netfilter pull request 23-07-06
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEN9lkrMBJgcdVAPub1V2XiooUIOQFAmSl9YgACgkQ1V2XiooU IOQ4nw//f0ASAgbKUEBQTUPwVvG/wngMy99cfyxwkvWjZJ8dbgh0SBq0vK+fc06Q 9+xixns7i+jIbaMNhgo80SWbdXSNhsAOHoB25F+jv5FkhKPyLWa/HcvjJK2WCs/8 ri05VJ59sWVlgewxn2WFO9NXyrS3vWfgUYKp0Z0R4v7+8NnfV4pRP3UuvIyYGL6r 4A1J7ZfDRa/391cE4uUVv8a4rgcb1CvfEpZaltnRcSZQbBKru5ysjCSnlqELJ/3F sPxAuTN+LAviJf9U/g7PfmLZ8U/YPRZ1bEanwDnO8hk3bMkGjWBm/NIUpBvu/bh6 T7gzIkH0wImerogl2rpIomqt4LgUusyj4FWBePw1BC9zYTuDXXriSzYkQgiI7Vd6 8XVWzYpFtdF9Is3SOEFxkGgu1ZkS3bkD3zTAuaGFNxfIjakUsxLZhez0BocYs97S l9s8x1vwQtJyGtC8PgAcLsqMlYXJZ7ur8LP9st76Ghtc88OYJUMchUI/S8gShWWi tv/xUx8erV2v9abW588LKz1LzUd4lMPR0GXlCLfOOKzT8gjsjHtQbc/1JTAD3s5F HojjAXTC6VccfMrno8EPMx5uFIZV7Kvpw34R/7yRzu6ewm9Myib+bvmcdm5Wu3V+ j8YyO/9eqOPKKMxHeXUg8WCy20RFxH4MdxpR9kJ2VOqSFHsqLmo= =c4IW -----END PGP SIGNATURE----- Merge tag 'nf-23-07-06' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Fix missing overflow use refcount checks in nf_tables. 2) Do not set IPS_ASSURED for IPS_NAT_CLASH entries in GRE tracker, from Florian Westphal. 3) Bail out if nf_ct_helper_hash is NULL before registering helper, from Florent Revest. 4) Use siphash() instead siphash_4u64() to fix performance regression, also from Florian. 5) Do not allow to add rules to removed chains via ID, from Thadeu Lima de Souza Cascardo. 6) Fix oob read access in byteorder expression, also from Thadeu. netfilter pull request 23-07-06 ==================== Link: https://lore.kernel.org/r/20230705230406.52201-1-pablo@netfilter.org Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
commit
ceb20a3cc5
@ -67,6 +67,9 @@ struct nf_conntrack_tuple {
|
||||
/* The protocol. */
|
||||
u_int8_t protonum;
|
||||
|
||||
/* The direction must be ignored for the tuplehash */
|
||||
struct { } __nfct_hash_offsetend;
|
||||
|
||||
/* The direction (for tuplehash) */
|
||||
u_int8_t dir;
|
||||
} dst;
|
||||
|
@ -1211,6 +1211,29 @@ int __nft_release_basechain(struct nft_ctx *ctx);
|
||||
|
||||
unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
|
||||
|
||||
static inline bool nft_use_inc(u32 *use)
|
||||
{
|
||||
if (*use == UINT_MAX)
|
||||
return false;
|
||||
|
||||
(*use)++;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static inline void nft_use_dec(u32 *use)
|
||||
{
|
||||
WARN_ON_ONCE((*use)-- == 0);
|
||||
}
|
||||
|
||||
/* For error and abort path: restore use counter to previous state. */
|
||||
static inline void nft_use_inc_restore(u32 *use)
|
||||
{
|
||||
WARN_ON_ONCE(!nft_use_inc(use));
|
||||
}
|
||||
|
||||
#define nft_use_dec_restore nft_use_dec
|
||||
|
||||
/**
|
||||
* struct nft_table - nf_tables table
|
||||
*
|
||||
@ -1296,8 +1319,8 @@ struct nft_object {
|
||||
struct list_head list;
|
||||
struct rhlist_head rhlhead;
|
||||
