From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Taehee Yoo <ap420073@gmail.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 17/34] netfilter: nf_tables: fix leaking object reference count
Date: Tue, 12 Feb 2019 21:39:35 -0500 [thread overview]
Message-ID: <20190213023952.21311-17-sashal@kernel.org> (raw)
In-Reply-To: <20190213023952.21311-1-sashal@kernel.org>
From: Taehee Yoo <ap420073@gmail.com>
[ Upstream commit b91d9036883793122cf6575ca4dfbfbdd201a83d ]
There is no code that decreases the reference count of stateful objects
in error path of the nft_add_set_elem(). this causes a leak of reference
count of stateful objects.
Test commands:
$nft add table ip filter
$nft add counter ip filter c1
$nft add map ip filter m1 { type ipv4_addr : counter \;}
$nft add element ip filter m1 { 1 : c1 }
$nft add element ip filter m1 { 1 : c1 }
$nft delete element ip filter m1 { 1 }
$nft delete counter ip filter c1
Result:
Error: Could not process rule: Device or resource busy
delete counter ip filter c1
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
At the second 'nft add element ip filter m1 { 1 : c1 }', the reference
count of the 'c1' is increased then it tries to insert into the 'm1'. but
the 'm1' already has same element so it returns -EEXIST.
But it doesn't decrease the reference count of the 'c1' in the error path.
Due to a leak of the reference count of the 'c1', the 'c1' can't be
removed by 'nft delete counter ip filter c1'.
Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to set elements")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 623ec29ade26..bf26e27ca456 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4046,6 +4046,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
err5:
kfree(trans);
err4:
+ if (obj)
+ obj->use--;
kfree(elem.priv);
err3:
if (nla[NFTA_SET_ELEM_DATA] != NULL)
--
2.19.1
next prev parent reply other threads:[~2019-02-13 2:39 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-13 2:39 [PATCH AUTOSEL 4.14 01/34] mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 02/34] pvcalls-back: set -ENOTCONN in pvcalls_conn_back_read Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 03/34] mfd: twl-core: Fix section annotations on {,un}protect_pm_master Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 04/34] mfd: db8500-prcmu: Fix some section annotations Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 05/34] mfd: mt6397: Do not call irq_domain_remove if PMIC unsupported Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 06/34] mfd: ab8500-core: Return zero in get_register_interruptible() Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 07/34] mfd: bd9571mwv: Add volatile register to make DVFS work Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 08/34] mfd: qcom_rpm: write fw_version to CTRL_REG Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 09/34] mfd: wm5110: Add missing ASRC rate register Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 10/34] mfd: tps65218: Use devm_regmap_add_irq_chip and clean up error path in probe() Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 11/34] mfd: mc13xxx: Fix a missing check of a register-read failure Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 12/34] xen/pvcalls: remove set but not used variable 'intf' Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 13/34] qed: Fix qed_chain_set_prod() for PBL chains with non power of 2 page count Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 14/34] qed: Fix qed_ll2_post_rx_buffer_notify_fw() by adding a write memory barrier Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 15/34] net: hns: Fix use after free identified by SLUB debug Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 16/34] MIPS: ath79: Enable OF serial ports in the default config Sasha Levin
2019-02-13 2:39 ` Sasha Levin [this message]
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 18/34] scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 19/34] scsi: isci: initialize shost fully before calling scsi_add_host() Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 20/34] MIPS: jazz: fix 64bit build Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 21/34] bpf: correctly set initial window on active Fast Open sender Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 22/34] net: stmmac: Fix PCI module removal leak Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 23/34] isdn: i4l: isdn_tty: Fix some concurrency double-free bugs Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 24/34] scsi: ufs: Fix system suspend status Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 25/34] scsi: qedi: Add ep_state for login completion on un-reachable targets Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 26/34] always clear the X2APIC_ENABLE bit for PV guest Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 27/34] drm/meson: add missing of_node_put Sasha Levin
2019-02-13 2:39 ` Sasha Levin
2019-02-13 2:39 ` Sasha Levin via dri-devel
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 28/34] atm: he: fix sign-extension overflow on large shift Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 29/34] hwmon: (tmp421) Correct the misspelling of the tmp442 compatible attribute in OF device ID table Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 30/34] leds: lp5523: fix a missing check of return value of lp55xx_read Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 31/34] bpf: bpf_setsockopt: reset sock dst on SO_MARK changes Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 32/34] mlxsw: spectrum_switchdev: Do not treat static FDB entries as sticky Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 33/34] net/mlx5e: Fix wrong (zero) TX drop counter indication for representor Sasha Levin
2019-02-13 2:39 ` [PATCH AUTOSEL 4.14 34/34] isdn: avm: Fix string plus integer warning from Clang Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190213023952.21311-17-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ap420073@gmail.com \
--cc=coreteam@netfilter.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.