netfilter: nf_tables: add nft_unregister_flowtable_hook()

Unbind flowtable callback if hook is unregistered.

This patch is implicitly fixing the error path of
nf_tables_newflowtable() and nft_flowtable_event().

Fixes: 8bb69f3b2918 ("netfilter: nf_tables: add flowtable offload control plane")
Reported-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9340b976d85ca55a890b97a95547f6a3c1d0e9dd..ff04cdc87f7604777ea30cf5595912420cdc5889 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5975,16 +5975,22 @@ nft_flowtable_type_get(struct net *net, u8 family)
        return ERR_PTR(-ENOENT);
 }
 
+static void nft_unregister_flowtable_hook(struct net *net,
+                                         struct nft_flowtable *flowtable,
+                                         struct nft_hook *hook)
+{
+       nf_unregister_net_hook(net, &hook->ops);
+       flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
+                                   FLOW_BLOCK_UNBIND);
+}
+
 static void nft_unregister_flowtable_net_hooks(struct net *net,
                                               struct nft_flowtable *flowtable)
 {
        struct nft_hook *hook;
 
-       list_for_each_entry(hook, &flowtable->hook_list, list) {
-               nf_unregister_net_hook(net, &hook->ops);
-               flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
-                                           FLOW_BLOCK_UNBIND);
-       }
+       list_for_each_entry(hook, &flowtable->hook_list, list)
+               nft_unregister_flowtable_hook(net, flowtable, hook);
 }
 
 static int nft_register_flowtable_net_hooks(struct net *net,
@@ -6030,9 +6036,7 @@ err_unregister_net_hooks:
                if (i-- <= 0)
                        break;
 
-               nf_unregister_net_hook(net, &hook->ops);
-               flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
-                                           FLOW_BLOCK_UNBIND);
+               nft_unregister_flowtable_hook(net, flowtable, hook);
                list_del_rcu(&hook->list);
                kfree_rcu(hook, rcu);
        }
@@ -6139,7 +6143,7 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
        return 0;
 err5:
        list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
-               nf_unregister_net_hook(net, &hook->ops);
+               nft_unregister_flowtable_hook(net, flowtable, hook);
                list_del_rcu(&hook->list);
                kfree_rcu(hook, rcu);
        }
@@ -6484,7 +6488,7 @@ static void nft_flowtable_event(unsigned long event, struct net_device *dev,
                if (hook->ops.dev != dev)
                        continue;
 
-               nf_unregister_net_hook(dev_net(dev), &hook->ops);
+               nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
                list_del_rcu(&hook->list);
                kfree_rcu(hook, rcu);
                break;