netfilter: ipset: dumping error triggered removing references twice

If there was a dumping error in the middle, the set-specific variable was not zeroed out and thus the 'done' function of the dumping wrongly tried to release the already released reference of the set. The already released reference was caught by __ip_set_put and triggered a kernel BUG message. Reported by Jean-Philippe Menil. Signed-off-by: N Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: ipset: dumping error triggered removing references twice
If there was a dumping error in the middle, the set-specific variable was not zeroed out and thus the 'done' function of the dumping wrongly tried to release the already released reference of the set. The already released reference was caught by __ip_set_put and triggered a kernel BUG message. Reported by Jean-Philippe Menil. Signed-off-by: N Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>
be94db9d · Jozsef Kadlecsik · Pablo Neira Ayuso · 088067f4 · be94db9d
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

net/netfilter/ipset/ip_set_core.c net/netfilter/ipset/ip_set_core.c +1 -0

未找到文件。
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1142,6 +1142,7 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
 	if (ret || !cb->args[2]) {
 		pr_debug("release set %s\n", ip_set_list[index]->name);
 		ip_set_put_byindex(index);
+		cb->args[2] = 0;
 	}
 out:
 	if (nlh) {