Re: [PATCH] net: netfilter: fix possible refcount leak in ctnetlink_create_conntrack()

From: Florian Westphal
Date: Sun Feb 12 2023 - 07:53:38 EST

Next message: kernel test robot: "drivers/media/platform/mediatek/mdp/mtk_mdp_core.c:31:34: warning: unused variable 'mtk_mdp_comp_dt_ids'"
Previous message: Yoshinori Sato: "Re: [PATCH] MAINTAINERS: Add myself as maintainer for arch/sh (SUPERH)"
In reply to: Pablo Neira Ayuso: "Re: [PATCH] net: netfilter: fix possible refcount leak in ctnetlink_create_conntrack()"
Next in thread: Hangyu Hua: "Re: [PATCH] net: netfilter: fix possible refcount leak in ctnetlink_create_conntrack()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > One way would be to return 0 in that case (in
> > nf_conntrack_hash_check_insert()). What do you think?
>
> This is misleading to the user that adds an entry via ctnetlink?
>
> ETIMEDOUT also looks a bit confusing to report to userspace.
> Rewinding: if the intention is to deal with stale conntrack extension,
> for example, helper module has been removed while this entry was
> added. Then, probably call EAGAIN so nfnetlink has a chance to retry
> transparently?

Seems we first need to add a "bool *inserted" so we know when the ct
entry went public.

I'll also have a look at switching to a refcount based model for
all extensions that reference external objects, this would avoid
the entire problem, but thats likely more intrusive.

Next message: kernel test robot: "drivers/media/platform/mediatek/mdp/mtk_mdp_core.c:31:34: warning: unused variable 'mtk_mdp_comp_dt_ids'"
Previous message: Yoshinori Sato: "Re: [PATCH] MAINTAINERS: Add myself as maintainer for arch/sh (SUPERH)"
In reply to: Pablo Neira Ayuso: "Re: [PATCH] net: netfilter: fix possible refcount leak in ctnetlink_create_conntrack()"
Next in thread: Hangyu Hua: "Re: [PATCH] net: netfilter: fix possible refcount leak in ctnetlink_create_conntrack()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]