netfilter: ctnetlink: drop the incorrect cthelper module request

First, when creating a new ct, we will invoke request_module to try to
load the related inkernel cthelper. So there's no need to call the
request_module again when updating the ct helpinfo.

Second, ctnetlink_change_helper may be called with rcu_read_lock held,
i.e. rcu_read_lock -> nfqnl_recv_verdict -> nfqnl_ct_parse ->
ctnetlink_glue_parse -> ctnetlink_glue_parse_ct ->
ctnetlink_change_helper. But the request_module invocation may sleep,
so we can't call it with the rcu_read_lock held.

Remove it now.

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index dc7dfd68fafe5d8db341488ac7d9ad5bf8f80b46..48c184552de0f00dddc2816ac920122a1156d5d1 100644 (file)
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1512,23 +1512,8 @@ static int ctnetlink_change_helper(struct nf_conn *ct,
 
        helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
                                            nf_ct_protonum(ct));
-       if (helper == NULL) {
-#ifdef CONFIG_MODULES
-               spin_unlock_bh(&nf_conntrack_expect_lock);
-
-               if (request_module("nfct-helper-%s", helpname) < 0) {
-                       spin_lock_bh(&nf_conntrack_expect_lock);
-                       return -EOPNOTSUPP;
-               }
-
-               spin_lock_bh(&nf_conntrack_expect_lock);
-               helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
-                                                   nf_ct_protonum(ct));
-               if (helper)
-                       return -EAGAIN;
-#endif
+       if (helper == NULL)
                return -EOPNOTSUPP;
-       }
 
        if (help) {
                if (help->helper == helper) {