|
Hello,
On Thu, 28 May 2026, Wentao Liang wrote:
> ip_vs_sched_persist() calls ip_vs_ct_in_get() to look up an existing
> connection template, which returns ct with a reference held. If the
> template exists but fails the ip_vs_check_template() validation, the
> function can leak the reference in two ways:
You missed the __ip_vs_conn_put(ct) in ip_vs_check_template()
when 0 is returned :) So, there is no leak.
>
> 1. If no destination is found (scheduler returns NULL), the function
> returns NULL at the !dest check without calling ip_vs_conn_put(ct).
>
> 2. If a destination is found and a new template is created via
> ip_vs_conn_new(), the old ct pointer is overwritten without its
> reference being released.
>
> Fix this by adding ip_vs_conn_put(ct) before the early return when no
> destination is found, and before overwriting ct with the new template.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 5b57a98c1f0d ("IPVS: compact ip_vs_sched_persist()")
> Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
> ---
> net/netfilter/ipvs/ip_vs_core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> index d40b404c1bf6..bdc3f296876a 100644
> --- a/net/netfilter/ipvs/ip_vs_core.c
> +++ b/net/netfilter/ipvs/ip_vs_core.c
> @@ -536,6 +536,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
> IP_VS_DBG(1, "p-schedule: no dest found.\n");
> kfree(param.pe_data);
> *ignored = 0;
> + ip_vs_conn_put(ct);
> return NULL;
> }
>
> @@ -551,6 +552,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
> if (ct == NULL) {
> kfree(param.pe_data);
> *ignored = -1;
> + ip_vs_conn_put(ct);
> return NULL;
> }
>
> --
> 2.34.1
Regards
--
Julian Anastasov <ja@xxxxxx>
|
