
Re: ipset list, panic on 3.2.0-3-686-pae



On Wed, 2012-08-08 at 12:14 +0200, Marcin Szewczyk wrote:
> Hi,
> 
> I've been experiencing a problem with ipset causing the kernel to panic.
> 
> Steps to reproduce:
> 1) create an ipset (script attached),
> 2) add some addresses:
>     # for i in $(seq 1 200); do ipset add wifi-registered 192.168.20.$i; done
> 3) run:
>     # ipset -L
>    a couple of times and voilà.
> 
> Kernel messages dumped via netconsole attached.

Please test the attached patch, following the instructions at
<http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official>

Ben.

-- 
Ben Hutchings
Sturgeon's Law: Ninety percent of everything is crap.

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Sat, 14 Jan 2012 16:42:13 +0100
Subject: [PATCH] netfilter: ipset: dumping error triggered removing
 references twice

commit be94db9ddac0d6ea76f479b04fb3a43314654c9f upstream.

If there was a dumping error in the middle, the set-specific variable was
not zeroed out and thus the 'done' function of the dumping wrongly tried
to release the already released reference of the set. The already released
reference was caught by __ip_set_put and triggered a kernel BUG message.
Reported by Jean-Philippe Menil.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipset/ip_set_core.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 0f8e5f2..32dbf0f 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1142,6 +1142,7 @@ release_refcount:
 	if (ret || !cb->args[2]) {
 		pr_debug("release set %s\n", ip_set_list[index]->name);
 		ip_set_put_byindex(index);
+		cb->args[2] = 0;
 	}
 out:
 	if (nlh) {
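
Review bot: the added `cb->args[2] = 0;` in the `release_refcount:` block has no comment, and nothing at this site shows that the dump's 'done' function reads this slot to decide whether to release the set reference again. A one-line comment above the assignment, along the lines of "reference already released, keep done() from putting it a second time", would record why the zeroing must stay paired with `ip_set_put_byindex(index);`. Note also that on the `!cb->args[2]` side of the condition the assignment is a no-op, so only the `ret` case changes behaviour; saying so in the comment would help whoever touches this condition later.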
