Spotted by Coverity's checker. netlink_recvmsg calls netlink_cmsg_recv_pktinfo(msg, skb) on an skb that the checker claims may already have been freed by the preceding call to skb_free_datagram. It seems possible to me that this isn't a valid bug, because the refcount on the skb may not permit it to ever get freed through this code path.
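As an added illustration that is not part of this report or of the kernel source, here is a constructed C model of the ordering the checker flagged: a refcounted buffer standing in for the skb, a free that releases it when the last reference is dropped, and a recvmsg that reads per-packet info either after that free (the reported order) or before it (the safe order). The `users == 2` case shows the submitter's point that an extra reference holder keeps the free-first order from touching released memory. All names here are mock stand-ins, not the real kernel functions.

```c
#include <stdio.h>
#include <stdbool.h>
/* Constructed model of the reported pattern, not kernel code. */
struct mock_skb {
    int users;   /* reference count, like skb->users */
    int pid;     /* per-packet data that the pktinfo cmsg would copy out */
    bool freed;  /* set by the mock free so a read after free is observable */
};

/* Stands in for skb_free_datagram: consume one reference, release at zero. */
static void mock_free_datagram(struct mock_skb *skb)
{
    if (--skb->users == 0)
        skb->freed = true;  /* a real allocator would release the memory */
}

/* Stands in for netlink_cmsg_recv_pktinfo: reads skb, records read-after-free. */
static int mock_read_pktinfo(struct mock_skb *skb, bool *uaf)
{
    if (skb->freed)
        *uaf = true;
    return skb->pid;
}

/* Ordering the report describes: free first, then read pktinfo from skb. */
static bool recvmsg_free_then_read(struct mock_skb *skb)
{
    bool uaf = false;
    mock_free_datagram(skb);
    (void)mock_read_pktinfo(skb, &uaf);
    return uaf;  /* true only when this was the last reference */
}

/* Hardened ordering: copy out what recvmsg needs, then drop the reference. */
static bool recvmsg_read_then_free(struct mock_skb *skb)
{
    bool uaf = false;
    (void)mock_read_pktinfo(skb, &uaf);
    mock_free_datagram(skb);
    return uaf;
}

int main(void)
{
    struct mock_skb a = { .users = 1, .pid = 42 }, b = { .users = 2, .pid = 42 };
    printf("free-then-read: users=1 uaf=%d, users=2 uaf=%d\n",
           recvmsg_free_then_read(&a), recvmsg_free_then_read(&b));
    return 0;
}
```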
bugme-daemon@bugzilla.kernel.org wrote:
> http://bugzilla.kernel.org/show_bug.cgi?id=6187
>
> Summary: netlink: possible use after free in netlink_recvmsg
> Kernel Version: 2.6.16-git
> Status: NEW
> Severity: normal
> Owner: acme@conectiva.com.br
> Submitter: bos@serpentine.com
>
> Spotted by Coverity's checker.
>
> netlink_recvmsg calls netlink_cmsg_recv_pktinfo(msg, skb) on an skb that the
> checker claims may already have been freed by the preceding call to
> skb_free_datagram.
>
> It seems possible to me that this isn't a valid bug, because the refcount on the
> skb may not permit it to ever get freed through this code path.
Bryan,

There were several fixes, including this one submitted shortly after your report:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;f=net/netlink/af_netlink.c;h=59dc7d140600d95ec10a495beaed0f37f4f390e5;hp=6b9772d95872245b71cd305eda34f57335ac406c;hb=cc9a06cd8d6fbb69b4d3c46760c132cfe312fb85;hpb=f8dc01f543f28253abeef649987249210d8db3cc

Have you tested with later kernels? Does it work now?

Thanks.
Closing the bug. Please reopen if it still happens with the newest kernel.