netfilter: ctnetlink: fix regression in expectation handling

This patch fixes a regression (introduced by myself in commit 19abb7b:
netfilter: ctnetlink: deliver events for conntracks changed from
userspace) that results in an expectation re-insertion since
__nf_ct_expect_check() may return 0 for expectation timer refreshing.

This patch also removes a unnecessary refcount bump that
pretended to avoid a possible race condition with event delivery
and expectation timers (as said, not needed since we hold a
reference to the object since until we finish the expectation
setup). This also merges nf_ct_expect_related_report() and
nf_ct_expect_related() which look basically the same.

Reported-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

2 files changed, 10 insertions, 25 deletions

diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index ab17a159ac66..a9652806d0df 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -99,9 +99,12 @@ void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, u_int8_t,
                        const union nf_inet_addr *,
                        u_int8_t, const __be16 *, const __be16 *);
 void nf_ct_expect_put(struct nf_conntrack_expect *exp);
-int nf_ct_expect_related(struct nf_conntrack_expect *expect);
 int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, 
                                 u32 pid, int report);
+static inline int nf_ct_expect_related(struct nf_conntrack_expect *expect)
+{
+        return nf_ct_expect_related_report(expect, 0, 0);
+}
 
 #endif /*_NF_CONNTRACK_EXPECT_H*/
 
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 3940f996a2e4..afde8f991646 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -372,7 +372,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
         struct net *net = nf_ct_exp_net(expect);
         struct hlist_node *n;
         unsigned int h;
-        int ret = 0;
+        int ret = 1;
 
         if (!master_help->helper) {
                 ret = -ESHUTDOWN;
@@ -412,41 +412,23 @@ out:
         return ret;
 }
 
-int nf_ct_expect_related(struct nf_conntrack_expect *expect)
+int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, 
+                                u32 pid, int report)
 {
         int ret;
 
         spin_lock_bh(&nf_conntrack_lock);
         ret = __nf_ct_expect_check(expect);
-        if (ret < 0)
+        if (ret <= 0)
                 goto out;
 
+        ret = 0;
         nf_ct_expect_insert(expect);
-        atomic_inc(&expect->use);
-        spin_unlock_bh(&nf_conntrack_lock);
-        nf_ct_expect_event(IPEXP_NEW, expect);
-        nf_ct_expect_put(expect);
-        return ret;
-out:
         spin_unlock_bh(&nf_conntrack_lock);
+        nf_ct_expect_event_report(IPEXP_NEW, expect, pid, report);
         return ret;
-}
-EXPORT_SYMBOL_GPL(nf_ct_expect_related);
-
-int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, 
-                                u32 pid, int report)
-{
-        int ret;
-
-        spin_lock_bh(&nf_conntrack_lock);
-        ret = __nf_ct_expect_check(expect);
-        if (ret < 0)
-                goto out;
-        nf_ct_expect_insert(expect);
 out:
         spin_unlock_bh(&nf_conntrack_lock);
-        if (ret == 0)
-                nf_ct_expect_event_report(IPEXP_NEW, expect, pid, report);
         return ret;
 }
 EXPORT_SYMBOL_GPL(nf_ct_expect_related_report);