netfilter: nf_tables: fix memory leak in nf_tables_newrule()

In nf_tables_newrule(), if nft_use_inc() fails, the function jumps to
the err_release_rule label without freeing the allocated flow, leading
to a memory leak.

Fix this by adding a new label err_destroy_flow and jumping to it when
nft_use_inc() fails. This ensures that the flow is properly released
in this error case.

Fixes: 1689f25924ada ("netfilter: nf_tables: report use refcount overflow")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 618af6e90773fff3b951e92fd3ee65f927ae33ca..729a92781a1a4702298ba3fbda97b80cf3b51b18 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4439,7 +4439,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
 
        if (!nft_use_inc(&chain->use)) {
                err = -EMFILE;
-               goto err_release_rule;
+               goto err_destroy_flow;
        }
 
        if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
@@ -4489,6 +4489,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
 
 err_destroy_flow_rule:
        nft_use_dec_restore(&chain->use);
+err_destroy_flow:
        if (flow)
                nft_flow_rule_destroy(flow);
 err_release_rule: