Re: [PATCH v3 1/4] rust: netlink: add raw netlink abstraction
From: Andrew Lunn
Date: Thu Apr 16 2026 - 17:21:29 EST
On Thu, Apr 16, 2026 at 01:06:42PM -0700, Matthew Maurer wrote:
> > + /// Sends the generic netlink message as a multicast message.
> > + #[inline]
> > + pub fn multicast(
> > + self,
> > + family: &'static Family,
> > + portid: u32,
> > + group: u32,
> > + flags: alloc::Flags,
> > + ) -> Result {
> > + let me = ManuallyDrop::new(self);
> > + // SAFETY: The `skb` and `family` pointers are valid. We pass ownership of the `skb` to
> > + // `genlmsg_multicast` by not dropping `self`.
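Review bot: `ManuallyDrop::new(self)` in `multicast()` suppresses the drop before the call, and the SAFETY comment only states that ownership passes to `genlmsg_multicast`, so it should also say who frees the `skb` when the call returns an error. `group` is a caller-supplied `u32` with no validation visible in this hunk, and the reply below points to an early EINVAL return for an out-of-range group that does not consume the skb. Either validate `group` before suppressing the drop, or document (and make sure) that the callee frees the skb on every error path.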
Hi Matthew
Please trim when replying, to just the needed context.
> I think if genlmsg_multicast returns an error code we may need to drop
> to avoid leaking. Specifically, there is at least this path:
> 1. Set group to a large number (that's an unconstrained public parameter)
> 2. We suppress drop
> 3. We call genlmsg_multicast
> 4. We call genlmsg_multicast_netns
> 4. We call genlmsg_multicast_netns_filtered, which does an inbounds
> check for the `group`. If it is too large, it returns EINVAL without
> consuming the SKB - include/net/genetlink.h:493
> 5. We leak the skb
>
> However, at the same time, if we pass that check and descend into
> `netlink_broadcast_filtered`, it will unconditionally consume the SKB,
> and possibly return an error code in other situations.
A quick grep of the code suggests very few callers of
genlmsg_multicast look at the return code.
drivers/scsi/pmcraid.c prints an error message, but does nothing with
the skb.
drivers/regulator/event.c returns the error code to its caller, which
discards it, and the skb is leaked.
net/ieee802154/netlink.c returns the error code up the call stack but
leaks the skb.
net/nfc/netlink.c returns the error code up the call stack but leaks
the skb.
So I would agree with you, freeing it on error somewhere within
genlmsg_multicast() would make sense.
Andrew
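
The ownership mismatch discussed in this thread, as a user-space Rust model added here as an example (it is not code from the patch, the kernel, or either poster). `Buf`, `c_free`, `c_multicast`, `N_GROUPS`, `E_OTHER` and the `free_on_einval` switch are hypothetical names; the model only reproduces the two behaviours the thread describes: an early EINVAL that leaves the buffer unconsumed, and unconditional consumption past that check.

```rust
use std::mem::ManuallyDrop;
use std::sync::atomic::{AtomicUsize, Ordering::SeqCst};

// User-space model, constructed for illustration. Nothing here is kernel API.
static LIVE: AtomicUsize = AtomicUsize::new(0); // buffers allocated, not yet freed
const N_GROUPS: u32 = 4; // assumed group count for the model
const EINVAL: i32 = 22;
const E_OTHER: i32 = 1; // stand-in for "an error code in other situations"

/// Stand-in for the skb wrapper: owns a raw allocation, frees it on drop.
pub struct Buf(*mut [u8; 64]);
impl Buf {
    pub fn new() -> Self {
        LIVE.fetch_add(1, SeqCst);
        Buf(Box::into_raw(Box::new([0u8; 64])))
    }
}
impl Drop for Buf {
    fn drop(&mut self) { unsafe { c_free(self.0) } }
}
pub fn live() -> usize { LIVE.load(SeqCst) }

/// Models the C-side free. Safety: `p` came from `Buf::new` and is not freed yet.
unsafe fn c_free(p: *mut [u8; 64]) {
    unsafe { drop(Box::from_raw(p)) };
    LIVE.fetch_sub(1, SeqCst);
}

/// Models the callee as the thread describes it: the range check returns
/// EINVAL before the buffer is consumed; past it the buffer is always consumed.
/// `free_on_einval` models freeing on that early return inside the callee.
unsafe fn c_multicast(p: *mut [u8; 64], group: u32, deliver_ok: bool, free_on_einval: bool) -> i32 {
    if group >= N_GROUPS {
        if free_on_einval { unsafe { c_free(p) } }
        return -EINVAL;
    }
    unsafe { c_free(p) }; // consumed whether or not delivery succeeds
    if deliver_ok { 0 } else { -E_OTHER }
}

/// The pattern from the quoted hunk: suppress drop, then hand the pointer over.
pub fn multicast(b: Buf, group: u32, deliver_ok: bool, free_on_einval: bool) -> Result<(), i32> {
    let me = ManuallyDrop::new(b);
    let rc = unsafe { c_multicast(me.0, group, deliver_ok, free_on_einval) };
    if rc < 0 { Err(rc) } else { Ok(()) }
}

fn main() {
    let _ = multicast(Buf::new(), 99, true, false); // out-of-range group
    println!("live buffers after EINVAL: {}", live()); // 1 = leaked
}
```

The wrapper cannot tell from the return value alone whether the buffer was consumed, because both error paths look the same to it; only a callee that consumes on every path makes the `ManuallyDrop` pattern leak-free.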