Reported by sashiko:
If nft_flow_action_entry_next() returns NULL, dev reference leaks.
Fixes: c6f85577584b ("netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it")
Reported-by: Juri Lelli <juri.lelli@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
struct flow_action_entry *entry;
struct net_device *dev;
- /* nft_flow_rule_destroy() releases the reference on this device. */
dev = dev_get_by_index(ctx->net, oif);
if (!dev)
return -EOPNOTSUPP;
entry = nft_flow_action_entry_next(ctx, flow);
- if (!entry)
+ if (!entry) {
+ dev_put(dev);
return -E2BIG;
+ }
entry->id = id;
+ /* nft_flow_rule_destroy() releases the reference on this device. */
entry->dev = dev;
return 0;
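Review bot: the new `if (!entry)` branch is the only place in this hunk that drops the reference taken by dev_get_by_index(), so any further early return added between the lookup and `entry->dev = dev;` would bring the leak back. Consider calling nft_flow_action_entry_next() before dev_get_by_index(), so the device reference is only taken once an entry is known to be available and no unwind is needed, provided that consuming an entry ahead of a failed device lookup is acceptable to the caller. Moving the comment down to `entry->dev = dev;` places it where ownership is actually handed over, which reads better; it could also say that the -E2BIG path releases the reference locally rather than through nft_flow_rule_destroy().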