struct nft_object_hash_key key;
|
||||
u32 genmask:2,
|
||||
use:30;
|
||||
u32 genmask:2;
|
||||
u32 use;
|
||||
u64 handle;
|
||||
u16 udlen;
|
||||
u8 *udata;
|
||||
@ -1399,8 +1422,8 @@ struct nft_flowtable {
|
||||
char *name;
|
||||
int hooknum;
|
||||
int ops_len;
|
||||
u32 genmask:2,
|
||||
use:30;
|
||||
u32 genmask:2;
|
||||
u32 use;
|
||||
u64 handle;
|
||||
/* runtime data below here */
|
||||
struct list_head hook_list ____cacheline_aligned;
|
||||
|
@ -211,24 +211,18 @@ static u32 hash_conntrack_raw(const struct nf_conntrack_tuple *tuple,
|
||||
unsigned int zoneid,
|
||||
const struct net *net)
|
||||
{
|
||||
u64 a, b, c, d;
|
||||
siphash_key_t key;
|
||||
|
||||
get_random_once(&nf_conntrack_hash_rnd, sizeof(nf_conntrack_hash_rnd));
|
||||
|
||||
/* The direction must be ignored, handle usable tuplehash members manually */
|
||||
a = (u64)tuple->src.u3.all[0] << 32 | tuple->src.u3.all[3];
|
||||
b = (u64)tuple->dst.u3.all[0] << 32 | tuple->dst.u3.all[3];
|
||||
key = nf_conntrack_hash_rnd;
|
||||
|
||||
c = (__force u64)tuple->src.u.all << 32 | (__force u64)tuple->dst.u.all << 16;
|
||||
c |= tuple->dst.protonum;
|
||||
key.key[0] ^= zoneid;
|
||||
key.key[1] ^= net_hash_mix(net);
|
||||
|
||||
d = (u64)zoneid << 32 | net_hash_mix(net);
|
||||
|
||||
/* IPv4: u3.all[1,2,3] == 0 */
|
||||
c ^= (u64)tuple->src.u3.all[1] << 32 | tuple->src.u3.all[2];
|
||||
d += (u64)tuple->dst.u3.all[1] << 32 | tuple->dst.u3.all[2];
|
||||
|
||||
return (u32)siphash_4u64(a, b, c, d, &nf_conntrack_hash_rnd);
|
||||
return siphash((void *)tuple,
|
||||
offsetofend(struct nf_conntrack_tuple, dst.__nfct_hash_offsetend),
|
||||
&key);
|
||||
}
|
||||
|
||||
static u32 scale_hash(u32 hash)
|
||||
|
@ -360,6 +360,9 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
|
||||
BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
|
||||
BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1);
|
||||
|
||||
if (!nf_ct_helper_hash)
|
||||
return -ENOENT;
|
||||
|
||||
if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
|
||||
return -EINVAL;
|
||||
|
||||
@ -515,4 +518,5 @@ int nf_conntrack_helper_init(void)
|
||||
void nf_conntrack_helper_fini(void)
|
||||
{
|
||||
kvfree(nf_ct_helper_hash);
|
||||
nf_ct_helper_hash = NULL;
|
||||
}
|
||||
|
@ -205,6 +205,8 @@ int nf_conntrack_gre_packet(struct nf_conn *ct,
|
||||
enum ip_conntrack_info ctinfo,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
unsigned long status;
|
||||
|
||||
if (!nf_ct_is_confirmed(ct)) {
|
||||
unsigned int *timeouts = nf_ct_timeout_lookup(ct);
|
||||
|
||||
@ -217,11 +219,17 @@ int nf_conntrack_gre_packet(struct nf_conn *ct,
|
||||
ct->proto.gre.timeout = timeouts[GRE_CT_UNREPLIED];
|
||||
}
|
||||
|
||||
status = READ_ONCE(ct->status);
|
||||
/* If we've seen traffic both ways, this is a GRE connection.
