netfilter: nf_tables: check if bind callback fails and unbind if hook registration fails

Undo the callback binding before unregistering the existing hooks. This should also check for error of the bind setup call. Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support") Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: wenxu <wenxu@ucloud.cn> 2019-11-15 19:21:26 +0800
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-11-15 23:44:53 +0100
commit: d7c03a9f5c2577b29a7699bbaa1c1cbcfb56afd3 (patch)
tree: 691b13a7abfaa99d147a3a003c905f8632050be7
parent: 63b48c73ff567bbab1f940d6e8f3f48607077a13 (diff)
download: linux-d7c03a9f5c2577b29a7699bbaa1c1cbcfb56afd3.tar.bz2
1 files changed, 11 insertions, 3 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 4f0d880a8496..9340b976d85c 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6006,12 +6006,20 @@ static int nft_register_flowtable_net_hooks(struct net *net,
 			}
 		}
 
-		flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
-					    FLOW_BLOCK_BIND);
-		err = nf_register_net_hook(net, &hook->ops);
+		err = flowtable->data.type->setup(&flowtable->data,
+						  hook->ops.dev,
+						  FLOW_BLOCK_BIND);
 		if (err < 0)
 			goto err_unregister_net_hooks;
 
+		err = nf_register_net_hook(net, &hook->ops);
+		if (err < 0) {
+			flowtable->data.type->setup(&flowtable->data,
+						    hook->ops.dev,
+						    FLOW_BLOCK_UNBIND);
+			goto err_unregister_net_hooks;
+		}
+
 		i++;
 	}
author	wenxu <wenxu@ucloud.cn>	2019-11-15 19:21:26 +0800
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-11-15 23:44:53 +0100
commit	d7c03a9f5c2577b29a7699bbaa1c1cbcfb56afd3 (patch)
tree	691b13a7abfaa99d147a3a003c905f8632050be7
parent	63b48c73ff567bbab1f940d6e8f3f48607077a13 (diff)
download	linux-d7c03a9f5c2577b29a7699bbaa1c1cbcfb56afd3.tar.bz2