Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Make sure we don't go over the maximum jump stack boundary,
   from Taehee Yoo.

2) Missing rcu_barrier() in hash and rbtree sets, also from Taehee.

3) Missing check to nul-node in rbtree timeout routine, from Taehee.

4) Use dev->name from flowtable to fix a memleak, from Florian.

5) Oneliner to free flowtable object on removal, from Florian.

6) Memleak in chain rename transaction, again from Florian.

7) Don't allow two chains to use the same name in the same
   transaction, from Florian.

8) handle DCCP SYNC/SYNCACK as invalid, this triggers an
   uninitialized timer in conntrack reported by syzbot, from Florian.

9) Fix leak in case netlink_dump_start() fails, from Florian.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller 2018-07-24 09:56:50 -07:00
commit 049f56044d
7 changed files with 192 additions and 151 deletions

View File

@ -150,6 +150,7 @@ static inline void nft_data_debug(const struct nft_data *data)
* @portid: netlink portID of the original message * @portid: netlink portID of the original message
* @seq: netlink sequence number * @seq: netlink sequence number
* @family: protocol family * @family: protocol family
* @level: depth of the chains
* @report: notify via unicast netlink message * @report: notify via unicast netlink message
*/ */
struct nft_ctx { struct nft_ctx {
@ -160,6 +161,7 @@ struct nft_ctx {
u32 portid; u32 portid;
u32 seq; u32 seq;
u8 family; u8 family;
u8 level;
bool report; bool report;
}; };
@ -865,7 +867,6 @@ enum nft_chain_flags {
* @table: table that this chain belongs to * @table: table that this chain belongs to
* @handle: chain handle * @handle: chain handle
* @use: number of jump references to this chain * @use: number of jump references to this chain
* @level: length of longest path to this chain
* @flags: bitmask of enum nft_chain_flags * @flags: bitmask of enum nft_chain_flags
* @name: name of the chain * @name: name of the chain
*/ */
@ -878,7 +879,6 @@ struct nft_chain {
struct nft_table *table; struct nft_table *table;
u64 handle; u64 handle;
u32 use; u32 use;
u16 level;
u8 flags:6, u8 flags:6,
genmask:2; genmask:2;
char *name; char *name;
@ -1124,7 +1124,6 @@ struct nft_flowtable {
u32 genmask:2, u32 genmask:2,
use:30; use:30;
u64 handle; u64 handle;
char *dev_name[NFT_FLOWTABLE_DEVICE_MAX];
/* runtime data below here */ /* runtime data below here */
struct nf_hook_ops *ops ____cacheline_aligned; struct nf_hook_ops *ops ____cacheline_aligned;
struct nf_flowtable data; struct nf_flowtable data;

View File

@ -243,14 +243,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] =
* We currently ignore Sync packets * We currently ignore Sync packets
* *
* sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
}, },
[DCCP_PKT_SYNCACK] = { [DCCP_PKT_SYNCACK] = {
/* /*
* We currently ignore SyncAck packets * We currently ignore SyncAck packets
* *
* sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
}, },
}, },
[CT_DCCP_ROLE_SERVER] = { [CT_DCCP_ROLE_SERVER] = {
@ -371,14 +371,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] =
* We currently ignore Sync packets * We currently ignore Sync packets
* *
* sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
}, },
[DCCP_PKT_SYNCACK] = { [DCCP_PKT_SYNCACK] = {
/* /*
* We currently ignore SyncAck packets * We currently ignore SyncAck packets
* *
* sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
}, },
}, },
}; };

