Hi Pablo, 2017-04-14 6:30 GMT+08:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>: >> We should call module_put when the time policy is not found. Otherwise, >> the related cthelper module cannot be removed anymore. >> >> It is easy to reproduce by typing the following command: >> # iptables -t raw -A OUTPUT -p tcp -j CT --helper ftp --timeout xxx > > Can we fix all leaks in the error path in one single patch for xt_CT? Right. > Feng sent me a patch to fix another issue there, so if either you or > him send me one single patch to fix all xt_CT refcount leaks in one > go, I'd appreciate. Feng, since you spotted this issue earlier, can you send a new patch to do this? With a new patch name: "netfilter: xt_CT: fix refcnt leak on error path". Also you can add my: Signed-off-by: Liping Zhang <zlpnobody@xxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
