[PATCH 5.10 098/125] net/sched: act_ct: remove and free nf_table callbacks

From: Greg Kroah-Hartman
Date: Thu Jul 22 2021 - 12:42:01 EST

From: Louis Peens <louis.peens@xxxxxxxxxxxx>

commit 77ac5e40c44eb78333fbc38482d61fc2af7dda0a upstream.

When cleaning up the nf_table in tcf_ct_flow_table_cleanup_work
there is no guarantee that the callback list, added to by
nf_flow_table_offload_add_cb, is empty. This means that it is
possible that the flow_block_cb memory allocated will be lost.

Fix this by iterating the list and freeing the flow_block_cb entries
before freeing the nf_table entry (via freeing ct_ft).

Fixes: 978703f42549 ("netfilter: flowtable: Add API for registering to flow table events")
Signed-off-by: Louis Peens <louis.peens@xxxxxxxxxxxx>
Signed-off-by: Yinjun Zhang <yinjun.zhang@xxxxxxxxxxxx>
Signed-off-by: Simon Horman <simon.horman@xxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
net/sched/act_ct.c | 11 +++++++++++
1 file changed, 11 insertions(+)

--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -320,11 +320,22 @@ err_alloc:

static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)
+ struct flow_block_cb *block_cb, *tmp_cb;
struct tcf_ct_flow_table *ct_ft;
+ struct flow_block *block;

ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
+ /* Remove any remaining callbacks before cleanup */
+ block = &ct_ft->nf_ft.flow_block;
+ down_write(&ct_ft->nf_ft.flow_block_lock);
+ list_for_each_entry_safe(block_cb, tmp_cb, &block->cb_list, list) {
+ list_del(&block_cb->list);
+ flow_block_cb_free(block_cb);
+ }
+ up_write(&ct_ft->nf_ft.flow_block_lock);