netfilter: ipset: dumping error triggered removing references twice
author Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Sat, 14 Jan 2012 15:42:13 +0000 (16:42 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 17 Jan 2012 09:52:55 +0000 (10:52 +0100)
If there was a dumping error in the middle, the set-specific variable was
not zeroed out and thus the 'done' function of the dumping wrongly tried
to release the already released reference of the set. The already released
reference was caught by __ip_set_put and triggered a kernel BUG message.
Reported by Jean-Philippe Menil.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/ipset/ip_set_core.c

index 0f8e5f2fa1ba99644c0db756e901caaf1e53f941..32dbf0fa89db7661e1ee22cee519c273a229c9ca 100644 (file)
@@ -1142,6 +1142,7 @@ release_refcount:
        if (ret || !cb->args[2]) {
                pr_debug("release set %s\n", ip_set_list[index]->name);
                ip_set_put_byindex(index);
+               cb->args[2] = 0;
        }
 out:
        if (nlh) {
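Review bot: the one-line reset `cb->args[2] = 0;` after `ip_set_put_byindex(index);` is correct only if the dump's 'done' callback tests `cb->args[2]` before putting the reference, and that callback is not visible in this hunk; please confirm that guard exists, and add a short comment next to the assignment (for example `/* clear so the done callback does not release the set a second time */`) so the coupling between this branch and the done callback is recorded for the next reader. A minor observation on the same lines: when the branch is entered because `!cb->args[2]` already holds, the assignment is a harmless no-op, so the placement inside the conditional is fine.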