Date: Mon, 04 May 2026 09:17:09 +0000
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260504-genlmsg-return-v1-1-093f3ba970af@google.com>
Subject: [PATCH] genetlink: free the skb on 'group >= family->n_mcgrps'
From: Alice Ryhl
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Andrew Lunn, Matthew Maurer
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Alice Ryhl
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

These methods generally consume ownership of the provided skb, so even
if an error path is encountered, the skb is freed. This is because the
very first thing they do after some initial setup is to unconditionally
consume the skb via consume_skb(skb). Any subsequent errors lead to the
core netlink layer freeing the skb.

However, there is one check that occurs before ownership is passed,
which is the check for the group index. So if this error condition is
encountered, then the skb is leaked.

This error condition is generally considered a violation of the netlink
API, so it's not expected to occur under normal circumstances. For the
same reason, no callers check for this error condition, and no callers
need to be adjusted. However, we should still follow the same ownership
semantics of the rest of the function. Thus, free the skb in this
codepath.

Assisted-by: Antigravity:gemini
Suggested-by: Andrew Lunn
Suggested-by: Matthew Maurer
Link: https://lore.kernel.org/r/845b36ba-7b3a-41f2-acb2-b284f253e2ca@lunn.ch
Signed-off-by: Alice Ryhl
---
 include/net/genetlink.h | 4 +++-
 net/netlink/genetlink.c | 8 ++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/include/net/genetlink.h b/include/net/genetlink.h index 7b84f2cef8b1..d70510ac31ab 100644 --- a/include/net/genetlink.h +++ b/include/net/genetlink.h
@@ -489,8 +489,10 @@ genlmsg_multicast_netns_filtered(const struct genl_fam= ily *family, netlink_filter_fn filter, void *filter_data) { - if (WARN_ON_ONCE(group >=3D family->n_mcgrps)) + if (WARN_ON_ONCE(group >=3D family->n_mcgrps)) { + nlmsg_free(skb); return -EINVAL; + } group =3D family->mcgrp_offset + group; return nlmsg_multicast_filtered(net->genl_sock, skb, portid, group, flags, filter, filter_data); diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c index d251d894afd4..0da39eaed255 100644 --- a/net/netlink/genetlink.c +++ b/net/netlink/genetlink.c @@ -1972,8 +1972,10 @@ int genlmsg_multicast_allns(const struct genl_family= *family, struct sk_buff *skb, u32 portid, unsigned int group) { - if (WARN_ON_ONCE(group >=3D family->n_mcgrps)) + if (WARN_ON_ONCE(group >=3D family->n_mcgrps)) { + kfree_skb(skb); return -EINVAL; + } =20 group =3D family->mcgrp_offset + group; return genlmsg_mcast(skb, portid, group); @@ -1986,8 +1988,10 @@ void genl_notify(const struct genl_family *family, s= truct sk_buff *skb, struct net *net =3D genl_info_net(info); struct sock *sk =3D net->genl_sock; =20 - if (WARN_ON_ONCE(group >=3D family->n_mcgrps)) + if (WARN_ON_ONCE(group >=3D family->n_mcgrps)) { + kfree_skb(skb); return; + } =20 group =3D family->mcgrp_offset + group; nlmsg_notify(sk, skb, info->snd_portid, group, --- base-commit: 7fd2df204f342fc17d1a0bfcd474b24232fb0f32 change-id: 20260504-genlmsg-return-1e5d6a74d440 Best regards, --=20 Alice Ryhl
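
Review bot: In the include/net/genetlink.h hunk, the new error path in genlmsg_multicast_netns_filtered() frees with nlmsg_free(skb), while the two net/netlink/genetlink.c hunks free with kfree_skb(skb) under the identical "group >= family->n_mcgrps" check. Please use one helper in all three places, or say in the commit message why the inline in the header needs a different one, so a later reader does not assume the two paths have different drop semantics.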
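
Review bot: The genlmsg_multicast_allns() hunk changes the ownership contract on the -EINVAL return without recording it anywhere a caller would look: before this change the skb was still the caller's on that path, afterwards it is already freed. No comment is touched in any of the three hunks, so please add a line to the function comments (or a short comment above each check) stating that the skb is consumed on every return path, including the WARN_ON_ONCE() one. Without it, a future caller that handles -EINVAL by freeing the skb itself would turn this leak fix into a double free.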