Re: [PATCH NETFILTER] netfilter: gre: nf_ct_gre_keymap_flush() removal

Re: [PATCH NETFILTER] netfilter: gre: nf_ct_gre_keymap_flush() removal

[Florian Westphal]

Vasily Averin <vvs@virtuozzo.com> wrote:
> nf_ct_gre_keymap_flush() is useless.
> It is called from nf_conntrack_cleanup_net_list() only and tries to remove
> nf_ct_gre_keymap entries from pernet gre keymap list. Though:
> a) at this point the list should already be empty, all its entries were
> deleted during the conntracks cleanup, because
> nf_conntrack_cleanup_net_list() executes nf_ct_iterate_cleanup(kill_all)
> before nf_conntrack_proto_pernet_fini():
>  nf_conntrack_cleanup_net_list
>   +- nf_ct_iterate_cleanup
>   |   nf_ct_put
>   |    nf_conntrack_put
>   |     nf_conntrack_destroy
>   |      destroy_conntrack
>   |       destroy_gre_conntrack
>   |        nf_ct_gre_keymap_destroy
>   `- nf_conntrack_proto_pernet_fini
>       nf_ct_gre_keymap_flush
> 
> b) Let's say we find that the keymap list is not empty. This means netns
> still has a conntrack associated with gre, in which case we should not free
> its memory, because this will lead to a double free and related crashes.
> However I doubt it could have gone unnoticed for years, obviously
> this does not happen in real life. So I think we can remove
> both nf_ct_gre_keymap_flush() and nf_conntrack_proto_pernet_fini().

Acked-by: Florian Westphal <fw@strlen.de>