|
||||
* Extend timeout. */
|
||||
if (ct->status & IPS_SEEN_REPLY) {
|
||||
if (status & IPS_SEEN_REPLY) {
|
||||
nf_ct_refresh_acct(ct, ctinfo, skb,
|
||||
ct->proto.gre.stream_timeout);
|
||||
|
||||
/* never set ASSURED for IPS_NAT_CLASH, they time out soon */
|
||||
if (unlikely((status & IPS_NAT_CLASH)))
|
||||
return NF_ACCEPT;
|
||||
|
||||
/* Also, more likely to be important, and not a probe. */
|
||||
if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
|
||||
nf_conntrack_event_cache(IPCT_ASSURED, ct);
|
||||
|
@ -253,8 +253,10 @@ int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
|
||||
if (chain->bound)
|
||||
return -EBUSY;
|
||||
|
||||
if (!nft_use_inc(&chain->use))
|
||||
return -EMFILE;
|
||||
|
||||
chain->bound = true;
|
||||
chain->use++;
|
||||
nft_chain_trans_bind(ctx, chain);
|
||||
|
||||
return 0;
|
||||
@ -437,7 +439,7 @@ static int nft_delchain(struct nft_ctx *ctx)
|
||||
if (IS_ERR(trans))
|
||||
return PTR_ERR(trans);
|
||||
|
||||
ctx->table->use--;
|
||||
nft_use_dec(&ctx->table->use);
|
||||
nft_deactivate_next(ctx->net, ctx->chain);
|
||||
|
||||
return 0;
|
||||
@ -476,7 +478,7 @@ nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
|
||||
/* You cannot delete the same rule twice */
|
||||
if (nft_is_active_next(ctx->net, rule)) {
|
||||
nft_deactivate_next(ctx->net, rule);
|
||||
ctx->chain->use--;
|
||||
nft_use_dec(&ctx->chain->use);
|
||||
return 0;
|
||||
}
|
||||
return -ENOENT;
|
||||
@ -644,7 +646,7 @@ static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
|
||||
nft_map_deactivate(ctx, set);
|
||||
|
||||
nft_deactivate_next(ctx->net, set);
|
||||
ctx->table->use--;
|
||||
nft_use_dec(&ctx->table->use);
|
||||
|
||||
return err;
|
||||
}
|
||||
@ -676,7 +678,7 @@ static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
|
||||
return err;
|
||||
|
||||
nft_deactivate_next(ctx->net, obj);
|
||||
ctx->table->use--;
|
||||
nft_use_dec(&ctx->table->use);
|
||||
|
||||
return err;
|
||||
}
|
||||
@ -711,7 +713,7 @@ static int nft_delflowtable(struct nft_ctx *ctx,
|
||||
return err;
|
||||
|
||||
nft_deactivate_next(ctx->net, flowtable);
|
||||
ctx->table->use--;
|
||||
nft_use_dec(&ctx->table->use);
|
||||
|
||||
return err;
|
||||
}
|
||||
@ -2396,9 +2398,6 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
|
||||
struct nft_chain *chain;
|
||||
int err;
|
||||
|
||||
if (table->use == UINT_MAX)
|
||||
return -EOVERFLOW;
|
||||
|
||||
if (nla[NFTA_CHAIN_HOOK]) {
|
||||
struct nft_stats __percpu *stats = NULL;
|
||||
struct nft_chain_hook hook = {};
|
||||
@ -2494,6 +2493,11 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
|
||||
if (err < 0)
|
||||
goto err_destroy_chain;
|
||||
|
||||
if (!nft_use_inc(&table->use)) {
|
||||
err = -EMFILE;
|
||||
goto err_use;
|
||||
}
|
||||
|
||||
trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
|
||||
if (IS_ERR(trans)) {
|
||||
err = PTR_ERR(trans);
|
||||
@ -2510,10 +2514,11 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
|
||||
goto err_unregister_hook;
|
||||
}
|
||||
|
||||
table->use++;
|
||||
|
||||
return 0;
|
||||
|
||||
err_unregister_hook:
|
||||
nft_use_dec_restore(&table->use);
|
||||
err_use:
|
||||
nf_tables_unregister_hook(net, table, chain);
|
||||
err_destroy_chain:
|
||||
nf_tables_chain_destroy(ctx);
|
||||
@ -2694,7 +2699,7 @@ err_hooks:
|
||||
|
||||
static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
|
||||
const struct nft_table *table,
|
||||
const struct nlattr *nla)
|
||||
const struct nlattr *nla, u8 genmask)
|
||||
{
|
||||
struct nftables_pernet *nft_net = nft_pernet(net);
|
||||
u32 id = ntohl(nla_get_be32(nla));
|
||||
@ -2705,7 +2710,8 @@ static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
|
||||
|
||||
if (trans->msg_type == NFT_MSG_NEWCHAIN &&
|
||||
chain->table == table &&
|
||||
id == nft_trans_chain_id(trans))
|
||||
id == nft_trans_chain_id(trans) &&
|
||||
nft_active_genmask(chain, genmask))
|
||||
return chain;
|
||||
}
|
||||
return ERR_PTR(-ENOENT);
|
||||
@ -3809,7 +3815,8 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
