596cf3fe58
This fix adds a new reference counter (ref_netlink) for the struct ip_set. The other reference counter (ref) can be swapped out by ip_set_swap and we need a separate counter to keep track of references for netlink events like dump. Using the same ref counter for dump causes a race condition which can be demonstrated by the following script: ipset create hash_ip1 hash:ip family inet hashsize 1024 maxelem 500000 \ counters ipset create hash_ip2 hash:ip family inet hashsize 300000 maxelem 500000 \ counters ipset create hash_ip3 hash:ip family inet hashsize 1024 maxelem 500000 \ counters ipset save & ipset swap hash_ip3 hash_ip2 ipset destroy hash_ip3 /* will crash the machine */ Swap will exchange the values of ref so destroy will see ref = 0 instead of ref = 1. With this fix in place swap will not succeed because ipset save still has ref_netlink on the set (ip_set_swap doesn't swap ref_netlink). Both delete and swap will error out if ref_netlink != 0 on the set. Note: The changes to *_head functions is because previously we would increment ref whenever we called these functions, we don't do that anymore. Reviewed-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||
|---|---|---|
| .. | ||
| ipset | ||
| nf_conntrack_amanda.h | ||
| nf_conntrack_common.h | ||
| nf_conntrack_dccp.h | ||
| nf_conntrack_ftp.h | ||
| nf_conntrack_h323.h | ||
| nf_conntrack_h323_asn1.h | ||
| nf_conntrack_h323_types.h | ||
| nf_conntrack_irc.h | ||
| nf_conntrack_pptp.h | ||
| nf_conntrack_proto_gre.h | ||
| nf_conntrack_sane.h | ||
| nf_conntrack_sctp.h | ||
| nf_conntrack_sip.h | ||
| nf_conntrack_snmp.h | ||
| nf_conntrack_tcp.h | ||
| nf_conntrack_tftp.h | ||
| nf_conntrack_zones_common.h | ||
| nfnetlink.h | ||
| nfnetlink_acct.h | ||
| x_tables.h | ||
| xt_hashlimit.h | ||
| xt_physdev.h | ||