netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test v2

synchronize_rcu() is moved into ip_set_swap() in order not to burden ip_set_destroy() unnecessarily when all sets are destroyed Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
author: Jozsef Kadlecsik <kadlec@netfilter.org> 2023-11-04 10:51:47 +0100
committer: Jozsef Kadlecsik <kadlec@netfilter.org> 2023-11-04 10:51:47 +0100
commit: 74f6e7b96229c6fd2a0e5fb8bb75e81b3fde9a59 (patch)
tree: c1749982ce88f209954e5ef12551fc3876ba71df /kernel/net/netfilter/ipset/ip_set_core.c
parent: cf94d3f5d139dc3695967e19f464e0958bf1d718 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/kernel/net/netfilter/ipset/ip_set_core.c b/kernel/net/netfilter/ipset/ip_set_core.c
index 98dd409..9ab2195 100644
--- a/kernel/net/netfilter/ipset/ip_set_core.c
+++ b/kernel/net/netfilter/ipset/ip_set_core.c
@@ -1225,9 +1225,6 @@ IPSET_CBFN(ip_set_destroy, struct net *net, struct sock *ctnl,
 	if (unlikely(protocol_min_failed(attr)))
 		return -IPSET_ERR_PROTOCOL;
 
-	/* Make sure all readers of the old set pointers are completed. */
-	synchronize_rcu();
-
 	/* Must wait for flush to be really finished in list:set */
 	rcu_barrier();
 
@@ -1441,6 +1438,9 @@ IPSET_CBFN(ip_set_swap, struct net *net, struct sock *ctnl,
 	ip_set(inst, to_id) = from;
 	write_unlock_bh(&ip_set_ref_lock);
 
+	/* Make sure all readers of the old set pointers are completed. */
+	synchronize_rcu();
+
 	return 0;
 }
author	Jozsef Kadlecsik <kadlec@netfilter.org>	2023-11-04 10:51:47 +0100
committer	Jozsef Kadlecsik <kadlec@netfilter.org>	2023-11-04 10:51:47 +0100
commit	74f6e7b96229c6fd2a0e5fb8bb75e81b3fde9a59 (patch)
tree	c1749982ce88f209954e5ef12551fc3876ba71df /kernel/net/netfilter/ipset/ip_set_core.c
parent	cf94d3f5d139dc3695967e19f464e0958bf1d718 (diff)