From: Liping Zhang <zlpnobody@xxxxxxxxx>

Suppose that the user inputs the following nft rule, then a dynset expr is created:

  # nft add rule filter output flow table test { ip daddr counter }

But actually, there are some bugs in the kernel:

1. If CONFIG_NFT_SET_HASH is not enabled, a kernel panic will happen.
2. In the extreme case, i.e. memory is exhausted, the expr clone will fail; this will cause a module refcnt leak, a memory leak and an incorrect set nelems.
3. Packets may race when creating the new element, and these *racing* packets will not be handled properly.

This patch set is aimed at fixing these problems.

Liping Zhang (3):
  netfilter: nft_dynset: fix panic if NFT_SET_HASH is not enabled
  netfilter: nf_tables: fix *leak* when expr clone fail
  netfilter: nf_tables: fix race when create new element in dynset

 include/net/netfilter/nf_tables.h |  6 ++++--
 net/netfilter/nf_tables_api.c     | 11 ++++++-----
 net/netfilter/nft_dynset.c        | 19 +++++++++++++------
 net/netfilter/nft_set_hash.c      | 19 ++++++++++++++-----
 net/netfilter/nft_set_rbtree.c    |  2 +-
 5 files changed, 38 insertions(+), 19 deletions(-)

-- 
2.5.5