netdev: fix double-free in netdev_nl_bind_rx_doit()

Sashiko flags that genlmsg_reply() always consumes the skb.
The error path calls nlmsg_free(rsp) so we can't jump directly
to it. Let's not unbind, just propagate the error to the user.
This is the typical way of handling genlmsg_reply() failures.
They shouldn't happen unless user does something silly like
calling the kernel with an already-full rcvbuf.

Reported-by: Sashiko <sashiko-bot@kernel.org>
Fixes: 170aafe35cb9 ("netdev: support binding dma-buf to netdevice")
Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/core/netdev-genl.c b/net/core/netdev-genl.c
index b8f6076d80072fd1114ef4d4000647c18416a8bb..119eaa6501d5e1b9a7fce8554444f05ffad358dc 100644 (file)
--- a/net/core/netdev-genl.c
+++ b/net/core/netdev-genl.c
@@ -1095,8 +1095,6 @@ int netdev_nl_bind_rx_doit(struct sk_buff *skb, struct genl_info *info)
        genlmsg_end(rsp, hdr);
 
        err = genlmsg_reply(rsp, info);
-       if (err)
-               goto err_unbind;
 
        bitmap_free(rxq_bitmap);
 
@@ -1104,7 +1102,7 @@ int netdev_nl_bind_rx_doit(struct sk_buff *skb, struct genl_info *info)
 
        mutex_unlock(&priv->lock);
 
-       return 0;
+       return err < 0 ? err : 0;
 
 err_unbind:
        net_devmem_unbind_dmabuf(binding);