Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

neigh: let neigh_xmit take skb ownership

neigh_xmit always releases the skb, except when no neighbour table is
found. But even the first added user of neigh_xmit (mpls) relied on
neigh_xmit to release the skb (or queue it for tx).

sashiko reported:
If neigh_xmit() is called with an uninitialized neighbor table (for
example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT
and bypasses its internal out_kfree_skb error path. Because the return
value of neigh_xmit() is ignored here, does this leak the SKB?

Assume full ownership and remove the last code path that doesn't
xmit or free skb.

Fixes: 4fd3d7d9e868 ("neigh: Add helper function neigh_xmit")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260424145843.74055-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Florian Westphal and committed by
Jakub Kicinski
4438113b b3b6babf

+5 -5
+5 -5
net/core/neighbour.c
··· 3210 3210 3211 3211 rcu_read_lock(); 3212 3212 tbl = rcu_dereference(neigh_tables[index]); 3213 - if (!tbl) 3214 - goto out_unlock; 3213 + if (!tbl) { 3214 + rcu_read_unlock(); 3215 + goto out_kfree_skb; 3216 + } 3215 3217 if (index == NEIGH_ARP_TABLE) { 3216 3218 u32 key = *((u32 *)addr); 3217 3219 ··· 3229 3227 goto out_kfree_skb; 3230 3228 } 3231 3229 err = READ_ONCE(neigh->output)(neigh, skb); 3232 - out_unlock: 3233 3230 rcu_read_unlock(); 3234 3231 } 3235 3232 else if (index == NEIGH_LINK_TABLE) { ··· 3238 3237 goto out_kfree_skb; 3239 3238 err = dev_queue_xmit(skb); 3240 3239 } 3241 - out: 3242 3240 return err; 3243 3241 out_kfree_skb: 3244 3242 kfree_skb(skb); 3245 - goto out; 3243 + return err; 3246 3244 } 3247 3245 EXPORT_SYMBOL(neigh_xmit); 3248 3246