View File

@ -75,6 +75,7 @@ static void nft_ctx_init(struct nft_ctx *ctx,
{ {
ctx->net = net; ctx->net = net;
ctx->family = family; ctx->family = family;
ctx->level = 0;
ctx->table = table; ctx->table = table;
ctx->chain = chain; ctx->chain = chain;
ctx->nla = nla; ctx->nla = nla;
@ -1597,7 +1598,6 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
struct nft_base_chain *basechain; struct nft_base_chain *basechain;
struct nft_stats *stats = NULL; struct nft_stats *stats = NULL;
struct nft_chain_hook hook; struct nft_chain_hook hook;
const struct nlattr *name;
struct nf_hook_ops *ops; struct nf_hook_ops *ops;
struct nft_trans *trans; struct nft_trans *trans;
int err; int err;
@ -1645,12 +1645,11 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
return PTR_ERR(stats); return PTR_ERR(stats);
} }
err = -ENOMEM;
trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN, trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
sizeof(struct nft_trans_chain)); sizeof(struct nft_trans_chain));
if (trans == NULL) { if (trans == NULL)
free_percpu(stats); goto err;
return -ENOMEM;
}
nft_trans_chain_stats(trans) = stats; nft_trans_chain_stats(trans) = stats;
nft_trans_chain_update(trans) = true; nft_trans_chain_update(trans) = true;
@ -1660,19 +1659,37 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
else else
nft_trans_chain_policy(trans) = -1; nft_trans_chain_policy(trans) = -1;
name = nla[NFTA_CHAIN_NAME]; if (nla[NFTA_CHAIN_HANDLE] &&
if (nla[NFTA_CHAIN_HANDLE] && name) { nla[NFTA_CHAIN_NAME]) {
nft_trans_chain_name(trans) = struct nft_trans *tmp;
nla_strdup(name, GFP_KERNEL); char *name;
if (!nft_trans_chain_name(trans)) {
kfree(trans); err = -ENOMEM;
free_percpu(stats); name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
return -ENOMEM; if (!name)
goto err;
err = -EEXIST;
list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
tmp->ctx.table == table &&
nft_trans_chain_update(tmp) &&
nft_trans_chain_name(tmp) &&
strcmp(name, nft_trans_chain_name(tmp)) == 0) {
kfree(name);
goto err;
}
} }
nft_trans_chain_name(trans) = name;
} }
list_add_tail(&trans->list, &ctx->net->nft.commit_list); list_add_tail(&trans->list, &ctx->net->nft.commit_list);
return 0; return 0;
err:
free_percpu(stats);
kfree(trans);
return err;
} }
static int nf_tables_newchain(struct net *net, struct sock *nlsk, static int nf_tables_newchain(struct net *net, struct sock *nlsk,
@ -2254,6 +2271,39 @@ done:
return skb->len; return skb->len;
} }
static int nf_tables_dump_rules_start(struct netlink_callback *cb)
{
const struct nlattr * const *nla = cb->data;
struct nft_rule_dump_ctx *ctx = NULL;
if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
if (!ctx)
return -ENOMEM;
if (nla[NFTA_RULE_TABLE]) {
ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
GFP_ATOMIC);
if (!ctx->table) {
kfree(ctx);
return -ENOMEM;
}
}
if (nla[NFTA_RULE_CHAIN]) {
ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
GFP_ATOMIC);
if (!ctx->chain) {
kfree(ctx->table);
kfree(ctx);
return -ENOMEM;
}
}
}
cb->data = ctx;
return 0;
}
static int nf_tables_dump_rules_done(struct netlink_callback *cb) static int nf_tables_dump_rules_done(struct netlink_callback *cb)
{ {
struct nft_rule_dump_ctx *ctx = cb->data; struct nft_rule_dump_ctx *ctx = cb->data;
@ -2283,38 +2333,13 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk,
if (nlh->nlmsg_flags & NLM_F_DUMP) { if (nlh->nlmsg_flags & NLM_F_DUMP) {
struct netlink_dump_control c = { struct netlink_dump_control c = {
.start= nf_tables_dump_rules_start,
.dump = nf_tables_dump_rules, .dump = nf_tables_dump_rules,
.done = nf_tables_dump_rules_done, .done = nf_tables_dump_rules_done,
.module = THIS_MODULE, .module = THIS_MODULE,
.data = (void *)nla,
}; };
if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
struct nft_rule_dump_ctx *ctx;
ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
if (!ctx)
return -ENOMEM;
if (nla[NFTA_RULE_TABLE]) {
ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
GFP_ATOMIC);
if (!ctx->table) {
kfree(ctx);
return -ENOMEM;
}
}
if (nla[NFTA_RULE_CHAIN]) {
ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
GFP_ATOMIC);
if (!ctx->chain) {
kfree(ctx->table);
kfree(ctx);
return -ENOMEM;
}
}
c.data = ctx;
}
return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
} }
@ -2384,6 +2409,9 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
struct nft_rule *rule; struct nft_rule *rule;
int err; int err;
if (ctx->level == NFT_JUMP_STACK_SIZE)
return -EMLINK;
list_for_each_entry(rule, &chain->rules, list) { list_for_each_entry(rule, &chain->rules, list) {
if (!nft_is_active_next(ctx->net, rule)) if (!nft_is_active_next(ctx->net, rule))
continue; continue;
@ -3161,6 +3189,18 @@ done:
return skb->len; return skb->len;
} }
static int nf_tables_dump_sets_start(struct netlink_callback *cb)
{
struct nft_ctx *ctx_dump = NULL;
ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
if (ctx_dump == NULL)
return -ENOMEM;
cb->data = ctx_dump;
return 0;
}
static int nf_tables_dump_sets_done(struct netlink_callback *cb) static int nf_tables_dump_sets_done(struct netlink_callback *cb)
{ {
kfree(cb->data); kfree(cb->data);
@ -3188,18 +3228,12 @@ static int nf_tables_getset(struct net *net, struct sock *nlsk,
if (nlh->nlmsg_flags & NLM_F_DUMP) { if (nlh->nlmsg_flags & NLM_F_DUMP) {
struct netlink_dump_control c = { struct netlink_dump_control c = {
.start = nf_tables_dump_sets_start,
.dump = nf_tables_dump_sets, .dump = nf_tables_dump_sets,
.done = nf_tables_dump_sets_done, .done = nf_tables_dump_sets_done,
.data = &ctx,
.module = THIS_MODULE, .module = THIS_MODULE,
}; };
struct nft_ctx *ctx_dump;
ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_ATOMIC);
if (ctx_dump == NULL)
return -ENOMEM;
*ctx_dump = ctx;
c.data = ctx_dump;
return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
} }
@ -3849,6 +3883,15 @@ nla_put_failure:
return -ENOSPC; return -ENOSPC;
} }
static int nf_tables_dump_set_start(struct netlink_callback *cb)
{
struct nft_set_dump_ctx *dump_ctx = cb->data;
cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
return cb->data ? 0 : -ENOMEM;
}
static int nf_tables_dump_set_done(struct netlink_callback *cb) static int nf_tables_dump_set_done(struct netlink_callback *cb)
{ {
kfree(cb->data); kfree(cb->data);
@ -4002,20 +4045,17 @@ static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
if (nlh->nlmsg_flags & NLM_F_DUMP) { if (nlh->nlmsg_flags & NLM_F_DUMP) {
struct netlink_dump_control c = { struct netlink_dump_control c = {
.start = nf_tables_dump_set_start,
.dump = nf_tables_dump_set, .dump = nf_tables_dump_set,
.done = nf_tables_dump_set_done, .done = nf_tables_dump_set_done,
.module = THIS_MODULE, .module = THIS_MODULE,
}; };
struct nft_set_dump_ctx *dump_ctx; struct nft_set_dump_ctx dump_ctx = {
.set = set,
.ctx = ctx,
};
dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_ATOMIC); c.data = &dump_ctx;
if (!dump_ctx)
return -ENOMEM;
dump_ctx->set = set;
dump_ctx->ctx = ctx;
c.data = dump_ctx;
return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
} }
@ -4975,6 +5015,32 @@ done:
return skb->len; return skb->len;
} }
static int nf_tables_dump_obj_start(struct netlink_callback *cb)
{
const struct nlattr * const *nla = cb->data;
struct nft_obj_filter *filter = NULL;
if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
if (!filter)
return -ENOMEM;
if (nla[NFTA_OBJ_TABLE]) {
filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
if (!filter->table) {
kfree(filter);
return -ENOMEM;
}
}
if (nla[NFTA_OBJ_TYPE])
filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
}
cb->data = filter;
return 0;
}
static int nf_tables_dump_obj_done(struct netlink_callback *cb) static int nf_tables_dump_obj_done(struct netlink_callback *cb)
{ {
struct nft_obj_filter *filter = cb->data; struct nft_obj_filter *filter = cb->data;
