Commit a995a68
netfilter: nf_tables: fix memleak when more than 255 elements expired
commit cf5000a upstream.
When more than 255 elements expired we're supposed to switch to a new gc
container structure.
This never happens: u8 type will wrap before reaching the boundary
and nft_trans_gc_space() always returns true.
This means we recycle the initial gc container structure and
lose track of the elements that came before.
While at it, don't deref 'gc' after we've passed it to call_rcu.
Fixes: 5f68718 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>1 parent b95d7af commit a995a68
File tree
2 files changed
+9
-3
lines changed- include/net/netfilter
- net/netfilter
2 files changed
+9
-3
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1440 | 1440 | | |
1441 | 1441 | | |
1442 | 1442 | | |
1443 | | - | |
| 1443 | + | |
1444 | 1444 | | |
1445 | 1445 | | |
1446 | 1446 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
7089 | 7089 | | |
7090 | 7090 | | |
7091 | 7091 | | |
| 7092 | + | |
| 7093 | + | |
7092 | 7094 | | |
7093 | 7095 | | |
7094 | 7096 | | |
| 7097 | + | |
7095 | 7098 | | |
7096 | 7099 | | |
7097 | | - | |
| 7100 | + | |
7098 | 7101 | | |
7099 | 7102 | | |
7100 | 7103 | | |
| |||
7111 | 7114 | | |
7112 | 7115 | | |
7113 | 7116 | | |
| 7117 | + | |
| 7118 | + | |
7114 | 7119 | | |
7115 | 7120 | | |
7116 | 7121 | | |
7117 | 7122 | | |
7118 | 7123 | | |
7119 | 7124 | | |
| 7125 | + | |
7120 | 7126 | | |
7121 | 7127 | | |
7122 | | - | |
| 7128 | + | |
7123 | 7129 | | |
7124 | 7130 | | |
7125 | 7131 | | |
| |||
0 commit comments