mirror of
https://github.com/torvalds/linux
synced 2024-10-14 23:39:09 +00:00
netfilter: nf_tables: fix out of memory error handling
Several instances of pipapo_resize() don't propagate allocation failures,
this causes a crash when fault injection is enabled for gfp_kernel slabs.
Fixes: 3c4287f620
("nf_tables: Add set type for arbitrary concatenation of ranges")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
parent
8357bc946a
commit
5e1be4cdc9
|
@ -902,12 +902,14 @@ static void pipapo_lt_bits_adjust(struct nft_pipapo_field *f)
|
||||||
static int pipapo_insert(struct nft_pipapo_field *f, const uint8_t *k,
|
static int pipapo_insert(struct nft_pipapo_field *f, const uint8_t *k,
|
||||||
int mask_bits)
|
int mask_bits)
|
||||||
{
|
{
|
||||||
int rule = f->rules++, group, ret, bit_offset = 0;
|
int rule = f->rules, group, ret, bit_offset = 0;
|
||||||
|
|
||||||
ret = pipapo_resize(f, f->rules - 1, f->rules);
|
ret = pipapo_resize(f, f->rules, f->rules + 1);
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
|
f->rules++;
|
||||||
|
|
||||||
for (group = 0; group < f->groups; group++) {
|
for (group = 0; group < f->groups; group++) {
|
||||||
int i, v;
|
int i, v;
|
||||||
u8 mask;
|
u8 mask;
|
||||||
|
@ -1052,7 +1054,9 @@ static int pipapo_expand(struct nft_pipapo_field *f,
|
||||||
step++;
|
step++;
|
||||||
if (step >= len) {
|
if (step >= len) {
|
||||||
if (!masks) {
|
if (!masks) {
|
||||||
pipapo_insert(f, base, 0);
|
err = pipapo_insert(f, base, 0);
|
||||||
|
if (err < 0)
|
||||||
|
return err;
|
||||||
masks = 1;
|
masks = 1;
|
||||||
}
|
}
|
||||||
goto out;
|
goto out;
|
||||||
|
@ -1235,6 +1239,9 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
|
||||||
else
|
else
|
||||||
ret = pipapo_expand(f, start, end, f->groups * f->bb);
|
ret = pipapo_expand(f, start, end, f->groups * f->bb);
|
||||||
|
|
||||||
|
if (ret < 0)
|
||||||
|
return ret;
|
||||||
|
|
||||||
if (f->bsize > bsize_max)
|
if (f->bsize > bsize_max)
|
||||||
bsize_max = f->bsize;
|
bsize_max = f->bsize;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue