[4/4] netfilter: ipset: dumping error triggered removing references twice

Submitted by Pablo Neira on Jan. 17, 2012, 11:04 a.m.


Message ID 1326798289-11592-5-git-send-email-pablo@netfilter.org
State Accepted
Delegated to: David Miller

Commit Message

Pablo Neira Jan. 17, 2012, 11:04 a.m.
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

If there was a dumping error in the middle, the set-specific variable was
not zeroed out and thus the 'done' function of the dumping wrongly tried
to release the already released reference of the set. The already released
reference was caught by __ip_set_put and triggered a kernel BUG message.
Reported by Jean-Philippe Menil.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 net/netfilter/ipset/ip_set_core.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)


diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 0f8e5f2..32dbf0f 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1142,6 +1142,7 @@  release_refcount:
 	if (ret || !cb->args[2]) {
 		pr_debug("release set %s\n", ip_set_list[index]->name);
+		cb->args[2] = 0;
 	if (nlh) {
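Review bot: the correctness of the added `cb->args[2] = 0;` depends on two things that the shown context does not let a reader verify: that the reference release for `ip_set_list[index]` happens in this same `if (ret || !cb->args[2])` branch, right after the `pr_debug`, and that the dump's `done` callback treats a zero `cb->args[2]` as "no reference held" and skips its own put. The hunk as quoted is cut off after `if (nlh) {`, so the release call itself is not visible; please include enough trailing context (or a sentence in the commit message) to show the put that this zeroing is meant to guard, and confirm that index 0 cannot be a legitimately held set index in `cb->args[2]`, since the `!cb->args[2]` half of the condition already treats zero as "nothing to release". Otherwise the change is the minimal fix for the double release described in the commit message.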