List: netfilter-devel
Subject: Re: double call to ip_conntrack_put() ?
From: Tobias DiPasquale <codeslinger () gmail ! com>
Date: 2005-04-18 9:57:30
Message-ID: 876ef97a05041802571f302bfe () mail ! gmail ! com
On 4/18/05, Wang Jian <lark@linux.net.cn> wrote:
> death_by_timeout() calls ip_conntrack_put() before return. And
> death_by_timeout() is called combined with ip_conntrack_put() in some
> places, such as
>
> in early_drop()
>
>         if (del_timer(&ct->timeout)) {
>                 death_by_timeout((unsigned long)ct);
>                 dropped = 1;
>                 CONNTRACK_STAT_INC(early_drop);
>         }
>         ip_conntrack_put(ct);
>
> and in ip_ct_iterate_cleanup()
>
>         while ((h = get_next_corpse(iter, data, &bucket)) != NULL) {
>                 struct ip_conntrack *ct = tuplehash_to_ctrack(h);
>                 /* Time to push up daises... */
>                 if (del_timer(&ct->timeout))
>                         death_by_timeout((unsigned long)ct);
>                 /* ... else the timer will get him soon. */
>
>                 ip_conntrack_put(ct);
>         }
>
> Is this intended or misuse?

This is intended. tuplehash_to_ctrack() generates a reference to the
conntrack record. In death_by_timeout() the refcount is decremented,
yielding 1 for the second call to ip_conntrack_put(). The dec_and_test
in nf_conntrack_put() (called by ip_conntrack_put()) will result in a
refcount of 0, sending the record to the destroy_conntrack() function
(or more properly, whatever's registered in nfct->destroy(), which I'm
pretty sure is always either NULL or destroy_conntrack()).
--
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d
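
The reference counting described in this reply, as a userspace model added here (not kernel code and not part of the original message). `ct_model` and the `model_*` and `scenario_*` names are hypothetical, and the starting count of 2 (one reference for the table/timer, one for the caller) is an assumption taken from the reply's description. It also covers the branch where del_timer() fails because the timer has already fired.

```c
#include <stdbool.h>

/* Hypothetical userspace model of a conntrack record; not kernel code. */
struct ct_model {
    int use;             /* refcount (atomic_t in the kernel; plain int here) */
    bool timer_pending;  /* stands in for an armed ct->timeout */
    int destroyed;       /* how many times the destroy callback ran */
};

/* Drop one reference; whoever drops the last one runs destroy. */
void model_put(struct ct_model *ct) { if (--ct->use == 0) ct->destroyed++; }

/* Like del_timer(): true only for the caller that cancels a pending timer. */
bool model_del_timer(struct ct_model *ct)
{
    bool was_pending = ct->timer_pending;
    ct->timer_pending = false;
    return was_pending;
}

/* Releases the reference owned by the table/timer, as death_by_timeout() does. */
void model_death_by_timeout(struct ct_model *ct) { model_put(ct); }

/* Shape of the quoted early_drop() code. Assumption: ct->use already
 * includes the caller's own reference when this runs. */
void model_early_drop(struct ct_model *ct)
{
    if (model_del_timer(ct))
        model_death_by_timeout(ct);
    model_put(ct);                   /* caller's reference */
}

/* Timer still armed: both puts happen in early_drop. Returns destroy count. */
int scenario_timer_pending(void)
{
    struct ct_model ct = { .use = 2, .timer_pending = true, .destroyed = 0 };
    model_early_drop(&ct);
    return ct.use == 0 ? ct.destroyed : -1;
}

/* Timer already fired: early_drop drops one ref, the handler drops the other. */
int scenario_timer_fired(void)
{
    struct ct_model ct = { .use = 2, .timer_pending = false, .destroyed = 0 };
    model_early_drop(&ct);
    if (ct.use != 1 || ct.destroyed != 0) return -1;
    model_death_by_timeout(&ct);     /* the running timer handler */
    return ct.use == 0 ? ct.destroyed : -1;
}
```

In both scenarios the destroy step runs exactly once, because each put releases a reference that some holder actually owned.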