public-mirrors/linux
1
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-08-03 15:55:38 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/net/netfilter
History
Stefano Brivio 439cd39ea1 netfilter: ipset: list:set: Decrease refcount synchronously on deletion and replace 
Commit 45040978c8 ("netfilter: ipset: Fix set:list type crash
when flush/dump set in parallel") postponed decreasing set
reference counters to the RCU callback.

An 'ipset del' command can terminate before the RCU grace period
is elapsed, and if sets are listed before then, the reference
counter shown in userspace will be wrong:

 # ipset create h hash:ip; ipset create l list:set; ipset add l
 # ipset del l h; ipset list h
 Name: h
 Type: hash:ip
 Revision: 4
 Header: family inet hashsize 1024 maxelem 65536
 Size in memory: 88
 References: 1
 Number of entries: 0
 Members:
 # sleep 1; ipset list h
 Name: h
 Type: hash:ip
 Revision: 4
 Header: family inet hashsize 1024 maxelem 65536
 Size in memory: 88
 References: 0
 Number of entries: 0
 Members:

Fix this by making the reference count update synchronous again.

As a result, when sets are listed, ip_set_name_byindex() might
now fetch a set whose reference count is already zero. Instead
of relying on the reference count to protect against concurrent
set renaming, grab ip_set_ref_lock as reader and copy the name,
while holding the same lock in ip_set_rename() as writer
instead.

Reported-by: Li Shuang <shuali@redhat.com>
Fixes: 45040978c8 ("netfilter: ipset: Fix set:list type crash when flush/dump set in parallel")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-11-01 00:29:36 +01:00
..
ipset netfilter: ipset: list:set: Decrease refcount synchronously on deletion and replace 2018-11-01 00:29:36 +01:00
ipvs net: Add extack to nlmsg_parse 2018-10-08 10:39:04 -07:00
core.c netfilter: Add nf_ct_get_tuple_skb global lookup function 2018-07-10 20:06:34 -07:00
Kconfig netfilter: nf_tables: add xfrm expression 2018-09-17 11:40:08 +02:00
Makefile netfilter: nf_tables: add xfrm expression 2018-09-17 11:40:08 +02:00
nf_conncount.c netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search 2018-07-18 11:26:37 +02:00
nf_conntrack_acct.c netfilter: Replace printk() with pr_*() and define pr_fmt() 2018-03-20 13:44:14 +01:00
nf_conntrack_amanda.c
nf_conntrack_broadcast.c netfilter: check if the socket netns is correct. 2018-06-28 22:21:32 +09:00
nf_conntrack_core.c netfilter: conntrack: remove l3->l4 mapping information 2018-09-20 18:07:35 +02:00
nf_conntrack_ecache.c netfilter: Replace printk() with pr_*() and define pr_fmt() 2018-03-20 13:44:14 +01:00
nf_conntrack_expect.c netfilter: conntrack: remove l3->l4 mapping information 2018-09-20 18:07:35 +02:00
nf_conntrack_extend.c netfilter: conntrack: include kmemleak.h for kmemleak_not_leak() 2018-04-17 10:59:43 +02:00
nf_conntrack_ftp.c netfilter: add __exit mark to helper modules 2018-04-24 10:29:14 +02:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: use kvmalloc_array to allocate memory for hashtable 2018-08-03 18:37:55 +02:00
nf_conntrack_irc.c netfilter: add __exit mark to helper modules 2018-04-24 10:29:14 +02:00
nf_conntrack_labels.c
nf_conntrack_netbios_ns.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2018-03-30 11:41:18 -04:00
nf_conntrack_netlink.c netfilter: ctnetlink: must check mark attributes vs NULL 2018-09-21 10:14:46 +02:00
nf_conntrack_pptp.c
nf_conntrack_proto.c netfilter: conntrack: clamp l4proto array size at largers supported protocol 2018-09-20 18:08:14 +02:00
nf_conntrack_proto_dccp.c netfilter: conntrack: remove l3->l4 mapping information 2018-09-20 18:07:35 +02:00
nf_conntrack_proto_generic.c netfilter: conntrack: remove l3->l4 mapping information 2018-09-20 18:07:35 +02:00
nf_conntrack_proto_gre.c netfilter: conntrack: remove l3->l4 mapping information 2018-09-20 18:07:35 +02:00
nf_conntrack_proto_icmp.c netfilter: conntrack: remove l3->l4 mapping information 2018-09-20 18:07:35 +02:00
