Re: [PATCH] netlink: fix skb refcount leak when dump start fails

From: Kuniyuki Iwashima

Date: Thu May 28 2026 - 04:06:19 EST


On Thu, May 28, 2026 at 12:36 AM Wentao Liang <vulab@xxxxxxxxxxx> wrote:
>
> __netlink_dump_start() takes an extra reference on the received skb
> via refcount_inc(&skb->users) before storing it in cb->skb for the
> dump callback to consume. If the subsequent netlink_dump() call fails
> (line 2440), the dump was never started so the completion callback
> that would normally release cb->skb will never be invoked.
>
> In this case, the function returns the error directly without calling
> kfree_skb(skb) to release the extra reference taken at entry.
>
> Add kfree_skb(skb) before returning when netlink_dump() fails, so the
> skb reference is properly released.

Isn't consume_skb() in netlink_unicast_kernel() the one to free skb?


>
> Fixes: b44d211e166b ("netlink: handle errors from netlink_dump()")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
> ---
> net/netlink/af_netlink.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index 2aeb0680807d..d904c1aad35d 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -2441,8 +2441,10 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
>
> sock_put(sk);
>
> - if (ret)
> + if (ret) {
> + kfree_skb(skb);
> return ret;
> + }
>
> /* We successfully started a dump, by returning -EINTR we
> * signal not to send ACK even if it was requested.
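Review bot: the kfree_skb(skb) added on the `if (ret)` path has to be reconciled with the release that already exists for this skb; the reply above points at consume_skb() in netlink_unicast_kernel() as the caller that frees it, and if that put still runs after __netlink_dump_start() returns an error, this hunk adds a second drop of the same reference instead of fixing a leak, which is a use-after-free rather than a memory leak and would be backported via the stable Cc. The commit message justifies the change by the refcount_inc(&skb->users) taken at entry, but neither that increment nor the put that pairs with it is visible in the hunk context, so the message should spell out the full ownership chain (which function takes each reference on skb and on which path each one is dropped) so a reviewer can confirm the error path really ends one reference short before this is applied.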
> --
> 2.34.1
>