Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-04 04:06:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

netfilter: ipset: Hold module reference while requesting a module

Browse Source 
User space may unload ip_set.ko while it is itself requesting a set type
backend module, leading to a kernel crash. The race condition may be
provoked by inserting an mdelay() right after the nfnl_unlock() call.

Fixes: a7b4f989a6 ("netfilter: ipset: IP set core support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Phil Sutter 2024-11-29 16:30:38 +01:00 committed by Pablo Neira Ayuso
parent 7b1d83da25
commit 456f010bfa
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
net/netfilter/ipset/ip_set_core.c
View File

@ -104,14 +104,19 @@ find_set_type(const char *name, u8 family, u8 revision)
static bool static bool
load_settype(const char *name) load_settype(const char *name)
{ {
if (!try_module_get(THIS_MODULE))
return false;
nfnl_unlock(NFNL_SUBSYS_IPSET); nfnl_unlock(NFNL_SUBSYS_IPSET);
pr_debug("try to load ip_set_%s\n", name); pr_debug("try to load ip_set_%s\n", name);
if (request_module("ip_set_%s", name) < 0) { if (request_module("ip_set_%s", name) < 0) {
pr_warn("Can't find ip_set type %s\n", name); pr_warn("Can't find ip_set type %s\n", name);
nfnl_lock(NFNL_SUBSYS_IPSET); nfnl_lock(NFNL_SUBSYS_IPSET);
module_put(THIS_MODULE);
return false; return false;
} }
nfnl_lock(NFNL_SUBSYS_IPSET); nfnl_lock(NFNL_SUBSYS_IPSET);
module_put(THIS_MODULE);
return true; return true;
} }