Commit e23ed762 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: ipset: pernet ops must be unregistered last

Removing the ipset module leaves a small window where one cpu performs
module removal while another runs a command like 'ipset flush'.

ipset uses net_generic(), unregistering the pernet ops frees this
storage area.

Fix it by first removing the user-visible api handlers and the pernet
ops last.

Fixes: 1785e8f4 ("netfiler: ipset: Add net namespace for ipset")
Reported-by: default avatarLi Shuang <shuali@redhat.com>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Acked-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 48596a8d
...@@ -2072,25 +2072,28 @@ static struct pernet_operations ip_set_net_ops = { ...@@ -2072,25 +2072,28 @@ static struct pernet_operations ip_set_net_ops = {
static int __init static int __init
ip_set_init(void) ip_set_init(void)
{ {
int ret = nfnetlink_subsys_register(&ip_set_netlink_subsys); int ret = register_pernet_subsys(&ip_set_net_ops);
if (ret) {
pr_err("ip_set: cannot register pernet_subsys.\n");
return ret;
}
ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
if (ret != 0) { if (ret != 0) {
pr_err("ip_set: cannot register with nfnetlink.\n"); pr_err("ip_set: cannot register with nfnetlink.\n");
unregister_pernet_subsys(&ip_set_net_ops);
return ret; return ret;
} }
ret = nf_register_sockopt(&so_set); ret = nf_register_sockopt(&so_set);
if (ret != 0) { if (ret != 0) {
pr_err("SO_SET registry failed: %d\n", ret); pr_err("SO_SET registry failed: %d\n", ret);
nfnetlink_subsys_unregister(&ip_set_netlink_subsys); nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
unregister_pernet_subsys(&ip_set_net_ops);
return ret; return ret;
} }
ret = register_pernet_subsys(&ip_set_net_ops);
if (ret) {
pr_err("ip_set: cannot register pernet_subsys.\n");
nf_unregister_sockopt(&so_set);
nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
return ret;
}
pr_info("ip_set: protocol %u\n", IPSET_PROTOCOL); pr_info("ip_set: protocol %u\n", IPSET_PROTOCOL);
return 0; return 0;
} }
...@@ -2098,9 +2101,10 @@ ip_set_init(void) ...@@ -2098,9 +2101,10 @@ ip_set_init(void)
static void __exit static void __exit
ip_set_fini(void) ip_set_fini(void)
{ {
unregister_pernet_subsys(&ip_set_net_ops);
nf_unregister_sockopt(&so_set); nf_unregister_sockopt(&so_set);
nfnetlink_subsys_unregister(&ip_set_netlink_subsys); nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
unregister_pernet_subsys(&ip_set_net_ops);
pr_debug("these are the famous last words\n"); pr_debug("these are the famous last words\n");
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment