netfilter: nft_dynset: restore set element counter when failing to update

ummakynes · gregkh · commit 031561caa38a · 2022-07-07T17:53:27.000+02:00
commit 05907f1 upstream. This patch fixes a race condition. nft_rhash_update() might fail for two reasons: - Element already exists in the hashtable. - Another packet won race to insert an entry in the hashtable. In both cases, new() has already bumped the counter via atomic_add_unless(), therefore, decrement the set element counter. Fixes: 22fe54d ("netfilter: nf_tables: add support for dynamic set updates") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
@@ -143,6 +143,7 @@ static bool nft_rhash_update(struct nft_set *set, const u32 *key,
 	/* Another cpu may race to insert the element with the same key */
 	if (prev) {
 		nft_set_elem_destroy(set, he, true);
+		atomic_dec(&set->nelems);
 		he = prev;
 	}
 
@@ -152,6 +153,7 @@ static bool nft_rhash_update(struct nft_set *set, const u32 *key,
 
 err2:
 	nft_set_elem_destroy(set, he, true);
+	atomic_dec(&set->nelems);
 err1:
 	return false;
 }

Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,7 @@ static bool nft_rhash_update(struct nft_set set, const u32 key,`
`143`	`143`	`/* Another cpu may race to insert the element with the same key */`
`144`	`144`	`if (prev) {`
`145`	`145`	`nft_set_elem_destroy(set, he, true);`
	`146`	`+ atomic_dec(&set->nelems);`
`146`	`147`	`he = prev;`
`147`	`148`	`}`
`148`	`149`
`@@ -152,6 +153,7 @@ static bool nft_rhash_update(struct nft_set set, const u32 key,`
`152`	`153`
`153`	`154`	`err2:`
`154`	`155`	`nft_set_elem_destroy(set, he, true);`
	`156`	`+ atomic_dec(&set->nelems);`
`155`	`157`	`err1:`
`156`	`158`	`return false;`
`157`	`159`	`}`