authorJakub Kicinski <kuba@kernel.org>2026-06-06 04:21:24 +0300
committerJakub Kicinski <kuba@kernel.org>2026-06-09 03:40:20 +0300
commitc849de7d8757a7af801fc4a4058f71d481d367f2 (patch)
tree78b57e6acb055bae16559984441371c4b7f42457
parent71de0177b28da751f407581a4515cf4d762f6296 (diff)
netdev: fix double-free in netdev_nl_bind_rx_doit()
Sashiko flags that genlmsg_reply() always consumes the skb. The error path calls nlmsg_free(rsp) so we can't jump directly to it. Let's not unbind, just propagate the error to the user. This is the typical way of handling genlmsg_reply() failures. They shouldn't happen unless user does something silly like calling the kernel with an already-full rcvbuf. Reported-by: Sashiko <sashiko-bot@kernel.org> Fixes: 170aafe35cb9 ("netdev: support binding dma-buf to netdevice") Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-rw-r--r--net/core/netdev-genl.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/net/core/netdev-genl.c b/net/core/netdev-genl.c
index b8f6076d8007..119eaa6501d5 100644
--- a/net/core/netdev-genl.c
+++ b/net/core/netdev-genl.c
@@ -1095,8 +1095,6 @@ int netdev_nl_bind_rx_doit(struct sk_buff *skb, struct genl_info *info)
genlmsg_end(rsp, hdr);
err = genlmsg_reply(rsp, info);
- if (err)
- goto err_unbind;
bitmap_free(rxq_bitmap);
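Review bot: The `genlmsg_reply()` call site now gives no hint of why its error is not routed to the error labels, and that is the ownership invariant this fix depends on. Per the commit message, `genlmsg_reply()` consumes `rsp` on every outcome and the error path ends in `nlmsg_free(rsp)`, so a later cleanup that restores a `goto` here would bring the double free back. I would add a comment above the call, e.g. `/* genlmsg_reply() consumes rsp even on failure; never jump from here to a label that frees rsp */`. The function body starts and ends outside the hunk, so the full label chain is not visible here.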
@@ -1104,7 +1102,7 @@ int netdev_nl_bind_rx_doit(struct sk_buff *skb, struct genl_info *info)
mutex_unlock(&priv->lock);
- return 0;
+ return err < 0 ? err : 0;
err_unbind:
net_devmem_unbind_dmabuf(binding);
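Review bot: `return err < 0 ? err : 0;` reads as if `genlmsg_reply()` could return a positive value. If it only returns 0 or a negative errno (its definition is not in this diff, so confirm), plain `return err;` says the same thing more directly. This return also now reports failure while the dma-buf binding stays installed, which the commit message describes as intended. A one-line comment such as `/* reply failed: binding stays in place, only the error is reported */` would keep that from being mistaken for a missed unwind. The function continues past the end of the hunk.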