nf_tables: nft_dynset: fix possible stateful expression memleak in error path

[ Upstream commit 0548a13b5a145b16e4da0628b5936baf35f51b43 ]

If cloning the second stateful expression in the element via GFP_ATOMIC
fails, then the first stateful expression remains in place without being
released.

   unreferenced object (percpu) 0x607b97e9cab8 (size 16):
     comm "softirq", pid 0, jiffies 4294931867
     hex dump (first 16 bytes on cpu 3):
       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     backtrace (crc 0):
       pcpu_alloc_noprof+0x453/0xd80
       nft_counter_clone+0x9c/0x190 [nf_tables]
       nft_expr_clone+0x8f/0x1b0 [nf_tables]
       nft_dynset_new+0x2cb/0x5f0 [nf_tables]
       nft_rhash_update+0x236/0x11c0 [nf_tables]
       nft_dynset_eval+0x11f/0x670 [nf_tables]
       nft_do_chain+0x253/0x1700 [nf_tables]
       nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
       nf_hook_slow+0xaa/0x1e0
       ip_local_deliver+0x209/0x330

Fixes: 563125a73ac3 ("netfilter: nftables: generalize set extension to support for several expressions")
Reported-by: Gurpreet Shergill <giki.shergill@proton.me>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 79296ed87b9b3009e0634a1b705b7509bc5757e7..36964b86d336ddbf7f0a31b6dc48c0e17c324c93 100644 (file)
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -873,6 +873,8 @@ struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
                                        u64 timeout, u64 expiration, gfp_t gfp);
 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
                            struct nft_expr *expr_array[]);
+void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+                              struct nft_set_elem_expr *elem_expr);
 void nft_set_elem_destroy(const struct nft_set *set,
                          const struct nft_elem_priv *elem_priv,
                          bool destroy_expr);

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 268d00ffee0cb3aec7af5943c6e888250efa63c4..0c12560e94f3b44838c414b2325b50ab9b62f840 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6637,8 +6637,8 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
        }
 }
 
-static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
-                                     struct nft_set_elem_expr *elem_expr)
+void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+                              struct nft_set_elem_expr *elem_expr)
 {
        struct nft_expr *expr;
        u32 size;

diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index e24493d9e7761561e611a39da86e97b560ecf9ba..0b3c4f6a8decd03ab7840a45242817882cdc0030 100644 (file)
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv,
                                 const struct nft_set_ext *ext)
 {
        struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
+       struct nft_ctx ctx = {
+               .net    = read_pnet(&priv->set->net),
+               .family = priv->set->table->family,
+       };
        struct nft_expr *expr;
        int i;
 
        for (i = 0; i < priv->num_exprs; i++) {
                expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
                if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0)
-                       return -1;
+                       goto err_out;
 
                elem_expr->size += priv->expr_array[i]->ops->size;
        }
 
        return 0;
+err_out:
+       nft_set_elem_expr_destroy(&ctx, elem_expr);
+
+       return -1;
 }
 
 static struct nft_elem_priv *nft_dynset_new(struct nft_set *set,