netfilter: ipset: Hold module reference while requesting a module

Phil Sutter · ummakynes · commit 456f010bfaef · 2024-12-04T15:39:22.000+01:00
User space may unload ip_set.ko while it is itself requesting a set type backend module, leading to a kernel crash. The race condition may be provoked by inserting an mdelay() right after the nfnl_unlock() call. Fixes: a7b4f98 ("netfilter: ipset: IP set core support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
@@ -104,14 +104,19 @@ find_set_type(const char *name, u8 family, u8 revision)
 static bool
 load_settype(const char *name)
 {
+	if (!try_module_get(THIS_MODULE))
+		return false;
+
 	nfnl_unlock(NFNL_SUBSYS_IPSET);
 	pr_debug("try to load ip_set_%s\n", name);
 	if (request_module("ip_set_%s", name) < 0) {
 		pr_warn("Can't find ip_set type %s\n", name);
 		nfnl_lock(NFNL_SUBSYS_IPSET);
+		module_put(THIS_MODULE);
 		return false;
 	}
 	nfnl_lock(NFNL_SUBSYS_IPSET);
+	module_put(THIS_MODULE);
 	return true;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -104,14 +104,19 @@ find_set_type(const char *name, u8 family, u8 revision)`
`104`	`104`	`static bool`
`105`	`105`	`load_settype(const char *name)`
`106`	`106`	`{`
	`107`	`+ if (!try_module_get(THIS_MODULE))`
	`108`	`+ return false;`
	`109`	`+`
`107`	`110`	`nfnl_unlock(NFNL_SUBSYS_IPSET);`
`108`	`111`	`pr_debug("try to load ip_set_%s\n", name);`
`109`	`112`	`if (request_module("ip_set_%s", name) < 0) {`
`110`	`113`	`pr_warn("Can't find ip_set type %s\n", name);`
`111`	`114`	`nfnl_lock(NFNL_SUBSYS_IPSET);`
	`115`	`+ module_put(THIS_MODULE);`
`112`	`116`	`return false;`
`113`	`117`	`}`
`114`	`118`	`nfnl_lock(NFNL_SUBSYS_IPSET);`
	`119`	`+ module_put(THIS_MODULE);`
`115`	`120`	`return true;`
`116`	`121`	`}`
`117`	`122`