@ -4987,28 +5053,6 @@ static int nf_tables_dump_obj_done(struct netlink_callback *cb)
return 0; return 0;
} }
static struct nft_obj_filter *
nft_obj_filter_alloc(const struct nlattr * const nla[])
{
struct nft_obj_filter *filter;
filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
if (!filter)
return ERR_PTR(-ENOMEM);
if (nla[NFTA_OBJ_TABLE]) {
filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
if (!filter->table) {
kfree(filter);
return ERR_PTR(-ENOMEM);
}
}
if (nla[NFTA_OBJ_TYPE])
filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
return filter;
}
/* called with rcu_read_lock held */ /* called with rcu_read_lock held */
static int nf_tables_getobj(struct net *net, struct sock *nlsk, static int nf_tables_getobj(struct net *net, struct sock *nlsk,
struct sk_buff *skb, const struct nlmsghdr *nlh, struct sk_buff *skb, const struct nlmsghdr *nlh,
@ -5027,21 +5071,13 @@ static int nf_tables_getobj(struct net *net, struct sock *nlsk,
if (nlh->nlmsg_flags & NLM_F_DUMP) { if (nlh->nlmsg_flags & NLM_F_DUMP) {
struct netlink_dump_control c = { struct netlink_dump_control c = {
.start = nf_tables_dump_obj_start,
.dump = nf_tables_dump_obj, .dump = nf_tables_dump_obj,
.done = nf_tables_dump_obj_done, .done = nf_tables_dump_obj_done,
.module = THIS_MODULE, .module = THIS_MODULE,
.data = (void *)nla,
}; };
if (nla[NFTA_OBJ_TABLE] ||
nla[NFTA_OBJ_TYPE]) {
struct nft_obj_filter *filter;
filter = nft_obj_filter_alloc(nla);
if (IS_ERR(filter))
return -ENOMEM;
c.data = filter;
}
return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
} }
@ -5320,8 +5356,6 @@ static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
flowtable->ops[i].priv = &flowtable->data; flowtable->ops[i].priv = &flowtable->data;
flowtable->ops[i].hook = flowtable->data.type->hook; flowtable->ops[i].hook = flowtable->data.type->hook;
flowtable->ops[i].dev = dev_array[i]; flowtable->ops[i].dev = dev_array[i];
flowtable->dev_name[i] = kstrdup(dev_array[i]->name,
GFP_KERNEL);
} }
return err; return err;
@ -5479,10 +5513,8 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
err6: err6:
i = flowtable->ops_len; i = flowtable->ops_len;
err5: err5:
for (k = i - 1; k >= 0; k--) { for (k = i - 1; k >= 0; k--)
kfree(flowtable->dev_name[k]);
nf_unregister_net_hook(net, &flowtable->ops[k]); nf_unregister_net_hook(net, &flowtable->ops[k]);
}
kfree(flowtable->ops); kfree(flowtable->ops);
err4: err4:
@ -5581,9 +5613,10 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
goto nla_put_failure; goto nla_put_failure;
for (i = 0; i < flowtable->ops_len; i++) { for (i = 0; i < flowtable->ops_len; i++) {
if (flowtable->dev_name[i][0] && const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
nla_put_string(skb, NFTA_DEVICE_NAME,
flowtable->dev_name[i])) if (dev &&
nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
goto nla_put_failure; goto nla_put_failure;
} }
nla_nest_end(skb, nest_devs); nla_nest_end(skb, nest_devs);
@ -5650,6 +5683,28 @@ done:
return skb->len; return skb->len;
} }
static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
{
const struct nlattr * const *nla = cb->data;
struct nft_flowtable_filter *filter = NULL;
if (nla[NFTA_FLOWTABLE_TABLE]) {
filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
if (!filter)
return -ENOMEM;
filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
GFP_ATOMIC);
if (!filter->table) {
kfree(filter);
return -ENOMEM;
}
}
cb->data = filter;
return 0;
}
static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
{ {
struct nft_flowtable_filter *filter = cb->data; struct nft_flowtable_filter *filter = cb->data;
@ -5663,26 +5718,6 @@ static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
return 0; return 0;
} }
static struct nft_flowtable_filter *
nft_flowtable_filter_alloc(const struct nlattr * const nla[])
{
struct nft_flowtable_filter *filter;
filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
if (!filter)
return ERR_PTR(-ENOMEM);
