nf_tables: nft_dynset: fix possible stateful expression memleak in error path

If cloning the second stateful expression in the element via GFP_ATOMIC
fails, then the first stateful expression remains in place without being
released.

   unreferenced object (percpu) 0x607b97e9cab8 (size 16):
     comm "softirq", pid 0, jiffies 4294931867
     hex dump (first 16 bytes on cpu 3):
       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     backtrace (crc 0):
       pcpu_alloc_noprof+0x453/0xd80
       nft_counter_clone+0x9c/0x190 [nf_tables]
       nft_expr_clone+0x8f/0x1b0 [nf_tables]
       nft_dynset_new+0x2cb/0x5f0 [nf_tables]
       nft_rhash_update+0x236/0x11c0 [nf_tables]
       nft_dynset_eval+0x11f/0x670 [nf_tables]
       nft_do_chain+0x253/0x1700 [nf_tables]
       nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
       nf_hook_slow+0xaa/0x1e0
       ip_local_deliver+0x209/0x330

Fixes: 563125a73ac3 ("netfilter: nftables: generalize set extension to support for several expressions")
Reported-by: Gurpreet Shergill <giki.shergill@proton.me>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 6299af4ef4237f18fd92d7b576285d54aabe6daf..ec8a8ec9c0aa69b769e9fca57bdf6cb4f118547f 100644 (file)
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -874,6 +874,8 @@ struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
                                        u64 timeout, u64 expiration, gfp_t gfp);
 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
                            struct nft_expr *expr_array[]);
+void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+                              struct nft_set_elem_expr *elem_expr);
 void nft_set_elem_destroy(const struct nft_set *set,
                          const struct nft_elem_priv *elem_priv,
                          bool destroy_expr);

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 4ccdd33cf13389e24fcac1587f8961d528455ce6..9b1c8d0a35fb2a43719c6b2ee6890f7dbf15181f 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6744,8 +6744,8 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
        }
 }
 
-static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
-                                     struct nft_set_elem_expr *elem_expr)
+void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+                              struct nft_set_elem_expr *elem_expr)
 {
        struct nft_expr *expr;
        u32 size;

diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 7807d812966464908b44911b79b8eb2efa097a27..9123277be03cedc9bbfef0e2e6c67cf7ce2c8cba 100644 (file)
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv,
                                 const struct nft_set_ext *ext)
 {
        struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
+       struct nft_ctx ctx = {
+               .net    = read_pnet(&priv->set->net),
+               .family = priv->set->table->family,
+       };
        struct nft_expr *expr;
        int i;
 
        for (i = 0; i < priv->num_exprs; i++) {
                expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
                if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0)
-                       return -1;
+                       goto err_out;
 
                elem_expr->size += priv->expr_array[i]->ops->size;
        }
 
        return 0;
+err_out:
+       nft_set_elem_expr_destroy(&ctx, elem_expr);
+
+       return -1;
 }
 
 struct nft_elem_priv *nft_dynset_new(struct nft_set *set,