netfilter: conntrack: destroy functions need to free queued packets - kernel

diff options

author	Florian Westphal <[email protected]>	2017-07-25 22:02:33 +0000
committer	Pablo Neira Ayuso <[email protected]>	2017-07-31 17:09:39 +0000
commit	e2a750070aeec7af3818065b39d61cb38627ce64 (patch)
tree	54dd9cce351fb40fa4eb95d5d27e60992360c9fe /security/selinux/hooks.c
parent	netfilter: add and use nf_ct_unconfirmed_destroy (diff)
download	kernel-e2a750070aeec7af3818065b39d61cb38627ce64.tar.gz kernel-e2a750070aeec7af3818065b39d61cb38627ce64.zip

netfilter: conntrack: destroy functions need to free queued packets

queued skbs might be using conntrack extensions that are being removed, such as timeout. This happens for skbs that have a skb->nfct in unconfirmed state (i.e., not in hash table yet). This is destructive, but there are only two use cases: - module removal (rare) - netns cleanup (most likely no conntracks exist, and if they do, they are removed anyway later on). Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>

Diffstat (limited to 'security/selinux/hooks.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: