
List:       netfilter-devel
Subject:    Re: double call to ip_conntrack_put() ?
From:       Tobias DiPasquale <codeslinger@gmail.com>
Date:       2005-04-18 9:57:30
Message-ID: <876ef97a05041802571f302bfe@mail.gmail.com>

On 4/18/05, Wang Jian <lark@linux.net.cn> wrote:
> death_by_timeout() calls ip_conntrack_put() before return. And
> death_by_timeout() is called combined with ip_conntrack_put() in some
> places, such as
> 
> in early_drop()
> 
>         if (del_timer(&ct->timeout)) {
>                 death_by_timeout((unsigned long)ct);
>                 dropped = 1;
>                 CONNTRACK_STAT_INC(early_drop);
>         }
>         ip_conntrack_put(ct);
> 
> and in ip_ct_iterate_cleanup()
> 
>         while ((h = get_next_corpse(iter, data, &bucket)) != NULL) {
>                 struct ip_conntrack *ct = tuplehash_to_ctrack(h);
>                 /* Time to push up daises... */
>                 if (del_timer(&ct->timeout))
>                         death_by_timeout((unsigned long)ct);
>                 /* ... else the timer will get him soon. */
> 
>                 ip_conntrack_put(ct);
>         }
> 
> Is this intended or misuse?

This is intended. tuplehash_to_ctrack() generates a reference to the
conntrack record. In death_by_timeout() the refcount is decremented,
yielding 1 for the second call to ip_conntrack_put(). The dec_and_test
in nf_conntrack_put() (called by ip_conntrack_put()) will result in a
refcount of 0, sending the record to the destroy_conntrack() function
(or more properly, whatever's registered in nfct->destroy(), which I'm
pretty sure is always either NULL or destroy_conntrack()).

-- 
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d
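The refcount walk described in the reply above, as an added user-space model that is not the kernel code and not from either poster: the struct, the helper names (ct_model, ct_get, ct_put, death_by_timeout_model, del_timer_model, cleanup_pattern, cleanup_without_get) and the scenarios are simplified stand-ins for ip_conntrack, nf_conntrack_get()/atomic_inc, ip_conntrack_put(), death_by_timeout(), del_timer() and the loop in ip_ct_iterate_cleanup(). It shows why the two puts are intended: the hash table holds one reference, the iterator takes a second one before handing the entry to the caller, death_by_timeout() drops the table's reference and the caller's own put drops the last one, reaching zero exactly once. It also shows the two edge cases the quoted code comments on: when del_timer() returns 0 the caller's put only returns the count to 1 and the timer handler is left to finish the job, and if the caller had not taken its own reference the second put would underflow the count on an already destroyed entry.

```c
/* Added example: a user-space model of the ip_conntrack reference
 * counting discussed in this thread.  This is NOT the kernel code; the
 * names below are simplified stand-ins chosen for illustration. */
#include <stdio.h>

/* Stand-in for struct ip_conntrack: a use count plus a "hashed" flag
 * standing in for membership of the conntrack hash table. */
struct ct_model {
    int use;            /* stands in for ct_general.use (atomic_t in kernel) */
    int hashed;         /* 1 while the entry is linked in the hash table */
    int timer_pending;  /* 1 while the timeout timer is armed */
    int destroyed;      /* set when the destroy hook ran (modelled, not freed) */
};

static int destroy_calls;   /* how many times the destroy hook ran */

/* Stand-in for destroy_conntrack(): runs once when the count hits 0. */
static void destroy_conntrack_model(struct ct_model *ct)
{
    ct->destroyed = 1;
    destroy_calls++;
}

/* Stand-in for ip_conntrack_put(): atomic_dec_and_test + destroy hook.
 * A put with no matching get drives the count below zero, which in the
 * kernel would be a use-after-free on the freed record. */
static void ct_put(struct ct_model *ct)
{
    if (ct->use <= 0) {
        ct->use--;                 /* underflow: bug, modelled instead of crashing */
        return;
    }
    if (--ct->use == 0)
        destroy_conntrack_model(ct);
}

/* Stand-in for nf_conntrack_get(): atomic_inc(&ct->ct_general.use). */
static void ct_get(struct ct_model *ct)
{
    ct->use++;
}

/* Stand-in for del_timer(): returns 1 only if the timer was still pending. */
static int del_timer_model(struct ct_model *ct)
{
    int was_pending = ct->timer_pending;
    ct->timer_pending = 0;
    return was_pending;
}

/* Stand-in for death_by_timeout(): unlink from the hash table and drop the
 * reference the hash table held.  This is the first put in the thread. */
static void death_by_timeout_model(struct ct_model *ct)
{
    ct->hashed = 0;
    ct_put(ct);
}

/* A freshly created, hashed entry: the hash table holds one reference and
 * the timeout timer is armed. */
static struct ct_model new_hashed_ct(void)
{
    struct ct_model ct = { .use = 1, .hashed = 1, .timer_pending = 1, .destroyed = 0 };
    return ct;
}

/* The pattern from ip_ct_iterate_cleanup(): get_next_corpse() takes a
 * reference before returning the entry, the caller kills the timer, calls
 * death_by_timeout() and finally puts its own reference.
 * Returns the final use count: 0 means destroyed exactly once, 1 means the
 * timer had already fired and its handler will drop the last reference. */
static int cleanup_pattern(struct ct_model *ct)
{
    ct_get(ct);                        /* what get_next_corpse() does: 1 -> 2 */
    if (del_timer_model(ct))
        death_by_timeout_model(ct);    /* hash table's reference: 2 -> 1 */
    /* ... else the timer will get him soon: its handler does the above. */
    ct_put(ct);                        /* caller's reference: 1 -> 0 */
    return ct->use;
}

/* The same sequence WITHOUT the caller taking its own reference first:
 * death_by_timeout() already destroys the entry and the second put
 * underflows the count (returns -1). */
static int cleanup_without_get(struct ct_model *ct)
{
    if (del_timer_model(ct))
        death_by_timeout_model(ct);    /* 1 -> 0, destroyed here */
    ct_put(ct);                        /* put on an already destroyed entry */
    return ct->use;
}

int main(void)
{
    struct ct_model a = new_hashed_ct();
    struct ct_model b = new_hashed_ct();
    printf("with caller ref:    final use=%d destroyed=%d\n", cleanup_pattern(&a), a.destroyed);
    printf("without caller ref: final use=%d destroyed=%d\n", cleanup_without_get(&b), b.destroyed);
    printf("destroy hook ran %d times\n", destroy_calls);
    return 0;
}
```

The counter is a plain int here for readability; in the kernel it is an atomic_t and the dec_and_test is what makes "exactly one caller sees zero" hold when the timer handler and an iterator race on the same entry.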