if (nla[NFTA_FLOWTABLE_TABLE]) {
filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
GFP_ATOMIC);
if (!filter->table) {
kfree(filter);
return ERR_PTR(-ENOMEM);
}
}
return filter;
}
/* called with rcu_read_lock held */ /* called with rcu_read_lock held */
static int nf_tables_getflowtable(struct net *net, struct sock *nlsk, static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
struct sk_buff *skb, struct sk_buff *skb,
@ -5700,20 +5735,13 @@ static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
if (nlh->nlmsg_flags & NLM_F_DUMP) { if (nlh->nlmsg_flags & NLM_F_DUMP) {
struct netlink_dump_control c = { struct netlink_dump_control c = {
.start = nf_tables_dump_flowtable_start,
.dump = nf_tables_dump_flowtable, .dump = nf_tables_dump_flowtable,
.done = nf_tables_dump_flowtable_done, .done = nf_tables_dump_flowtable_done,
.module = THIS_MODULE, .module = THIS_MODULE,
.data = (void *)nla,
}; };
if (nla[NFTA_FLOWTABLE_TABLE]) {
struct nft_flowtable_filter *filter;
filter = nft_flowtable_filter_alloc(nla);
if (IS_ERR(filter))
return -ENOMEM;
c.data = filter;
}
return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
} }
@ -5783,6 +5811,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
kfree(flowtable->name); kfree(flowtable->name);
flowtable->data.type->free(&flowtable->data); flowtable->data.type->free(&flowtable->data);
module_put(flowtable->data.type->owner); module_put(flowtable->data.type->owner);
kfree(flowtable);
} }
static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
@ -5825,7 +5854,6 @@ static void nft_flowtable_event(unsigned long event, struct net_device *dev,
continue; continue;
nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]); nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
flowtable->dev_name[i][0] = '\0';
flowtable->ops[i].dev = NULL; flowtable->ops[i].dev = NULL;
break; break;
} }
@ -6086,6 +6114,9 @@ static void nft_commit_release(struct nft_trans *trans)
case NFT_MSG_DELTABLE: case NFT_MSG_DELTABLE:
nf_tables_table_destroy(&trans->ctx); nf_tables_table_destroy(&trans->ctx);
break; break;
case NFT_MSG_NEWCHAIN:
kfree(nft_trans_chain_name(trans));
break;
case NFT_MSG_DELCHAIN: case NFT_MSG_DELCHAIN:
nf_tables_chain_destroy(&trans->ctx); nf_tables_chain_destroy(&trans->ctx);
break; break;
@ -6315,13 +6346,15 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE); nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
break; break;
case NFT_MSG_NEWCHAIN: case NFT_MSG_NEWCHAIN:
if (nft_trans_chain_update(trans)) if (nft_trans_chain_update(trans)) {
nft_chain_commit_update(trans); nft_chain_commit_update(trans);
else nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
/* trans destroyed after rcu grace period */
} else {
nft_clear(net, trans->ctx.chain); nft_clear(net, trans->ctx.chain);
nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); nft_trans_destroy(trans);
nft_trans_destroy(trans); }
break; break;
case NFT_MSG_DELCHAIN: case NFT_MSG_DELCHAIN:
nft_chain_del(trans->ctx.chain); nft_chain_del(trans->ctx.chain);
@ -6471,7 +6504,7 @@ static int __nf_tables_abort(struct net *net)
case NFT_MSG_NEWCHAIN: case NFT_MSG_NEWCHAIN:
if (nft_trans_chain_update(trans)) { if (nft_trans_chain_update(trans)) {
free_percpu(nft_trans_chain_stats(trans)); free_percpu(nft_trans_chain_stats(trans));
kfree(nft_trans_chain_name(trans));
nft_trans_destroy(trans); nft_trans_destroy(trans);
} else { } else {
trans->ctx.table->use--; trans->ctx.table->use--;
@ -6837,13 +6870,6 @@ int nft_validate_register_store(const struct nft_ctx *ctx,
err = nf_tables_check_loops(ctx, data->verdict.chain); err = nf_tables_check_loops(ctx, data->verdict.chain);
if (err < 0) if (err < 0)
return err; return err;
if (ctx->chain->level + 1 >
data->verdict.chain->level) {
if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
return -EMLINK;
data->verdict.chain->level = ctx->chain->level + 1;
}
} }
return 0; return 0;