} else if (nla[NFTA_RULE_CHAIN_ID]) {
|
||||
chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID]);
|
||||
chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
|
||||
genmask);
|
||||
if (IS_ERR(chain)) {
|
||||
NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
|
||||
return PTR_ERR(chain);
|
||||
@ -3840,9 +3847,6 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
|
||||
return -EINVAL;
|
||||
handle = nf_tables_alloc_handle(table);
|
||||
|
||||
if (chain->use == UINT_MAX)
|
||||
return -EOVERFLOW;
|
||||
|
||||
if (nla[NFTA_RULE_POSITION]) {
|
||||
pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
|
||||
old_rule = __nft_rule_lookup(chain, pos_handle);
|
||||
@ -3936,6 +3940,11 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
|
||||
}
|
||||
}
|
||||
|
||||
if (!nft_use_inc(&chain->use)) {
|
||||
err = -EMFILE;
|
||||
goto err_release_rule;
|
||||
}
|
||||
|
||||
if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
|
||||
err = nft_delrule(&ctx, old_rule);
|
||||
if (err < 0)
|
||||
@ -3967,7 +3976,6 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
|
||||
}
|
||||
}
|
||||
kvfree(expr_info);
|
||||
chain->use++;
|
||||
|
||||
if (flow)
|
||||
nft_trans_flow_rule(trans) = flow;
|
||||
@ -3978,6 +3986,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
|
||||
return 0;
|
||||
|
||||
err_destroy_flow_rule:
|
||||
nft_use_dec_restore(&chain->use);
|
||||
if (flow)
|
||||
nft_flow_rule_destroy(flow);
|
||||
err_release_rule:
|
||||
@ -5014,9 +5023,15 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
||||
alloc_size = sizeof(*set) + size + udlen;
|
||||
if (alloc_size < size || alloc_size > INT_MAX)
|
||||
return -ENOMEM;
|
||||
|
||||
if (!nft_use_inc(&table->use))
|
||||
return -EMFILE;
|
||||
|
||||
set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
|
||||
if (!set)
|
||||
return -ENOMEM;
|
||||
if (!set) {
|
||||
err = -ENOMEM;
|
||||
goto err_alloc;
|
||||
}
|
||||
|
||||
name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
|
||||
if (!name) {
|
||||
@ -5074,7 +5089,7 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
||||
goto err_set_expr_alloc;
|
||||
|
||||
list_add_tail_rcu(&set->list, &table->sets);
|
||||
table->use++;
|
||||
|
||||
return 0;
|
||||
|
||||
err_set_expr_alloc:
|
||||
@ -5086,6 +5101,9 @@ err_set_init:
|
||||
kfree(set->name);
|
||||
err_set_name:
|
||||
kvfree(set);
|
||||
err_alloc:
|
||||
nft_use_dec_restore(&table->use);
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
@ -5224,9 +5242,6 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
|
||||
struct nft_set_binding *i;
|
||||
struct nft_set_iter iter;
|
||||
|
||||
if (set->use == UINT_MAX)
|
||||
return -EOVERFLOW;
|
||||
|
||||
if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
|
||||
return -EBUSY;
|
||||
|
||||
@ -5254,10 +5269,12 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
|
||||
return iter.err;
|
||||
}
|
||||
bind:
|
||||
if (!nft_use_inc(&set->use))
|
||||
return -EMFILE;
|
||||
|
||||
binding->chain = ctx->chain;
|
||||
list_add_tail_rcu(&binding->list, &set->bindings);
|
||||
nft_set_trans_bind(ctx, set);
|
||||
set->use++;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -5331,7 +5348,7 @@ void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
|
||||
nft_clear(ctx->net, set);
|
||||
}
|
||||
|
||||
set->use++;
|
||||
nft_use_inc_restore(&set->use);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(nf_tables_activate_set);
|
||||
|
||||
@ -5347,7 +5364,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
|
||||
else
|
||||
list_del_rcu(&binding->list);
|
||||
|
||||
set->use--;
|
||||
nft_use_dec(&set->use);
|
||||
break;
|
||||
case NFT_TRANS_PREPARE:
|
||||
if (nft_set_is_anonymous(set)) {
|
||||
@ -5356,7 +5373,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
|
||||
|
||||
nft_deactivate_next(ctx->net, set);
|
||||
}
|
||||
set->use--;
|
||||
nft_use_dec(&set->use);
|
||||
return;
|
||||
case NFT_TRANS_ABORT:
|
||||
case NFT_TRANS_RELEASE:
|
||||
@ -5364,7 +5381,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
