Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp1013306pxv; Fri, 25 Jun 2021 03:34:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzi8rJk8wIZ/K/8WoL/glVmjpUnsv+LchErlSdC/eCfpuB0OISx27c6KtxIVznseVXIavGs X-Received: by 2002:a02:942e:: with SMTP id a43mr9249605jai.74.1624617291737; Fri, 25 Jun 2021 03:34:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1624617291; cv=none; d=google.com; s=arc-20160816; b=U1TgpVBHaknrDwCG61NSU0sm7u5PSN5s3/q9hPD6tt4bgphiDK7Wcr1s48/XHArrlt TTLSBV+5meJyXOzFq0p201YeMgU6nlyZEtU+7hwywjxRltKBR5F+PNLu4d8Y2IvZkHAK yxJtbR3rZ1FXjeyJcBwN2usRNEoC6YfvpBS5jlc//5995YQRLSbnNEI1PN3OEgNf9ZRg 88zv2dBlFEaeBqLcZkOhZZIWXsXfe0pGmMwErW0qbfAI7FXxkt7VlVdjepVdhLL75F+Z F0UXr/cokUyH/QDAgDSSy9iMiu9r+VPCha0NMPgpJq/y3e7/uj4yuVPevw6SJwKE1Vw0 13fA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=7kXzU6VQY7lM9RFtj3Mn30bxf9x5MvbukVSQFWdLIZY=; b=oDHvW+22aIhwKHzM+fXgQnuz03Pps6xoK4aRy93aDvWye5TOrwtqOCeGVjzOuQMuPZ Cs2/wkUFxwGIn7BFbxvMJCp8UcClXp68dTDoJ1ZwN21ImPrcuI26UEung5P3xewfdSxK /NCJsuHaUMkH6Gbb6gRzfVrLYFuCksM6pLAoSW/refHcqJOft0JDBNTwlmEtSU3kCyHE BujUZt8CaTnquRbGVI33foM4YKhOagwZaQpmoHYc5s/HLUxEePea6DtCEMXrE+c+84ED +2JXvc0ecbKrncDIh4mRb4UwiLtrMQ46rbfJUF8CxwGUKZgQfHXWGCoj0ZrtjaA9VHQK 5WQg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2020-01-29 header.b=shLe6ys8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l14si6029225jah.73.2021.06.25.03.34.40; Fri, 25 Jun 2021 03:34:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2020-01-29 header.b=shLe6ys8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231447AbhFYKgA (ORCPT + 99 others); Fri, 25 Jun 2021 06:36:00 -0400 Received: from mx0b-00069f02.pphosted.com ([205.220.177.32]:26518 "EHLO mx0b-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230379AbhFYKfv (ORCPT ); Fri, 25 Jun 2021 06:35:51 -0400 Received: from pps.filterd (m0246630.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 15PAC0Lx003048; Fri, 25 Jun 2021 10:33:19 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=corp-2020-01-29; bh=7kXzU6VQY7lM9RFtj3Mn30bxf9x5MvbukVSQFWdLIZY=; b=shLe6ys8iFsFYHDOZvl26wehMyAZpyOcBMPgpa/Y9ApffGJJCBLvHj8/3wXmktB5glND ysiu+bscHge3edzw3lyRnjyM+9P51rLe23FPQn5oLzViS3jk+MiXIFBckxBdV7C+V2JF 2EsXHayTySklTvB0+CGC+dZ92Y2WriziuC+hCJNqZ6t481Sr+/UuQCBJcVbgfw1xyrSC Qv5ufAYKO1ZK8bX7jruIKBgmm6SYEqENjwHLoP26Z7X3Jjv+uZClpO3n/aoE/5TPjvKT uDlnT40DTd5dWz0ckpeDS92XXF7/H/n2qoK5jLMx12Xl0iU07VHKG7pWpjbB+/skrHzs Ng== Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by mx0b-00069f02.pphosted.com with ESMTP id 39d2kxs0v1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 25 Jun 2021 10:33:19 +0000 Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 15PABQ2i094051; Fri, 25 Jun 2021 10:33:18 GMT Received: from pps.reinject (localhost [127.0.0.1]) by userp3020.oracle.com with ESMTP id 39dbb15rpe-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 25 Jun 2021 10:33:18 +0000 Received: from userp3020.oracle.com (userp3020.oracle.com [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 15PASHaK149866; Fri, 25 Jun 2021 10:33:17 GMT Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userp3020.oracle.com with ESMTP id 39dbb15rng-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 25 Jun 2021 10:33:17 +0000 Received: from abhmp0006.oracle.com (abhmp0006.oracle.com [141.146.116.12]) by aserv0121.oracle.com (8.14.4/8.14.4) with ESMTP id 15PAXFOI031239; Fri, 25 Jun 2021 10:33:16 GMT Received: from kadam (/102.222.70.252) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 25 Jun 2021 03:33:14 -0700 Date: Fri, 25 Jun 2021 13:33:04 +0300 From: Dan Carpenter To: Pablo Neira Ayuso Cc: Colin King , Jozsef Kadlecsik , Florian Westphal , "David S . Miller" , Jakub Kicinski , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH][next] netfilter: nf_tables: Fix dereference of null pointer flow Message-ID: <20210625103304.GI2040@kadam> References: <20210624195718.170796-1-colin.king@canonical.com> <20210625095901.GH2040@kadam> <20210625102021.GA32352@salvia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210625102021.GA32352@salvia> User-Agent: Mutt/1.9.4 (2018-02-28) X-Proofpoint-GUID: agBZSEvUiaAafEXSUMxVl_YcRlBC2KJn X-Proofpoint-ORIG-GUID: agBZSEvUiaAafEXSUMxVl_YcRlBC2KJn Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 25, 2021 at 12:20:21PM +0200, Pablo Neira Ayuso wrote: > Hi, > > On Fri, Jun 25, 2021 at 12:59:01PM +0300, Dan Carpenter wrote: > > Btw, why is there no clean up if nft_table_validate() fails? > > See below. > > > net/netfilter/nf_tables_api.c > > 3432 list_add_tail_rcu(&rule->list, &old_rule->list); > > 3433 else > > 3434 list_add_rcu(&rule->list, &chain->rules); > > 3435 } > > 3436 } > > 3437 kvfree(expr_info); > > 3438 chain->use++; > > 3439 > > 3440 if (flow) > > 3441 nft_trans_flow_rule(trans) = flow; > > 3442 > > 3443 if (nft_net->validate_state == NFT_VALIDATE_DO) > > 3444 return nft_table_validate(net, table); > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > The cleanup for this would be quite involved unfortunately... Not > > necessarily something to attempt without being able to test the code. > > At this stage, the transaction has been already registered in the > list, and the nf_tables_abort() path takes care of undoing what has > been updated in the preparation phase. > Ah... Thanks. regards, dan carpenter