Message ID | 20220921090600.29673-1-hbh25y@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | net: sched: act_ct: fix possible refcount leak in tcf_ct_init() | expand |
On Wed, 21 Sep 2022 17:06:00 +0800 Hangyu Hua wrote: > Subject: [PATCH] net: sched: act_ct: fix possible refcount leak in tcf_ct_init() [PATCH net] please > nf_ct_put need to be called to put the refcount got by tcf_ct_fill_params > to avoid possible refcount leak when tcf_ct_flow_table_get fails. > > Fixes: c34b961a2492 ("net/sched: act_ct: Create nf flow table per zone") > Signed-off-by: Hangyu Hua <hbh25y@gmail.com> > --- > net/sched/act_ct.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c > index d55afb8d14be..3646956fc717 100644 > --- a/net/sched/act_ct.c > +++ b/net/sched/act_ct.c > @@ -1412,6 +1412,8 @@ static int tcf_ct_init(struct net *net, struct nlattr *nla, > cleanup: > if (goto_ch) > tcf_chain_put_by_act(goto_ch); > + if (params->tmpl) > + nf_ct_put(params->tmpl); This is buggy, params could be NULL here. Please add a new label above cleanup (cleanup_params for example) and make the tcf_ct_flow_table_get() failure path jump there instead.
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index d55afb8d14be..3646956fc717 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -1412,6 +1412,8 @@ static int tcf_ct_init(struct net *net, struct nlattr *nla, cleanup: if (goto_ch) tcf_chain_put_by_act(goto_ch); + if (params->tmpl) + nf_ct_put(params->tmpl); kfree(params); tcf_idr_release(*a, bind); return err;
nf_ct_put need to be called to put the refcount got by tcf_ct_fill_params to avoid possible refcount leak when tcf_ct_flow_table_get fails. Fixes: c34b961a2492 ("net/sched: act_ct: Create nf flow table per zone") Signed-off-by: Hangyu Hua <hbh25y@gmail.com> --- net/sched/act_ct.c | 2 ++ 1 file changed, 2 insertions(+)