netfilter: nf_tables_offload: drop device refcount on error

Reported by sashiko: If nft_flow_action_entry_next() returns NULL, dev reference leaks. Fixes: c6f85577584b ("netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it") Reported-by: Juri Lelli <juri.lelli@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2026-06-05 14:47:12 +0300
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2026-06-10 18:58:29 +0300
commit: efc542561729a2859397dad51bda1fe41262beb1 (patch)
tree: 2bb16a7ee4276bb9c7d2905291e42b5cee73b3c6
parent: ccb9fd4b87538ccf19ccff78ee26700526d94867 (diff)
download: linux-efc542561729a2859397dad51bda1fe41262beb1.tar.xz
1 files changed, 4 insertions, 2 deletions
diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c
index 3b0a70e154cd..3d88ef927f31 100644
--- a/net/netfilter/nf_dup_netdev.c
+++ b/net/netfilter/nf_dup_netdev.c
@@ -74,16 +74,18 @@ int nft_fwd_dup_netdev_offload(struct nft_offload_ctx *ctx,
 	struct flow_action_entry *entry;
 	struct net_device *dev;
 
-	/* nft_flow_rule_destroy() releases the reference on this device. */
 	dev = dev_get_by_index(ctx->net, oif);
 	if (!dev)
 		return -EOPNOTSUPP;
 
 	entry = nft_flow_action_entry_next(ctx, flow);
-	if (!entry)
+	if (!entry) {
+		dev_put(dev);
 		return -E2BIG;
+	}
 
 	entry->id = id;
+	/* nft_flow_rule_destroy() releases the reference on this device. */
 	entry->dev = dev;
 
 	return 0;
author	Florian Westphal <fw@strlen.de>	2026-06-05 14:47:12 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2026-06-10 18:58:29 +0300
commit	efc542561729a2859397dad51bda1fe41262beb1 (patch)
tree	2bb16a7ee4276bb9c7d2905291e42b5cee73b3c6
parent	ccb9fd4b87538ccf19ccff78ee26700526d94867 (diff)
download	linux-efc542561729a2859397dad51bda1fe41262beb1.tar.xz