[thirdparty/kernel/stable-queue.git] / releases / 2.6.20.2 / nfnetlink_log_refcounting_fix.patch.patch

From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Subject: Fix reference counting (memory leak) problem in __nfulnl_send() and callers related to packet queueing.

Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/netfilter/nfnetlink_log.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- linux-2.6.20.1.orig/net/netfilter/nfnetlink_log.c
+++ linux-2.6.20.1/net/netfilter/nfnetlink_log.c
@@ -217,6 +217,11 @@ _instance_destroy2(struct nfulnl_instanc
 
 	spin_lock_bh(&inst->lock);
 	if (inst->skb) {
+		/* timer "holds" one reference (we have one more) */
+		if (timer_pending(&inst->timer)) {
+			del_timer(&inst->timer);
+			instance_put(inst);
+		}
 		if (inst->qlen)
 			__nfulnl_send(inst);
 		if (inst->skb) {
@@ -363,9 +368,6 @@ __nfulnl_send(struct nfulnl_instance *in
 {
 	int status;
 
-	if (timer_pending(&inst->timer))
-		del_timer(&inst->timer);
-
 	if (!inst->skb)
 		return 0;
 
@@ -392,6 +394,8 @@ static void nfulnl_timer(unsigned long d
 	UDEBUG("timer function called, flushing buffer\n");
 
 	spin_lock_bh(&inst->lock);
+	if (timer_pending(&inst->timer))	/* is it always true or false here? */
+		del_timer(&inst->timer);
 	__nfulnl_send(inst);
 	instance_put(inst);
 	spin_unlock_bh(&inst->lock);
@@ -689,6 +693,11 @@ nfulnl_log_packet(unsigned int pf,
 		 * enough room in the skb left. flush to userspace. */
 		UDEBUG("flushing old skb\n");
 
+		/* timer "holds" one reference (we have another one) */
+		if (timer_pending(&inst->timer)) {
+			del_timer(&inst->timer);
+			instance_put(inst);
+		}
 		__nfulnl_send(inst);
 
 		if (!(inst->skb = nfulnl_alloc_skb(nlbufsiz, size))) {
Commit	Line	Data
5208ca74 GKH	1	From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
	2	Subject: Fix reference counting (memory leak) problem in __nfulnl_send() and callers related to packet queueing.
	3
	4	Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
	5	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	6
	7	---
	8	net/netfilter/nfnetlink_log.c \| 15 ++++++++++++---
	9	1 file changed, 12 insertions(+), 3 deletions(-)
	10
	11	--- linux-2.6.20.1.orig/net/netfilter/nfnetlink_log.c
	12	+++ linux-2.6.20.1/net/netfilter/nfnetlink_log.c
	13	@@ -217,6 +217,11 @@ _instance_destroy2(struct nfulnl_instanc
	14
	15	spin_lock_bh(&inst->lock);
	16	if (inst->skb) {
	17	+ /* timer "holds" one reference (we have one more) */
	18	+ if (timer_pending(&inst->timer)) {
	19	+ del_timer(&inst->timer);
	20	+ instance_put(inst);
	21	+ }
	22	if (inst->qlen)
	23	__nfulnl_send(inst);
	24	if (inst->skb) {
	25	@@ -363,9 +368,6 @@ __nfulnl_send(struct nfulnl_instance *in
	26	{
	27	int status;
	28
	29	- if (timer_pending(&inst->timer))
	30	- del_timer(&inst->timer);
	31	-
	32	if (!inst->skb)
	33	return 0;
	34
	35	@@ -392,6 +394,8 @@ static void nfulnl_timer(unsigned long d
	36	UDEBUG("timer function called, flushing buffer\n");
	37
	38	spin_lock_bh(&inst->lock);
	39	+ if (timer_pending(&inst->timer)) /* is it always true or false here? */
	40	+ del_timer(&inst->timer);
	41	__nfulnl_send(inst);
	42	instance_put(inst);
	43	spin_unlock_bh(&inst->lock);
	44	@@ -689,6 +693,11 @@ nfulnl_log_packet(unsigned int pf,
	45	* enough room in the skb left. flush to userspace. */
	46	UDEBUG("flushing old skb\n");
	47
	48	+ /* timer "holds" one reference (we have another one) */
	49	+ if (timer_pending(&inst->timer)) {
	50	+ del_timer(&inst->timer);
	51	+ instance_put(inst);
	52	+ }
	53	__nfulnl_send(inst);
	54
	55	if (!(inst->skb = nfulnl_alloc_skb(nlbufsiz, size))) {