On Wed, Dec 18, 2019 at 10:59:11PM +0800, wenxu@xxxxxxxxx wrote:
> From: wenxu <wenxu@xxxxxxxxx>
>
> The err2 failure path in nf_tables_newrule should only destroy this new rule
> without deactivating it, because the rule has not been activated.
>
> Signed-off-by: wenxu <wenxu@xxxxxxxxx>
> ---
> net/netfilter/nf_tables_api.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index a8caf73..27e6a6f 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -3130,7 +3130,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
>
> return 0;
> err2:
> - nf_tables_rule_release(&ctx, rule);
> + nf_tables_rule_destroy(&ctx, rule);

This is not correct, the rule might have a reference to a chain jump,
nft_data_release() needs to be called in that case.

> err1:
> for (i = 0; i < n; i++) {
> if (info[i].ops) {
> --
> 1.8.3.1
>
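Review bot: swapping nf_tables_rule_release() for nf_tables_rule_destroy() at err2 drops the deactivation step entirely, so a rule whose expressions hold a chain jump reference would leak that reference on the error path; the commit message's premise (the rule was never activated, so it must not be deactivated) does not cover this case. If the goal is to avoid deactivating a never-activated rule, the err2 path still needs to call nft_data_release() for any jump reference the rule's expressions hold before destroying the rule, rather than a plain nf_tables_rule_destroy(&ctx, rule). The commit message should also spell out why deactivation at err2 is wrong for a rule that was never activated, since the original nf_tables_rule_release() call was presumably there to cover exactly that release of references.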