[NETFILTER]: nfnetlink_log: fix reference counting

Fix reference counting (memory leak) problem in __nfulnl_send() and callers
related to packet queueing.

Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 6 insertions, 3 deletions

diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index d0af8bc3eee1..91a0972ec117 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -218,6 +218,9 @@ _instance_destroy2(struct nfulnl_instance *inst, int lock)
 
         spin_lock_bh(&inst->lock);
         if (inst->skb) {
+                /* timer "holds" one reference (we have one more) */
+                if (del_timer(&inst->timer))
+                        instance_put(inst);
                 if (inst->qlen)
                         __nfulnl_send(inst);
                 if (inst->skb) {
@@ -362,9 +365,6 @@ __nfulnl_send(struct nfulnl_instance *inst)
 {
         int status;
 
-        if (timer_pending(&inst->timer))
-                del_timer(&inst->timer);
-
         if (!inst->skb)
                 return 0;
 
@@ -689,6 +689,9 @@ nfulnl_log_packet(unsigned int pf,
                  * enough room in the skb left. flush to userspace. */
                 UDEBUG("flushing old skb\n");
 
+                /* timer "holds" one reference (we have another one) */
+                if (del_timer(&inst->timer))
+                        instance_put(inst);
                 __nfulnl_send(inst);
 
                 if (!(inst->skb = nfulnl_alloc_skb(nlbufsiz, size))) {