author | Taehee Yoo <ap420073@gmail.com> | 2019-03-19 13:22:41 +0900 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-05-16 19:41:26 +0200 |
commit | c18731c2786c032ed618ebb4cbc04af71595e56c (patch) | |
tree | 2b318a5a42199d090ef2d73a9b0b541b129acaf3 /net | |
parent | 5014aa93742293b4622b8d766ad0b08db2611f7f (diff) | |
netfilter: nf_tables: add missing ->release_ops() in error path of newrule()

[ Upstream commit b25a31bf0ca091aa8bdb9ab329b0226257568bbe ]

->release_ops() callback releases resources and this is used in error path.
If nf_tables_newrule() fails after ->select_ops(), it should release
resources. But it can not call ->destroy() because that should be called
after ->init().
At this point, ->release_ops() should be used for releasing resources.

Test commands:

    modprobe -rv xt_tcpudp
    iptables-nft -I INPUT -m tcp <-- error command
    lsmod

Result:

    Module Size Used by
    xt_tcpudp 20480 2 <-- it should be 0

Fixes: b8e204006340 ("netfilter: nft_compat: use .release_ops and remove list of extension")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_tables_api.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index ef7ff13a7b99..ebfcfe1dcbdb 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2719,8 +2719,11 @@ err2: nf_tables_rule_release(&ctx, rule); err1: for (i = 0; i < n; i++) { - if (info[i].ops != NULL) + if (info[i].ops) { module_put(info[i].ops->type->owner); + if (info[i].ops->type->release_ops) + info[i].ops->type->release_ops(info[i].ops); + } } kvfree(info); return err; |
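Review bot: In the err1 loop, module_put(info[i].ops->type->owner) runs before the call through info[i].ops->type->release_ops, so the callback is invoked after the reference on the module that owns the type has already been dropped. Consider calling release_ops(info[i].ops) first and module_put() afterwards, reading the type pointer into a local before the callback in case release_ops frees ops, so that the owner stays pinned while its callback executes. If the current order is safe because of a lock held across this path, a short comment saying so would help. The hunk also folds the unrelated style change from "!= NULL" to a plain truth test into the fix, which is worth a mention in the changelog.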