|
||||
set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
|
||||
nft_map_deactivate(ctx, set);
|
||||
|
||||
set->use--;
|
||||
nft_use_dec(&set->use);
|
||||
fallthrough;
|
||||
default:
|
||||
nf_tables_unbind_set(ctx, set, binding,
|
||||
@ -6155,7 +6172,7 @@ void nft_set_elem_destroy(const struct nft_set *set, void *elem,
|
||||
nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
|
||||
|
||||
if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
|
||||
(*nft_set_ext_obj(ext))->use--;
|
||||
nft_use_dec(&(*nft_set_ext_obj(ext))->use);
|
||||
kfree(elem);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
|
||||
@ -6657,8 +6674,16 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
|
||||
set->objtype, genmask);
|
||||
if (IS_ERR(obj)) {
|
||||
err = PTR_ERR(obj);
|
||||
obj = NULL;
|
||||
goto err_parse_key_end;
|
||||
}
|
||||
|
||||
if (!nft_use_inc(&obj->use)) {
|
||||
err = -EMFILE;
|
||||
obj = NULL;
|
||||
goto err_parse_key_end;
|
||||
}
|
||||
|
||||
err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
|
||||
if (err < 0)
|
||||
goto err_parse_key_end;
|
||||
@ -6727,10 +6752,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
|
||||
if (flags)
|
||||
*nft_set_ext_flags(ext) = flags;
|
||||
|
||||
if (obj) {
|
||||
if (obj)
|
||||
*nft_set_ext_obj(ext) = obj;
|
||||
obj->use++;
|
||||
}
|
||||
|
||||
if (ulen > 0) {
|
||||
if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
|
||||
err = -EINVAL;
|
||||
@ -6798,12 +6822,13 @@ err_element_clash:
|
||||
kfree(trans);
|
||||
err_elem_free:
|
||||
nf_tables_set_elem_destroy(ctx, set, elem.priv);
|
||||
if (obj)
|
||||
obj->use--;
|
||||
err_parse_data:
|
||||
if (nla[NFTA_SET_ELEM_DATA] != NULL)
|
||||
nft_data_release(&elem.data.val, desc.type);
|
||||
err_parse_key_end:
|
||||
if (obj)
|
||||
nft_use_dec_restore(&obj->use);
|
||||
|
||||
nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
|
||||
err_parse_key:
|
||||
nft_data_release(&elem.key.val, NFT_DATA_VALUE);
|
||||
@ -6883,7 +6908,7 @@ void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
|
||||
case NFT_JUMP:
|
||||
case NFT_GOTO:
|
||||
chain = data->verdict.chain;
|
||||
chain->use++;
|
||||
nft_use_inc_restore(&chain->use);
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -6898,7 +6923,7 @@ static void nft_setelem_data_activate(const struct net *net,
|
||||
if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
|
||||
nft_data_hold(nft_set_ext_data(ext), set->dtype);
|
||||
if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
|
||||
(*nft_set_ext_obj(ext))->use++;
|
||||
nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
|
||||
}
|
||||
|
||||
static void nft_setelem_data_deactivate(const struct net *net,
|
||||
@ -6910,7 +6935,7 @@ static void nft_setelem_data_deactivate(const struct net *net,
|
||||
if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
|
||||
nft_data_release(nft_set_ext_data(ext), set->dtype);
|
||||
if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
|
||||
(*nft_set_ext_obj(ext))->use--;
|
||||
nft_use_dec(&(*nft_set_ext_obj(ext))->use);
|
||||
}
|
||||
|
||||
static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
|
||||
@ -7453,9 +7478,14 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
|
||||
|
||||
nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
|
||||
|
||||
if (!nft_use_inc(&table->use))
|
||||
return -EMFILE;
|
||||
|
||||
type = nft_obj_type_get(net, objtype);
|
||||
if (IS_ERR(type))
|
||||
return PTR_ERR(type);
|
||||
if (IS_ERR(type)) {
|
||||
err = PTR_ERR(type);
|
||||
goto err_type;
|
||||
}
|
||||
|
||||
obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
|
||||
if (IS_ERR(obj)) {
|
||||
@ -7489,7 +7519,7 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
|
||||
goto err_obj_ht;
|
||||
|
||||
list_add_tail_rcu(&obj->list, &table->objects);
|
||||
table->use++;
|
||||
|
||||
return 0;
|
||||
err_obj_ht:
|
||||
/* queued in transaction log */
|
||||
@ -7505,6 +7535,9 @@ err_strdup:
|
||||
kfree(obj);
|
||||
err_init:
|
||||
module_put(type->owner);
