Subject: Re: [PATCH net-next] netlink: Fix potential skb memleak in netlink_ack
From: Tao Chen
Date: Fri, 4 Nov 2022 14:15:39 +0800
To: Jakub Kicinski
Cc: "David S. Miller", Eric Dumazet, Paolo Abeni, Johannes Berg, Oliver Hartkopp, Petr Machata, Kees Cook, Harshit Mogalapalli, netdev@vger.kernel.org, linux-kernel@vger.kernel.org

On 2022/11/3 5:39 AM, Jakub Kicinski wrote:
> On Wed, 2 Nov 2022 20:08:20 +0800 Tao Chen wrote:
>> We should clean the skb resource if nlmsg_put/append failed
>> , so fix it.
>
> The comma should be at the end of the previous line.
> But really the entire ", so fix it." is redundant.
>

Thank you, I will pay attention next time

>> Fiexs: commit 738136a0e375 ("netlink: split up copies in the
>> ack construction")
>
> Please look around to see how to correctly format a Fixes tag
> (including not line wrapping it).
>
> How did you find this bug? An automated tool? Syzbot?
>
> One more note below on the code itself.
>

This was found by the Coverity tool, I will add it.

>> Signed-off-by: Tao Chen >> --- >> net/netlink/af_netlink.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c >> index c6b8207e..9d73dae 100644 >> --- a/net/netlink/af_netlink.c >> +++ b/net/netlink/af_netlink.c 
>> @@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err, >> >> skb = nlmsg_new(payload + tlvlen, GFP_KERNEL); >> if (!skb) >> - goto err_bad_put; >> + goto err_skb; >> >> rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq, >> NLMSG_ERROR, sizeof(*errmsg), flags); >> @@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err, >> return; >> >> err_bad_put: >> + kfree_skb(skb); > > Please use nlmsg_free() since we allocated with nlmsg_new(). > Ok, i will send it in v2. >> +err_skb: >> NETLINK_CB(in_skb).sk->sk_err = ENOBUFS; >> sk_error_report(NETLINK_CB(in_skb).sk); >> }
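
Review bot: in the first hunk (@@ -2500,7 +2500,7), the label name err_skb reads backwards at `if (!skb) goto err_skb;`, because this is the one path on which there is no skb at all, and the label only sets sk_err to ENOBUFS and calls sk_error_report(). A name that says what the label does, for example err_report, would make it obvious why this path skips the free while err_bad_put does not.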
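
Review bot: in the second hunk (@@ -2528,6 +2528,8), the free added under err_bad_put should be nlmsg_free(skb) rather than kfree_skb(skb), since the context of the first hunk shows the buffer is allocated with nlmsg_new(payload + tlvlen, GFP_KERNEL) and the allocator should be paired with its own free. The fall-through from err_bad_put into err_skb is intentional, so a blank line or a short comment between the free and the `err_skb:` label would make that explicit to the next reader.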