From: Jakub Kicinski <kuba@kernel.org>
To: Alexander Lobakin <aleksander.lobakin@intel.com>
Cc: Zhao Dongdong <winter91@foxmail.com>, <davem@davemloft.net>,
	<edumazet@google.com>, <pabeni@redhat.com>,
	<netdev@vger.kernel.org>, Zhao Dongdong <zhaodongdong@kylinos.cn>
Subject: Re: [PATCH] net: page_pool: check nla_nest_start() return value in page_pool_nl_stats_fill()
Date: Tue, 26 May 2026 16:27:36 -0700
Message-ID: <20260526162736.5e95b928@kernel.org>
In-Reply-To: <3a16e1ec-313d-431e-8960-abf55701ac5a@intel.com>

On Tue, 26 May 2026 18:04:44 +0200 Alexander Lobakin wrote:
> From: Zhao Dongdong <winter91@foxmail.com>
> Date: Tue, 26 May 2026 14:51:56 +0800
> 
> > From: Zhao Dongdong <zhaodongdong@kylinos.cn>
> > 
> > nla_nest_start() can return NULL if the skb runs out of space.
> > page_pool_nl_stats_fill() does not check the return value before
> > calling nla_nest_end(), which can lead to a NULL pointer dereference.
> > Add a NULL check after nla_nest_start() and abort the message if it fails.
> > 
> > Fixes: d49010adae73 ("net: page_pool: expose page pool stats via netlink")  
> 
> A "Cc: stable@vger.kernel.org" candidate?

Not really, the thinking is that if nla_nest_start() failed then the
very next nla_put* will also fail (nla_nest_start() is a zero-length
attr, any attr we put after must be >= in length).

IOW the commit message is lying, there's no way for us to reach
nla_nest_end(). We will jump to nla_nest_cancel() which handles
nest=NULL just fine.

Zhao Dongdong please confirm this and respin the patch without a Fixes 
tag and with an updated commit message. I think we got such a patch
in the past, so we should merge it to avoid confusing bots. 
But please make it very clear that this code can't crash.
-- 
pw-bot: cr
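
The reasoning in the reply above, as an added example that is not part of the original message or of the kernel source: a userspace model that tries every buffer size and counts how often the point where nla_nest_end() would run is reached with a NULL nest. All names here (`struct msg`, `put_attr`, `nest_start`, `nest_cancel`, `fill`) are hypothetical stand-ins for the skb and the nla_* helpers, and the 4-byte header with 4-byte padding is the model's assumption.

```c
#include <stddef.h>
#define HDR 4   /* attribute header size, like NLA_HDRLEN */
struct msg { unsigned char data[64]; size_t len, cap; };  /* stand-in for an skb */

/* Model of nla_put(): header plus padded payload, fails without tailroom. */
static int put_attr(struct msg *m, size_t payload)
{
    size_t need = HDR + ((payload + 3) & ~(size_t)3);
    if (m->cap - m->len < need)
        return -1;              /* stands in for -EMSGSIZE */
    m->len += need;
    return 0;
}

/* Model of nla_nest_start(): zero-length attribute, NULL if it does not fit. */
static unsigned char *nest_start(struct msg *m)
{
    unsigned char *start = m->data + m->len;
    return put_attr(m, 0) ? NULL : start;
}

/* Model of nla_nest_cancel(): trim back to the nest start, no-op for NULL. */
static void nest_cancel(struct msg *m, unsigned char *nest)
{
    if (nest) m->len = (size_t)(nest - m->data);
}

/* Returns 0 on success, -1 after cancel, 1 if nest end is reached with NULL. */
static int fill(struct msg *m, size_t payload)
{
    unsigned char *nest = nest_start(m);    /* deliberately unchecked */
    if (put_attr(m, payload)) {
        nest_cancel(m, nest);
        return -1;
    }
    return nest ? 0 : 1;        /* where nla_nest_end() would run */
}

/* Every buffer size 0..64 and payload 0..16: count NULL reaching nest end. */
static int count_null_nest_end(void)
{
    int bad = 0;
    for (size_t cap = 0; cap <= 64; cap++)
        for (size_t p = 0; p <= 16; p++) {
            struct msg m = { .cap = cap };
            bad += fill(&m, p) == 1;
        }
    return bad;
}
int main(void) { return count_null_nest_end() != 0; }
```

In the model, a failed nest start leaves fewer than `HDR` bytes of tailroom, so the following put, which needs at least `HDR`, always takes the cancel path.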
