Re: [PATCH net-next] netlink: Fix potential skb memleak in netlink_ack
From: Tao Chen
Date: Fri Nov 04 2022 - 02:15:52 EST
在 2022/11/3 上午5:39, Jakub Kicinski 写道:
On Wed, 2 Nov 2022 20:08:20 +0800 Tao Chen wrote:
We should clean the skb resource if nlmsg_put/append failed
, so fix it.
The comma should be at the end of the previous line.
But really the entire ", so fix it." is redundant.
Thank you, i will pay attention next time
Fiexs: commit 738136a0e375 ("netlink: split up copies in the
ack construction")
Please look around to see how to correctly format a Fixes tag
(including not line wrapping it).
How did you find this bug? An automated tool? Syzbot?
One more note below on the code itself.
This was found by the coverity tool, i will add it.
Signed-off-by: Tao Chen <chentao.kernel@xxxxxxxxxxxxxxxxx>
---
net/netlink/af_netlink.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index c6b8207e..9d73dae 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
if (!skb)
- goto err_bad_put;
+ goto err_skb;
rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
NLMSG_ERROR, sizeof(*errmsg), flags);
@@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
return;
err_bad_put:
+ kfree_skb(skb);
Please use nlmsg_free() since we allocated with nlmsg_new().
Ok, i will send it in v2.
+err_skb:
NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
sk_error_report(NETLINK_CB(in_skb).sk);
}