summaryrefslogtreecommitdiff
path: root/include/linux/highmem.h
diff options
context:
space:
mode:
authorVishwanath Pai <vpai@akamai.com>2016-03-16 23:49:00 +0300
committerPablo Neira Ayuso <pablo@netfilter.org>2016-03-28 18:57:45 +0300
commit596cf3fe5854fe2b1703b0466ed6bf9cfb83c91e (patch)
treefe02169500b0046f42b7f85e91c92b3cfb4fa342 /include/linux/highmem.h
parentd7be81a5916bdb1d904803958e5991a16f7ae4b2 (diff)
downloadlinux-596cf3fe5854fe2b1703b0466ed6bf9cfb83c91e.tar.xz
netfilter: ipset: fix race condition in ipset save, swap and delete
This fix adds a new reference counter (ref_netlink) for the struct ip_set. The other reference counter (ref) can be swapped out by ip_set_swap and we need a separate counter to keep track of references for netlink events like dump. Using the same ref counter for dump causes a race condition which can be demonstrated by the following script: ipset create hash_ip1 hash:ip family inet hashsize 1024 maxelem 500000 \ counters ipset create hash_ip2 hash:ip family inet hashsize 300000 maxelem 500000 \ counters ipset create hash_ip3 hash:ip family inet hashsize 1024 maxelem 500000 \ counters ipset save & ipset swap hash_ip3 hash_ip2 ipset destroy hash_ip3 /* will crash the machine */ Swap will exchange the values of ref so destroy will see ref = 0 instead of ref = 1. With this fix in place swap will not succeed because ipset save still has ref_netlink on the set (ip_set_swap doesn't swap ref_netlink). Both delete and swap will error out if ref_netlink != 0 on the set. Note: The changes to *_head functions is because previously we would increment ref whenever we called these functions, we don't do that anymore. Reviewed-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/linux/highmem.h')
0 files changed, 0 insertions, 0 deletions