CVE-2023-53200

Source
https://cve.org/CVERecord?id=CVE-2023-53200
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53200.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53200
Downstream
Published
2025-09-15T14:21:28.466Z
Modified
2026-04-02T09:43:47.520971Z
Summary
netfilter: x_tables: fix percpu counter block leak on error path when creating new netns
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: fix percpu counter block leak on error path when creating new netns

Here is the stack where we allocate percpu counter block:

  +-< __alloc_percpu
    +-< xt_percpu_counter_alloc
      +-< find_check_entry # {arp,ip,ip6}_tables.c
        +-< translate_table

And it can be leaked on this code path:

  +-> ip6t_register_table
    +-> translate_table # allocates percpu counter block
    +-> xt_register_table # fails

There is no freeing of the counter block on xt_register_table fail. Note: xt_percpu_counter_free should be called to free it like we do in do_replace through cleanup_entry helper (or in __ip6t_unregister_table).

Probability of hitting this error path is low AFAICS (xt_register_table can only return ENOMEM here, as it is not replacing anything, as we are creating new netns, and it is hard to imagine that all previous allocations succeeded and after that one in xt_register_table failed). But it's worth fixing even the rare leak.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53200.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
71ae0dff02d756e4d2ca710b79f2ff5390029a5f
Fixed
e306dbee4c98025a9326386023a12ef4d887e9d1
Fixed
512b6c4b83c91d007301ea7d7f095d16c3aceacd
Fixed
3cc9610a87b7dde82f7360dd4eb6c2c27940ed57
Fixed
0af8c09c896810879387decfba8c942994bb61f5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53200.json"