|
||||
err_type:
|
||||
nft_use_dec_restore(&table->use);
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
@ -7906,7 +7939,7 @@ void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
|
||||
case NFT_TRANS_PREPARE:
|
||||
case NFT_TRANS_ABORT:
|
||||
case NFT_TRANS_RELEASE:
|
||||
flowtable->use--;
|
||||
nft_use_dec(&flowtable->use);
|
||||
fallthrough;
|
||||
default:
|
||||
return;
|
||||
@ -8260,9 +8293,14 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
|
||||
|
||||
nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
|
||||
|
||||
if (!nft_use_inc(&table->use))
|
||||
return -EMFILE;
|
||||
|
||||
flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
|
||||
if (!flowtable)
|
||||
return -ENOMEM;
|
||||
if (!flowtable) {
|
||||
err = -ENOMEM;
|
||||
goto flowtable_alloc;
|
||||
}
|
||||
|
||||
flowtable->table = table;
|
||||
flowtable->handle = nf_tables_alloc_handle(table);
|
||||
@ -8317,7 +8355,6 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
|
||||
goto err5;
|
||||
|
||||
list_add_tail_rcu(&flowtable->list, &table->flowtables);
|
||||
table->use++;
|
||||
|
||||
return 0;
|
||||
err5:
|
||||
@ -8334,6 +8371,9 @@ err2:
|
||||
kfree(flowtable->name);
|
||||
err1:
|
||||
kfree(flowtable);
|
||||
flowtable_alloc:
|
||||
nft_use_dec_restore(&table->use);
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
@ -9713,7 +9753,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
|
||||
*/
|
||||
if (nft_set_is_anonymous(nft_trans_set(trans)) &&
|
||||
!list_empty(&nft_trans_set(trans)->bindings))
|
||||
trans->ctx.table->use--;
|
||||
nft_use_dec(&trans->ctx.table->use);
|
||||
}
|
||||
nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
|
||||
NFT_MSG_NEWSET, GFP_KERNEL);
|
||||
@ -9943,7 +9983,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
|
||||
nft_trans_destroy(trans);
|
||||
break;
|
||||
}
|
||||
trans->ctx.table->use--;
|
||||
nft_use_dec_restore(&trans->ctx.table->use);
|
||||
nft_chain_del(trans->ctx.chain);
|
||||
nf_tables_unregister_hook(trans->ctx.net,
|
||||
trans->ctx.table,
|
||||
@ -9956,7 +9996,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
|
||||
list_splice(&nft_trans_chain_hooks(trans),
|
||||
&nft_trans_basechain(trans)->hook_list);
|
||||
} else {
|
||||
trans->ctx.table->use++;
|
||||
nft_use_inc_restore(&trans->ctx.table->use);
|
||||
nft_clear(trans->ctx.net, trans->ctx.chain);
|
||||
}
|
||||
nft_trans_destroy(trans);
|
||||
@ -9966,7 +10006,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
|
||||
nft_trans_destroy(trans);
|
||||
break;
|
||||
}
|
||||
trans->ctx.chain->use--;
|
||||
nft_use_dec_restore(&trans->ctx.chain->use);
|
||||
list_del_rcu(&nft_trans_rule(trans)->list);
|
||||
nft_rule_expr_deactivate(&trans->ctx,
|
||||
nft_trans_rule(trans),
|
||||
@ -9976,7 +10016,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
|
||||
break;
|
||||
case NFT_MSG_DELRULE:
|
||||
case NFT_MSG_DESTROYRULE:
|
||||
trans->ctx.chain->use++;
|
||||
nft_use_inc_restore(&trans->ctx.chain->use);
|
||||
nft_clear(trans->ctx.net, nft_trans_rule(trans));
|
||||
nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
|
||||
if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
|
||||
@ -9989,7 +10029,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
|
||||
nft_trans_destroy(trans);
|
||||
break;
|
||||
}
|
||||
trans->ctx.table->use--;
|
||||
nft_use_dec_restore(&trans->ctx.table->use);
|
||||
if (nft_trans_set_bound(trans)) {
|
||||
nft_trans_destroy(trans);
|
||||
break;
|
||||
@ -9998,7 +10038,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
|
||||
break;
|
||||
case NFT_MSG_DELSET:
|
||||
case NFT_MSG_DESTROYSET:
|
||||
trans->ctx.table->use++;
|
||||
nft_use_inc_restore(&trans->ctx.table->use);
|
||||
nft_clear(trans->ctx.net, nft_trans_set(trans));
|
||||
if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
|
||||
nft_map_activate(&trans->ctx, nft_trans_set(trans));
|
||||
@ -10042,13 +10082,13 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
|
||||
nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
