[PATCH] netlink: fix skb refcount leak when dump start fails
From: Wentao Liang
Date: Thu May 28 2026 - 03:38:33 EST
__netlink_dump_start() takes an extra reference on the received skb
via refcount_inc(&skb->users) before storing it in cb->skb for the
dump callback to consume. If the subsequent netlink_dump() call fails
(line 2440), the dump was never started so the completion callback
that would normally release cb->skb will never be invoked.

In this case, the function returns the error directly without calling
kfree_skb(skb) to release the extra reference taken at entry.

Add kfree_skb(skb) before returning when netlink_dump() fails, so the
skb reference is properly released.

Fixes: b44d211e166b ("netlink: handle errors from netlink_dump()")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
net/netlink/af_netlink.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 2aeb0680807d..d904c1aad35d 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2441,8 +2441,10 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
sock_put(sk);
- if (ret)
+ if (ret) {
+ kfree_skb(skb);
return ret;
+ }
/* We successfully started a dump, by returning -EINTR we
* signal not to send ACK even if it was requested.
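Review bot: In the new `if (ret)` branch, kfree_skb(skb) drops the reference that the commit message says is held through cb->skb, but nothing in the hunk clears cb->skb or resets the dump state, so any later path that still releases cb->skb (socket teardown, for instance) would put the same skb a second time. Please confirm that no such path stays reachable after netlink_dump() has failed, or clear the pointer and the dump state in this branch, and state which of the two applies in the commit message. Separately, the commit message's "line 2440" will go stale as the file changes; naming the call site (the netlink_dump() call ahead of `sock_put(sk);`) is more durable.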
--
2.34.1