nf_conntrack_proto_icmpv6.c netfilter: conntrack: remove l3->l4 mapping information 2018-09-20 18:07:35 +02:00
nf_conntrack_proto_sctp.c netfilter: conntrack: remove l3->l4 mapping information 2018-09-20 18:07:35 +02:00
nf_conntrack_proto_tcp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2018-10-08 21:28:55 -07:00
nf_conntrack_proto_udp.c netfilter: conntrack: remove l3->l4 mapping information 2018-09-20 18:07:35 +02:00
nf_conntrack_sane.c netfilter: add __exit mark to helper modules 2018-04-24 10:29:14 +02:00
nf_conntrack_seqadj.c
nf_conntrack_sip.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2018-05-06 21:51:37 -04:00
nf_conntrack_snmp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2018-03-30 11:41:18 -04:00
nf_conntrack_standalone.c netfilter: conntrack: remove l3->l4 mapping information 2018-09-20 18:07:35 +02:00
nf_conntrack_tftp.c netfilter: add __exit mark to helper modules 2018-04-24 10:29:14 +02:00
nf_conntrack_timeout.c netfilter: cttimeout: decouple timeout policy from nfnetlink_cttimeout object 2018-08-07 17:14:15 +02:00
nf_conntrack_timestamp.c netfilter: Replace printk() with pr_*() and define pr_fmt() 2018-03-20 13:44:14 +01:00
nf_dup_netdev.c
nf_flow_table_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2018-10-22 20:21:30 -07:00
nf_flow_table_inet.c netfilter: nf_flow_table: move init code to nf_flow_table_core.c 2018-04-24 10:28:45 +02:00
nf_flow_table_ip.c netfilter: nf_flow_table: remove unnecessary nat flag check code 2018-09-28 14:28:38 +02:00
nf_internals.h netfilter: core: export raw versions of add/delete hook functions 2018-05-23 09:14:05 +02:00
nf_log.c netfilter: nf_log: don't hold nf_log_mutex during user access 2018-06-26 16:48:40 +02:00
nf_log_common.c netfilter: check if the socket netns is correct. 2018-06-28 22:21:32 +09:00
nf_log_netdev.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
nf_nat_amanda.c
nf_nat_core.c netfilter: use kvmalloc_array to allocate memory for hashtable 2018-08-03 18:37:55 +02:00
nf_nat_ftp.c netfilter: Replace printk() with pr_*() and define pr_fmt() 2018-03-20 13:44:14 +01:00
nf_nat_helper.c netfilter: nat: remove duplicate skb_is_nonlinear() in __nf_nat_mangle_tcp_packet() 2018-09-20 18:26:56 +02:00
nf_nat_irc.c netfilter: Replace printk() with pr_*() and define pr_fmt() 2018-03-20 13:44:14 +01:00
nf_nat_proto_common.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
nf_nat_proto_dccp.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
nf_nat_proto_sctp.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
nf_nat_proto_tcp.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
nf_nat_proto_udp.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
nf_nat_proto_unknown.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
nf_nat_redirect.c netfilter: nat: remove unnecessary rcu_read_lock in nf_nat_redirect_ipv{4/6} 2018-09-17 16:11:14 +02:00
nf_nat_sip.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
nf_nat_tftp.c
nf_queue.c
nf_sockopt.c
nf_synproxy_core.c proc: introduce proc_create_net{,_data} 2018-05-16 07:24:30 +02:00
nf_tables_api.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2018-10-22 20:21:30 -07:00
nf_tables_core.c netfilter: nf_tables: add SECMARK support 2018-09-28 14:28:29 +02:00
nf_tables_set_core.c netfilter: nf_tables: place all set backends in one single module 2018-07-06 19:31:53 +02:00
nf_tables_trace.c
nfnetlink.c netfilter: nf_tables: use dedicated mutex to guard transactions 2018-07-18 11:26:48 +02:00
nfnetlink_acct.c netfilter: fix memory leaks on netlink_dump_start error 2018-08-16 19:37:00 +02:00
nfnetlink_cthelper.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
nfnetlink_cttimeout.c netfilter: cttimeout: remove set but not used variable 'l3num' 2018-10-16 10:01:48 +02:00
nfnetlink_log.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
