authorMichał Mirosław <mirq-linux@rere.qmqm.pl>2007-03-24 21:27:27 +0100
committerAdrian Bunk <bunk@stusta.de>2007-03-24 21:27:27 +0100
commitb7dc23da852c9507c138f46911e504e0943a5661 (patch)
tree85c82ea6d1f3d78297d76a67d3a5cf2b0cfe871f
parent18adb12b78b7c4d4a04401bd42c23b3f157c7ac1 (diff)
Fix reference counting (memory leak) problem in __nfulnl_send() and callers related to packet queueing.
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
-rw-r--r--net/netfilter/nfnetlink_log.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 47c1a8f702c5..c35be233eaa2 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -210,6 +210,11 @@ _instance_destroy2(struct nfulnl_instance *inst, int lock)
spin_lock_bh(&inst->lock);
if (inst->skb) {
+ /* timer "holds" one reference (we have one more) */
+ if (timer_pending(&inst->timer)) {
+ del_timer(&inst->timer);
+ instance_put(inst);
+ }
if (inst->qlen)
__nfulnl_send(inst);
if (inst->skb) {
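Review bot: The `timer_pending()` test followed by `del_timer()` at the top of the `if (inst->skb)` block is not atomic with respect to timer expiry, so `instance_put(inst)` can run even when `del_timer()` cancelled nothing. If the timer expires between the two calls, nfulnl_timer() appears to drop the same reference once it obtains `inst->lock`, which would be a double put and could free the instance while it is still in use. `del_timer()` already reports whether it deactivated a pending timer, so `if (del_timer(&inst->timer)) instance_put(inst);` ties the put to the actual cancellation; the identical block added in nfulnl_log_packet() needs the same change. _instance_destroy2() starts and ends outside this hunk.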
@@ -346,9 +351,6 @@ __nfulnl_send(struct nfulnl_instance *inst)
{
int status;
- if (timer_pending(&inst->timer))
- del_timer(&inst->timer);
-
if (!inst->skb)
return 0;
@@ -375,6 +377,8 @@ static void nfulnl_timer(unsigned long data)
UDEBUG("timer function called, flushing buffer\n");
spin_lock_bh(&inst->lock);
+ if (timer_pending(&inst->timer)) /* is it always true or false here? */
+ del_timer(&inst->timer);
__nfulnl_send(inst);
instance_put(inst);
spin_unlock_bh(&inst->lock);
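Review bot: The `del_timer()` added before `__nfulnl_send(inst)` cancels a re-armed timer without releasing the reference that, per the comments added elsewhere in this commit, a pending timer holds. The `instance_put(inst)` that follows accounts for the expiry currently running, so a timer re-armed before this callback took `inst->lock` would leak one reference; `if (del_timer(&inst->timer)) instance_put(inst);` keeps the count balanced, assuming the arming site takes a reference as those comments imply, and it answers the question left in the inline comment. Separately, on the context lines `instance_put(inst)` runs before `spin_unlock_bh(&inst->lock)`; if that put can be the last one, the unlock touches freed memory, so the put belongs after the unlock. nfulnl_timer() starts and ends outside this hunk.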
@@ -655,6 +659,11 @@ nfulnl_log_packet(unsigned int pf,
* enough room in the skb left. flush to userspace. */
UDEBUG("flushing old skb\n");
+ /* timer "holds" one reference (we have another one) */
+ if (timer_pending(&inst->timer)) {
+ del_timer(&inst->timer);
+ instance_put(inst);
+ }
__nfulnl_send(inst);
if (!(inst->skb = nfulnl_alloc_skb(nlbufsiz, size))) {