* [PATCH] genetlink: free the skb on 'group >= family->n_mcgrps'
From: Alice Ryhl @ 2026-05-04 9:17 UTC
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Andrew Lunn, Matthew Maurer
Cc: netdev, linux-kernel, Alice Ryhl
These methods generally consume ownership of the provided skb, so even
if an error path is encountered, the skb is freed. This is because the
very first thing they do after some initial setup is to unconditionally
consume the skb via consume_skb(skb). Any subsequent errors lead to the
core netlink layer freeing the skb.
However, there is one check that occurs before ownership is passed,
which is the check for the group index. So if this error condition is
encountered, then the skb is leaked. This error condition is generally
considered a violation of the netlink API, so it's not expected to occur
under normal circumstances. For the same reason, no callers check for
this error condition, and no callers need to be adjusted. However, we
should still follow the same ownership semantics of the rest of the
function. Thus, free the skb in this codepath.
Assisted-by: Antigravity:gemini
Suggested-by: Andrew Lunn <andrew@lunn.ch>
Suggested-by: Matthew Maurer <mmaurer@google.com>
Link: https://lore.kernel.org/r/845b36ba-7b3a-41f2-acb2-b284f253e2ca@lunn.ch
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
include/net/genetlink.h | 4 +++-
net/netlink/genetlink.c | 8 ++++++--
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/include/net/genetlink.h b/include/net/genetlink.h
index 7b84f2cef8b1..d70510ac31ab 100644
--- a/include/net/genetlink.h
+++ b/include/net/genetlink.h
@@ -489,8 +489,10 @@ genlmsg_multicast_netns_filtered(const struct genl_family *family,
netlink_filter_fn filter,
void *filter_data)
{
- if (WARN_ON_ONCE(group >= family->n_mcgrps))
+ if (WARN_ON_ONCE(group >= family->n_mcgrps)) {
+ nlmsg_free(skb);
return -EINVAL;
+ }
group = family->mcgrp_offset + group;
return nlmsg_multicast_filtered(net->genl_sock, skb, portid, group,
flags, filter, filter_data);
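Review bot: this header hunk frees the skb with nlmsg_free(), while the two net/netlink/genetlink.c hunks in the same patch use kfree_skb() for the identical error path; the three sites fix the same leak and should use the same helper, so either change this one to `kfree_skb(skb);` or the other two to nlmsg_free(), and say which in the commit message. Since the condition is a WARN_ON_ONCE'd API violation rather than a normal completion, a drop-style free is the right choice here, in contrast to the consume_skb() the commit message describes for the success path.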
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index d251d894afd4..0da39eaed255 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -1972,8 +1972,10 @@ int genlmsg_multicast_allns(const struct genl_family *family,
struct sk_buff *skb, u32 portid,
unsigned int group)
{
- if (WARN_ON_ONCE(group >= family->n_mcgrps))
+ if (WARN_ON_ONCE(group >= family->n_mcgrps)) {
+ kfree_skb(skb);
return -EINVAL;
+ }
group = family->mcgrp_offset + group;
return genlmsg_mcast(skb, portid, group);
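Review bot: after this hunk genlmsg_multicast_allns() releases the skb on every path, including the -EINVAL return, which changes the contract for any caller that previously freed or retried with the skb after a failure; the commit message states that no callers check this return, but the kernel-doc for this function (and for genlmsg_multicast_netns_filtered() in the header hunk) should say explicitly that the skb is consumed even when -EINVAL is returned, so a future caller does not double free. As the maintainer reply in this thread notes, a Fixes: tag and a [PATCH net] target are also needed for this to be taken as a bug fix.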
@@ -1986,8 +1988,10 @@ void genl_notify(const struct genl_family *family, struct sk_buff *skb,
struct net *net = genl_info_net(info);
struct sock *sk = net->genl_sock;
- if (WARN_ON_ONCE(group >= family->n_mcgrps))
+ if (WARN_ON_ONCE(group >= family->n_mcgrps)) {
+ kfree_skb(skb);
return;
+ }
group = family->mcgrp_offset + group;
nlmsg_notify(sk, skb, info->snd_portid, group,
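Review bot: genl_notify() returns void, so after this hunk the kfree_skb() in the group check is the only thing releasing the skb on that path and the caller gets nothing beyond the WARN_ON_ONCE splat; that is consistent with the rest of the function, but it should use the same free helper as the genetlink.h hunk rather than mixing nlmsg_free() and kfree_skb() within one patch. Minor: the `sk = net->genl_sock` lookup on the context line above is computed before the bounds check and is unused on the error path, so the check could sit above it.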
---
base-commit: 7fd2df204f342fc17d1a0bfcd474b24232fb0f32
change-id: 20260504-genlmsg-return-1e5d6a74d440
Best regards,
--
Alice Ryhl <aliceryhl@google.com>
* Re: [PATCH] genetlink: free the skb on 'group >= family->n_mcgrps'
From: Eric Dumazet @ 2026-05-04 10:20 UTC
To: Alice Ryhl
Cc: David S. Miller, Jakub Kicinski, Paolo Abeni, Simon Horman,
Andrew Lunn, Matthew Maurer, netdev, linux-kernel
On Mon, May 4, 2026 at 2:17 AM Alice Ryhl <aliceryhl@google.com> wrote:
>
> These methods generally consume ownership of the provided skb, so even
> if an error path is encountered, the skb is freed. This is because the
> very first thing they do after some initial setup is to unconditionally
> consume the skb via consume_skb(skb). Any subsequent errors lead to the
> core netlink layer freeing the skb.
>
> However, there is one check that occurs before ownership is passed,
> which is the check for the group index. So if this error condition is
> encountered, then the skb is leaked. This error condition is generally
> considered a violation of the netlink API, so it's not expected to occur
> under normal circumstances. For the same reason, no callers check for
> this error condition, and no callers need to be adjusted. However, we
> should still follow the same ownership semantics of the rest of the
> function. Thus, free the skb in this codepath.
>
> Assisted-by: Antigravity:gemini
> Suggested-by: Andrew Lunn <andrew@lunn.ch>
> Suggested-by: Matthew Maurer <mmaurer@google.com>
> Link: https://lore.kernel.org/r/845b36ba-7b3a-41f2-acb2-b284f253e2ca@lunn.ch
> Signed-off-by: Alice Ryhl <aliceryhl@google.com>
1) This looks like a fix meant for net tree ?
2) We require a Fixes: tag for bug fixes.
For more details I highly recommend reading at least the tl;dr part of:
Documentation/process/maintainer-netdev.rst
Thank you.
* Re: [PATCH] genetlink: free the skb on 'group >= family->n_mcgrps'
From: Alice Ryhl @ 2026-05-04 10:45 UTC
To: Eric Dumazet
Cc: David S. Miller, Jakub Kicinski, Paolo Abeni, Simon Horman,
Andrew Lunn, Matthew Maurer, netdev, linux-kernel
On Mon, May 04, 2026 at 03:20:25AM -0700, Eric Dumazet wrote:
> On Mon, May 4, 2026 at 2:17 AM Alice Ryhl <aliceryhl@google.com> wrote:
> >
> > These methods generally consume ownership of the provided skb, so even
> > if an error path is encountered, the skb is freed. This is because the
> > very first thing they do after some initial setup is to unconditionally
> > consume the skb via consume_skb(skb). Any subsequent errors lead to the
> > core netlink layer freeing the skb.
> >
> > However, there is one check that occurs before ownership is passed,
> > which is the check for the group index. So if this error condition is
> > encountered, then the skb is leaked. This error condition is generally
> > considered a violation of the netlink API, so it's not expected to occur
> > under normal circumstances. For the same reason, no callers check for
> > this error condition, and no callers need to be adjusted. However, we
> > should still follow the same ownership semantics of the rest of the
> > function. Thus, free the skb in this codepath.
> >
> > Assisted-by: Antigravity:gemini
> > Suggested-by: Andrew Lunn <andrew@lunn.ch>
> > Suggested-by: Matthew Maurer <mmaurer@google.com>
> > Link: https://lore.kernel.org/r/845b36ba-7b3a-41f2-acb2-b284f253e2ca@lunn.ch
> > Signed-off-by: Alice Ryhl <aliceryhl@google.com>
>
> 1) This looks like a fix meant for net tree ?
>
> 2) We require a Fixes: tag for bug fixes.
>
> For more details I highly recommend reading at least the tl;dr part of:
>
> Documentation/process/maintainer-netdev.rst
Sorry I forgot that the net subsystem has special rules.
I do not believe any callers actually exercise this codepath, but I
will add a Fixes: tag and indicate 'net' tree for the next version in a
few days.
Alice