Message-ID: <1523373245.2654.182.camel@codethink.co.uk>
Subject: Re: [PATCH 4.4 38/97] netfilter: xt_CT: fix refcnt leak on error path
From: Ben Hutchings
To: Gao Feng, Liping Zhang, Pablo Neira Ayuso
Cc: stable@vger.kernel.org, Sasha Levin, Greg Kroah-Hartman, LKML
Date: Tue, 10 Apr 2018 16:14:05 +0100
In-Reply-To: <1522777564.2654.115.camel@codethink.co.uk>
References: <20180323094157.535925724@linuxfoundation.org> <20180323094159.781131756@linuxfoundation.org> <1522777564.2654.115.camel@codethink.co.uk>
Organization: Codethink Ltd.
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2018-04-03 at 18:46 +0100, Ben Hutchings wrote:
> On Fri, 2018-03-23 at 10:54 +0100, Greg Kroah-Hartman wrote:
> > 4.4-stable review patch.  If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Gao Feng
> >
> >
> > [ Upstream commit 470acf55a021713869b9bcc967268ac90c8a0fac ]
[...]
> > @@ -249,7 +252,7 @@ static int xt_ct_tg_check(const struct x > >   if (info->timeout[0]) { > >   ret = xt_ct_set_timeout(ct, par, info->timeout); > >   if (ret < 0) > > - goto err3; > > + goto err4; > >   } > >   __set_bit(IPS_CONFIRMED_BIT, &ct->status); > >   nf_conntrack_get(&ct->ct_general); > > @@ -257,6 +260,10 @@ out: > >   info->ct = ct; > >   return 0; > >   > > +err4: > > + help = nfct_help(ct); > > + if (help) > > + module_put(help->helper->me); > >  err3: > >   nf_ct_tmpl_free(ct); > >  err2:
>
> This does not.  nf_ct_tmpl_free() calls nf_ct_ext_destroy() which I
> think will call back into xt_ct_tg_destroy().  So I think the module
> reference is already dropped here and we mustn't do it twice.  Am I
> missing something?

I still don't understand this code, but I have verified that the
module_put() is needed on this error path to balance the module
reference count.  I.e. this fix is good.

Ben.

-- 
Ben Hutchings
Software Developer, Codethink Ltd.
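
Review bot: the "goto err4" on the xt_ct_set_timeout() failure path in the first hunk (@@ -249,7 +252,7 @@) relies on the order of numbered labels, and the names err3/err4 do not say what each one undoes. Naming the new label for what it releases (the helper module reference) would make it clear why this path can no longer jump straight to the nf_ct_tmpl_free() label, which is the mistake the old "goto err3" made.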
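
Review bot: the new err4 block in the second hunk (@@ -257,6 +260,10 @@) checks only "if (help)" before dereferencing help->helper->me, so it assumes the helper pointer is set whenever the helper extension exists. Either test help->helper as well or state in a comment why it cannot be NULL at this point. A one-line comment on why the module_put() has to happen here, before nf_ct_tmpl_free(ct) at err3, would also settle the double-put question raised in this thread for the next reader.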