|
||||
nft_trans_destroy(trans);
|
||||
} else {
|
||||
trans->ctx.table->use--;
|
||||
nft_use_dec_restore(&trans->ctx.table->use);
|
||||
nft_obj_del(nft_trans_obj(trans));
|
||||
}
|
||||
break;
|
||||
case NFT_MSG_DELOBJ:
|
||||
case NFT_MSG_DESTROYOBJ:
|
||||
trans->ctx.table->use++;
|
||||
nft_use_inc_restore(&trans->ctx.table->use);
|
||||
nft_clear(trans->ctx.net, nft_trans_obj(trans));
|
||||
nft_trans_destroy(trans);
|
||||
break;
|
||||
@ -10057,7 +10097,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
|
||||
nft_unregister_flowtable_net_hooks(net,
|
||||
&nft_trans_flowtable_hooks(trans));
|
||||
} else {
|
||||
trans->ctx.table->use--;
|
||||
nft_use_dec_restore(&trans->ctx.table->use);
|
||||
list_del_rcu(&nft_trans_flowtable(trans)->list);
|
||||
nft_unregister_flowtable_net_hooks(net,
|
||||
&nft_trans_flowtable(trans)->hook_list);
|
||||
@ -10069,7 +10109,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
|
||||
list_splice(&nft_trans_flowtable_hooks(trans),
|
||||
&nft_trans_flowtable(trans)->hook_list);
|
||||
} else {
|
||||
trans->ctx.table->use++;
|
||||
nft_use_inc_restore(&trans->ctx.table->use);
|
||||
nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
|
||||
}
|
||||
nft_trans_destroy(trans);
|
||||
@ -10502,7 +10542,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
|
||||
genmask);
|
||||
} else if (tb[NFTA_VERDICT_CHAIN_ID]) {
|
||||
chain = nft_chain_lookup_byid(ctx->net, ctx->table,
|
||||
tb[NFTA_VERDICT_CHAIN_ID]);
|
||||
tb[NFTA_VERDICT_CHAIN_ID],
|
||||
genmask);
|
||||
if (IS_ERR(chain))
|
||||
return PTR_ERR(chain);
|
||||
} else {
|
||||
@ -10518,8 +10559,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
|
||||
if (desc->flags & NFT_DATA_DESC_SETELEM &&
|
||||
chain->flags & NFT_CHAIN_BINDING)
|
||||
return -EINVAL;
|
||||
if (!nft_use_inc(&chain->use))
|
||||
return -EMFILE;
|
||||
|
||||
chain->use++;
|
||||
data->verdict.chain = chain;
|
||||
break;
|
||||
}
|
||||
@ -10537,7 +10579,7 @@ static void nft_verdict_uninit(const struct nft_data *data)
|
||||
case NFT_JUMP:
|
||||
case NFT_GOTO:
|
||||
chain = data->verdict.chain;
|
||||
chain->use--;
|
||||
nft_use_dec(&chain->use);
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -10706,11 +10748,11 @@ int __nft_release_basechain(struct nft_ctx *ctx)
|
||||
nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
|
||||
list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
|
||||
list_del(&rule->list);
|
||||
ctx->chain->use--;
|
||||
nft_use_dec(&ctx->chain->use);
|
||||
nf_tables_rule_release(ctx, rule);
|
||||
}
|
||||
nft_chain_del(ctx->chain);
|
||||
ctx->table->use--;
|
||||
nft_use_dec(&ctx->table->use);
|
||||
nf_tables_chain_destroy(ctx);
|
||||
|
||||
return 0;
|
||||
@ -10760,18 +10802,18 @@ static void __nft_release_table(struct net *net, struct nft_table *table)
|
||||
ctx.chain = chain;
|
||||
list_for_each_entry_safe(rule, nr, &chain->rules, list) {
|
||||
list_del(&rule->list);
|
||||
chain->use--;
|
||||
nft_use_dec(&chain->use);
|
||||
nf_tables_rule_release(&ctx, rule);
|
||||
}
|
||||
}
|
||||
list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
|
||||
list_del(&flowtable->list);
|
||||
table->use--;
|
||||
nft_use_dec(&table->use);
|
||||
nf_tables_flowtable_destroy(flowtable);
|
||||
}
|
||||
list_for_each_entry_safe(set, ns, &table->sets, list) {
|
||||
list_del(&set->list);
|
||||
table->use--;
|
||||
nft_use_dec(&table->use);
|
||||
if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
|
||||
nft_map_deactivate(&ctx, set);
|
||||
|
||||
@ -10779,13 +10821,13 @@ static void __nft_release_table(struct net *net, struct nft_table *table)
|
||||
}
|
||||
list_for_each_entry_safe(obj, ne, &table->objects, list) {
|
||||
nft_obj_del(obj);
|
||||
table->use--;
|
||||
nft_use_dec(&table->use);
|
||||
nft_obj_destroy(&ctx, obj);
|
||||
}
|
||||
list_for_each_entry_safe(chain, nc, &table->chains, list) {
|
||||
ctx.chain = chain;
|
||||
nft_chain_del(chain);
|
||||
table->use--;
|
||||
nft_use_dec(&table->use);
|
||||
nf_tables_chain_destroy(&ctx);