View File

@ -98,6 +98,7 @@ static int nft_immediate_validate(const struct nft_ctx *ctx,
const struct nft_data **d) const struct nft_data **d)
{ {
const struct nft_immediate_expr *priv = nft_expr_priv(expr); const struct nft_immediate_expr *priv = nft_expr_priv(expr);
struct nft_ctx *pctx = (struct nft_ctx *)ctx;
const struct nft_data *data; const struct nft_data *data;
int err; int err;
@ -109,9 +110,11 @@ static int nft_immediate_validate(const struct nft_ctx *ctx,
switch (data->verdict.code) { switch (data->verdict.code) {
case NFT_JUMP: case NFT_JUMP:
case NFT_GOTO: case NFT_GOTO:
pctx->level++;
err = nft_chain_validate(ctx, data->verdict.chain); err = nft_chain_validate(ctx, data->verdict.chain);
if (err < 0) if (err < 0)
return err; return err;
pctx->level--;
break; break;
default: default:
break; break;

View File

@ -155,7 +155,9 @@ static int nft_lookup_validate_setelem(const struct nft_ctx *ctx,
struct nft_set_elem *elem) struct nft_set_elem *elem)
{ {
const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
struct nft_ctx *pctx = (struct nft_ctx *)ctx;
const struct nft_data *data; const struct nft_data *data;
int err;
if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
*nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
@ -165,10 +167,17 @@ static int nft_lookup_validate_setelem(const struct nft_ctx *ctx,
switch (data->verdict.code) { switch (data->verdict.code) {
case NFT_JUMP: case NFT_JUMP:
case NFT_GOTO: case NFT_GOTO:
return nft_chain_validate(ctx, data->verdict.chain); pctx->level++;
err = nft_chain_validate(ctx, data->verdict.chain);
if (err < 0)
return err;
pctx->level--;
break;
default: default:
return 0; break;
} }
return 0;
} }
static int nft_lookup_validate(const struct nft_ctx *ctx, static int nft_lookup_validate(const struct nft_ctx *ctx,

View File

@ -387,6 +387,7 @@ static void nft_rhash_destroy(const struct nft_set *set)
struct nft_rhash *priv = nft_set_priv(set); struct nft_rhash *priv = nft_set_priv(set);
cancel_delayed_work_sync(&priv->gc_work); cancel_delayed_work_sync(&priv->gc_work);
rcu_barrier();
rhashtable_free_and_destroy(&priv->ht, nft_rhash_elem_destroy, rhashtable_free_and_destroy(&priv->ht, nft_rhash_elem_destroy,
(void *)set); (void *)set);
} }

View File

@ -381,7 +381,7 @@ static void nft_rbtree_gc(struct work_struct *work)
gcb = nft_set_gc_batch_check(set, gcb, GFP_ATOMIC); gcb = nft_set_gc_batch_check(set, gcb, GFP_ATOMIC);
if (!gcb) if (!gcb)
goto out; break;
atomic_dec(&set->nelems); atomic_dec(&set->nelems);
nft_set_gc_batch_add(gcb, rbe); nft_set_gc_batch_add(gcb, rbe);
@ -390,10 +390,12 @@ static void nft_rbtree_gc(struct work_struct *work)
rbe = rb_entry(prev, struct nft_rbtree_elem, node); rbe = rb_entry(prev, struct nft_rbtree_elem, node);
atomic_dec(&set->nelems); atomic_dec(&set->nelems);
nft_set_gc_batch_add(gcb, rbe); nft_set_gc_batch_add(gcb, rbe);
prev = NULL;
} }
node = rb_next(node); node = rb_next(node);
if (!node)
break;
} }
out:
if (gcb) { if (gcb) {
for (i = 0; i < gcb->head.cnt; i++) { for (i = 0; i < gcb->head.cnt; i++) {
rbe = gcb->elems[i]; rbe = gcb->elems[i];
@ -440,6 +442,7 @@ static void nft_rbtree_destroy(const struct nft_set *set)
struct rb_node *node; struct rb_node *node;
cancel_delayed_work_sync(&priv->gc_work); cancel_delayed_work_sync(&priv->gc_work);
rcu_barrier();
while ((node = priv->root.rb_node) != NULL) { while ((node = priv->root.rb_node) != NULL) {
rb_erase(node, &priv->root); rb_erase(node, &priv->root);
rbe = rb_entry(node, struct nft_rbtree_elem, node); rbe = rb_entry(node, struct nft_rbtree_elem, node);