Commit 57885276 authored Mar 09, 2026 by Paul Moses Committed by Jakub Kicinski Mar 10, 2026

net-shapers: don't free reply skb after genlmsg_reply()



genlmsg_reply() hands the reply skb to netlink, and
netlink_unicast() consumes it on all return paths, whether the
skb is queued successfully or freed on an error path.

net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit()
currently jump to free_msg after genlmsg_reply() fails and call
nlmsg_free(msg), which can hit the same skb twice.

Return the genlmsg_reply() error directly and keep free_msg
only for pre-reply failures.

Fixes: 4b623f9f ("net-shapers: implement NL get operation")
Fixes: 553ea9f1 ("net: shaper: implement introspection support")
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moses <p@1g4.org>
Link: https://patch.msgid.link/20260309173450.538026-2-p@1g4.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent f441b489

net/shaper/shaper.c

+2 −9

Original line number	Diff line number	Diff line
		@@ -759,11 +759,7 @@ int net_shaper_nl_get_doit(struct sk_buff skb, struct genl_info info)
		if (ret)
		goto free_msg;

		ret = genlmsg_reply(msg, info);
		if (ret)
		goto free_msg;

		return 0;
		return genlmsg_reply(msg, info);

		free_msg:
		nlmsg_free(msg);
		@@ -1313,10 +1309,7 @@ int net_shaper_nl_cap_get_doit(struct sk_buff skb, struct genl_info info)
		if (ret)
		goto free_msg;

		ret = genlmsg_reply(msg, info);
		if (ret)
		goto free_msg;
		return 0;
		return genlmsg_reply(msg, info);

		free_msg:
		nlmsg_free(msg);