Message-ID: <20251128201530.10e5c3c2@kernel.org>
Date: Fri, 28 Nov 2025 20:15:30 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: netfilter-devel@...r.kernel.org, davem@...emloft.net,
 netdev@...r.kernel.org, pabeni@...hat.com, edumazet@...gle.com,
 fw@...len.de, horms@...nel.org
Subject: Re: [PATCH net-next 11/17] netfilter: nf_conncount: rework API to
 use sk_buff directly

On Fri, 28 Nov 2025 00:23:38 +0000 Pablo Neira Ayuso wrote:
>  static int __nf_conncount_add(struct net *net,
> -			      struct nf_conncount_list *list,
> -			      const struct nf_conntrack_tuple *tuple,
> -			      const struct nf_conntrack_zone *zone)
> +			      const struct sk_buff *skb,
> +			      u16 l3num,
> +			      struct nf_conncount_list *list)
>  {
> +	const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
>  	const struct nf_conntrack_tuple_hash *found;
>  	struct nf_conncount_tuple *conn, *conn_n;
> +	struct nf_conntrack_tuple tuple;
> +	struct nf_conn *ct = NULL;
>  	struct nf_conn *found_ct;
>  	unsigned int collect = 0;
> +	bool refcounted = false;
> +
> +	if (!get_ct_or_tuple_from_skb(net, skb, l3num, &ct, &tuple, &zone, &refcounted))
> +		return -ENOENT;
> +
> +	if (ct && nf_ct_is_confirmed(ct)) {
> +		if (refcounted)
> +			nf_ct_put(ct);
> +		return 0;
> +	}
>  	if ((u32)jiffies == list->last_gc)
>  		goto add_new_node;
> @@ -144,10 +194,10 @@ static int __nf_conncount_add(struct net *net,
>  		if (IS_ERR(found)) {
>  			/* Not found, but might be about to be confirmed */
>  			if (PTR_ERR(found) == -EAGAIN) {
> -				if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
> +				if (nf_ct_tuple_equal(&conn->tuple, &tuple) &&
>  				    nf_ct_zone_id(&conn->zone, conn->zone.dir) ==
>  				    nf_ct_zone_id(zone, zone->dir))
> -					return 0; /* already exists */
> +					goto out_put; /* already exists */
>  			} else {
>  				collect++;
>  			}
> @@ -156,7 +206,7 @@ static int __nf_conncount_add(struct net *net,
>  
>  		found_ct = nf_ct_tuplehash_to_ctrack(found);
>  
> -		if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
> +		if (nf_ct_tuple_equal(&conn->tuple, &tuple) &&
>  		    nf_ct_zone_equal(found_ct, zone, zone->dir)) {
>  			/*
>  			 * We should not see tuples twice unless someone hooks
> @@ -165,7 +215,7 @@ static int __nf_conncount_add(struct net *net,
>  			 * Attempt to avoid a re-add in this case.
>  			 */
>  			nf_ct_put(found_ct);
> -			return 0;
> +			goto out_put;
>  		} else if (already_closed(found_ct)) {
>  			/*
>  			 * we do not care about connections which are
> @@ -188,31 +238,35 @@ static int __nf_conncount_add(struct net *net,
>  	if (conn == NULL)
>  		return -ENOMEM;


The AI review tool points out this is another direct return missing a put(ct).

Similar issue in count_tree(). Please take a look and follow up where
appropriate:
https://netdev-ai.bots.linux.dev/ai-review.html?id=348ddc42-0343-4832-9047-0c62767f074f

> -	conn->tuple = *tuple;
> +	conn->tuple = tuple;
>  	conn->zone = *zone;
>  	conn->cpu = raw_smp_processor_id();
>  	conn->jiffies32 = (u32)jiffies;
>  	list_add_tail(&conn->node, &list->head);
>  	list->count++;
>  	list->last_gc = (u32)jiffies;
> +
> +out_put:
> +	if (refcounted)
> +		nf_ct_put(ct);
>  	return 0;
>  }
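Review bot: The `out_put` label introduced at the end of this hunk is now the only place the conntrack reference is dropped, yet nothing next to it says where that reference came from or that every exit after the lookup must pass through it, which is exactly what makes a stray `return` easy to miss. A short comment on the label would tie the `refcounted` flag back to the helper that set it, e.g. `/* drop the reference taken by get_ct_or_tuple_from_skb(), if any; every exit after that call must go through here */`. The enclosing `__nf_conncount_add()` starts outside this hunk, so whether any other early exits remain between the lookup and this label cannot be confirmed from the quoted lines alone.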
