;
statement S,S1;
expression E;
identifier fl;
expression *ptr != NULL;
@@

x = \(kmalloc\|kzalloc\|kcalloc\)(...);
...
if (x = NULL) S
<... when != x
     when != if (...) { <+...kfree(x)...+> }
     when any
     when != true x = NULL
x->fl
...>
(
if (x = NULL) S1
|
if (...) { ... when != x
               when forall
(
 return \(0\|<+...x...+>\|ptr\);
|
* return ...;
)
}
)
// </smpl>

Signed-off-by: Julia Lawall <redacted>

---
 drivers/target/iscsi/iscsi_target_parameters.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
index 252e246..b8dbe44 100644
--- a/drivers/target/iscsi/iscsi_target_parameters.c
+++ b/drivers/target/iscsi/iscsi_target_parameters.c

@@ -584,6 +584,7 @@ int iscsi_copy_param_list(
 		if (!new_param->name) {
 			pr_err("Unable to allocate memory for"
 				" parameter name.\n");
+			kfree(new_param);
 			goto err_out;
 		}
 

@@ -592,6 +593,8 @@ int iscsi_copy_param_list(
 		if (!new_param->value) {
 			pr_err("Unable to allocate memory for"
 				" parameter value.\n");
+			kfree(new_param->name);
+			kfree(new_param);
 			goto err_out;
 		}