Commit 5663b854 authored by David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter fixes for net

This is fixing up the use without proper initialization in patch 5/5

-o-

Hi,

The following patchset contains Netfilter fixes for net:

1) Missing #ifdef CONFIG_IP6_NF_IPTABLES in recent xt_socket fix.

2) Fix incorrect flow action array size in nf_tables.

3) Unregister flowtable hooks from netns exit path.

4) Fix missing limit object release, from Florian Westphal.

5) Memleak in nf_tables object update path, also from Florian.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents b6ad6261 dad3bdee
+1 −1
@@ -905,9 +905,9 @@ struct nft_expr_ops {
	int				(*offload)(struct nft_offload_ctx *ctx,
						   struct nft_flow_rule *flow,
						   const struct nft_expr *expr);
	bool				(*offload_action)(const struct nft_expr *expr);
	void				(*offload_stats)(struct nft_expr *expr,
							 const struct flow_stats *stats);
	u32				offload_flags;
	const struct nft_expr_type	*type;
	void				*data;
};
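Review bot: The new `offload_action` callback in struct nft_expr_ops carries no comment stating its contract, and it takes over from the `offload_flags`/NFT_OFFLOAD_F_ACTION mechanism that the other sections of this commit remove, so a reader of the header cannot tell what a `true` return commits the expression to. The nft_offload.c section shows it is consulted once per expression instance to size the flow action array, so a line above the member such as `/* true if ->offload() for this expr instance appends a flow action entry */` would pin that down. The struct definition starts before this hunk; only its tail is visible here.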
+0 −2
@@ -67,8 +67,6 @@ struct nft_flow_rule {
	struct flow_rule	*rule;
};

#define NFT_OFFLOAD_F_ACTION	(1 << 0)

void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
				 enum flow_dissector_key_id addr_type);

+12 −4
@@ -6551,12 +6551,15 @@ static int nf_tables_updobj(const struct nft_ctx *ctx,
{
	struct nft_object *newobj;
	struct nft_trans *trans;
	int err;
	int err = -ENOMEM;

	if (!try_module_get(type->owner))
		return -ENOENT;

	trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
				sizeof(struct nft_trans_obj));
	if (!trans)
		return -ENOMEM;
		goto err_trans;

	newobj = nft_obj_init(ctx, type, attr);
	if (IS_ERR(newobj)) {
@@ -6573,6 +6576,8 @@ static int nf_tables_updobj(const struct nft_ctx *ctx,

err_free_trans:
	kfree(trans);
err_trans:
	module_put(type->owner);
	return err;
}

@@ -8185,7 +8190,7 @@ static void nft_obj_commit_update(struct nft_trans *trans)
	if (obj->ops->update)
		obj->ops->update(obj, newobj);

	kfree(newobj);
	nft_obj_destroy(&trans->ctx, newobj);
}

static void nft_commit_release(struct nft_trans *trans)
@@ -8976,7 +8981,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
			break;
		case NFT_MSG_NEWOBJ:
			if (nft_trans_obj_update(trans)) {
				kfree(nft_trans_obj_newobj(trans));
				nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
				nft_trans_destroy(trans);
			} else {
				trans->ctx.table->use--;
@@ -9636,10 +9641,13 @@ EXPORT_SYMBOL_GPL(__nft_release_basechain);

static void __nft_release_hook(struct net *net, struct nft_table *table)
{
	struct nft_flowtable *flowtable;
	struct nft_chain *chain;

	list_for_each_entry(chain, &table->chains, list)
		nf_tables_unregister_hook(net, table, chain);
	list_for_each_entry(flowtable, &table->flowtables, list)
		nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list);
}

static void __nft_release_hooks(struct net *net)
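Review bot: In nf_tables_updobj the new `try_module_get(type->owner)` takes a module reference on behalf of `newobj`, but nothing at that site records who releases it: the failure paths drop it at the new `err_trans:` label, and on success it appears to be dropped by the `nft_obj_destroy()` calls that replace `kfree(newobj)` in nft_obj_commit_update and __nf_tables_abort further down this file, which is the pairing the whole change relies on. A one-line comment above the call, `/* newobj carries a module reference, released by nft_obj_destroy() on commit/abort or at err_trans below */`, would make that ownership checkable without reading three hunks together. Keep `int err = -ENOMEM;` adjacent to the allocation-failure `goto err_trans;` it serves, since that initialiser is now the only value reaching the label from that path. nf_tables_updobj's body continues past the first hunk, so later assignments to err are not visible here.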
+2 −1
@@ -94,7 +94,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,

	expr = nft_expr_first(rule);
	while (nft_expr_more(rule, expr)) {
		if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION)
		if (expr->ops->offload_action &&
		    expr->ops->offload_action(expr))
			num_actions++;

		expr = nft_expr_next(expr);
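Review bot: Replacing the `NFT_OFFLOAD_F_ACTION` flag test with the `offload_action &&` callback in nft_flow_rule_create turns the action count from a static property of the expression type into a per-instance decision, and `num_actions` sizes the flow action array (the cover letter's item 2), so a callback that answers differently from what that expression's `->offload()` later emits silently reintroduces the sizing bug. A short comment at the new condition would record that invariant, e.g. `/* offload_action() must agree with the entries ->offload() appends: num_actions sizes the action array */`. The `while` loop and the enclosing function continue outside the hunk.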
+6 −0
@@ -67,6 +67,11 @@ static int nft_dup_netdev_offload(struct nft_offload_ctx *ctx,
	return nft_fwd_dup_netdev_offload(ctx, flow, FLOW_ACTION_MIRRED, oif);
}

static bool nft_dup_netdev_offload_action(const struct nft_expr *expr)
{
	return true;
}

static struct nft_expr_type nft_dup_netdev_type;
static const struct nft_expr_ops nft_dup_netdev_ops = {
	.type		= &nft_dup_netdev_type,
@@ -75,6 +80,7 @@ static const struct nft_expr_ops nft_dup_netdev_ops = {
	.init		= nft_dup_netdev_init,
	.dump		= nft_dup_netdev_dump,
	.offload	= nft_dup_netdev_offload,
	.offload_action	= nft_dup_netdev_offload_action,
};

static struct nft_expr_type nft_dup_netdev_type __read_mostly = {
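Review bot: `nft_dup_netdev_offload_action` returns `true` unconditionally with its `expr` argument unused, and nothing says why this expression always counts as exactly one flow action; the reason is visible a few lines up, where `nft_dup_netdev_offload` always emits `FLOW_ACTION_MIRRED`. A comment on the new function, `/* dup always emits one FLOW_ACTION_MIRRED entry, see nft_dup_netdev_offload() */`, ties the two together so a later change to the offload path is prompted to revisit the count. No code change is needed.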