nfnetlink_osf.c netfilter: nft_osf: Add ttl option support 2018-10-16 10:01:48 +02:00
nfnetlink_queue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-09-12 22:22:42 -07:00
nft_bitwise.c
nft_byteorder.c
nft_chain_filter.c netfilter: nf_tables: don't prevent event handler from device cleanup on netns exit 2018-08-16 19:37:03 +02:00
nft_cmp.c netfilter: nf_tables: avoid BUG_ON usage 2018-09-17 16:11:12 +02:00
nft_compat.c netfilter: nft_compat: do not dump private area 2018-10-11 11:29:53 +02:00
nft_connlimit.c netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search 2018-07-18 11:26:37 +02:00
nft_counter.c netfilter: nf_tables: add destroy_clone expression 2018-06-03 00:02:11 +02:00
nft_ct.c netfilter: nf_tables: add requirements for connsecmark support 2018-09-28 14:28:34 +02:00
nft_dup_netdev.c netfilter: remove two unused variables. 2018-10-19 14:00:33 +02:00
nft_dynset.c netfilter: nf_tables: split set destruction in deactivate and destroy phase 2018-09-17 11:29:49 +02:00
nft_exthdr.c netfilter: nf_tables: merge exthdr expression into nft core 2018-04-27 00:00:56 +02:00
nft_fib.c
nft_fib_inet.c
nft_fib_netdev.c
nft_flow_offload.c netfilter: nf_flow_table: remove unnecessary parameter of nf_flow_table_cleanup() 2018-10-19 13:25:22 +02:00
nft_fwd_netdev.c netfilter: remove two unused variables. 2018-10-19 14:00:33 +02:00
nft_hash.c netfilter: fix ptr_ret.cocci warnings 2018-06-01 09:38:40 +02:00
nft_immediate.c netfilter: nf_tables: fix jumpstack depth validation 2018-07-17 20:48:24 +02:00
nft_limit.c netfilter: nft_limit: fix packet ratelimiting 2018-05-23 09:50:28 +02:00
nft_log.c netfilter: nf_tables: add NFT_LOGLEVEL_* enumeration and use it 2018-06-07 16:14:00 -04:00
nft_lookup.c netfilter: nf_tables: split set destruction in deactivate and destroy phase 2018-09-17 11:29:49 +02:00
nft_masq.c
nft_meta.c netfilter: nf_tables: add requirements for connsecmark support 2018-09-28 14:28:34 +02:00
nft_nat.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
nft_numgen.c Revert "netfilter: nft_numgen: add map lookups for numgen random operations" 2018-10-29 11:11:33 +01:00
nft_objref.c netfilter: nf_tables: split set destruction in deactivate and destroy phase 2018-09-17 11:29:49 +02:00
nft_osf.c netfilter: nft_osf: check if attribute is present 2018-10-25 10:18:31 +02:00
nft_payload.c
nft_queue.c
nft_quota.c
nft_range.c
nft_redir.c
nft_reject.c netfilter: nf_tables: avoid BUG_ON usage 2018-09-17 16:11:12 +02:00
nft_reject_inet.c
nft_rt.c netfilter: nf_tables: rt: allow checking if dst has xfrm attached 2018-09-17 11:29:49 +02:00
nft_set_bitmap.c netfilter: nft_set: fix allocation size overflow in privsize callback. 2018-08-16 19:36:59 +02:00
nft_set_hash.c netfilter: nf_tables: use rhashtable_lookup() instead of rhashtable_lookup_fast() 2018-09-28 14:28:43 +02:00
nft_set_rbtree.c netfilter: nft_set_rbtree: allow loose matching of closing element in interval 2018-10-11 11:29:14 +02:00
nft_socket.c netfilter: nft_socket: Expose socket mark 2018-07-18 11:26:52 +02:00
nft_tproxy.c netfilter: nft_tproxy: Fix missing-braces warning 2018-08-16 19:37:10 +02:00
nft_tunnel.c netfilter: nft_tunnel: fix sparse errors 2018-08-04 00:53:29 +02:00
nft_xfrm.c netfilter: nft_xfrm: use state family, not hook one 2018-10-16 10:01:49 +02:00
utils.c netfilter: utils: move nf_ip6_checksum* from ipv6 to utils 2018-07-16 17:51:48 +02:00
x_tables.c netfilter: x_tables: do not fail xt_alloc_table_info too easilly 2018-08-16 19:37:05 +02:00
xt_addrtype.c netfilter: x_tables: use pr ratelimiting in matches/targets 2018-02-14 21:05:37 +01:00
xt_AUDIT.c audit: eliminate audit_enabled magic number comparison 2018-06-19 10:43:55 -04:00
xt_bpf.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_cgroup.c netfilter: xt_cgroup: shrink size of v2 path 2018-09-17 16:11:03 +02:00
xt_CHECKSUM.c netfilter: xt_checksum: ignore gso skbs 2018-08-24 09:58:16 +02:00
xt_CLASSIFY.c
