Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: ipset: Hold module reference while requesting a module

User space may unload ip_set.ko while it is itself requesting a set type
backend module, leading to a kernel crash. The race condition may be
provoked by inserting an mdelay() right after the nfnl_unlock() call.

Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Authored by Phil Sutter and committed by Pablo Neira Ayuso
456f010b 7b1d83da

+5
net/netfilter/ipset/ip_set_core.c
··· 104 104 static bool 105 105 load_settype(const char *name) 106 106 { 107 + if (!try_module_get(THIS_MODULE)) 108 + return false; 109 + 107 110 nfnl_unlock(NFNL_SUBSYS_IPSET); 108 111 pr_debug("try to load ip_set_%s\n", name); 109 112 if (request_module("ip_set_%s", name) < 0) { 110 113 pr_warn("Can't find ip_set type %s\n", name); 111 114 nfnl_lock(NFNL_SUBSYS_IPSET); 115 + module_put(THIS_MODULE); 112 116 return false; 113 117 } 114 118 nfnl_lock(NFNL_SUBSYS_IPSET); 119 + module_put(THIS_MODULE); 115 120 return true; 116 121 } 117 122
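
Review bot: the nfnl_lock(NFNL_SUBSYS_IPSET) / module_put(THIS_MODULE) pair is now repeated on both the request_module() failure path and the success path of load_settype(), so a later edit to one exit can miss the other and leak the module reference. Consider storing the request_module() result, re-taking the lock and calling module_put() once, and then emitting the pr_warn() and choosing the return value from the stored result. A one-line comment above try_module_get() stating that the reference covers the window in which the nfnl lock is dropped would also help, since the early "return false" there is silent, unlike the pr_warn() on the other failure path, and the caller cannot tell the two failures apart.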