|
||||
}
|
||||
nf_tables_table_destroy(&ctx);
|
||||
|
@ -30,11 +30,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
|
||||
const struct nft_byteorder *priv = nft_expr_priv(expr);
|
||||
u32 *src = ®s->data[priv->sreg];
|
||||
u32 *dst = ®s->data[priv->dreg];
|
||||
union { u32 u32; u16 u16; } *s, *d;
|
||||
u16 *s16, *d16;
|
||||
unsigned int i;
|
||||
|
||||
s = (void *)src;
|
||||
d = (void *)dst;
|
||||
s16 = (void *)src;
|
||||
d16 = (void *)dst;
|
||||
|
||||
switch (priv->size) {
|
||||
case 8: {
|
||||
@ -62,11 +62,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
|
||||
switch (priv->op) {
|
||||
case NFT_BYTEORDER_NTOH:
|
||||
for (i = 0; i < priv->len / 4; i++)
|
||||
d[i].u32 = ntohl((__force __be32)s[i].u32);
|
||||
dst[i] = ntohl((__force __be32)src[i]);
|
||||
break;
|
||||
case NFT_BYTEORDER_HTON:
|
||||
for (i = 0; i < priv->len / 4; i++)
|
||||
d[i].u32 = (__force __u32)htonl(s[i].u32);
|
||||
dst[i] = (__force __u32)htonl(src[i]);
|
||||
break;
|
||||
}
|
||||
break;
|
||||
@ -74,11 +74,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
|
||||
switch (priv->op) {
|
||||
case NFT_BYTEORDER_NTOH:
|
||||
for (i = 0; i < priv->len / 2; i++)
|
||||
d[i].u16 = ntohs((__force __be16)s[i].u16);
|
||||
d16[i] = ntohs((__force __be16)s16[i]);
|
||||
break;
|
||||
case NFT_BYTEORDER_HTON:
|
||||
for (i = 0; i < priv->len / 2; i++)
|
||||
d[i].u16 = (__force __u16)htons(s[i].u16);
|
||||
d16[i] = (__force __u16)htons(s16[i]);
|
||||
break;
|
||||
}
|
||||
break;
|
||||
|
@ -408,8 +408,10 @@ static int nft_flow_offload_init(const struct nft_ctx *ctx,
|
||||
if (IS_ERR(flowtable))
|
||||
return PTR_ERR(flowtable);
|
||||
|
||||
if (!nft_use_inc(&flowtable->use))
|
||||
return -EMFILE;
|
||||
|
||||
priv->flowtable = flowtable;
|
||||
flowtable->use++;
|
||||
|
||||
return nf_ct_netns_get(ctx->net, ctx->family);
|
||||
}
|
||||
@ -428,7 +430,7 @@ static void nft_flow_offload_activate(const struct nft_ctx *ctx,
|
||||
{
|
||||
struct nft_flow_offload *priv = nft_expr_priv(expr);
|
||||
|
||||
priv->flowtable->use++;
|
||||
nft_use_inc_restore(&priv->flowtable->use);
|
||||
}
|
||||
|
||||
static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
|
||||
|
@ -159,7 +159,7 @@ static void nft_immediate_deactivate(const struct nft_ctx *ctx,
|
||||
default:
|
||||
nft_chain_del(chain);
|
||||
chain->bound = false;
|
||||
chain->table->use--;
|
||||
nft_use_dec(&chain->table->use);
|
||||
break;
|
||||
}
|
||||
break;
|
||||
@ -198,7 +198,7 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx,
|
||||
* let the transaction records release this chain and its rules.
|
||||
*/
|
||||
if (chain->bound) {
|
||||
chain->use--;
|
||||
nft_use_dec(&chain->use);
|
||||
break;
|
||||
}
|
||||
|
||||
@ -206,9 +206,9 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx,
|
||||
chain_ctx = *ctx;
|
||||
chain_ctx.chain = chain;
|
||||
|
||||
chain->use--;
|
||||
nft_use_dec(&chain->use);
|
||||
list_for_each_entry_safe(rule, n, &chain->rules, list) {
|
||||
chain->use--;
|
||||
nft_use_dec(&chain->use);
|
||||
list_del(&rule->list);
|
||||
nf_tables_rule_destroy(&chain_ctx, rule);
|
||||
}
|
||||
|
@ -41,8 +41,10 @@ static int nft_objref_init(const struct nft_ctx *ctx,
|
||||
if (IS_ERR(obj))
|
||||
return -ENOENT;
|
||||
|
||||
if (!nft_use_inc(&obj->use))
|
||||
return -EMFILE;
|
||||
|
||||
nft_objref_priv(expr) = obj;
|
||||
obj->use++;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -72,7 +74,7 @@ static void nft_objref_deactivate(const struct nft_ctx *ctx,
|
||||
if (phase == NFT_TRANS_COMMIT)
|
||||
return;
|
||||
|
||||
obj->use--;
|
||||
nft_use_dec(&obj->use);
|
||||
}
|
||||
|
||||
static void nft_objref_activate(const struct nft_ctx *ctx,
|
||||
@ -80,7 +82,7 @@ static void nft_objref_activate(const struct nft_ctx *ctx,
|
||||
{
|
||||
struct nft_object *obj = nft_objref_priv(expr);
|
||||
|
||||
obj->use++;
|
||||
nft_use_inc_restore(&obj->use);
|
||||
}
|
||||
|
||||
static const struct nft_expr_ops nft_objref_ops = {
|
||||
|
Loading…
Reference in New Issue
Block a user