[PATCH net] net: ncsi: fix skb leak in error paths

[PATCH net] net: ncsi: fix skb leak in error paths

[Jian Zhang]

Early return paths in NCSI RX and AEN handlers fail to release
the received skb, resulting in a memory leak.

Specifically, ncsi_aen_handler() returns on invalid AEN packets
without consuming the skb. Similarly, ncsi_rcv_rsp() exits early
when failing to resolve the NCSI device, response handler, or
request, leaving the skb unfreed.

Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
---
 net/ncsi/ncsi-aen.c |  3 ++-
 net/ncsi/ncsi-rsp.c | 16 ++++++++++++----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/net/ncsi/ncsi-aen.c b/net/ncsi/ncsi-aen.c
index 62fb1031763d..040a31557201 100644
--- a/net/ncsi/ncsi-aen.c
+++ b/net/ncsi/ncsi-aen.c
@@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_priv *ndp, struct sk_buff *skb)
 	if (!nah) {
 		netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n",
 			    h->type);
-		return -ENOENT;
+		ret = -ENOENT;
+		goto out;
 	}
 
 	ret = ncsi_validate_aen_pkt(h, nah->payload);
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 271ec6c3929e..9d3ca1c020b6 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -1176,8 +1176,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_device *dev,
 	/* Find the NCSI device */
 	nd = ncsi_find_dev(orig_dev);
 	ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL;
-	if (!ndp)
-		return -ENODEV;
+	if (!ndp) {
+		ret = -ENODEV;
+		goto bail;
+	}
 
 	/* Check if it is AEN packet */
 	hdr = (struct ncsi_pkt_hdr *)skb_network_header(skb);
@@ -1199,7 +1201,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_device *dev,
 	if (!nrh) {
 		netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n",
 			   hdr->type);
-		return -ENOENT;
+		ret = -ENOENT;
+		goto bail;
 	}
 
 	/* Associate with the request */
@@ -1207,7 +1210,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_device *dev,
 	nr = &ndp->requests[hdr->id];
 	if (!nr->used) {
 		spin_unlock_irqrestore(&ndp->lock, flags);
-		return -ENODEV;
+		ret = -ENODEV;
+		goto bail;
 	}
 
 	nr->rsp = skb;
@@ -1261,4 +1265,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_device *dev,
 out:
 	ncsi_free_request(nr);
 	return ret;
+
+bail:
+	consume_skb(skb);
+	return ret;
 }
-- 
2.20.1

Re: [PATCH net] net: ncsi: fix skb leak in error paths

[Simon Horman]

On Mon, Mar 02, 2026 at 01:46:29PM +0800, Jian Zhang wrote:
> Early return paths in NCSI RX and AEN handlers fail to release
> the received skb, resulting in a memory leak.
> 
> Specifically, ncsi_aen_handler() returns on invalid AEN packets
> without consuming the skb. Similarly, ncsi_rcv_rsp() exits early
> when failing to resolve the NCSI device, response handler, or
> request, leaving the skb unfreed.
> 
> Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>

As fixes for Networking code these should have fixes tags.
I think the following are appropriate.

Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler")
Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler")

As they seem to be commits from the same patch-set,
included in the same release - v4.8-rc1, I think
we can keep this as a single patch.

If you agree then it shouldn't be necessary to post a new version because
of this, as patchwork should pick up the tags above. But for future
reference, assuming these are backporting candidates, it's best to CC
stable on bugfixes for net.

Overall, this looks good to me.

Reviewed-by: Simon Horman <horms@kernel.org>

Re: [PATCH net] net: ncsi: fix skb leak in error paths

[ByteDance]

> 2026年3月4日 19:16，Simon Horman <horms@kernel.org> 写道：
> 
> On Mon, Mar 02, 2026 at 01:46:29PM +0800, Jian Zhang wrote:
>> Early return paths in NCSI RX and AEN handlers fail to release
>> the received skb, resulting in a memory leak.
>> 
>> Specifically, ncsi_aen_handler() returns on invalid AEN packets
>> without consuming the skb. Similarly, ncsi_rcv_rsp() exits early
>> when failing to resolve the NCSI device, response handler, or
>> request, leaving the skb unfreed.
>> 
>> Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
> 
> As fixes for Networking code these should have fixes tags.
> I think the following are appropriate.
> 
> Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler")
> Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler")
> 
> As they seem to be commits from the same patch-set,
> included in the same release - v4.8-rc1, I think
> we can keep this as a single patch.
> 
> If you agree then it shouldn't be necessary to post a new version because
Agreed, thanks for the review, 
> of this, as patchwork should pick up the tags above. But for future
> reference, assuming these are backporting candidates, it's best to CC
> stable on bugfixes for net.
Got it, Thanks,  will do for future fixes.
> 
> Overall, this looks good to me.
> 
> Reviewed-by: Simon Horman <horms@kernel.org>

Re: [PATCH net] net: ncsi: fix skb leak in error paths

[Jakub Kicinski]

On Mon,  2 Mar 2026 13:46:29 +0800 Jian Zhang wrote:
> +bail:

please give meaningful names to the labels, eg:

err_free_skb:

> +	consume_skb(skb);

since this is a drop condition kfree_skb() seems more appropriate.

> +	return ret;
-- 
pw-bot: cr

Re: [PATCH net] net: ncsi: fix skb leak in error paths

[ByteDance]

Thanks for the review. I will send a v2 with these changes


> 2026年3月5日 08:45，Jakub Kicinski <kuba@kernel.org> 写道：
> 
> On Mon,  2 Mar 2026 13:46:29 +0800 Jian Zhang wrote:
>> +bail:
> 
> please give meaningful names to the labels, eg:
> 
> err_free_skb:
> 
>> + consume_skb(skb);
> 
> since this is a drop condition kfree_skb() seems more appropriate.
> 
>> + return ret;
> -- 
> pw-bot: cr