Message ID | 9616212b5203dac35d55d67b25963487a8276191.1550834953.git.dcaratti@redhat.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Headers | show |
Series | [net] net/sched: act_ipt: fix refcount leak when replace fails | expand |
From: Davide Caratti <dcaratti@redhat.com> Date: Fri, 22 Feb 2019 12:33:25 +0100 > After commit 4e8ddd7f1758 ("net: sched: don't release reference on action > overwrite"), the error path of all actions was converted to drop refcount > also when the action was being overwritten. But we forgot act_ipt_init(), > in case allocation of 'tname' was not successful: > > # tc action add action xt -j LOG --log-prefix hello index 100 > tablename: mangle hook: NF_IP_POST_ROUTING > target: LOG level warning prefix "hello" index 100 > # tc action show action xt > total acts 1 > > action order 0: tablename: mangle hook: NF_IP_POST_ROUTING > target LOG level warning prefix "hello" > index 100 ref 1 bind 0 > # tc action replace action xt -j LOG --log-prefix world index 100 > tablename: mangle hook: NF_IP_POST_ROUTING > target: LOG level warning prefix "world" index 100 > RTNETLINK answers: Cannot allocate memory > We have an error talking to the kernel > # tc action show action xt > total acts 1 > > action order 0: tablename: mangle hook: NF_IP_POST_ROUTING > target LOG level warning prefix "hello" > index 100 ref 2 bind 0 > > Ensure we call tcf_idr_release(), in case 'tname' allocation failed, also > when the action is being replaced. > > Fixes: 4e8ddd7f1758 ("net: sched: don't release reference on action overwrite") > Signed-off-by: Davide Caratti <dcaratti@redhat.com> Applied and queued up for -stable.
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c index 8af6c11d2482..faa1addf89b3 100644 --- a/net/sched/act_ipt.c +++ b/net/sched/act_ipt.c @@ -199,8 +199,7 @@ static int __tcf_ipt_init(struct net *net, unsigned int id, struct nlattr *nla, err2: kfree(tname); err1: - if (ret == ACT_P_CREATED) - tcf_idr_release(*a, bind); + tcf_idr_release(*a, bind); return err; }
After commit 4e8ddd7f1758 ("net: sched: don't release reference on action overwrite"), the error path of all actions was converted to drop refcount also when the action was being overwritten. But we forgot act_ipt_init(), in case allocation of 'tname' was not successful: # tc action add action xt -j LOG --log-prefix hello index 100 tablename: mangle hook: NF_IP_POST_ROUTING target: LOG level warning prefix "hello" index 100 # tc action show action xt total acts 1 action order 0: tablename: mangle hook: NF_IP_POST_ROUTING target LOG level warning prefix "hello" index 100 ref 1 bind 0 # tc action replace action xt -j LOG --log-prefix world index 100 tablename: mangle hook: NF_IP_POST_ROUTING target: LOG level warning prefix "world" index 100 RTNETLINK answers: Cannot allocate memory We have an error talking to the kernel # tc action show action xt total acts 1 action order 0: tablename: mangle hook: NF_IP_POST_ROUTING target LOG level warning prefix "hello" index 100 ref 2 bind 0 Ensure we call tcf_idr_release(), in case 'tname' allocation failed, also when the action is being replaced. Fixes: 4e8ddd7f1758 ("net: sched: don't release reference on action overwrite") Signed-off-by: Davide Caratti <dcaratti@redhat.com> --- net/sched/act_ipt.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)