From: Louis Peens louis.peens@corigine.com
stable inclusion from stable-5.10.53 commit 7b5a2910e782f29f26558c0dde87af6052031469 bugzilla: 175574 https://gitee.com/openeuler/kernel/issues/I4DTUX
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 77ac5e40c44eb78333fbc38482d61fc2af7dda0a upstream.
When cleaning up the nf_table in tcf_ct_flow_table_cleanup_work there is no guarantee that the callback list, added to by nf_flow_table_offload_add_cb, is empty. This means that it is possible that the flow_block_cb memory allocated will be lost.
Fix this by iterating the list and freeing the flow_block_cb entries before freeing the nf_table entry (via freeing ct_ft).
Fixes: 978703f42549 ("netfilter: flowtable: Add API for registering to flow table events") Signed-off-by: Louis Peens louis.peens@corigine.com Signed-off-by: Yinjun Zhang yinjun.zhang@corigine.com Signed-off-by: Simon Horman simon.horman@corigine.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Chen Jun chenjun102@huawei.com Acked-by: Weilong Chen chenweilong@huawei.com Signed-off-by: Chen Jun chenjun102@huawei.com --- net/sched/act_ct.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index f1088599fafd..812c3c70a53a 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -320,11 +320,22 @@ static int tcf_ct_flow_table_get(struct tcf_ct_params *params)
static void tcf_ct_flow_table_cleanup_work(struct work_struct *work) { + struct flow_block_cb *block_cb, *tmp_cb; struct tcf_ct_flow_table *ct_ft; + struct flow_block *block;
ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table, rwork); nf_flow_table_free(&ct_ft->nf_ft); + + /* Remove any remaining callbacks before cleanup */ + block = &ct_ft->nf_ft.flow_block; + down_write(&ct_ft->nf_ft.flow_block_lock); + list_for_each_entry_safe(block_cb, tmp_cb, &block->cb_list, list) { + list_del(&block_cb->list); + flow_block_cb_free(block_cb); + } + up_write(&ct_ft->nf_ft.flow_block_lock); kfree(ct_ft);
module_put(THIS_MODULE);