From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com
Subject: [PATCH net 6/7] netfilter: nf_nat: Fix possible memory leak in nf_nat_init()
Date: Wed, 2 Nov 2022 19:46:58 +0100 [thread overview]
Message-ID: <20221102184659.2502-7-pablo@netfilter.org> (raw)
In-Reply-To: <20221102184659.2502-1-pablo@netfilter.org>
From: Chen Zhongjin <chenzhongjin@huawei.com>
In nf_nat_init(), register_nf_nat_bpf() can fail and return directly
without any error handling.
Then nf_nat_bysource will leak and registering of &nat_net_ops,
&follow_master_nat and nf_nat_hook won't be reverted.
This leaves wild ops in linkedlists and when another module tries to
call register_pernet_operations() or nf_ct_helper_expectfn_register()
it triggers page fault:
BUG: unable to handle page fault for address: fffffbfff81b964c
RIP: 0010:register_pernet_operations+0x1b9/0x5f0
Call Trace:
<TASK>
register_pernet_subsys+0x29/0x40
ebtables_init+0x58/0x1000 [ebtables]
...
Fixes: 820dc0523e05 ("net: netfilter: move bpf_ct_set_nat_info kfunc in nf_nat_bpf.c")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_nat_core.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 18319a6e6806..e29e4ccb5c5a 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -1152,7 +1152,16 @@ static int __init nf_nat_init(void)
WARN_ON(nf_nat_hook != NULL);
RCU_INIT_POINTER(nf_nat_hook, &nat_hook);
- return register_nf_nat_bpf();
+ ret = register_nf_nat_bpf();
+ if (ret < 0) {
+ RCU_INIT_POINTER(nf_nat_hook, NULL);
+ nf_ct_helper_expectfn_unregister(&follow_master_nat);
+ synchronize_net();
+ unregister_pernet_subsys(&nat_net_ops);
+ kvfree(nf_nat_bysource);
+ }
+
+ return ret;
}
static void __exit nf_nat_cleanup(void)
--
2.30.2
next prev parent reply other threads:[~2022-11-02 18:47 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-02 18:46 [PATCH net 0/7] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2022-11-02 18:46 ` [PATCH net 1/7] netfilter: nf_tables: netlink notifier might race to release objects Pablo Neira Ayuso
2022-11-03 3:00 ` patchwork-bot+netdevbpf
2022-11-02 18:46 ` [PATCH net 2/7] netfilter: nf_tables: release flow rule object from commit path Pablo Neira Ayuso
2022-11-02 18:46 ` [PATCH net 3/7] ipvs: use explicitly signed chars Pablo Neira Ayuso
2022-11-02 18:46 ` [PATCH net 4/7] ipvs: fix WARNING in __ip_vs_cleanup_batch() Pablo Neira Ayuso
2022-11-02 18:46 ` [PATCH net 5/7] ipvs: fix WARNING in ip_vs_app_net_cleanup() Pablo Neira Ayuso
2022-11-02 18:46 ` Pablo Neira Ayuso [this message]
2022-11-02 18:46 ` [PATCH net 7/7] netfilter: ipset: enforce documented limit to prevent allocating huge memory Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221102184659.2502-7-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.