* [PATCH net-next] netlink: Fix potential skb memleak in netlink_ack
@ 2022-11-02 12:08 Tao Chen
2022-11-02 15:05 ` Kees Cook
2022-11-02 21:39 ` Jakub Kicinski
0 siblings, 2 replies; 4+ messages in thread
From: Tao Chen @ 2022-11-02 12:08 UTC (permalink / raw)
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Johannes Berg, Oliver Hartkopp, Petr Machata, Kees Cook,
Harshit Mogalapalli
Cc: netdev, linux-kernel, Tao Chen
We should clean the skb resource if nlmsg_put/append failed
, so fix it.
Fiexs: commit 738136a0e375 ("netlink: split up copies in the
ack construction")
Signed-off-by: Tao Chen <chentao.kernel@linux.alibaba.com>
---
net/netlink/af_netlink.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index c6b8207e..9d73dae 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
if (!skb)
- goto err_bad_put;
+ goto err_skb;
rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
NLMSG_ERROR, sizeof(*errmsg), flags);
@@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
return;
err_bad_put:
+ kfree_skb(skb);
+err_skb:
NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
sk_error_report(NETLINK_CB(in_skb).sk);
}
--
2.2.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH net-next] netlink: Fix potential skb memleak in netlink_ack
2022-11-02 12:08 [PATCH net-next] netlink: Fix potential skb memleak in netlink_ack Tao Chen
@ 2022-11-02 15:05 ` Kees Cook
2022-11-02 21:39 ` Jakub Kicinski
1 sibling, 0 replies; 4+ messages in thread
From: Kees Cook @ 2022-11-02 15:05 UTC (permalink / raw)
To: Tao Chen, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Johannes Berg, Oliver Hartkopp, Petr Machata,
Kees Cook, Harshit Mogalapalli
Cc: netdev, linux-kernel
On November 2, 2022 5:08:20 AM PDT, Tao Chen <chentao.kernel@linux.alibaba.com> wrote:
>We should clean the skb resource if nlmsg_put/append failed
>, so fix it.
>
>Fiexs: commit 738136a0e375 ("netlink: split up copies in the
>ack construction")
>Signed-off-by: Tao Chen <chentao.kernel@linux.alibaba.com>
>---
> net/netlink/af_netlink.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
>index c6b8207e..9d73dae 100644
>--- a/net/netlink/af_netlink.c
>+++ b/net/netlink/af_netlink.c
>@@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
>
> skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
> if (!skb)
>- goto err_bad_put;
>+ goto err_skb;
>
> rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
> NLMSG_ERROR, sizeof(*errmsg), flags);
>@@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
> return;
>
> err_bad_put:
>+ kfree_skb(skb);
>+err_skb:
> NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
> sk_error_report(NETLINK_CB(in_skb).sk);
> }
It didn't do this before... Is this right?
--
Kees Cook
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net-next] netlink: Fix potential skb memleak in netlink_ack
2022-11-02 12:08 [PATCH net-next] netlink: Fix potential skb memleak in netlink_ack Tao Chen
2022-11-02 15:05 ` Kees Cook
@ 2022-11-02 21:39 ` Jakub Kicinski
2022-11-04 6:15 ` Tao Chen
1 sibling, 1 reply; 4+ messages in thread
From: Jakub Kicinski @ 2022-11-02 21:39 UTC (permalink / raw)
To: Tao Chen
Cc: David S. Miller, Eric Dumazet, Paolo Abeni, Johannes Berg,
Oliver Hartkopp, Petr Machata, Kees Cook, Harshit Mogalapalli,
netdev, linux-kernel
On Wed, 2 Nov 2022 20:08:20 +0800 Tao Chen wrote:
> We should clean the skb resource if nlmsg_put/append failed
> , so fix it.
The comma should be at the end of the previous line.
But really the entire ", so fix it." is redundant.
> Fiexs: commit 738136a0e375 ("netlink: split up copies in the
> ack construction")
Please look around to see how to correctly format a Fixes tag
(including not line wrapping it).
How did you find this bug? An automated tool? Syzbot?
One more note below on the code itself.
> Signed-off-by: Tao Chen <chentao.kernel@linux.alibaba.com>
> ---
> net/netlink/af_netlink.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index c6b8207e..9d73dae 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
>
> skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
> if (!skb)
> - goto err_bad_put;
> + goto err_skb;
>
> rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
> NLMSG_ERROR, sizeof(*errmsg), flags);
> @@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
> return;
>
> err_bad_put:
> + kfree_skb(skb);
Please use nlmsg_free() since we allocated with nlmsg_new().
> +err_skb:
> NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
> sk_error_report(NETLINK_CB(in_skb).sk);
> }
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net-next] netlink: Fix potential skb memleak in netlink_ack
2022-11-02 21:39 ` Jakub Kicinski
@ 2022-11-04 6:15 ` Tao Chen
0 siblings, 0 replies; 4+ messages in thread
From: Tao Chen @ 2022-11-04 6:15 UTC (permalink / raw)
To: Jakub Kicinski
Cc: David S. Miller, Eric Dumazet, Paolo Abeni, Johannes Berg,
Oliver Hartkopp, Petr Machata, Kees Cook, Harshit Mogalapalli,
netdev, linux-kernel
在 2022/11/3 上午5:39, Jakub Kicinski 写道:
> On Wed, 2 Nov 2022 20:08:20 +0800 Tao Chen wrote:
>> We should clean the skb resource if nlmsg_put/append failed
>> , so fix it.
>
> The comma should be at the end of the previous line.
> But really the entire ", so fix it." is redundant.
>
Thank you, i will pay attention next time
>> Fiexs: commit 738136a0e375 ("netlink: split up copies in the
>> ack construction")
>
> Please look around to see how to correctly format a Fixes tag
> (including not line wrapping it).
>
> How did you find this bug? An automated tool? Syzbot?
>
> One more note below on the code itself.
>
This was found by the coverity tool, i will add it.
>> Signed-off-by: Tao Chen <chentao.kernel@linux.alibaba.com>
>> ---
>> net/netlink/af_netlink.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
>> index c6b8207e..9d73dae 100644
>> --- a/net/netlink/af_netlink.c
>> +++ b/net/netlink/af_netlink.c
>> @@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
>>
>> skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
>> if (!skb)
>> - goto err_bad_put;
>> + goto err_skb;
>>
>> rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
>> NLMSG_ERROR, sizeof(*errmsg), flags);
>> @@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
>> return;
>>
>> err_bad_put:
>> + kfree_skb(skb);
>
> Please use nlmsg_free() since we allocated with nlmsg_new().
>
Ok, i will send it in v2.
>> +err_skb:
>> NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
>> sk_error_report(NETLINK_CB(in_skb).sk);
>> }
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-11-04 6:15 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-02 12:08 [PATCH net-next] netlink: Fix potential skb memleak in netlink_ack Tao Chen
2022-11-02 15:05 ` Kees Cook
2022-11-02 21:39 ` Jakub Kicinski
2022-11-04 6:15 ` Tao Chen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).