From patchwork Sat Apr 8 03:38:48 2017
X-Patchwork-Submitter: Liping Zhang
X-Patchwork-Id: 748533
X-Patchwork-Delegate: pablo@netfilter.org
From: Liping Zhang
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, Liping Zhang
Subject: [PATCH nf] netfilter: xt_CT: fix cthelper module's refcnt leak
Date: Sat, 8 Apr 2017 11:38:48 +0800
Message-Id: <1491622728-55625-1-git-send-email-zlpnobody@163.com>
X-Mailer: git-send-email 2.5.5
X-Mailing-List: netfilter-devel@vger.kernel.org

From: Liping Zhang

We should call module_put when the time policy is not found. Otherwise,
the related cthelper module cannot be removed anymore. It is easy to
reproduce by typing the following command:
  # iptables -t raw -A OUTPUT -p tcp -j CT --helper ftp --timeout xxx

Signed-off-by: Liping Zhang
Signed-off-by: Liping Zhang
--- net/netfilter/xt_CT.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c index b008db0..841cfba 100644 --- a/net/netfilter/xt_CT.c +++ b/net/netfilter/xt_CT.c @@ -200,6 +200,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par, struct xt_ct_target_info_v1 *info) { struct nf_conntrack_zone zone; + struct nf_conn_help *help; struct nf_conn *ct; int ret = -EOPNOTSUPP; @@ -248,7 +249,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par, if (info->timeout[0]) { ret = xt_ct_set_timeout(ct, par, info->timeout); if (ret < 0) - goto err3; + goto err4; } __set_bit(IPS_CONFIRMED_BIT, &ct->status); nf_conntrack_get(&ct->ct_general); 
@@ -256,6 +257,10 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par, info->ct = ct; return 0; +err4: + help = nfct_help(ct); + if (help) + module_put(help->helper->me); err3: nf_ct_tmpl_free(ct); err2:
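Review bot: In the @@ -248,7 +249,7 @@ hunk, the new "goto err4" is taken on any xt_ct_set_timeout() failure, whether or not a helper was requested for this rule, so the err4 path has to be safe for a template with no helper extension. The "if (help)" guard at the label covers that case, but nothing at the jump or the label says which earlier step err4 undoes. A one-line comment at "err4:" stating that it drops the helper module reference would keep the pairing obvious for anyone who later adds another failure point after the timeout setup.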
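Review bot: In the @@ -256,6 +257,10 @@ hunk, the err4 block checks "help" but then dereferences "help->helper->me" without checking "help->helper". If the helper extension can ever be present on the template with no helper assigned, this is a NULL dereference on the error path. Either test "if (help && help->helper)" or state in the commit message why the extension is only ever added together with a helper. The fall-through from err4 into err3 for nf_ct_tmpl_free(ct) is in the right order, since the reference is dropped before the template is freed.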