Re: [PATCH 2/2] netfilter: nf_ct_expect: fix possible invalid dereference while event reporting

On Fri, 10 Aug 2012, pablo@xxxxxxxxxxxxx wrote:

From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Bump expectation refcount to make sure it does not vanish while
reporting the event via ctnetlink. One user reported a crash
in nf_ct_expect_related_report triggered by the SIP helper.

Reported-by: Rafal Fitt <rafalf@xxxxxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

I don't think this can be correct. The nf_ct_expect_related_report()
call is usually done through the nf_ct_expect_related() call chain,
in which case the helper still has one refcount for its one reference,
so the helper can't be destroyed at this point. Even if another CPU
tries to remove it again, it will just release the reference of the
expectation hash and not the one the helper is holding.

Am I missing something here?

---
net/netfilter/nf_conntrack_expect.c |    4 ++++
1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index ec8bb0d..d5fccd3 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -444,8 +444,12 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
	ret = nf_ct_expect_insert(expect);
	if (ret < 0)
		goto out;
+
+	atomic_inc(&expect->use);
	spin_unlock_bh(&nf_conntrack_lock);
	nf_ct_expect_event_report(IPEXP_NEW, expect, pid, report);
+	nf_ct_expect_put(expect);
+
	return ret;
out:
	spin_unlock_bh(&nf_conntrack_lock);
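Review bot: the extra reference is taken with a bare atomic_inc(&expect->use) while nf_conntrack_lock is still held and dropped with nf_ct_expect_put() after the unlock, but the changelog never says which caller of nf_ct_expect_related_report() can reach nf_ct_expect_event_report() without already holding a reference to the expectation. Given the objection above that the helper's own reference keeps the expectation alive on the nf_ct_expect_related() path, the commit message should name the path or the race in which the expectation can be freed between spin_unlock_bh() and the event report; without that, the added get/put pair is unexplained. Placing the atomic_inc() after the `if (ret < 0) goto out;` check is correct, since the `out:` path does not call nf_ct_expect_put().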
--
1.7.10.4
