Message-ID: <20251128201530.10e5c3c2@kernel.org>
Date: Fri, 28 Nov 2025 20:15:30 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: netfilter-devel@...r.kernel.org, davem@...emloft.net,
netdev@...r.kernel.org, pabeni@...hat.com, edumazet@...gle.com,
fw@...len.de, horms@...nel.org
Subject: Re: [PATCH net-next 11/17] netfilter: nf_conncount: rework API to
use sk_buff directly
On Fri, 28 Nov 2025 00:23:38 +0000 Pablo Neira Ayuso wrote:
> static int __nf_conncount_add(struct net *net,
> - struct nf_conncount_list *list,
> - const struct nf_conntrack_tuple *tuple,
> - const struct nf_conntrack_zone *zone)
> + const struct sk_buff *skb,
> + u16 l3num,
> + struct nf_conncount_list *list)
> {
> + const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
> const struct nf_conntrack_tuple_hash *found;
> struct nf_conncount_tuple *conn, *conn_n;
> + struct nf_conntrack_tuple tuple;
> + struct nf_conn *ct = NULL;
> struct nf_conn *found_ct;
> unsigned int collect = 0;
> + bool refcounted = false;
> +
> + if (!get_ct_or_tuple_from_skb(net, skb, l3num, &ct, &tuple, &zone, &refcounted))
> + return -ENOENT;
> +
> + if (ct && nf_ct_is_confirmed(ct)) {
> + if (refcounted)
> + nf_ct_put(ct);
> + return 0;
> + }
> if ((u32)jiffies == list->last_gc)
> goto add_new_node;
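Review bot: The early exit for an already-confirmed conntrack, `if (ct && nf_ct_is_confirmed(ct))`, open-codes the reference release instead of jumping to the `out_put` label that this patch adds at the end of the function, which leaves two release sites to keep in sync. Because `out_put` performs the same `if (refcounted) nf_ct_put(ct);` and then returns 0, the body of that branch could be just `goto out_put;`. A short comment above the check saying why a confirmed entry returns 0 without being added would also help, since the reason is not visible in this hunk. The body of __nf_conncount_add continues outside the quoted lines.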
> @@ -144,10 +194,10 @@ static int __nf_conncount_add(struct net *net,
> if (IS_ERR(found)) {
> /* Not found, but might be about to be confirmed */
> if (PTR_ERR(found) == -EAGAIN) {
> - if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
> + if (nf_ct_tuple_equal(&conn->tuple, &tuple) &&
> nf_ct_zone_id(&conn->zone, conn->zone.dir) ==
> nf_ct_zone_id(zone, zone->dir))
> - return 0; /* already exists */
> + goto out_put; /* already exists */
> } else {
> collect++;
> }
> @@ -156,7 +206,7 @@ static int __nf_conncount_add(struct net *net,
>
> found_ct = nf_ct_tuplehash_to_ctrack(found);
>
> - if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
> + if (nf_ct_tuple_equal(&conn->tuple, &tuple) &&
> nf_ct_zone_equal(found_ct, zone, zone->dir)) {
> /*
> * We should not see tuples twice unless someone hooks
> @@ -165,7 +215,7 @@ static int __nf_conncount_add(struct net *net,
> * Attempt to avoid a re-add in this case.
> */
> nf_ct_put(found_ct);
> - return 0;
> + goto out_put;
> } else if (already_closed(found_ct)) {
> /*
> * we do not care about connections which are
> @@ -188,31 +238,35 @@ static int __nf_conncount_add(struct net *net,
> if (conn == NULL)
> return -ENOMEM;
The AI review tool points out this and another direct return missing a put(ct).
Similar issue in count_tree(). Please take a look and follow up where
appropriate:
https://netdev-ai.bots.linux.dev/ai-review.html?id=348ddc42-0343-4832-9047-0c62767f074f
> - conn->tuple = *tuple;
> + conn->tuple = tuple;
> conn->zone = *zone;
> conn->cpu = raw_smp_processor_id();
> conn->jiffies32 = (u32)jiffies;
> list_add_tail(&conn->node, &list->head);
> list->count++;
> list->last_gc = (u32)jiffies;
> +
> +out_put:
> + if (refcounted)
> + nf_ct_put(ct);
> return 0;
> }