fix dst_release issue

2024-03-20 13:44:50 +08:00 · 2024-03-20 13:44:50 +08:00 · 3132c76269
commit 3132c76269
parent 7f6b8f9d7a
2 changed files with 47 additions and 17 deletions
--- a/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch
+++ b/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch
@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,698 @@
+@@ -0,0 +1,701 @@
 +/*
 + * Copyright (C) 2018-2021 Felix Fietkau <nbd@nbd.name>
 + *
@ -544,10 +544,15 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +		break;
 +	}
 +
-+	nf_route(xt_net(par), &other_dst, &fl, false, xt_family(par));
-+	if (!other_dst)
+	if (!dst_hold_safe(this_dst))
 +		return -ENOENT;
 +
+	nf_route(xt_net(par), &other_dst, &fl, false, xt_family(par));
+	if (!other_dst) {
+		dst_release(this_dst);
+		return -ENOENT;
+	}
+
 +	nf_default_forward_path(route, this_dst, dir, devs);
 +	nf_default_forward_path(route, other_dst, !dir, devs);
 +
@ -622,8 +627,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +	if (!flow)
 +		goto err_flow_alloc;
 +
-+	if (flow_offload_route_init(flow, &route) < 0)
-+		goto err_flow_add;
+	flow_offload_route_init(flow, &route);
 +
 +	if (tcph) {
 +		ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
@ -642,13 +646,12 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +	xt_flowoffload_check_device(table, devs[0]);
 +	xt_flowoffload_check_device(table, devs[1]);
 +
-+	dst_release(route.tuple[!dir].dst);
-+
 +	return XT_CONTINUE;
 +
 +err_flow_add:
 +	flow_offload_free(flow);
 +err_flow_alloc:
+	dst_release(route.tuple[dir].dst);
 +	dst_release(route.tuple[!dir].dst);
 +err_flow_route:
 +	clear_bit(IPS_OFFLOAD_BIT, &ct->status);
@ -807,7 +810,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 #include <net/netfilter/nf_flow_table.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_core.h>
-@@ -380,8 +379,7 @@ flow_offload_lookup(struct nf_flowtable
+@@ -373,8 +372,7 @@ flow_offload_lookup(struct nf_flowtable
 }
 EXPORT_SYMBOL_GPL(flow_offload_lookup);
 
@ -817,7 +820,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 		      void (*iter)(struct nf_flowtable *flowtable,
 				   struct flow_offload *flow, void *data),
 		      void *data)
-@@ -435,6 +433,7 @@ static void nf_flow_offload_gc_step(stru
+@@ -428,6 +426,7 @@ static void nf_flow_offload_gc_step(stru
 		nf_flow_offload_stats(flow_table, flow);
 	}
 }
--- a/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch
+++ b/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch
@ -8,7 +8,30 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>

 --- a/net/netfilter/Kconfig
 +++ b/net/netfilter/Kconfig
-@@ -1023,6 +1023,15 @@ config NETFILTER_XT_TARGET_NOTRACK
+@@ -712,8 +712,6 @@ config NFT_REJECT_NETDEV
+ 
+ endif # NF_TABLES_NETDEV
+ 
+-endif # NF_TABLES
+-
+ config NF_FLOW_TABLE_INET
+ 	tristate "Netfilter flow table mixed IPv4/IPv6 module"
+ 	depends on NF_FLOW_TABLE
+@@ -722,11 +720,12 @@ config NF_FLOW_TABLE_INET
+ 
+ 	  To compile it as a module, choose M here.
+ 
+endif # NF_TABLES
+
+ config NF_FLOW_TABLE
+ 	tristate "Netfilter flow table module"
+ 	depends on NETFILTER_INGRESS
+ 	depends on NF_CONNTRACK
+-	depends on NF_TABLES
+ 	help
+ 	  This option adds the flow table core infrastructure.
+ 
+@@ -1023,6 +1022,15 @@ config NETFILTER_XT_TARGET_NOTRACK
 	depends on NETFILTER_ADVANCED
 	select NETFILTER_XT_TARGET_CT
 
@ -36,7 +59,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,698 @@
+@@ -0,0 +1,702 @@
 +/*
 + * Copyright (C) 2018-2021 Felix Fietkau <nbd@nbd.name>
 + *
@ -482,10 +505,15 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +		break;
 +	}
 +
-+	nf_route(xt_net(par), &other_dst, &fl, false, xt_family(par));
-+	if (!other_dst)
+	if (!dst_hold_safe(this_dst))
 +		return -ENOENT;
 +
+	nf_route(xt_net(par), &other_dst, &fl, false, xt_family(par));
+	if (!other_dst) {
+		dst_release(this_dst);
+		return -ENOENT;
+	}
+
 +	nf_default_forward_path(route, this_dst, dir, devs);
 +	nf_default_forward_path(route, other_dst, !dir, devs);
 +
@ -560,8 +588,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +	if (!flow)
 +		goto err_flow_alloc;
 +
-+	if (flow_offload_route_init(flow, &route) < 0)
-+		goto err_flow_add;
+	flow_offload_route_init(flow, &route);
 +
 +	if (tcph) {
 +		ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
@ -574,19 +601,19 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +	if (!net)
 +		write_pnet(&table->ft.net, xt_net(par));
 +
+	__set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags);
 +	if (flow_offload_add(&table->ft, flow) < 0)
 +		goto err_flow_add;
 +
 +	xt_flowoffload_check_device(table, devs[0]);
 +	xt_flowoffload_check_device(table, devs[1]);
 +
-+	dst_release(route.tuple[!dir].dst);
-+
 +	return XT_CONTINUE;
 +
 +err_flow_add:
 +	flow_offload_free(flow);
 +err_flow_alloc:
+	dst_release(route.tuple[dir].dst);
 +	dst_release(route.tuple[!dir].dst);
 +err_flow_route:
 +	clear_bit(IPS_OFFLOAD_BIT, &ct->status);