We should clean the skb resource if nlmsg_put/append failed
, so fix it.
Fiexs: commit 738136a0e375 ("netlink: split up copies in the
ack construction")
Signed-off-by: Tao Chen <[email protected]>
---
net/netlink/af_netlink.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index c6b8207e..9d73dae 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
if (!skb)
- goto err_bad_put;
+ goto err_skb;
rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
NLMSG_ERROR, sizeof(*errmsg), flags);
@@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
return;
err_bad_put:
+ kfree_skb(skb);
+err_skb:
NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
sk_error_report(NETLINK_CB(in_skb).sk);
}
--
2.2.1
On November 2, 2022 5:08:20 AM PDT, Tao Chen <[email protected]> wrote:
>We should clean the skb resource if nlmsg_put/append failed
>, so fix it.
>
>Fiexs: commit 738136a0e375 ("netlink: split up copies in the
>ack construction")
>Signed-off-by: Tao Chen <[email protected]>
>---
> net/netlink/af_netlink.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
>index c6b8207e..9d73dae 100644
>--- a/net/netlink/af_netlink.c
>+++ b/net/netlink/af_netlink.c
>@@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
>
> skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
> if (!skb)
>- goto err_bad_put;
>+ goto err_skb;
>
> rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
> NLMSG_ERROR, sizeof(*errmsg), flags);
>@@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
> return;
>
> err_bad_put:
>+ kfree_skb(skb);
>+err_skb:
> NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
> sk_error_report(NETLINK_CB(in_skb).sk);
> }
It didn't do this before... Is this right?
--
Kees Cook
On Wed, 2 Nov 2022 20:08:20 +0800 Tao Chen wrote:
> We should clean the skb resource if nlmsg_put/append failed
> , so fix it.
The comma should be at the end of the previous line.
But really the entire ", so fix it." is redundant.
> Fiexs: commit 738136a0e375 ("netlink: split up copies in the
> ack construction")
Please look around to see how to correctly format a Fixes tag
(including not line wrapping it).
How did you find this bug? An automated tool? Syzbot?
One more note below on the code itself.
> Signed-off-by: Tao Chen <[email protected]>
> ---
> net/netlink/af_netlink.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index c6b8207e..9d73dae 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
>
> skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
> if (!skb)
> - goto err_bad_put;
> + goto err_skb;
>
> rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
> NLMSG_ERROR, sizeof(*errmsg), flags);
> @@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
> return;
>
> err_bad_put:
> + kfree_skb(skb);
Please use nlmsg_free() since we allocated with nlmsg_new().
> +err_skb:
> NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
> sk_error_report(NETLINK_CB(in_skb).sk);
> }
在 2022/11/3 上午5:39, Jakub Kicinski 写道:
> On Wed, 2 Nov 2022 20:08:20 +0800 Tao Chen wrote:
>> We should clean the skb resource if nlmsg_put/append failed
>> , so fix it.
>
> The comma should be at the end of the previous line.
> But really the entire ", so fix it." is redundant.
>
Thank you, i will pay attention next time
>> Fiexs: commit 738136a0e375 ("netlink: split up copies in the
>> ack construction")
>
> Please look around to see how to correctly format a Fixes tag
> (including not line wrapping it).
>
> How did you find this bug? An automated tool? Syzbot?
>
> One more note below on the code itself.
>
This was found by the coverity tool, i will add it.
>> Signed-off-by: Tao Chen <[email protected]>
>> ---
>> net/netlink/af_netlink.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
>> index c6b8207e..9d73dae 100644
>> --- a/net/netlink/af_netlink.c
>> +++ b/net/netlink/af_netlink.c
>> @@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
>>
>> skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
>> if (!skb)
>> - goto err_bad_put;
>> + goto err_skb;
>>
>> rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
>> NLMSG_ERROR, sizeof(*errmsg), flags);
>> @@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
>> return;
>>
>> err_bad_put:
>> + kfree_skb(skb);
>
> Please use nlmsg_free() since we allocated with nlmsg_new().
>
Ok, i will send it in v2.
>> +err_skb:
>> NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
>> sk_error_report(NETLINK_CB(in_skb).sk);
>> }