Commit e23ed762 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: ipset: pernet ops must be unregistered last 



Removing the ipset module leaves a small window where one cpu performs
module removal while another runs a command like 'ipset flush'.

ipset uses net_generic(), unregistering the pernet ops frees this
storage area.

Fix it by first removing the user-visible api handlers and the pernet
ops last.

Fixes: 1785e8f4 ("netfiler: ipset: Add net namespace for ipset")
Reported-by: default avatarLi Shuang <shuali@redhat.com>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Acked-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 48596a8d

net/netfilter/ipset/ip_set_core.c

+13 −9
Original line number Diff line number Diff line
@@ -2072,25 +2072,28 @@ static struct pernet_operations ip_set_net_ops = { 
static int __init

ip_set_init(void)

{

	int ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);

	int ret = register_pernet_subsys(&ip_set_net_ops);



	if (ret) {

		pr_err("ip_set: cannot register pernet_subsys.\n");

		return ret;

	}



	ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);

	if (ret != 0) {

		pr_err("ip_set: cannot register with nfnetlink.\n");

		unregister_pernet_subsys(&ip_set_net_ops);

		return ret;

	}



	ret = nf_register_sockopt(&so_set);

	if (ret != 0) {

		pr_err("SO_SET registry failed: %d\n", ret);

		nfnetlink_subsys_unregister(&ip_set_netlink_subsys);

		unregister_pernet_subsys(&ip_set_net_ops);

		return ret;

	}

	ret = register_pernet_subsys(&ip_set_net_ops);

	if (ret) {

		pr_err("ip_set: cannot register pernet_subsys.\n");

		nf_unregister_sockopt(&so_set);

		nfnetlink_subsys_unregister(&ip_set_netlink_subsys);

		return ret;

	}



	pr_info("ip_set: protocol %u\n", IPSET_PROTOCOL);

	return 0;

}
@@ -2098,9 +2101,10 @@ ip_set_init(void) 
static void __exit

ip_set_fini(void)

{

	unregister_pernet_subsys(&ip_set_net_ops);

	nf_unregister_sockopt(&so_set);

	nfnetlink_subsys_unregister(&ip_set_netlink_subsys);



	unregister_pernet_subsys(&ip_set_net_ops);

	pr_debug("these are the famous last words\n");

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE