From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 10/14] netfilter: ipset: Fix calling ip_set() macro at dumping
Date: Tue,  6 Nov 2018 00:28:28 +0100
Message-ID: <20181105232832.21896-11-pablo@netfilter.org>
In-Reply-To: <20181105232832.21896-1-pablo@netfilter.org>

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

The ip_set() macro is called when either ip_set_ref_lock held only
or no lock/nfnl mutex is held at dumping. Take this into account
properly. Also, use Pablo's suggestion to use rcu_dereference_raw(),
the ref_netlink protects the set.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipset/ip_set_core.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 68db946df151..1577f2f76060 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -55,11 +55,15 @@ MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("core IP set support");
 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
 
-/* When the nfnl mutex is held: */
+/* When the nfnl mutex or ip_set_ref_lock is held: */
 #define ip_set_dereference(p)		\
-	rcu_dereference_protected(p, lockdep_nfnl_is_held(NFNL_SUBSYS_IPSET))
+	rcu_dereference_protected(p,	\
+		lockdep_nfnl_is_held(NFNL_SUBSYS_IPSET) || \
+		lockdep_is_held(&ip_set_ref_lock))
 #define ip_set(inst, id)		\
 	ip_set_dereference((inst)->ip_set_list)[id]
+#define ip_set_ref_netlink(inst,id)	\
+	rcu_dereference_raw((inst)->ip_set_list)[id]
 
 /* The set types are implemented in modules and registered set types
  * can be found in ip_set_type_list. Adding/deleting types is
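Review bot: the new ip_set_ref_netlink() macro uses rcu_dereference_raw(), which drops all lockdep checking, yet it has no comment saying what makes that safe, unlike ip_set_dereference() just above it. The commit message says ref_netlink protects the set, but what the macro dereferences is the (inst)->ip_set_list array pointer, so please add a comment stating the invariant callers must hold (a netlink reference on the set at id) and what keeps the array itself valid at these call sites. Style nit: the parameter list is written (inst,id) with no space after the comma, while ip_set(inst, id) two lines up has one.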
@@ -1251,7 +1255,7 @@ ip_set_dump_done(struct netlink_callback *cb)
 		struct ip_set_net *inst =
 			(struct ip_set_net *)cb->args[IPSET_CB_NET];
 		ip_set_id_t index = (ip_set_id_t)cb->args[IPSET_CB_INDEX];
-		struct ip_set *set = ip_set(inst, index);
+		struct ip_set *set = ip_set_ref_netlink(inst, index);
 
 		if (set->variant->uref)
 			set->variant->uref(set, cb, false);
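Review bot: in ip_set_dump_done() the pointer returned by ip_set_ref_netlink(inst, index) is dereferenced on the very next statement (set->variant->uref) with no lock and no NULL check, and after this change lockdep no longer validates the access. A short comment here stating that the set is still pinned by the netlink reference when the done callback runs would make the lockless access reviewable. Since index is read back from cb->args[IPSET_CB_INDEX], it is also worth saying why it cannot be stale at this point.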
@@ -1440,7 +1444,7 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
 release_refcount:
 	/* If there was an error or set is done, release set */
 	if (ret || !cb->args[IPSET_CB_ARG0]) {
-		set = ip_set(inst, index);
+		set = ip_set_ref_netlink(inst, index);
 		if (set->variant->uref)
 			set->variant->uref(set, cb, false);
 		pr_debug("release set %s\n", set->name);
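Review bot: the release_refcount block runs when ret is non-zero as well as when the dump is finished, so ip_set_ref_netlink(inst, index) is also reached on error paths. Please confirm that every jump to this label happens after the netlink reference on the set at index has been taken, because rcu_dereference_raw() will not warn if it has not and set->variant is read immediately afterwards. If any error path can arrive here earlier, it should bypass this block.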
-- 
2.11.0
