diff mbox series

net: sched: act_ct: fix possible refcount leak in tcf_ct_init()

Message ID 20220921090600.29673-1-hbh25y@gmail.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series net: sched: act_ct: fix possible refcount leak in tcf_ct_init() | expand

Checks

Context Check Description
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers success CCed 9 of 9 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Hangyu Hua Sept. 21, 2022, 9:06 a.m. UTC 
nf_ct_put need to be called to put the refcount got by tcf_ct_fill_params
to avoid possible refcount leak when tcf_ct_flow_table_get fails.

Fixes: c34b961a2492 ("net/sched: act_ct: Create nf flow table per zone")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
 net/sched/act_ct.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Jakub Kicinski Sept. 22, 2022, 2:14 p.m. UTC | #1 
On Wed, 21 Sep 2022 17:06:00 +0800 Hangyu Hua wrote:
> Subject: [PATCH] net: sched: act_ct: fix possible refcount leak in tcf_ct_init()

[PATCH net] please

> nf_ct_put need to be called to put the refcount got by tcf_ct_fill_params
> to avoid possible refcount leak when tcf_ct_flow_table_get fails.
> 
> Fixes: c34b961a2492 ("net/sched: act_ct: Create nf flow table per zone")
> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
> ---
>  net/sched/act_ct.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
> index d55afb8d14be..3646956fc717 100644
> --- a/net/sched/act_ct.c
> +++ b/net/sched/act_ct.c
> @@ -1412,6 +1412,8 @@ static int tcf_ct_init(struct net *net, struct nlattr *nla,
>  cleanup:
>  	if (goto_ch)
>  		tcf_chain_put_by_act(goto_ch);
> +	if (params->tmpl)
> +		nf_ct_put(params->tmpl);

This is buggy, params could be NULL here. Please add a new label above
cleanup (cleanup_params for example) and make the
tcf_ct_flow_table_get() failure path jump there instead.
diff mbox series

Patch

diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index d55afb8d14be..3646956fc717 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -1412,6 +1412,8 @@  static int tcf_ct_init(struct net *net, struct nlattr *nla,
 cleanup:
 	if (goto_ch)
 		tcf_chain_put_by_act(goto_ch);
+	if (params->tmpl)
+		nf_ct_put(params->tmpl);
 	kfree(params);
 	tcf_idr_release(*a, bind);
 	return err;