From: Pablo Neira Ayuso <pablo@netfilter.org>
To: stable@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH -stable] netfilter: nf_tables: fix error handling of rule replacement
Date: Sat, 16 May 2015 20:50:45 +0200 [thread overview]
Message-ID: <1431802251-4781-1-git-send-email-pablo@netfilter.org> (raw)
[ upstream commit 59900e0a019e7c2bdb7809a03ed5742d311b15b3 ]
In general, if a transaction object is added to the list successfully,
we can rely on the abort path to undo what we've done. This allows us to
simplify the error handling of the rule replacement path in
nf_tables_newrule().
This implicitly fixes an unnecessary removal of the old rule, which
needs to be left in place if we fail to replace.
Cc: <stable@vger.kernel.org> # 3.18.x
Cc: <stable@vger.kernel.org> # 3.19.x
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 74e4b87..6ab7779 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2045,12 +2045,6 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
err3:
list_del_rcu(&rule->list);
- if (trans) {
- list_del_rcu(&nft_trans_rule(trans)->list);
- nft_rule_clear(net, nft_trans_rule(trans));
- nft_trans_destroy(trans);
- chain->use++;
- }
err2:
nf_tables_rule_destroy(&ctx, rule);
err1:
--
1.7.10.4
next reply other threads:[~2015-05-16 18:50 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-16 18:50 Pablo Neira Ayuso [this message]
2015-05-16 18:50 ` [PATCH -stable] netfilter: Zero the tuple in nfnl_cthelper_parse_tuple() Pablo Neira Ayuso
2015-05-19 11:31 ` Jiri Slaby
2015-05-16 18:50 ` [PATCH -stable] netfilter: nf_tables: check for overflow of rule dlen field Pablo Neira Ayuso
2015-05-16 18:50 ` [PATCH -stable] netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set Pablo Neira Ayuso
2015-05-16 18:50 ` [PATCH -stable] netfilter: restore rule tracing via nfnetlink_log Pablo Neira Ayuso
2015-05-16 18:50 ` [PATCH -stable] netfilter: nf_tables: allow to change chain policy without hook if it exists Pablo Neira Ayuso
2015-05-16 18:50 ` [PATCH -stable] netfilter: nft_rbtree: fix locking Pablo Neira Ayuso
2015-06-29 23:00 ` Greg KH
2015-07-01 11:38 ` Pablo Neira Ayuso
2015-05-20 12:12 ` [PATCH -stable] netfilter: nf_tables: fix error handling of rule replacement Luis Henriques
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1431802251-4781-1-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).