[NETFILTER]: nfnetlink_log: fix reference counting
authorMichal Miroslaw <mirq-linux@rere.qmqm.pl>
Mon, 5 Mar 2007 00:00:04 +0000 (16:00 -0800)
committerDavid S. Miller <davem@sunset.davemloft.net>
Mon, 5 Mar 2007 21:25:26 +0000 (13:25 -0800)
Fix reference counting (memory leak) problem in __nfulnl_send() and callers
related to packet queueing.

Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/netfilter/nfnetlink_log.c

index d0af8bc3eee188a49b47d8e0c0cca814be73bcb9..91a0972ec117c1faefb72feca953653c40a7d80f 100644 (file)
@@ -218,6 +218,9 @@ _instance_destroy2(struct nfulnl_instance *inst, int lock)
 
        spin_lock_bh(&inst->lock);
        if (inst->skb) {
+               /* timer "holds" one reference (we have one more) */
+               if (del_timer(&inst->timer))
+                       instance_put(inst);
                if (inst->qlen)
                        __nfulnl_send(inst);
                if (inst->skb) {
@@ -362,9 +365,6 @@ __nfulnl_send(struct nfulnl_instance *inst)
 {
        int status;
 
-       if (timer_pending(&inst->timer))
-               del_timer(&inst->timer);
-
        if (!inst->skb)
                return 0;
 
@@ -689,6 +689,9 @@ nfulnl_log_packet(unsigned int pf,
                 * enough room in the skb left. flush to userspace. */
                UDEBUG("flushing old skb\n");
 
+               /* timer "holds" one reference (we have another one) */
+               if (del_timer(&inst->timer))
+                       instance_put(inst);
                __nfulnl_send(inst);
 
                if (!(inst->skb = nfulnl_alloc_skb(nlbufsiz, size))) {