git.ipfire.org Git - thirdparty/kernel/linux.git/commit
genetlink: free the skb on 'group >= family->n_mcgrps'
author: Alice Ryhl <aliceryhl@google.com>
Wed, 6 May 2026 20:07:13 +0000 (20:07 +0000)
committer: Jakub Kicinski <kuba@kernel.org>
Fri, 8 May 2026 22:43:29 +0000 (15:43 -0700)
commit: efda25ee84325385f859d10872590e90ce837243
tree: 924a49ed5c7971050853b51961cd8fcb640f5369
parent: f2ab4fd02777c4081be38c35f939e4dc529b8952

These methods generally consume ownership of the provided skb, so even
if an error path is encountered, the skb is freed. This is because the
very first thing they do after some initial setup is to unconditionally
consume the skb via consume_skb(skb). Any subsequent errors lead to the
core netlink layer freeing the skb.

However, there is one check that occurs before ownership is passed,
which is the check for the group index. So if this error condition is
encountered, then the skb is leaked. This error condition is generally
considered a violation of the netlink API, so it's not expected to occur
under normal circumstances. For the same reason, no callers check for
this error condition, and no callers need to be adjusted. However, we
should still follow the same ownership semantics of the rest of the
function. Thus, free the skb in this codepath.

Suggested-by: Andrew Lunn <andrew@lunn.ch>
Suggested-by: Matthew Maurer <mmaurer@google.com>
Fixes: 2a94fe48f32c ("genetlink: make multicast groups const, prevent abuse")
Link: https://lore.kernel.org/r/845b36ba-7b3a-41f2-acb2-b284f253e2ca@lunn.ch
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260506-genlmsg-return-v2-1-a63ee2a055d6@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
include/net/genetlink.h
net/netlink/genetlink.c
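
The ownership rule described in the commit message, as an added userspace C model (not the kernel's code and not part of this commit). `struct buf`, `deliver`, `mcast_leaky`, `mcast_fixed`, `leaked_after` and the `-EINVAL` return value are assumptions made for illustration; `live_bufs` counts buffers that were allocated but not yet freed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model, not kernel code: struct buf stands in for an skb and
 * live_bufs counts buffers allocated but not yet freed. */
struct buf { char data[64]; };
struct family { unsigned int n_mcgrps; };
typedef int (*send_fn)(const struct family *, struct buf *, unsigned int);
static int live_bufs;

static struct buf *buf_alloc(void)
{
    struct buf *b = calloc(1, sizeof(*b));
    if (b) live_bufs++;
    return b;
}
static void buf_free(struct buf *b)
{
    if (b) { free(b); live_bufs--; }
}
/* Stand-in for the delivery path, which always takes ownership of b. */
static int deliver(struct buf *b) { buf_free(b); return 0; }

/* Before: the range check returns while the caller's buffer is still live. */
static int mcast_leaky(const struct family *f, struct buf *b, unsigned int group)
{
    if (group >= f->n_mcgrps) return -EINVAL; /* error code is an assumption */
    return deliver(b);
}
/* After: the range check releases the buffer like every other error path. */
static int mcast_fixed(const struct family *f, struct buf *b, unsigned int group)
{
    if (group >= f->n_mcgrps) { buf_free(b); return -EINVAL; }
    return deliver(b);
}
/* Send one buffer to `group`; return how many buffers the call left live. */
static int leaked_after(send_fn send, unsigned int group)
{
    struct family f = { .n_mcgrps = 2 };   /* constructed: groups 0 and 1 */
    int before = live_bufs;
    struct buf *b = buf_alloc();
    send(&f, b, group);
    int leaked = live_bufs - before;
    if (leaked) buf_free(b); /* clean up so the model itself stays leak-free */
    return leaked;
}
int main(void)
{
    printf("leaky, group 5: %d left live\n", leaked_after(mcast_leaky, 5));
    printf("fixed, group 5: %d left live\n", leaked_after(mcast_fixed, 5));
    return 0;
}
```

Because no caller checks for this error, the caller cannot be relied on to free the buffer itself; the callee has to release it on the early return, which is what the fixed variant models.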