netfilter: ipset: Make sure listing doesn't grab a set which is just being destroyed.

struct ip_set_net {

	struct ip_set * __rcu *ip_set_list;	/* all individual sets */

	ip_set_id_t	ip_set_max;	/* max number of sets */

	int		is_deleted;	/* deleted by ip_set_net_exit */

	bool		is_deleted;	/* deleted by ip_set_net_exit */

	bool		is_destroyed;	/* all sets are destroyed */

};

static int ip_set_net_id __read_mostly;

};

static void

ip_set_destroy_set(struct ip_set_net *inst, ip_set_id_t index)

ip_set_destroy_set(struct ip_set *set)

{

	struct ip_set *set = ip_set(inst, index);

	pr_debug("set: %s\n",  set->name);

	ip_set(inst, index) = NULL;

	/* Must call it without holding any lock */

	set->variant->destroy(set);

				goto out;

			}

		}

		inst->is_destroyed = true;

		read_unlock_bh(&ip_set_ref_lock);

		for (i = 0; i < inst->ip_set_max; i++) {

			s = ip_set(inst, i);

			if (s != NULL)

				ip_set_destroy_set(inst, i);

			if (s) {

				ip_set(inst, i) = NULL;

				ip_set_destroy_set(s);

			}

		}

		/* Modified by ip_set_destroy() only, which is serialized */

		inst->is_destroyed = false;

	} else {

		s = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]),

				    &i);

			ret = -IPSET_ERR_BUSY;

			goto out;

		}

		ip_set(inst, i) = NULL;

		read_unlock_bh(&ip_set_ref_lock);

		ip_set_destroy_set(inst, i);

		ip_set_destroy_set(s);

	}

	return 0;

out:

	unsigned int flags = NETLINK_CB(cb->skb).portid ? NLM_F_MULTI : 0;

	struct ip_set_net *inst = ip_set_pernet(sock_net(skb->sk));

	u32 dump_type, dump_flags;

	bool is_destroyed;

	int ret = 0;

	if (!cb->args[IPSET_CB_DUMP]) {

		 dump_type, dump_flags, cb->args[IPSET_CB_INDEX]);

	for (; cb->args[IPSET_CB_INDEX] < max; cb->args[IPSET_CB_INDEX]++) {

		index = (ip_set_id_t) cb->args[IPSET_CB_INDEX];

		write_lock_bh(&ip_set_ref_lock);

		set = ip_set(inst, index);

		if (set == NULL) {

		is_destroyed = inst->is_destroyed;

		if (!set || is_destroyed) {

			write_unlock_bh(&ip_set_ref_lock);

			if (dump_type == DUMP_ONE) {

				ret = -ENOENT;

				goto out;

			}

			if (is_destroyed) {

				/* All sets are just being destroyed */

				ret = 0;

				goto out;

			}

			continue;

		}

		/* When dumping all sets, we must dump "sorted"

		 */

		if (dump_type != DUMP_ONE &&

		    ((dump_type == DUMP_ALL) ==

		     !!(set->type->features & IPSET_DUMP_LAST)))

		     !!(set->type->features & IPSET_DUMP_LAST))) {

			write_unlock_bh(&ip_set_ref_lock);

			continue;

		}

		pr_debug("List set: %s\n", set->name);

		if (!cb->args[IPSET_CB_ARG0]) {

			/* Start listing: make sure set won't be destroyed */

			pr_debug("reference set\n");

			__ip_set_get(set);

			set->ref++;

		}

		write_unlock_bh(&ip_set_ref_lock);

		nlh = start_msg(skb, NETLINK_CB(cb->skb).portid,

				cb->nlh->nlmsg_seq, flags,

				IPSET_CMD_LIST);

	list = kzalloc(sizeof(struct ip_set *) * inst->ip_set_max, GFP_KERNEL);

	if (!list)

		return -ENOMEM;

	inst->is_deleted = 0;

	inst->is_deleted = false;

	inst->is_destroyed = false;

	rcu_assign_pointer(inst->ip_set_list, list);

	return 0;

}

	struct ip_set *set = NULL;

	ip_set_id_t i;

	inst->is_deleted = 1; /* flag for ip_set_nfnl_put */

	inst->is_deleted = true; /* flag for ip_set_nfnl_put */

	for (i = 0; i < inst->ip_set_max; i++) {

		set = ip_set(inst, i);

		if (set != NULL)

			ip_set_destroy_set(inst, i);

		if (set) {

			ip_set(inst, i) = NULL;

			ip_set_destroy_set(set);

		}

	}

	kfree(rcu_dereference_protected(inst->ip_set_list, 1));

}