From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Colin Ian King , Pablo Neira Ayuso Subject: [PATCH 5.13 118/156] netfilter: nf_tables: Fix dereference of null pointer flow Date: Thu, 22 Jul 2021 18:31:33 +0200 Message-Id: <20210722155632.183087632@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210722155628.371356843@linuxfoundation.org> References: <20210722155628.371356843@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Colin Ian King commit 4ca041f919f13783b0b03894783deee00dbca19a upstream. In the case where chain->flags & NFT_CHAIN_HW_OFFLOAD is false then nft_flow_rule_create is not called and flow is NULL. The subsequent error handling execution via label err_destroy_flow_rule will lead to a null pointer dereference on flow when calling nft_flow_rule_destroy. Since the error path to err_destroy_flow_rule has to cater for null and non-null flows, only call nft_flow_rule_destroy if flow is non-null to fix this issue. Addresses-Coverity: ("Explicity null dereference") Fixes: 3c5e44622011 ("netfilter: nf_tables: memleak in hw offload abort path") Signed-off-by: Colin Ian King Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman --- net/netfilter/nf_tables_api.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3453,7 +3453,8 @@ static int nf_tables_newrule(struct sk_b return 0; err_destroy_flow_rule: - nft_flow_rule_destroy(flow); + if (flow) + nft_flow_rule_destroy(flow); err_release_rule: nf_tables_rule_release(&ctx, rule); err_release_expr:
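Review bot: The new `if (flow)` guard under err_destroy_flow_rule is only safe if flow is initialized to NULL where it is declared, and that declaration is outside the visible context of this hunk. Please confirm the initializer is present, since an uninitialized pointer would pass the check and still be handed to nft_flow_rule_destroy. The commit message says this label is reached both with and without NFT_CHAIN_HW_OFFLOAD set, so consider moving the NULL test into nft_flow_rule_destroy itself. That would make every caller safe without repeating the guard, and the error label could keep its original single-line form. If the guard stays here, a short comment noting that flow is NULL for non-offload chains would explain why this one label needs a check when err_release_rule and err_release_expr do not.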