netfilter: ipset: Hold module reference while requesting a module

User space may unload ip_set.ko while it is itself requesting a set type
backend module, leading to a kernel crash. The race condition may be
provoked by inserting an mdelay() right after the nfnl_unlock() call.

Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support")
Signed-off-by: Phil Sutter <[email protected]>
Acked-by: Jozsef Kadlecsik <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 61431690cbd5f195ca27a90661c3838189e2330d..cc20e6d56807c6b31d8beabc7f7d2617cad76c8a 100644 (file)
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -104,14 +104,19 @@ find_set_type(const char *name, u8 family, u8 revision)
 static bool
 load_settype(const char *name)
 {
+       if (!try_module_get(THIS_MODULE))
+               return false;
+
        nfnl_unlock(NFNL_SUBSYS_IPSET);
        pr_debug("try to load ip_set_%s\n", name);
        if (request_module("ip_set_%s", name) < 0) {
                pr_warn("Can't find ip_set type %s\n", name);
                nfnl_lock(NFNL_SUBSYS_IPSET);
+               module_put(THIS_MODULE);
                return false;
        }
        nfnl_lock(NFNL_SUBSYS_IPSET);
+       module_put(THIS_MODULE);
        return true;
 }