netfilter pull request 24-03-21

-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEN9lkrMBJgcdVAPub1V2XiooUIOQFAmX8FywACgkQ1V2XiooU
 IOQV6Q/+MR7+Dq1aIBvVgWyjP2IHra/2t4w3+YlQsMTEUCVgURjrkYDMU5xQ42YG
 3SC2XNvKBvupHWqCF5Rw0xFWTUdupgfE0b1YeaHDePenq+1Xd3gLLWKDc1ugnkB4
 Z1hF90MTMO/JpWPDieimGHuPqlydDpYvJiP05g0Oz8FCczvIalmAj34eJqe4nKA/
 Ymig/FKx0i8QE8YJp0UCyYNDkBAuFvHFLRM+FmppkeldNg2Lnhoh0+xW0Feei8HT
 Ljew7yRs5emniRAy6tPgOBumBrah4lxXD56J6Ua4vIRF4a3wQ1b+hW2YOUl0VyPh
 ALsq1AM/3PuGCiy1ooUbVpyHHEO3WgboPIVDc8GZ7ISxUxzzDKbRoCWdiLuiuLqZ
 hvuyrfON5gMLp082/KEFg8zbsqOdAwHPV+5qcjQMkhPBb6/qHQqBmE2wNjZlid1p
 m/oGODUgSBKsjZLa8pMyw96YfuaQXyjjsSsnFqx0v3Zmu8nOZdrLslSpwKaDK6fL
 wZKEna+3n3skS8f2Y9qstlaCdJmU5nJjAbl2knQdGEYr9hMF/y+dP65w2JpPAZ+9
 mHRubyD+IKR72QscJbXVk1GVcaZlDkuCITjwCxviBZvd1L31iMqorc1pcyoBlJaV
 ddMQWpVOKZJ3FXyNx4+Ro03GA5JwJwhTzfFIuN2KNvBbaI+9mKM=
 =8vTl
 -----END PGP SIGNATURE-----

Merge tag 'nf-24-03-21' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net. There is a
larger batch of fixes still pending that will follow up asap, this is
what I deemed to be more urgent at this time:

1) Use clone view in pipapo set backend to release elements from destroy
   path, otherwise it is possible to destroy elements twice.

2) Incorrect check for internal table flags lead to bogus transaction
   objects.

3) Fix counters memleak in netdev basechain update error path,
   from Quan Tian.

netfilter pull request 24-03-21

* tag 'nf-24-03-21' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nf_tables: Fix a memory leak in nf_tables_updchain
  netfilter: nf_tables: do not compare internal table flags on updates
  netfilter: nft_set_pipapo: release elements in clone only from destroy path
====================

Link: https://lore.kernel.org/r/20240321112117.36737-1-pablo@netfilter.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

net/netfilter/nf_tables_api.c

@@ -1213,7 +1213,7 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
 	if (flags & ~NFT_TABLE_F_MASK)
 		return -EOPNOTSUPP;
 
-	if (flags == ctx->table->flags)
+	if (flags == (ctx->table->flags & NFT_TABLE_F_MASK))
 		return 0;
 
 	if ((nft_table_has_owner(ctx->table) &&
@@ -2631,19 +2631,6 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 		}
 	}
 
-	if (nla[NFTA_CHAIN_COUNTERS]) {
-		if (!nft_is_base_chain(chain)) {
-			err = -EOPNOTSUPP;
-			goto err_hooks;
-		}
-
-		stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
-		if (IS_ERR(stats)) {
-			err = PTR_ERR(stats);
-			goto err_hooks;
-		}
-	}
-
 	if (!(table->flags & NFT_TABLE_F_DORMANT) &&
 	    nft_is_base_chain(chain) &&
 	    !list_empty(&hook.list)) {
@@ -2658,6 +2645,20 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 	}
 
 	unregister = true;
+
+	if (nla[NFTA_CHAIN_COUNTERS]) {
+		if (!nft_is_base_chain(chain)) {
+			err = -EOPNOTSUPP;
+			goto err_hooks;
+		}
+
+		stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
+		if (IS_ERR(stats)) {
+			err = PTR_ERR(stats);
+			goto err_hooks;
+		}
+	}
+
 	err = -ENOMEM;
 	trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
 				sizeof(struct nft_trans_chain));

net/netfilter/nft_set_pipapo.c

@@ -2329,8 +2329,6 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,
 	if (m) {
 		rcu_barrier();
 
-		nft_set_pipapo_match_destroy(ctx, set, m);
-
 		for_each_possible_cpu(cpu)
 			pipapo_free_scratch(m, cpu);
 		free_percpu(m->scratch);
@@ -2342,8 +2340,7 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,
 	if (priv->clone) {
 		m = priv->clone;
 
-		if (priv->dirty)
-			nft_set_pipapo_match_destroy(ctx, set, m);
+		nft_set_pipapo_match_destroy(ctx, set, m);
 
 		for_each_possible_cpu(cpu)
 			pipapo_free_scratch(priv->clone, cpu);