Date: Wed, 06 May 2026 20:07:13 +0000
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: b4 0.14.3
Message-ID: <20260506-genlmsg-return-v2-1-a63ee2a055d6@google.com>
Subject: [PATCH net v2] genetlink: free the skb on 'group >= family->n_mcgrps'
From: Alice Ryhl
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Andrew Lunn, Matthew Maurer
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Alice Ryhl
Content-Type: text/plain; charset="utf-8"

These methods generally consume ownership of the provided skb, so even if an error path is encountered, the skb is freed. This is because the very first thing they do after some initial setup is to unconditionally consume the skb via consume_skb(skb). Any subsequent errors lead to the core netlink layer freeing the skb.

However, there is one check that occurs before ownership is passed, which is the check for the group index. So if this error condition is encountered, then the skb is leaked.

This error condition is generally considered a violation of the netlink API, so it's not expected to occur under normal circumstances. For the same reason, no callers check for this error condition, and no callers need to be adjusted. However, we should still follow the same ownership semantics of the rest of the function. Thus, free the skb in this codepath.

Assisted-by: Antigravity:gemini
Suggested-by: Andrew Lunn
Suggested-by: Matthew Maurer
Fixes: 2a94fe48f32c ("genetlink: make multicast groups const, prevent abuse")
Link: https://lore.kernel.org/r/845b36ba-7b3a-41f2-acb2-b284f253e2ca@lunn.ch
Signed-off-by: Alice Ryhl
---
Changes in v2:
- Add Fixes: tag.
- Specify target branch.
- Link to v1: https://lore.kernel.org/r/20260504-genlmsg-return-v1-1-093f3ba970af@google.com
---
 include/net/genetlink.h | 4 +++-
 net/netlink/genetlink.c | 8 ++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/include/net/genetlink.h b/include/net/genetlink.h index 7b84f2cef8b1..d70510ac31ab 100644 --- a/include/net/genetlink.h +++ b/include/net/genetlink.h 
@@ -489,8 +489,10 @@ genlmsg_multicast_netns_filtered(const struct genl_family *family, netlink_filter_fn filter, void *filter_data) { - if (WARN_ON_ONCE(group >= family->n_mcgrps)) + if (WARN_ON_ONCE(group >= family->n_mcgrps)) { + nlmsg_free(skb); return -EINVAL; + } group = family->mcgrp_offset + group; return nlmsg_multicast_filtered(net->genl_sock, skb, portid, group, flags, filter, filter_data); diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c index d251d894afd4..0da39eaed255 100644 --- a/net/netlink/genetlink.c +++ b/net/netlink/genetlink.c @@ -1972,8 +1972,10 @@ int genlmsg_multicast_allns(const struct genl_family *family, struct sk_buff *skb, u32 portid, unsigned int group) { - if (WARN_ON_ONCE(group >= family->n_mcgrps)) + if (WARN_ON_ONCE(group >= family->n_mcgrps)) { + kfree_skb(skb); return -EINVAL; + } group = family->mcgrp_offset + group; return genlmsg_mcast(skb, portid, group); @@ -1986,8 +1988,10 @@ void genl_notify(const struct genl_family *family, struct sk_buff *skb, struct net *net = genl_info_net(info); struct sock *sk = net->genl_sock; - if (WARN_ON_ONCE(group >= family->n_mcgrps)) + if (WARN_ON_ONCE(group >= family->n_mcgrps)) { + kfree_skb(skb); return; + } group = family->mcgrp_offset + group; nlmsg_notify(sk, skb, info->snd_portid, group, --- base-commit: 7fd2df204f342fc17d1a0bfcd474b24232fb0f32 change-id: 20260504-genlmsg-return-1e5d6a74d440 Best regards, -- Alice Ryhl
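Review bot: In the genlmsg_multicast_netns_filtered hunk, nlmsg_free() (a kfree_skb() wrapper) is the right call for this path even though the commit message notes that the rest of the function hands the skb over via consume_skb(): the bounds check failing is a drop on an error path, not a normal hand-off, so it should go through the kfree_skb() family and be visible to drop accounting. Since the return value stays -EINVAL and WARN_ON_ONCE() is kept, callers see exactly the behaviour they did before, only without the leak.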
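Review bot: The genlmsg_multicast_allns hunk frees with kfree_skb() while the header hunk uses nlmsg_free(); the two are equivalent, but using one spelling across all three sites would make the ownership rule easier to grep for. Because the function now consumes the skb on every path, including the -EINVAL one, it would also be worth stating that explicitly in the function's documentation so callers do not try to free the skb themselves after an error.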
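Review bot: With the genl_notify hunk the same "WARN_ON_ONCE(group >= family->n_mcgrps) then free and bail" block now appears three times. That is acceptable for a minimal fix aimed at net, but a follow-up could fold the check and the free into one shared helper. As genl_notify returns void, freeing the skb here is the only cleanup a caller gets and WARN_ON_ONCE() the only signal of the API misuse, which is consistent with the commit message's point that no caller checks for this condition; the net and sk locals computed above the check are unaffected.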