author | Michał Mirosław <mirq-linux@rere.qmqm.pl> | 2007-03-24 21:27:27 +0100 |
---|---|---|
committer | Adrian Bunk <bunk@stusta.de> | 2007-03-24 21:27:27 +0100 |
commit | b7dc23da852c9507c138f46911e504e0943a5661 (patch) | |
tree | 85c82ea6d1f3d78297d76a67d3a5cf2b0cfe871f | |
parent | 18adb12b78b7c4d4a04401bd42c23b3f157c7ac1 (diff) | |
Fix reference counting (memory leak) problem in __nfulnl_send() and callers related to packet queueing.
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
-rw-r--r-- | net/netfilter/nfnetlink_log.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index 47c1a8f702c5..c35be233eaa2 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c @@ -210,6 +210,11 @@ _instance_destroy2(struct nfulnl_instance *inst, int lock) spin_lock_bh(&inst->lock); if (inst->skb) { + /* timer "holds" one reference (we have one more) */ + if (timer_pending(&inst->timer)) { + del_timer(&inst->timer); + instance_put(inst); + } if (inst->qlen) __nfulnl_send(inst); if (inst->skb) { @@ -346,9 +351,6 @@ __nfulnl_send(struct nfulnl_instance *inst) { int status; - if (timer_pending(&inst->timer)) - del_timer(&inst->timer); - if (!inst->skb) return 0; @@ -375,6 +377,8 @@ static void nfulnl_timer(unsigned long data) UDEBUG("timer function called, flushing buffer\n"); spin_lock_bh(&inst->lock); + if (timer_pending(&inst->timer)) /* is it always true or false here? */ + del_timer(&inst->timer); __nfulnl_send(inst); instance_put(inst); spin_unlock_bh(&inst->lock); @@ -655,6 +659,11 @@ nfulnl_log_packet(unsigned int pf, * enough room in the skb left. flush to userspace. */ UDEBUG("flushing old skb\n"); + /* timer "holds" one reference (we have another one) */ + if (timer_pending(&inst->timer)) { + del_timer(&inst->timer); + instance_put(inst); + } __nfulnl_send(inst); if (!(inst->skb = nfulnl_alloc_skb(nlbufsiz, size))) { |
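Review bot: The `timer_pending()` test followed by `del_timer()` and `instance_put()` in the _instance_destroy2 hunk is not atomic with respect to the timer expiring. If the timer fires on another CPU between the two calls, `del_timer()` removes nothing, yet the reference is still dropped here and then dropped again by the handler (the nfulnl_timer hunk shows its `instance_put(inst)`), which would underflow the count and risk a use-after-free. `del_timer()` reports whether it deactivated a pending timer, so the put can be keyed on that result: `if (del_timer(&inst->timer)) instance_put(inst);`. The same pattern is added in the nfulnl_log_packet hunk and deserves the same change. Both functions start and end outside their hunks.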
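Review bot: The question left in the comment on the new `timer_pending()` line in nfulnl_timer should be answered before this is merged, because the answer decides whether the two added lines are correct. The callback presumably runs with the timer already detached, so the test would be false unless another path re-armed the timer before `inst->lock` was taken; in that case `del_timer()` cancels a timer without releasing the reference it holds, unlike the two other sites in this patch. Either drop the two lines or write `if (del_timer(&inst->timer)) instance_put(inst);`, and replace the question with a comment stating which case is expected. Separately, `instance_put(inst)` still precedes `spin_unlock_bh(&inst->lock)` in the context lines, so it is worth confirming that this put can never be the last one. The function starts outside the hunk.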