
net/sched: act_ct: fix ref leak when switching zones

When switching zones or network namespaces without doing a ct clear in
between, it is now leaking a reference to the old ct entry. That's
because tcf_ct_skb_nfct_cached() returns false and
tcf_ct_flow_table_lookup() may simply overwrite it.

The fix is to drop the reference to the ct entry already in
tcf_ct_skb_nfct_cached(), since the entry is not reusable in that case.

Reported-by: Florian Westphal <fw@strlen.de>
Fixes: 2f131de361f6 ("net/sched: act_ct: Fix flow table lookup after ct clear or switching zones")
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Marcelo Ricardo Leitner and committed by
David S. Miller
bcb74e13 5ae6acf1

+9 -6
+9 -6
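--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -666,22 +666,25 @@
 if (!ct)
 return false;
 if (!net_eq(net, read_pnet(&ct->ct_net)))
-return false;
+goto drop_ct;
 if (nf_ct_zone(ct)->id != zone_id)
-return false;
+goto drop_ct;
 
 /* Force conntrack entry direction. */
 if (force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) {
 if (nf_ct_is_confirmed(ct))
 nf_ct_kill(ct);
 
-nf_ct_put(ct);
-nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
-
-return false;
+goto drop_ct;
 }
 
 return true;
+
+drop_ct:
+nf_ct_put(ct);
+nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
+
+return false;
 }
 
 /* Trim the skb to the length specified by the IP/IPv6 header,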
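Review bot: The new `drop_ct:` label silently changes the contract of the netns and zone mismatch paths — they now consume the caller's ct reference and detach it from the skb instead of leaving it in place — and nothing at the label says why, so a future reader may "fix" the `goto` back to a plain `return false` and reintroduce the leak. I would put a comment above the label, e.g. `/* Not reusable (wrong netns/zone, or forced direction): drop our ref and detach it from the skb so a later lookup cannot overwrite and leak it. */`. It is also worth a one-line comment on the early `if (!ct) return false;` stating that it is the one path that intentionally bypasses `drop_ct` because there is nothing to put. Note that the mismatch paths only put the entry and do not `nf_ct_kill()` it, unlike the forced-direction path; that looks intentional since the entry may still be valid in its own zone, but a reviewer would want that stated. The enclosing function begins before this hunk, so its signature and the origin of `ct`/`ctinfo` are not visible here.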