path: root/net/netfilter/nf_conntrack_expect.c
diff options
authorFlorian Westphal <>2022-01-07 05:03:22 +0100
committerPablo Neira Ayuso <>2022-01-09 23:30:13 +0100
commit719774377622bc4025d2a74f551b5dc2158c6c30 (patch)
tree8fbe7d875fbdaf8fcd909f15b230728c8c8b5baa /net/netfilter/nf_conntrack_expect.c
parent613a0c67d12f33dcbeec2836f5fe60d05b4c18c0 (diff)
netfilter: conntrack: convert to refcount_t api
Convert nf_conn reference counting from atomic_t to refcount_t based api. refcount_t api provides more runtime sanity checks and will warn on certain constructs, e.g. refcount_inc() on a zero reference count, which usually indicates use-after-free. For this reason template allocation is changed to init the refcount to 1, the subsequenct add operations are removed. Likewise, init_conntrack() is changed to set the initial refcount to 1 instead refcount_inc(). This is safe because the new entry is not (yet) visible to other cpus. Signed-off-by: Florian Westphal <> Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'net/netfilter/nf_conntrack_expect.c')
1 files changed, 2 insertions, 2 deletions
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 1e89b595ecd0..96948e98ec53 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -203,12 +203,12 @@ nf_ct_find_expectation(struct net *net,
* about to invoke ->destroy(), or nf_ct_delete() via timeout
* or early_drop().
- * The atomic_inc_not_zero() check tells: If that fails, we
+ * The refcount_inc_not_zero() check tells: If that fails, we
* know that the ct is being destroyed. If it succeeds, we
* can be sure the ct cannot disappear underneath.
if (unlikely(nf_ct_is_dying(exp->master) ||
- !atomic_inc_not_zero(&exp->master->ct_general.use)))
+ !refcount_inc_not_zero(&exp->master->ct_general.use)))
return NULL;
if (exp->flags & NF_CT_EXPECT_PERMANENT) {