From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Possible device resource leak in nf_offload infra
Date: Thu, 4 Jun 2026 21:17:42 +0200
Message-ID: <aiHPPts-fb3oG9Sx@strlen.de>

Hi Pablo

net/netfilter/nf_dup_netdev.c :

 70 int nft_fwd_dup_netdev_offload(struct nft_offload_ctx *ctx,
 71                                struct nft_flow_rule *flow,
 72                                enum flow_action_id id, int oif)
 73 {
 74         struct flow_action_entry *entry;
 75         struct net_device *dev;
 76
 77         /* nft_flow_rule_destroy() releases the reference on this device. */

This comment is no longer true.

 78         dev = dev_get_by_index(ctx->net, oif);
 79         if (!dev)
 80                 return -EOPNOTSUPP;
 81
 82         entry = nft_flow_action_entry_next(ctx, flow);
 83         if (!entry)
 84                 return -E2BIG;

... because nft_flow_rule_destroy() cannot drop the device
ref when we return here, as dev is not assigned to entry
yet (and we got no entry).

AFAICS it's safe to just swap this and have
lines 77/78 moved after line 82.

nft_fwd_dup_netdev_offload() could also use some debug
check to make sure this doesn't get called for actions
other than FLOW_ACTION_REDIRECT/FLOW_ACTION_MIRRED as
those are the only ones where nft_flow_rule_destroy() takes
action.

(or accessors and comments that say that accesses to the
 hidden union are illegal).

Is the analysis correct?  I can make a patch.
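
The ordering question raised in the message above, as a small userspace C model added here (not kernel code and not part of the original mail). `struct dev`, `struct rule`, `dev_get()`, `entry_next()` and the other names are hypothetical stand-ins for the kernel objects, and the one-entry limit is constructed so the failing path is hit on the second call.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_ENTRIES 1   /* constructed limit: the second action finds no entry */
#define ERR_NODEV (-1)  /* stand-in for -EOPNOTSUPP */
#define ERR_2BIG  (-2)  /* stand-in for -E2BIG */

struct dev   { int refcnt; };
struct entry { struct dev *dev; };
struct rule  { struct entry entries[MAX_ENTRIES]; int used; };

static struct dev *dev_get(struct dev *d) { if (d) d->refcnt++; return d; }
static void dev_put(struct dev *d) { d->refcnt--; }
static struct entry *entry_next(struct rule *r)
{
    return r->used < MAX_ENTRIES ? &r->entries[r->used++] : NULL;
}
/* Order quoted in the mail: take the device reference, then ask for an entry. */
static int offload_ref_first(struct rule *r, struct dev *d)
{
    struct dev *dev = dev_get(d);
    struct entry *e;
    if (!dev) return ERR_NODEV;
    e = entry_next(r);
    if (!e) return ERR_2BIG;     /* reference is held, but no entry records it */
    e->dev = dev;
    return 0;
}
/* Order proposed in the mail: get the entry first, then take the reference. */
static int offload_entry_first(struct rule *r, struct dev *d)
{
    struct entry *e = entry_next(r);
    if (!e) return ERR_2BIG;     /* nothing acquired yet, nothing to undo */
    e->dev = dev_get(d);
    return e->dev ? 0 : ERR_NODEV;
}
/* Destroy can only drop references that were stored in an entry. */
static void rule_destroy(struct rule *r)
{
    for (int i = 0; i < r->used; i++)
        if (r->entries[i].dev) dev_put(r->entries[i].dev);
    r->used = 0;
}
/* Add two actions to a one-entry rule, destroy it, return the leftover refcount. */
static int leftover_refs(int (*offload)(struct rule *, struct dev *))
{
    struct dev d = { 0 };
    struct rule r = { 0 };
    offload(&r, &d);
    offload(&r, &d);             /* table is full: this call fails */
    rule_destroy(&r);
    return d.refcnt;
}
int main(void) { printf("ref first: %d, entry first: %d\n", leftover_refs(offload_ref_first), leftover_refs(offload_entry_first)); return 0; }
```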
