Commit 456f010b authored by Phil Sutter, committed by Pablo Neira Ayuso

netfilter: ipset: Hold module reference while requesting a module



User space may unload ip_set.ko while it is itself requesting a set type
backend module, leading to a kernel crash. The race condition may be
provoked by inserting an mdelay() right after the nfnl_unlock() call.

Fixes: a7b4f989 ("netfilter: ipset: IP set core support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 7b1d83da
+5 −0
@@ -104,14 +104,19 @@ find_set_type(const char *name, u8 family, u8 revision)
static bool
load_settype(const char *name)
{
	if (!try_module_get(THIS_MODULE))
		return false;

	nfnl_unlock(NFNL_SUBSYS_IPSET);
	pr_debug("try to load ip_set_%s\n", name);
	if (request_module("ip_set_%s", name) < 0) {
		pr_warn("Can't find ip_set type %s\n", name);
		nfnl_lock(NFNL_SUBSYS_IPSET);
		module_put(THIS_MODULE);
		return false;
	}
	nfnl_lock(NFNL_SUBSYS_IPSET);
	module_put(THIS_MODULE);
	return true;
}
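
Review bot: the nfnl_lock(NFNL_SUBSYS_IPSET) / module_put(THIS_MODULE) pair in load_settype() now appears twice, once in the request_module() failure branch and once on the success path, so a later edit can easily update one and miss the other. Consider storing the request_module() result in a local, re-taking the lock and dropping the reference once, then returning based on the stored result, with pr_warn() kept in the failure case. The ordering itself is right: the reference is released only after nfnl_lock() has been re-acquired. Two smaller points: a one-line comment above try_module_get(THIS_MODULE) saying that the reference pins ip_set.ko across the window where the nfnl mutex is dropped would record why it is there, since the reason is only in the commit message; and the early "return false" when try_module_get() fails is silent, whereas the other failure path logs, so a pr_debug() there would let the two cases be told apart.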