This is a note to let you know that I've just added the patch titled Revert "ipv4: fix memory leaks in ip_cmsg_send() callers" to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From d7807a9adf4856171f8441f13078c33941df48ab Mon Sep 17 00:00:00 2001 From: Yajun Deng <yajun.deng@xxxxxxxxx> Date: Mon, 13 Sep 2021 12:04:42 +0800 Subject: Revert "ipv4: fix memory leaks in ip_cmsg_send() callers" From: Yajun Deng <yajun.deng@xxxxxxxxx> commit d7807a9adf4856171f8441f13078c33941df48ab upstream. This reverts commit 919483096bfe75dda338e98d56da91a263746a0a. There is only when ip_options_get() return zero need to free. It already called kfree() when return error. Fixes: 919483096bfe ("ipv4: fix memory leaks in ip_cmsg_send() callers") Signed-off-by: Yajun Deng <yajun.deng@xxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ping.c | 5 ++--- net/ipv4/raw.c | 5 ++--- net/ipv4/udp.c | 4 +--- 4 files changed, 6 insertions(+), 10 deletions(-) --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -261,7 +261,7 @@ int ip_cmsg_send(struct sock *sk, struct case IP_RETOPTS: err = cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)); - /* Our caller is responsible for freeing ipc->opt */ + /* Our caller is responsible for freeing ipc->opt when err = 0 */ err = ip_options_get(net, &ipc->opt, CMSG_DATA(cmsg), err < 40 ? err : 40); if (err) --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -749,10 +749,9 @@ static int ping_v4_sendmsg(struct sock * if (msg->msg_controllen) { err = ip_cmsg_send(sk, msg, &ipc, false); - if (unlikely(err)) { - kfree(ipc.opt); + if (unlikely(err)) return err; - } + if (ipc.opt) free = 1; } --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -560,10 +560,9 @@ static int raw_sendmsg(struct sock *sk, if (msg->msg_controllen) { err = ip_cmsg_send(sk, msg, &ipc, false); - if (unlikely(err)) { - kfree(ipc.opt); + if (unlikely(err)) goto out; - } + if (ipc.opt) free = 1; } --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -959,10 +959,8 @@ int udp_sendmsg(struct sock *sk, struct if (msg->msg_controllen) { err = ip_cmsg_send(sk, msg, &ipc, sk->sk_family == AF_INET6); - if (unlikely(err)) { - kfree(ipc.opt); + if (unlikely(err)) return err; - } if (ipc.opt) free = 1; connected = 0; Patches currently in stable-queue which might be from yajun.deng@xxxxxxxxx are queue-4.9/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch queue-4.9/netlink-deal-with-esrch-error-in-nlmsg_notify.patch