[PATCH] Conntrack leak with raw sockets

[Phil Oester <kernel@linuxace.com>]

[-- Attachment #1: Type: text/plain, Size: 901 bytes --]

In the event a raw socket is created for sending purposes only, the creator
never bothers to check the socket's receive queue.  But we continue to
add skbs to its queue until it fills up.

Unfortunately, if ip_conntrack is loaded on the box, each skb we add to the
queue potentially holds a reference to a conntrack.  If the user attempts
to unload ip_conntrack, we will spin around forever since the queued skbs
are pinned.

This behaviour can be witnessed in Fedora distributions which use
NetworkManager.  Arguably there should be an option to create a 'sending-only'
socket which won't suffer from this problem, but in the interim I think
the cleanest solution is to drop the conntrack reference before adding the skb
to the socket's queue.  The below patch does just that.

This fixes Netfilter bugzilla #91 and Redhat bugzilla #112630.

Phil

Signed-off-by: Phil Oester <kernel@linuxace.com>




[-- Attachment #2: patch-ref --]
[-- Type: text/plain, Size: 727 bytes --]

diff -ru linux-orig/net/packet/af_packet.c linux-new/net/packet/af_packet.c
--- linux-orig/net/packet/af_packet.c	2005-03-25 14:48:13.597903552 -0500
+++ linux-new/net/packet/af_packet.c	2005-03-25 14:51:05.480773384 -0500
@@ -274,6 +274,10 @@
 	dst_release(skb->dst);
 	skb->dst = NULL;
 
+	/* drop conntrack reference */
+	nf_conntrack_put(skb->nfct);
+	skb->nfct = NULL;
+
 	spkt = (struct sockaddr_pkt*)skb->cb;
 
 	skb_push(skb, skb->data-skb->mac.raw);
@@ -517,6 +521,10 @@
 	dst_release(skb->dst);
 	skb->dst = NULL;
 
+	/* drop conntrack reference */
+	nf_conntrack_put(skb->nfct);
+	skb->nfct = NULL;
+
 	spin_lock(&sk->sk_receive_queue.lock);
 	po->stats.tp_packets++;
 	__skb_queue_tail(&sk->sk_receive_queue, skb);