From nobody Thu Apr 9 23:26:31 2026 Received: from sg-1-104.ptr.blmpb.com (sg-1-104.ptr.blmpb.com [118.26.132.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6442D27A107 for ; Thu, 5 Mar 2026 06:07:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=118.26.132.104 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772690849; cv=none; b=CgEdQWg0E+CCjta9CN8k3NRxfVA+8vnpNLekUdG4VlS/ZYW3ni9Jd89PCKp45sB27Bd+wBKH0mnHrphMmY6ugIxZeq9/dkqJnQml+v0Ylxa3uVIuwqp2nc0/zs27D3gwGl2Yv4OsEdqvgt6Ai5hdrbUFTBLwt88jC1xwYNgSsD4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772690849; c=relaxed/simple; bh=VdK0MxFWy5AfGNYLihOKrAnjVOE1LOhw9JAhmBD1dcU=; h=Message-Id:Mime-Version:Content-Type:Date:Cc:Subject:From:To; b=Eg+zb/M1uXFujnoCJbwy2o7AqmsxYC7/iPDVvMqHMKgbMms54AyzVp5OA8KDlcdTMM1f2Ejf4jNIkogKI8zOTjztHFSCs57fMUy14WfGuW1TkPRVmfg8MJ7Kvjeaa+Sw5wSAG51fXFeYgnzI9d5EyHsPYeneCz6aprSRzGqEPyg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=bytedance.com; spf=pass smtp.mailfrom=bytedance.com; dkim=pass (2048-bit key) header.d=bytedance.com header.i=@bytedance.com header.b=NXZgrmKw; arc=none smtp.client-ip=118.26.132.104 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=bytedance.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=bytedance.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=bytedance.com header.i=@bytedance.com header.b="NXZgrmKw" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=2212171451; d=bytedance.com; t=1772690835; h=from:subject: mime-version:from:date:message-id:subject:to:cc:reply-to:content-type: mime-version:in-reply-to:message-id; bh=+xwQncdlXd0oSQ9jRHnvWwWoA100zQbea6T6LlMtF0Q=; b=NXZgrmKwQN9wuizvHU05yAhhsRoyb2M9tQdh0iH3XCmJ28gNYRdXrPuFr/jS1NnIn/hpu6 a4FV9Em1vTV5S5Ekku+BE2pGEgF9aoNMtLifqtMaCwlQBq2lfYQdh1aEO3h3hkhPvOohLj uKaibpeyem92w9OMlGEgRRZuRJlw7WXmf27xgmH5KE9fq+62PXLG6wuxVXr48PlNqc5yHy wSTxFmbI+9yjKowz0IZFb29FAzOTuZb2A6OaLKTsys2aUmIIg/27PsNNOwKf5h2P2SZilG sQmjcMmpdMCTAIWDGN4XqddOFR/ylTr631idPE3o+vyCbNFJjGnvXUwW4aBn6g== Message-Id: <20260305060656.3357250-1-zhangjian.3032@bytedance.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Date: Thu, 5 Mar 2026 14:06:55 +0800 X-Mailer: git-send-email 2.20.1 Cc: Subject: [PATCH net v2] net: ncsi: fix skb leak in error paths Content-Transfer-Encoding: quoted-printable From: "Jian Zhang" X-Lms-Return-Path: X-Original-From: Jian Zhang To: "Samuel Mendoza-Jonas" , "Paul Fertser" , "David S. Miller" , "Eric Dumazet" , "Jakub Kicinski" , "Paolo Abeni" , "Simon Horman" , "Joel Stanley" , "Gavin Shan" , , Content-Type: text/plain; charset="utf-8" Early return paths in NCSI RX and AEN handlers fail to release the received skb, resulting in a memory leak. Specifically, ncsi_aen_handler() returns on invalid AEN packets without consuming the skb. Similarly, ncsi_rcv_rsp() exits early when failing to resolve the NCSI device, response handler, or request, leaving the skb unfreed. CC: stable@vger.kernel.org Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler") Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler") Signed-off-by: Jian Zhang --- Changes in v2: - use meaningful label - use kfree_skb to free skb in error paths - add Fixes label v1: https://lore.kernel.org/all/20260302054629.1347119-1-zhangjian.3032@byt= edance.com/ --- net/ncsi/ncsi-aen.c | 3 ++- net/ncsi/ncsi-rsp.c | 16 ++++++++++++---- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/net/ncsi/ncsi-aen.c b/net/ncsi/ncsi-aen.c index 62fb1031763d..040a31557201 100644 --- a/net/ncsi/ncsi-aen.c +++ b/net/ncsi/ncsi-aen.c @@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_priv *ndp, struct = sk_buff *skb) if (!nah) { netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n", h->type); - return -ENOENT; + ret =3D -ENOENT; + goto out; } =20 ret =3D ncsi_validate_aen_pkt(h, nah->payload); diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c index 271ec6c3929e..fbd84bc8026a 100644 --- a/net/ncsi/ncsi-rsp.c +++ b/net/ncsi/ncsi-rsp.c @@ -1176,8 +1176,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_dev= ice *dev, /* Find the NCSI device */ nd =3D ncsi_find_dev(orig_dev); ndp =3D nd ? TO_NCSI_DEV_PRIV(nd) : NULL; - if (!ndp) - return -ENODEV; + if (!ndp) { + ret =3D -ENODEV; + goto err_free_skb; + } =20 /* Check if it is AEN packet */ hdr =3D (struct ncsi_pkt_hdr *)skb_network_header(skb); @@ -1199,7 +1201,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_devi= ce *dev, if (!nrh) { netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n", hdr->type); - return -ENOENT; + ret =3D -ENOENT; + goto err_free_skb; } =20 /* Associate with the request */ @@ -1207,7 +1210,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_devi= ce *dev, nr =3D &ndp->requests[hdr->id]; if (!nr->used) { spin_unlock_irqrestore(&ndp->lock, flags); - return -ENODEV; + ret =3D -ENODEV; + goto err_free_skb; } =20 nr->rsp =3D skb; @@ -1261,4 +1265,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_devi= ce *dev, out: ncsi_free_request(nr); return ret; + +err_free_skb: + kfree_skb(skb); + return ret; } --=20 2.20.1