Re: [PATCH] netlink: fix skb refcount leak when dump start fails
From: Jiayuan Chen
Date: Thu May 28 2026 - 04:08:59 EST
On 5/28/26 3:36 PM, Wentao Liang wrote:
__netlink_dump_start() takes an extra reference on the received skb
via refcount_inc(&skb->users) before storing it in cb->skb for the
dump callback to consume. If the subsequent netlink_dump() call fails
(line 2440), the dump was never started so the completion callback
that would normally release cb->skb will never be invoked.
In this case, the function returns the error directly without calling
kfree_skb(skb) to release the extra reference taken at entry.
Add kfree_skb(skb) before returning when netlink_dump() fails, so the
skb reference is properly released.
Fixes: b44d211e166b ("netlink: handle errors from netlink_dump()")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
net/netlink/af_netlink.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 2aeb0680807d..d904c1aad35d 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2441,8 +2441,10 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
sock_put(sk);
- if (ret)
+ if (ret) {
+ kfree_skb(skb);
return ret;
+ }
/* We successfully started a dump, by returning -EINTR we
* signal not to send ACK even if it was requested.
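Review bot: the added kfree_skb(skb) in the `if (ret)` branch needs a guarantee that nothing else still owns cb->skb once netlink_dump() has failed; the netlink_release() excerpt quoted later in this thread frees nlk->cb.skb whenever nlk->cb_running is still set, so unless the failure path also clears cb_running (it is not cleared in this hunk), the fix turns a leak into a double free. Suggest either pairing the kfree_skb(skb) with clearing nlk->cb_running and nlk->cb.skb under the same conditions netlink_dump() uses on its done path, or showing in the commit description why netlink_dump() failure leaves cb_running false so the release-time free cannot run.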
static int netlink_release(struct socket *sock)
{
	.......
	/* Terminate any outstanding dump */
	if (nlk->cb_running) {
		if (nlk->cb.done)
			nlk->cb.done(&nlk->cb);
		module_put(nlk->cb.module);
		kfree_skb(nlk->cb.skb);	<---- freed here
		WRITE_ONCE(nlk->cb_running, false);
	}
	......
}