linux/net/netfilter/ipset
Ross Lagerwall e5173418ac netfilter: ipset: Fix race between dump and swap
Fix a race between ip_set_dump_start() and ip_set_swap().
The race is as follows:
* Without holding the ref lock, ip_set_swap() checks ref_netlink of the
  set and it is 0.
* ip_set_dump_start() takes a reference on the set.
* ip_set_swap() does the swap (even though it now has a non-zero
  reference count).
* ip_set_dump_start() gets the set from ip_set_list again which is now a
  different set since it has been swapped.
* ip_set_dump_start() calls __ip_set_put_netlink() and hits a BUG_ON due
  to the reference count being 0.

Fix this race by extending the critical region in which the ref lock is
held to include checking the ref counts.

The race can be reproduced with the following script:
  while :; do
    ipset destroy hash_ip1
    ipset destroy hash_ip2
    ipset create hash_ip1 hash:ip family inet hashsize 1024 \
        maxelem 500000
    ipset create hash_ip2 hash:ip family inet hashsize 300000 \
        maxelem 500000
    ipset create hash_ip3 hash:ip family inet hashsize 1024 \
        maxelem 500000
    ipset save &
    ipset swap hash_ip3 hash_ip2
    ipset destroy hash_ip3
    wait
  done

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-09-29 12:15:14 +02:00
..
ip_set_bitmap_gen.h netfilter: Remove unnecessary cast on void pointer 2017-04-07 17:29:17 +02:00
ip_set_bitmap_ip.c netfilter: ipset: Fix extension alignment 2015-11-07 11:21:47 +01:00
ip_set_bitmap_ipmac.c netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length 2016-03-08 20:36:17 +01:00
ip_set_bitmap_port.c netfilter: ipset: Fix extension alignment 2015-11-07 11:21:47 +01:00
ip_set_core.c netfilter: ipset: Fix race between dump and swap 2017-09-29 12:15:14 +02:00
ip_set_getport.c sctp: remove the typedef sctp_sctphdr_t 2017-07-01 09:08:41 -07:00
ip_set_hash_gen.h netfilter: ipset: ipset list may return wrong member count for set with timeout 2017-09-18 17:35:32 +02:00
ip_set_hash_ip.c netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses 2017-09-26 20:15:04 +02:00
ip_set_hash_ipmac.c netfilter: ipset: hash: fix boolreturn.cocci warnings 2016-11-10 13:28:50 +01:00
ip_set_hash_ipmark.c netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses 2017-09-26 20:15:04 +02:00
ip_set_hash_ipport.c netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses 2017-09-26 20:15:04 +02:00
ip_set_hash_ipportip.c netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses 2017-09-26 20:15:04 +02:00
ip_set_hash_ipportnet.c netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses 2017-09-26 20:15:04 +02:00
ip_set_hash_mac.c netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length 2016-03-08 20:36:17 +01:00
ip_set_hash_net.c netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses 2017-09-26 20:15:04 +02:00
ip_set_hash_netiface.c netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses 2017-09-26 20:15:04 +02:00
ip_set_hash_netnet.c netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses 2017-09-26 20:15:04 +02:00
ip_set_hash_netport.c netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses 2017-09-26 20:15:04 +02:00
ip_set_hash_netportnet.c netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses 2017-09-26 20:15:04 +02:00
ip_set_list_set.c netfilter: ipset: Null pointer exception in ipset list:set 2017-02-19 19:08:47 +01:00
Kconfig netfilter: ipset: hash:ipmac type support added to ipset 2016-11-10 13:28:49 +01:00
Makefile netfilter: ipset: hash:ipmac type support added to ipset 2016-11-10 13:28:49 +01:00
pfxlen.c netfilter: ipset: Fix coding styles reported by checkpatch.pl 2015-06-14 10:40:18 +02:00