Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp508368pxv;
        Thu, 24 Jun 2021 12:59:44 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy6YQs56bD2hu/6EYLAybnE6sVUAvC10ZxktCoWoXn5P35upqxmAPfWtAEAFsyBzPztnT0j
X-Received: by 2002:a6b:3b16:: with SMTP id i22mr5491400ioa.36.1624564783785;
        Thu, 24 Jun 2021 12:59:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1624564783; cv=none;
        d=google.com; s=arc-20160816;
        b=zdasGcfO8aBczrfZsxB7jWm33/cGGQIiX1NuHjbu14PC9ZorjKdnI1x8haSUBfPzzY
         kEj3XIuzSktJCKMNjMZCHJ7GoYJYuNsbTu7kznTJy7hVf+PRcv8vPa90iXWBosqMleYl
         UVklqKTppUJwb9LdrixcA3M15mX89mK5d2uQrOUpZen0AKrtshXX6ce78kbTs+WwUefU
         qstw1VFPldaLZYlnse3bRZk4HAYxZyY1Cz4WE6lImvvWPcC4dYg6/5B+G7+Hdtb/7ejL
         khmHe0ebpYPZ2rWXaSBxsiI3SpEOnktWDk5mPcUD/1ZRUnlkfVSxxjH+lo/Ya4pjFXRk
         Z2hA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=iL/nnx22po4e16GfIybOVTU2bET9WEBRKU87sa3ZR28=;
        b=wzx8umxxhDjLQtD3V0ekAtUwAnccpJyJzHYp3xqXew2aurJgLHAJADYI1Wg+BVd5+f
         0kuHPBRxQ8dcocLnqjuLvb6sAnpaIaWV4sGrr7KcGR7NMoa2XHGab5zUhzrDIYT+vydv
         KmTqkPUicMLmqQjffflz2kUV4YMvE7Rl+PI2VX028oh0opFH/1iTJJxj95ANagvsi17/
         hSOaDStW/ogfPUXwbs5ry3KwTErzbHN5UDC88OrIYQat0c4liTq9vXOAmFGLgLnwEWRb
         Zaf5XsW63wlB81W8xSfWLg2Nu2bVOinGSIqe8b9LfENlddMxXesghH+O1yOjuxwXud2C
         bcEQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id h5si4026747iol.44.2021.06.24.12.59.27;
        Thu, 24 Jun 2021 12:59:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232797AbhFXT7p (ORCPT <rfc822;mafatlaija@gmail.com> + 99 others);
        Thu, 24 Jun 2021 15:59:45 -0400
Received: from youngberry.canonical.com ([91.189.89.112]:48621 "EHLO
        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232178AbhFXT7n (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 24 Jun 2021 15:59:43 -0400
Received: from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost)
        by youngberry.canonical.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        (Exim 4.93)
        (envelope-from <colin.king@canonical.com>)
        id 1lwVTT-00047p-DD; Thu, 24 Jun 2021 19:57:19 +0000
From:   Colin King <colin.king@canonical.com>
To:     Pablo Neira Ayuso <pablo@netfilter.org>,
        Jozsef Kadlecsik <kadlec@netfilter.org>,
        Florian Westphal <fw@strlen.de>,
        "David S . Miller" <davem@davemloft.net>,
        Jakub Kicinski <kuba@kernel.org>,
        netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
        netdev@vger.kernel.org
Cc:     kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH][next] netfilter: nf_tables: Fix dereference of null pointer flow
Date:   Thu, 24 Jun 2021 20:57:18 +0100
Message-Id: <20210624195718.170796-1-colin.king@canonical.com>
X-Mailer: git-send-email 2.31.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Colin Ian King <colin.king@canonical.com>

In the case where chain->flags & NFT_CHAIN_HW_OFFLOAD is false then
nft_flow_rule_create is not called and flow is NULL. The subsequent
error handling execution via label err_destroy_flow_rule will lead
to a null pointer dereference on flow when calling nft_flow_rule_destroy.
Since the error path to err_destroy_flow_rule has to cater for null
and non-null flows, only call nft_flow_rule_destroy if flow is non-null
to fix this issue.

Addresses-Coverity: ("Explicity null dereference")
Fixes: 3c5e44622011 ("netfilter: nf_tables: memleak in hw offload abort path")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 net/netfilter/nf_tables_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 390d4466567f..de182d1f7c4e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3446,7 +3446,8 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
 	return 0;
 
 err_destroy_flow_rule:
-	nft_flow_rule_destroy(flow);
+	if (flow)
+		nft_flow_rule_destroy(flow);
 err_release_rule:
 	nf_tables_rule_release(&ctx, rule);
 err_release_expr:
-- 
2.31.1