* [PATCH] netlink: fix skb refcount leak when dump start fails
@ 2026-05-28 7:36 Wentao Liang
2026-05-28 8:04 ` Kuniyuki Iwashima
2026-05-28 8:08 ` Jiayuan Chen
From: Wentao Liang @ 2026-05-28 7:36 UTC
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, Kees Cook, Feng Yang,
Wentao Liang, netdev, linux-kernel, stable
__netlink_dump_start() takes an extra reference on the received skb
via refcount_inc(&skb->users) before storing it in cb->skb for the
dump callback to consume. If the subsequent netlink_dump() call fails
(line 2440), the dump was never started so the completion callback
that would normally release cb->skb will never be invoked.
In this case, the function returns the error directly without calling
kfree_skb(skb) to release the extra reference taken at entry.
Add kfree_skb(skb) before returning when netlink_dump() fails, so the
skb reference is properly released.
Fixes: b44d211e166b ("netlink: handle errors from netlink_dump()")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
net/netlink/af_netlink.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 2aeb0680807d..d904c1aad35d 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2441,8 +2441,10 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
sock_put(sk);
- if (ret)
+ if (ret) {
+ kfree_skb(skb);
return ret;
+ }
/* We successfully started a dump, by returning -EINTR we
* signal not to send ACK even if it was requested.
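Review bot: the kfree_skb(skb) added in the `if (ret)` branch drops the extra reference without unregistering the dump, so cb->skb still points at the skb when this returns; if the failed netlink_dump() leaves the dump registered on the socket, the normal teardown that already does kfree_skb(nlk->cb.skb) would then free it a second time. Before taking this, the commit message should show where the reference taken by refcount_inc(&skb->users) is released today (the sender's own reference is consumed by the unicast caller, not here) and why that teardown path cannot run after this error, or the hunk should also clear the dump state it leaves behind.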
--
2.34.1
* Re: [PATCH] netlink: fix skb refcount leak when dump start fails
2026-05-28 7:36 [PATCH] netlink: fix skb refcount leak when dump start fails Wentao Liang
@ 2026-05-28 8:04 ` Kuniyuki Iwashima
2026-05-28 8:08 ` Jiayuan Chen
From: Kuniyuki Iwashima @ 2026-05-28 8:04 UTC
To: Wentao Liang
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Kees Cook, Feng Yang, netdev, linux-kernel, stable
On Thu, May 28, 2026 at 12:36 AM Wentao Liang <vulab@iscas.ac.cn> wrote:
>
> __netlink_dump_start() takes an extra reference on the received skb
> via refcount_inc(&skb->users) before storing it in cb->skb for the
> dump callback to consume. If the subsequent netlink_dump() call fails
> (line 2440), the dump was never started so the completion callback
> that would normally release cb->skb will never be invoked.
>
> In this case, the function returns the error directly without calling
> kfree_skb(skb) to release the extra reference taken at entry.
>
> Add kfree_skb(skb) before returning when netlink_dump() fails, so the
> skb reference is properly released.
Isn't consume_skb() in netlink_unicast_kernel() the one to free skb ?
>
> Fixes: b44d211e166b ("netlink: handle errors from netlink_dump()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
> ---
> net/netlink/af_netlink.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index 2aeb0680807d..d904c1aad35d 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -2441,8 +2441,10 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
>
> sock_put(sk);
>
> - if (ret)
> + if (ret) {
> + kfree_skb(skb);
> return ret;
> + }
>
> /* We successfully started a dump, by returning -EINTR we
> * signal not to send ACK even if it was requested.
> --
> 2.34.1
>
* Re: [PATCH] netlink: fix skb refcount leak when dump start fails
2026-05-28 7:36 [PATCH] netlink: fix skb refcount leak when dump start fails Wentao Liang
2026-05-28 8:04 ` Kuniyuki Iwashima
@ 2026-05-28 8:08 ` Jiayuan Chen
From: Jiayuan Chen @ 2026-05-28 8:08 UTC
To: Wentao Liang, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, Kees Cook, Feng Yang, netdev,
linux-kernel, stable
On 5/28/26 3:36 PM, Wentao Liang wrote:
> __netlink_dump_start() takes an extra reference on the received skb
> via refcount_inc(&skb->users) before storing it in cb->skb for the
> dump callback to consume. If the subsequent netlink_dump() call fails
> (line 2440), the dump was never started so the completion callback
> that would normally release cb->skb will never be invoked.
>
> In this case, the function returns the error directly without calling
> kfree_skb(skb) to release the extra reference taken at entry.
>
> Add kfree_skb(skb) before returning when netlink_dump() fails, so the
> skb reference is properly released.
>
> Fixes: b44d211e166b ("netlink: handle errors from netlink_dump()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
> ---
> net/netlink/af_netlink.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index 2aeb0680807d..d904c1aad35d 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -2441,8 +2441,10 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
>
> sock_put(sk);
>
> - if (ret)
> + if (ret) {
> + kfree_skb(skb);
> return ret;
> + }
>
> /* We successfully started a dump, by returning -EINTR we
> * signal not to send ACK even if it was requested.
static int netlink_release(struct socket *sock) {
.......
	/* Terminate any outstanding dump */
	if (nlk->cb_running) {
		if (nlk->cb.done)
			nlk->cb.done(&nlk->cb);
		module_put(nlk->cb.module);
		kfree_skb(nlk->cb.skb);   <---- freed here
		WRITE_ONCE(nlk->cb_running, false);
	}
......
}
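As an added illustration, not code from the patch or from the kernel, here is a small C model of the reference accounting the commit message and both replies argue about: the extra reference taken in __netlink_dump_start(), the consume_skb() in netlink_unicast_kernel() that Kuniyuki mentions, and the kfree_skb(nlk->cb.skb) in netlink_release() that Jiayuan quotes. It assumes that a failed netlink_dump() leaves the dump registered on the socket (cb_running still set); all struct and function names are the model's own.

```c
#include <stdbool.h>

/* Constructed stand-ins carrying only what the accounting needs. */
struct skb { int users; int frees_after_free; };          /* skb->users */
struct nlk_dump { struct skb *cb_skb; bool cb_running; }; /* nlk->cb */

static void skb_get(struct skb *s) { s->users++; }        /* refcount_inc(&skb->users) */
static void skb_put(struct skb *s)                        /* kfree_skb() / consume_skb() */
{
	if (s->users == 0) { s->frees_after_free++; return; } /* kernel: use-after-free */
	s->users--;
}

/* Model of __netlink_dump_start(): extra reference, register the dump, run
 * netlink_dump() (forced to fail). 'patched' adds the hunk's kfree_skb().
 * Assumption: a failed dump leaves cb_running set on the socket. */
static int dump_start(struct nlk_dump *nlk, struct skb *skb, bool patched)
{
	int ret = -1;                        /* constructed netlink_dump() failure */
	skb_get(skb);
	nlk->cb_skb = skb;
	nlk->cb_running = true;
	if (ret) {
		if (patched)
			skb_put(skb);
		return ret;
	}
	return 0;
}

/* Model of the teardown in netlink_release() quoted in the reply above. */
static void release(struct nlk_dump *nlk)
{
	if (nlk->cb_running)
		skb_put(nlk->cb_skb);
	nlk->cb_running = false;
}

/* One request skb's lifecycle; returns how many frees landed on an
 * already-freed skb (0 means the references balanced). */
int frees_after_free(bool patched)
{
	struct skb skb = { .users = 1 };     /* reference owned by the sending path */
	struct nlk_dump nlk = { 0 };
	dump_start(&nlk, &skb, patched);
	skb_put(&skb);                       /* consume_skb() in netlink_unicast_kernel() */
	release(&nlk);                       /* socket torn down, dump still registered */
	return skb.frees_after_free;
}
```

Under that assumption the unpatched flow balances (0 stray frees) while the patched flow frees the skb a second time (1), which is the question both replies raise about where the extra reference already goes.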