Commit 77ac5e40 authored Jul 02, 2021 by Louis Peens Committed by David S. Miller Jul 02, 2021

net/sched: act_ct: remove and free nf_table callbacks



When cleaning up the nf_table in tcf_ct_flow_table_cleanup_work
there is no guarantee that the callback list, added to by
nf_flow_table_offload_add_cb, is empty. This means that it is
possible that the flow_block_cb memory allocated will be lost.

Fix this by iterating the list and freeing the flow_block_cb entries
before freeing the nf_table entry (via freeing ct_ft).

Fixes: 978703f4 ("netfilter: flowtable: Add API for registering to flow table events")
Signed-off-by: Louis Peens <louis.peens@corigine.com>
Signed-off-by: Yinjun Zhang <yinjun.zhang@corigine.com>
Signed-off-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent a019abd8

net/sched/act_ct.c

+11 −0

Original line number	Diff line number	Diff line
		@@ -322,11 +322,22 @@ static int tcf_ct_flow_table_get(struct tcf_ct_params *params)

		static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)
		{
		struct flow_block_cb block_cb, tmp_cb;
		struct tcf_ct_flow_table *ct_ft;
		struct flow_block *block;

		ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
		rwork);
		nf_flow_table_free(&ct_ft->nf_ft);

		/* Remove any remaining callbacks before cleanup */
		block = &ct_ft->nf_ft.flow_block;
		down_write(&ct_ft->nf_ft.flow_block_lock);
		list_for_each_entry_safe(block_cb, tmp_cb, &block->cb_list, list) {
		list_del(&block_cb->list);
		flow_block_cb_free(block_cb);
		}
		up_write(&ct_ft->nf_ft.flow_block_lock);
		kfree(ct_ft);

		module_put(THIS_MODULE);