netfilter: ipset: dumping error triggered removing references twice

If there was a dumping error in the middle, the set-specific variable was not zeroed out and thus the 'done' function of the dumping wrongly tried to release the already released reference of the set. The already released reference was caught by __ip_set_put and triggered a kernel BUG message. Reported by Jean-Philippe Menil. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
git-mirror · Jan 17, 2012 · be94db9 · be94db9
1 parent 088067f
commit be94db9
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
@@ -1142,6 +1142,7 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
 	if (ret || !cb->args[2]) {
 		pr_debug("release set %s\n", ip_set_list[index]->name);
 		ip_set_put_byindex(index);
+		cb->args[2] = 0;
 	}
 out:
 	if (nlh) {