Taehee Yoo <ap420073@xxxxxxxxx> wrote:
> There is module leak in the error path of the nf_tables_newrule.
> In order to solve this, a member nft_expr_type *type is added into
> the nft_expr_info. so that, we can make separated error path of the
> nft_expr_ops and the nft_expr_type.
> So that, the nf_tables_rule_destroy is not used in the error path
> of the nf_tables_newrule anymore.
>
> Steps to reproduce:
> $iptables-compat -I OUTPUT -m cpu --cpu 0
> $iptables-compat -F
> $lsmod
> Module Size Used by
> xt_cpu 16384 1

Can not reproduce this here:

$ lsmod|grep xt_cpu
$ nft list ruleset
table ip filter {
[..]
chain OUTPUT {
type filter hook output priority 0; policy accept;
cpu 0 counter packets 27 bytes 3436
}
$ lsmod|grep xt_cpu
xt_cpu 16384 1
$ nft flush ruleset
$ lsmod|grep xt_cpu
xt_cpu 16384 0

Linux 4.16.5.

> if (expr->ops->destroy)
> expr->ops->destroy(ctx, expr);
> - module_put(expr->ops->type->owner);
> + if (expr->ops->type->release)
> + expr->ops->type->release(expr->ops);
> +
> + module_put(module);

The above indeed looks buggy on 4.16.5 (original, not your patch).

->ops can be free'd already in the destroy path with nft_match_destroy,
So I agree, yes, I think we need to at least fetch module pointer first.
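Review bot: the added `if (expr->ops->type->release)` / `expr->ops->type->release(expr->ops);` lines still dereference `expr->ops` after `expr->ops->destroy(ctx, expr)` has run, so they have the same problem the reply describes for the original `module_put(expr->ops->type->owner)`: if the destroy path (nft_match_destroy) has already freed ops, both the `type` lookup and the `expr->ops` argument passed to `release()` are reads of freed memory. Save what is needed before the destroy call, e.g. `const struct nft_expr_type *type = expr->ops->type;` with `module` taken from `type->owner`, and call `type->release()` and `module_put()` on the saved values afterwards. The hunk also does not show the line that assigns `module`; including that context would make the ordering relative to `destroy()` reviewable.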