xt_cluster.c netfilter: xt_cluster: add dependency on conntrack module 2018-08-23 20:26:53 +02:00
xt_comment.c
xt_connbytes.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_connlabel.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_connlimit.c netfilter: use PTR_ERR_OR_ZERO() 2018-07-30 14:07:09 +02:00
xt_connmark.c netfilter: xt_connmark: fix list corruption on rmmod 2018-06-12 19:35:52 +02:00
xt_CONNSECMARK.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_conntrack.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_cpu.c
xt_CT.c netfilter: conntrack: remove l3->l4 mapping information 2018-09-20 18:07:35 +02:00
xt_dccp.c
xt_devgroup.c
xt_DSCP.c netfilter: x_tables: remove pr_info where possible 2018-02-14 21:05:33 +01:00
xt_dscp.c netfilter: x_tables: remove pr_info where possible 2018-02-14 21:05:33 +01:00
xt_ecn.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_esp.c
xt_hashlimit.c netfilter: xt_hashlimit: use s->file instead of s->private 2018-09-11 01:35:32 +02:00
xt_helper.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_HL.c netfilter: x_tables: remove pr_info where possible 2018-02-14 21:05:33 +01:00
xt_hl.c
xt_HMARK.c netfilter: x_tables: use pr ratelimiting in matches/targets 2018-02-14 21:05:37 +01:00
xt_IDLETIMER.c netfilter: xtables: avoid BUG_ON 2018-09-17 16:11:12 +02:00
xt_ipcomp.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_iprange.c
xt_ipvs.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_l2tp.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_LED.c netfilter: x_tables: fix missing timer initialization in xt_LED 2018-02-14 21:05:39 +01:00
xt_length.c
xt_limit.c netfilter: xt_limit: Spelling s/maxmum/maximum/ 2018-03-05 23:15:50 +01:00
xt_LOG.c
xt_mac.c
xt_mark.c
xt_multiport.c
xt_nat.c netfilter: xt_nat: fix DNAT target for shifted portmap ranges 2018-10-16 19:34:49 +02:00
xt_NETMAP.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
xt_nfacct.c netfilter: nfnetlink_acct: remove useless parameter 2018-03-05 23:15:43 +01:00
xt_NFLOG.c netfilter: xt_NFLOG: use nf_log_packet instead of nfulnl_log_packet. 2018-04-19 13:02:44 +02:00
xt_NFQUEUE.c netfilter: xt_NFQUEUE: use pr ratelimiting 2018-02-14 21:05:35 +01:00
xt_osf.c netfilter: xt_osf: simplify xt_osf_match_packet() 2018-10-16 10:01:50 +02:00
xt_owner.c netfilter: check if the socket netns is correct. 2018-06-28 22:21:32 +09:00
xt_physdev.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_pkttype.c
xt_policy.c netfilter: x_tables: use pr ratelimiting in matches/targets 2018-02-14 21:05:37 +01:00
xt_quota.c Revert "netfilter: xt_quota: fix the behavior of xt_quota module" 2018-10-19 14:00:34 +02:00
xt_RATEEST.c netfilter: make xt_rateest hash table per net 2018-03-05 23:15:44 +01:00
xt_rateest.c netfilter: make xt_rateest hash table per net 2018-03-05 23:15:44 +01:00
xt_realm.c
xt_recent.c netfilter: check if the socket netns is correct. 2018-06-28 22:21:32 +09:00
xt_REDIRECT.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
xt_repldata.h
xt_sctp.c
xt_SECMARK.c netfilter: xtables: avoid BUG_ON 2018-09-17 16:11:12 +02:00
xt_set.c netfilter: ipset: Limit max timeout value 2018-06-06 14:00:54 +02:00
xt_socket.c netfilter: xt_socket: check sk before checking for netns. 2018-09-28 14:47:41 +02:00
xt_state.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_statistic.c netfilter: x_tables: fix pointer leaks to userspace 2018-01-31 14:59:24 +01:00
xt_string.c netfilter: ebtables: Add string filter 2018-03-30 11:04:12 +02:00
xt_TCPMSS.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_tcpmss.c
xt_TCPOPTSTRIP.c
xt_tcpudp.c
xt_TEE.c netfilter: xt_TEE: add missing code to get interface index in checkentry. 2018-10-11 11:29:14 +02:00
xt_time.c netfilter: Replace printk() with pr_*() and define pr_fmt() 2018-03-20 13:44:14 +01:00
xt_TPROXY.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2018-07-20 22:28:28 -07:00
xt_TRACE.c
xt_u32.c