On Wed, Aug 23, 2023 at 09:27:47AM +0200, Florian Westphal wrote:
> Several instances of pipapo_resize() don't propagate allocation failures,
> this causes a crash when fault injection is used with
>
> echo Y > /sys/kernel/debug/failslab/ignore-gfp-wait
>
> Cc: Stefano Brivio <sbrivio@xxxxxxxxxx> Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> net/netfilter/nft_set_pipapo.c | 13 ++++++++++---
> 1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
> index 3757fcc55723..6af9c9ed4b5c 100644
> --- a/net/netfilter/nft_set_pipapo.c
> +++ b/net/netfilter/nft_set_pipapo.c
> @@ -902,12 +902,14 @@ static void pipapo_lt_bits_adjust(struct nft_pipapo_field *f)
> static int pipapo_insert(struct nft_pipapo_field *f, const uint8_t *k,
> int mask_bits)
> {
> - int rule = f->rules++, group, ret, bit_offset = 0;
> + int rule = f->rules, group, ret, bit_offset = 0;
>
> - ret = pipapo_resize(f, f->rules - 1, f->rules);
> + ret = pipapo_resize(f, f->rules, f->rules + 1);
> if (ret)
> return ret;
>
> + f->rules++;
> +
> for (group = 0; group < f->groups; group++) {
> int i, v;
> u8 mask;
> @@ -1052,7 +1054,9 @@ static int pipapo_expand(struct nft_pipapo_field *f,
> step++;
> if (step >= len) {
> if (!masks) {
> - pipapo_insert(f, base, 0);
> + err = pipapo_insert(f, base, 0);
> + if (err < 0)
> + return err;
> masks = 1;
> }
> goto out;
> @@ -1235,6 +1239,9 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
> else
> ret = pipapo_expand(f, start, end, f->groups * f->bb);
>
> + if (ret < 0)
> + return ret;
> +
> if (f->bsize > bsize_max)
> bsize_max = f->bsize;
>
> --
> 2.41.0
>
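Review bot: Nothing in pipapo_insert() records why `f->rules++` now comes after the pipapo_resize() call, and that ordering is what keeps the rule count in step with the allocated tables when the resize fails. A short comment above the increment, for example `/* Count the new rule only once the tables have room for it */`, would stop a later cleanup from folding the increment back into the declaration. The function body continues past the end of the hunk, so whether any later step can still fail after the count has been bumped is not visible here.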
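Review bot: The new `return err;` in pipapo_expand() exits partway through expanding a range, so any rules inserted for earlier steps of that range stay in the field. The same applies to the added `if (ret < 0) return ret;` in nft_pipapo_insert(), which looks like it runs once per field (it tracks `bsize_max` across them), so earlier fields may already hold rules for an element that is then reported as failed. Neither hunk shows the caller, so it is worth confirming that the error path discards or rolls back the partially updated data rather than leaving it reachable by lookups. If it does, a comment at the return such as `/* partial insert: caller must discard the modified copy */` would document that dependency. Both functions start and end outside their hunks.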