| From 77ac5e40c44eb78333fbc38482d61fc2af7dda0a Mon Sep 17 00:00:00 2001 |
| From: Louis Peens <louis.peens@corigine.com> |
| Date: Fri, 2 Jul 2021 11:21:38 +0200 |
| Subject: net/sched: act_ct: remove and free nf_table callbacks |
| |
| From: Louis Peens <louis.peens@corigine.com> |
| |
| commit 77ac5e40c44eb78333fbc38482d61fc2af7dda0a upstream. |
| |
| When cleaning up the nf_table in tcf_ct_flow_table_cleanup_work |
| there is no guarantee that the callback list, added to by |
| nf_flow_table_offload_add_cb, is empty. This means that it is |
| possible that the flow_block_cb memory allocated will be lost. |
| |
| Fix this by iterating the list and freeing the flow_block_cb entries |
| before freeing the nf_table entry (via freeing ct_ft). |
| |
| Fixes: 978703f42549 ("netfilter: flowtable: Add API for registering to flow table events") |
| Signed-off-by: Louis Peens <louis.peens@corigine.com> |
| Signed-off-by: Yinjun Zhang <yinjun.zhang@corigine.com> |
| Signed-off-by: Simon Horman <simon.horman@corigine.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/sched/act_ct.c | 11 +++++++++++ |
| 1 file changed, 11 insertions(+) |
| |
| --- a/net/sched/act_ct.c |
| +++ b/net/sched/act_ct.c |
| @@ -320,11 +320,22 @@ err_alloc: |
| |
| static void tcf_ct_flow_table_cleanup_work(struct work_struct *work) |
| { |
| + struct flow_block_cb *block_cb, *tmp_cb; |
| struct tcf_ct_flow_table *ct_ft; |
| + struct flow_block *block; |
| |
| ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table, |
| rwork); |
| nf_flow_table_free(&ct_ft->nf_ft); |
| + |
| + /* Remove any remaining callbacks before cleanup */ |
| + block = &ct_ft->nf_ft.flow_block; |
| + down_write(&ct_ft->nf_ft.flow_block_lock); |
| + list_for_each_entry_safe(block_cb, tmp_cb, &block->cb_list, list) { |
| + list_del(&block_cb->list); |
| + flow_block_cb_free(block_cb); |
| + } |
| + up_write(&ct_ft->nf_ft.flow_block_lock); |
| kfree(ct_ft); |
| |
| module_put(THIS_MODULE); |