
Commit 92964c7

herbertx authored and davem330 committed
netlink: Fix dump skb leak/double free
When we free cb->skb after a dump, we do it after releasing the lock. This means that a new dump could have started in the time being and we'll end up freeing their skb instead of ours. This patch saves the skb and module before we unlock so we free the right memory.

Fixes: 16b304f ("netlink: Eliminate kmalloc in netlink dump operation.")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 45e093a commit 92964c7
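The race the commit message describes, as an added C model that is not code from the kernel or from this commit: the structs, the `cb_mutex_unlock()` that lets a second dump start inside the unlock window, and `run_scenario()` are constructed for illustration, while `finish_dump_before_fix()` and `finish_dump_after_fix()` mirror the removed and added lines of the diff. Dump A (skb id 1) finishes while dump B (skb id 2) starts as soon as the mutex drops; then dump B finishes the same way.

```c
#include <stdio.h>

/* Constructed model of the race, not kernel code. A dump owns an skb; the
 * per-socket callback state (cb) points at the running dump's skb. */
struct skb {
	int id;
	int free_count;          /* 0 = leaked, 1 = correct, 2 = double free */
};
struct netlink_cb {
	struct skb *skb;
};
struct netlink_sock {
	int mutex_held;
	int cb_running;
	struct netlink_cb cb;
	struct skb *pending_skb; /* skb a competing dump installs when it starts */
};

static void cb_mutex_lock(struct netlink_sock *nlk)
{
	nlk->mutex_held = 1;
}

/* Dropping the mutex is the race window: once cb_running is false, a second
 * dump can start here and point cb at its own skb before we run again. */
static void cb_mutex_unlock(struct netlink_sock *nlk)
{
	nlk->mutex_held = 0;
	if (!nlk->cb_running && nlk->pending_skb) {
		cb_mutex_lock(nlk);
		nlk->cb.skb = nlk->pending_skb;
		nlk->pending_skb = NULL;
		nlk->cb_running = 1;
		cb_mutex_unlock(nlk); /* cb_running is set, so no further recursion */
	}
}

static void consume_skb(struct skb *skb)
{
	skb->free_count++;
}

/* Tail of netlink_dump() before the fix: cb->skb is read only after the
 * mutex is released, so it may already belong to another dump. */
static int finish_dump_before_fix(struct netlink_sock *nlk)
{
	nlk->cb_running = 0;
	cb_mutex_unlock(nlk);
	consume_skb(nlk->cb.skb);
	return nlk->cb.skb->id;
}

/* Tail of netlink_dump() with the fix: the pointer is saved while the mutex
 * is still held, and the saved copy is what gets freed. */
static int finish_dump_after_fix(struct netlink_sock *nlk)
{
	struct skb *skb;

	nlk->cb_running = 0;
	skb = nlk->cb.skb;
	cb_mutex_unlock(nlk);
	consume_skb(skb);
	return skb->id;
}

struct outcome {
	int freed_first;   /* skb id freed when dump A finishes */
	int freed_second;  /* skb id freed when dump B finishes */
	int a_free_count;  /* times dump A's skb was freed */
	int b_free_count;  /* times dump B's skb was freed */
};

/* Dump A finishes while dump B starts in the unlock window; then B finishes. */
struct outcome run_scenario(int patched)
{
	int (*finish)(struct netlink_sock *) =
		patched ? finish_dump_after_fix : finish_dump_before_fix;
	struct skb skb_a = { 1, 0 }, skb_b = { 2, 0 };
	struct netlink_sock nlk = { 0 };
	struct outcome out;

	cb_mutex_lock(&nlk);
	nlk.cb.skb = &skb_a;
	nlk.cb_running = 1;
	nlk.pending_skb = &skb_b;
	out.freed_first = finish(&nlk);
	out.freed_second = finish(&nlk);
	out.a_free_count = skb_a.free_count;
	out.b_free_count = skb_b.free_count;
	return out;
}

int main(void)
{
	struct outcome b = run_scenario(0), a = run_scenario(1);

	printf("before fix: freed %d then %d; A freed %dx, B freed %dx\n",
	       b.freed_first, b.freed_second, b.a_free_count, b.b_free_count);
	printf("after fix:  freed %d then %d; A freed %dx, B freed %dx\n",
	       a.freed_first, a.freed_second, a.a_free_count, a.b_free_count);
	return 0;
}
```

Unpatched, the first `consume_skb()` receives dump B's skb: A's skb is never freed (the leak) and B's is freed again when B finishes (the double free). Patched, each skb is freed exactly once, because the pointer was captured before `cb_running` cleared and the mutex dropped.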

1 file changed

+5
-2
lines changed


Diff for: net/netlink/af_netlink.c

@@ -2059,6 +2059,7 @@ static int netlink_dump(struct sock *sk)
20592059
struct netlink_callback *cb;
20602060
struct sk_buff *skb = NULL;
20612061
struct nlmsghdr *nlh;
2062+
struct module *module;
20622063
int len, err = -ENOBUFS;
20632064
int alloc_min_size;
20642065
int alloc_size;
@@ -2134,9 +2135,11 @@ static int netlink_dump(struct sock *sk)
21342135
cb->done(cb);
21352136

21362137
nlk->cb_running = false;
2138+
module = cb->module;
2139+
skb = cb->skb;
21372140
mutex_unlock(nlk->cb_mutex);
2138-
module_put(cb->module);
2139-
consume_skb(cb->skb);
2141+
module_put(module);
2142+
consume_skb(skb);
21402143
return 0;
21412144

21422145
errout_skb:
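Review bot: the two saved pointers are captured at the right point, since `nlk->cb_running = false` (line 2137) is what permits a new dump to begin and it is written before `mutex_unlock(nlk->cb_mutex)`; the removed `module_put(cb->module)` / `consume_skb(cb->skb)` therefore read fields that another dump may already have overwritten, which is the leak of our skb plus the later double free the subject line names. One style point: `skb = cb->skb` reuses the function-scope `skb` declared `= NULL` in the first hunk rather than a dedicated local; this is safe only because `return 0` follows immediately, so the reassigned value cannot reach the `errout_skb:` path below, but a separately named local (e.g. `cb_skb`) would make that intent explicit. Also worth checking that no other exit path from `netlink_dump()` touches `cb->skb` or `cb->module` after dropping `cb_mutex`, since the same snapshot-under-lock pattern would be needed there.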
