| From 7570705b7637b719edb11eaf1a04cd8d4fbed989 Mon Sep 17 00:00:00 2001 |
| From: Taehee Yoo <ap420073@gmail.com> |
| Date: Tue, 19 Mar 2019 13:22:41 +0900 |
| Subject: netfilter: nf_tables: add missing ->release_ops() in error path of |
| newrule() |
| |
| [ Upstream commit b25a31bf0ca091aa8bdb9ab329b0226257568bbe ] |
| |
| The ->release_ops() callback releases resources and is used in the error path. |
| If nf_tables_newrule() fails after ->select_ops(), it should release |
| resources, but it cannot call ->destroy() because that should be called |
| after ->init(). |
| At this point, ->release_ops() should be used to release the resources. |
| |
| Test commands: |
| modprobe -rv xt_tcpudp |
| iptables-nft -I INPUT -m tcp <-- error command |
| lsmod |
| |
| Result: |
| Module Size Used by |
| xt_tcpudp 20480 2 <-- it should be 0 |
| |
| Fixes: b8e204006340 ("netfilter: nft_compat: use .release_ops and remove list of extension") |
| Signed-off-by: Taehee Yoo <ap420073@gmail.com> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/netfilter/nf_tables_api.c | 5 ++++- |
| 1 file changed, 4 insertions(+), 1 deletion(-) |
| |
| diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c |
| index f20b904873c6..acb124ce92ec 100644 |
| --- a/net/netfilter/nf_tables_api.c |
| +++ b/net/netfilter/nf_tables_api.c |
| @@ -2753,8 +2753,11 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, |
| nf_tables_rule_release(&ctx, rule); |
| err1: |
| for (i = 0; i < n; i++) { |
| - if (info[i].ops != NULL) |
| + if (info[i].ops) { |
| module_put(info[i].ops->type->owner); |
| + if (info[i].ops->type->release_ops) |
| + info[i].ops->type->release_ops(info[i].ops); |
| + } |
| } |
| kvfree(info); |
| return err; |
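Review bot: In the err1 loop, `module_put(info[i].ops->type->owner)` runs before `release_ops` is called, so the reference on the type's owning module is dropped while one of that type's callbacks is still about to run. Whether anything else keeps the module pinned at that point is not visible in this hunk, so the safer order is to release first and drop the reference last. Capture the owner up front with `struct module *owner = info[i].ops->type->owner;`, call `release_ops(info[i].ops)`, and finish with `module_put(owner);`. Saving the owner first also avoids reading `info[i].ops` after a callback that may free it, which presumably some implementations do. nf_tables_newrule() begins above the hunk, so only this cleanup tail was reviewed.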
| -- |
| 2.19.1 |
| |