Commit 0548a13b authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Florian Westphal
Browse files

nf_tables: nft_dynset: fix possible stateful expression memleak in error path 



If cloning the second stateful expression in the element via GFP_ATOMIC
fails, then the first stateful expression remains in place without being
released.

   unreferenced object (percpu) 0x607b97e9cab8 (size 16):
     comm "softirq", pid 0, jiffies 4294931867
     hex dump (first 16 bytes on cpu 3):
       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     backtrace (crc 0):
       pcpu_alloc_noprof+0x453/0xd80
       nft_counter_clone+0x9c/0x190 [nf_tables]
       nft_expr_clone+0x8f/0x1b0 [nf_tables]
       nft_dynset_new+0x2cb/0x5f0 [nf_tables]
       nft_rhash_update+0x236/0x11c0 [nf_tables]
       nft_dynset_eval+0x11f/0x670 [nf_tables]
       nft_do_chain+0x253/0x1700 [nf_tables]
       nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
       nf_hook_slow+0xaa/0x1e0
       ip_local_deliver+0x209/0x330

Fixes: 563125a7 ("netfilter: nftables: generalize set extension to support for several expressions")
Reported-by: default avatarGurpreet Shergill <giki.shergill@proton.me>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
parent 1e3a3593

include/net/netfilter/nf_tables.h

+2 −0
Original line number Diff line number Diff line
@@ -874,6 +874,8 @@ struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set, 
					u64 timeout, u64 expiration, gfp_t gfp);

int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,

			    struct nft_expr *expr_array[]);

void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,

			       struct nft_set_elem_expr *elem_expr);

void nft_set_elem_destroy(const struct nft_set *set,

			  const struct nft_elem_priv *elem_priv,

			  bool destroy_expr);

net/netfilter/nf_tables_api.c

+2 −2
Original line number Diff line number Diff line
@@ -6744,7 +6744,7 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 
	}

}



static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,

void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,

			       struct nft_set_elem_expr *elem_expr)

{

	struct nft_expr *expr;

net/netfilter/nft_dynset.c

+9 −1
Original line number Diff line number Diff line
@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv, 
				 const struct nft_set_ext *ext)

{

	struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);

	struct nft_ctx ctx = {

		.net	= read_pnet(&priv->set->net),

		.family	= priv->set->table->family,

	};

	struct nft_expr *expr;

	int i;



	for (i = 0; i < priv->num_exprs; i++) {

		expr = nft_setelem_expr_at(elem_expr, elem_expr->size);

		if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0)

			return -1;

			goto err_out;



		elem_expr->size += priv->expr_array[i]->ops->size;

	}



	return 0;

err_out:

	nft_set_elem_expr_destroy(&ctx, elem_expr);



	return -1;

}



struct nft_elem_priv *nft_dynset_new(struct nft_set *set,