| Message ID | 20191008053507.252202-1-zenczykowski@gmail.com |
|---|---|
| State | Not Applicable, archived |
| Series | [1/2] netfilter: fix a memory leak in nf_conntrack_in |
Maciej Żenczykowski <zenczykowski@gmail.com> wrote: > From: Maciej Żenczykowski <maze@google.com> > > Cc: Cong Wang <xiyou.wangcong@gmail.com> > Cc: Eric Dumazet <edumazet@google.com> > Cc: Pablo Neira Ayuso <pablo@netfilter.org> > Signed-off-by: Maciej Żenczykowski <maze@google.com> > --- > net/netfilter/nf_conntrack_core.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c > index 0c63120b2db2..35459d04a050 100644 > --- a/net/netfilter/nf_conntrack_core.c > +++ b/net/netfilter/nf_conntrack_core.c > @@ -1679,7 +1679,8 @@ nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state) > if ((tmpl && !nf_ct_is_template(tmpl)) || > ctinfo == IP_CT_UNTRACKED) { > NF_CT_STAT_INC_ATOMIC(state->net, ignore); > - return NF_ACCEPT; > + ret = NF_ACCEPT; This looks wrong. > + goto out; This puts tmpl, causing underflow of skb->nfct. When we enter nf_conntrack_in and this branch, then 'tmpl' is already assigned to skb->nfct, it will be put when skb is free'd. nf_ct_get() doesn't increment the refcnt. tmpl only needs to be put in case of ... > } > skb->_nfct = 0; ...this.
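Review bot: the quoted patch has no commit description at all; between the "From:" line and the "---" separator there are only Cc and Signed-off-by lines, so a reviewer cannot tell what leak was observed, how it was reproduced, or why the early-return path is believed to be the culprit. Given that the reply above disputes the fix on refcount grounds (tmpl is obtained via nf_ct_get(), which takes no reference, and is already owned by skb->_nfct), the description should state which object leaked and include the kmemleak or refcount trace that motivated the change, so the reviewer can check that analysis against the code.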
On Mon, Oct 7, 2019 at 10:35 PM Maciej Żenczykowski <zenczykowski@gmail.com> wrote: > > From: Maciej Żenczykowski <maze@google.com> Please, at least a simple copy-n-paste of kmemleak report will help a lot here. A changelog would save your time and mine too. Thanks.
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 0c63120b2db2..35459d04a050 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1679,7 +1679,8 @@ nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state) if ((tmpl && !nf_ct_is_template(tmpl)) || ctinfo == IP_CT_UNTRACKED) { NF_CT_STAT_INC_ATOMIC(state->net, ignore); - return NF_ACCEPT; + ret = NF_ACCEPT; + goto out; } skb->_nfct = 0; }
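Review bot: replacing "return NF_ACCEPT" with "ret = NF_ACCEPT; goto out;" in the ignore branch changes the ownership of tmpl, and the reply above explains why that is a logic error: at this point tmpl was read with nf_ct_get(), which does not take a reference, and it is still referenced by skb->_nfct (the "skb->_nfct = 0;" line only runs after this branch), so any put performed at the "out" label drops a reference the function never acquired and the skb free will drop it again. The original "return NF_ACCEPT" is correct for this branch; if there is a leak to fix, it must be on the path after "skb->_nfct = 0;", where the function has actually taken ownership of tmpl, and the patch should say which path that is.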