netfilter: ipset: Missing nfnl_lock()/nfnl_unlock() is added to ip_set_net_exit()
author Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Sat, 6 Jan 2018 14:24:18 +0000 (15:24 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Apr 2018 06:56:15 +0000 (08:56 +0200)
commit f998b6b10144cd9809da6af02758615f789e8aa1 upstream.

Patch "netfilter: ipset: use nfnl_mutex_is_locked" added the real
mutex locking check, which revealed the missing locking in ip_set_net_exit().

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Reported-by: syzbot+36b06f219f2439fe62e1@syzkaller.appspotmail.com
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/netfilter/ipset/ip_set_core.c

index cf84f7b37cd9dfb828892e23b0aa2603827b6427..9d2ce1459cec462e72a65bd105a1e4a2f855b899 100644 (file)
@@ -2055,6 +2055,7 @@ ip_set_net_exit(struct net *net)
 
        inst->is_deleted = true; /* flag for ip_set_nfnl_put */
 
+       nfnl_lock(NFNL_SUBSYS_IPSET);
        for (i = 0; i < inst->ip_set_max; i++) {
                set = ip_set(inst, i);
                if (set) {
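Review bot: the store `inst->is_deleted = true` sits just above the new `nfnl_lock(NFNL_SUBSYS_IPSET)` call, so it is still written outside the critical section this patch creates. Its comment says the flag is meant for ip_set_nfnl_put; if that reader checks it while holding the nfnl lock, move the assignment below the `nfnl_lock()` line so the flag and the set teardown are published under the same lock, or add a comment explaining why an unlocked write is safe during net exit.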
@@ -2062,6 +2063,7 @@ ip_set_net_exit(struct net *net)
                        ip_set_destroy_set(set);
                }
        }
+       nfnl_unlock(NFNL_SUBSYS_IPSET);
        kfree(rcu_dereference_protected(inst->ip_set_list, 1));
 }
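Review bot: `kfree(rcu_dereference_protected(inst->ip_set_list, 1))` is left after the new `nfnl_unlock()`, and its condition argument is the constant 1, which switches off the lockdep check for this dereference. Since the commit message says a real locking check is what exposed this bug, consider doing the dereference and kfree before `nfnl_unlock(NFNL_SUBSYS_IPSET)` with an actual lock-held condition, or add a comment stating why nothing else can reach ip_set_list at this point in ip_set_net_exit().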