[{"id":3672537,"web_url":"http://patchwork.ozlabs.org/comment/3672537/","msgid":"","list_archive_url":null,"date":"2026-04-02T03:17:59","subject":"ACK/Cmnt: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23351","submitter":{"id":92836,"url":"http://patchwork.ozlabs.org/api/people/92836/","name":"Yufeng Gao","email":"yufeng.gao@canonical.com"},"content":"On 2/4/26 07:59, Tim Whisonant wrote:\n> SRU Justification:\n>\n> [Impact]\n>\n> netfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n>\n> Yiming Qian reports Use-after-free in the pipapo set type:\n> Under a large number of expired elements, commit-time GC can run for a very\n> long time in a non-preemptible context, triggering soft lockup warnings and\n> RCU stall reports (local denial of service).\n>\n> We must split GC in an unlink and a reclaim phase.\n>\n> We cannot queue elements for freeing until pointers have been swapped.\n> Expired elements are still exposed to both the packet path and userspace\n> dumpers via the live copy of the data structure.\n>\n> call_rcu() does not protect us: dump operations or element lookups starting\n> after call_rcu has fired can still observe the free'd element, unless the\n> commit phase has made enough progress to swap the clone and live pointers\n> before any new reader has picked up the old version.\n>\n> This a similar approach as done recently for the rbtree backend in commit\n> 35f83a75529a (\"netfilter: nft_set_rbtree: don't gc elements on insert\").\n>\n> [Fix]\n>\n> Questing: cherry picked from upstream\n> Noble: backported from linux-6.6.y\n> Jammy: cherry picked from linux-6.1.y\n> Focal: not affected\n> Bionic: not affected\n> Xenial: not affected\n> Trusty: not affected\n>\n> [Test Plan]\n>\n> Compile and boot tested.\n>\n> [Where problems could occur]\n>\n> The change affects the Pile Packet Policies set type portion of the\n> nftables framework, specifically the garbage collector, to address\n> a use after free. Issues would affect handling of these set type\n> data structures.\n>\n> [Notes]\n>\n> * The Jammy fix consists of two patches:\n> * 25600167215 (\"netfilter: nf_tables: de-constify set commit ops function argument\")\n> This patch brings the code closer to upstream. It also allows\n> the fix commit to apply as a clean cherry pick.\n> * 16f3595c044 (\"netfilter: nft_set_pipapo: split gc into unlink and reclaim phase\")\n> This patch is a backport of the fix commit to 6.1. It applies as a\n> clean cherry pick, thanks to the first patch.\n>\n> Florian Westphal (1):\n> netfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n>\n> include/net/netfilter/nf_tables.h | 5 +++\n> net/netfilter/nf_tables_api.c | 5 ---\n> net/netfilter/nft_set_pipapo.c | 51 ++++++++++++++++++++++++++-----\n> net/netfilter/nft_set_pipapo.h | 2 ++\n> 4 files changed, 50 insertions(+), 13 deletions(-)\n>\nNot all emails are grouped under the same thread in my mail client - \nprobably just an issue on my side.\n\nAcked-by: Yufeng Gao ","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=WTjDZbdf;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fmRrQ4QQtz1yGH\n\tfor ; Thu, 02 Apr 2026 14:18:14 +1100 (AEDT)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from )\n\tid 1w88ZL-00022W-5h; Thu, 02 Apr 2026 03:18:07 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from )\n id 1w88ZK-00022P-Ad\n for kernel-team@lists.ubuntu.com; Thu, 02 Apr 2026 03:18:06 +0000","from mail-pl1-f199.google.com (mail-pl1-f199.google.com\n [209.85.214.199])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 2A3BC3F1DA\n for ; Thu, 2 Apr 2026 03:18:06 +0000 (UTC)","by mail-pl1-f199.google.com with SMTP id\n d9443c01a7336-2b0b339b8dbso4003995ad.0\n for ; Wed, 01 Apr 2026 20:18:06 -0700 (PDT)","from ?IPV6:2001:8003:ec14:5900:1487:f09a:a0e3:68b9?\n ([2001:8003:ec14:5900:1487:f09a:a0e3:68b9])\n by smtp.gmail.com with ESMTPSA id\n d9443c01a7336-2b27477c54bsm14599265ad.27.2026.04.01.20.18.02\n for \n (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\n Wed, 01 Apr 2026 20:18:03 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1775099886;\n bh=rkvcLwE50nsDO8hXxkATQ76qjQDZn2+r7iTGNiZlWKE=;\n h=Message-ID:Date:MIME-Version:Subject:To:References:From:\n In-Reply-To:Content-Type;\n b=WTjDZbdfFwS53Pt8XWWpN7pHQK35ZRG0shdWuv84JgBqvtIe2RgMje0f7kWcXTOyD\n 8v3uCntfwpLHkjORQTa4ylf+v6dHnVYWb1P//NG+dHah05D6YKH26lXteKwjsK9EFS\n OGPvOd1DJwnGfg7m+pt3/B8L9Hizp7wQHZE3M78P0n/FAkqDN+2DbVJyVPVCM5ORtG\n c2GMmuoVSeRyXcGnYl8kuX3DirD4J90ot9Nn4Xj2IarHwrjEVWnDmgPGps0D6IEjgv\n 7HVk1AiLVbAZczuo1HOm+FBf2pvO/VPOHfQBW0Z2JMW5LmNi+ZnD7tq7or1GXrJqaW\n cvTfaXC8jYIk3HCndeK9ezdHEmJVuY1ILyDFtuoYMOJ9OSbxEGJpAbC4qbDwlhWmKo\n eqvSqeICkHFl2xFIAMp8F5K9GmJd/f3jKSzXZd0kmhIDmabr/ZlNRVvQH6tXe4/m6e\n rB4fS6fW8M1afyj+nLOs/+bLYOL3UOtPMl54lNe7mCsIAw2zr5HkGM2LxT+OHoCMbn\n CCRsyJh2/7PE1M72htrQwsO0Utl1EJIuRkThQ3Yfjyi5oli8IgI3S3sJFDb5W0rlKY\n oZcbCaQTGGNYDbfG0msrE4ypwzG94Hk4zng1x2Sim0y1gSD0GSKFdtHXsgVuAxImAN\n XO7DCRt0424pX36g0+OmFr8M=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775099885; x=1775704685;\n h=content-transfer-encoding:in-reply-to:content-language:from\n :references:to:subject:user-agent:mime-version:date:message-id\n :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=rkvcLwE50nsDO8hXxkATQ76qjQDZn2+r7iTGNiZlWKE=;\n b=cx5w9K5dXkgvxPuXjV4b9zAqRQ6qIKOY1Fb4w3H0LH/n6SOAC8NFggEv5FokeKOI9Z\n YHg+D3s3eAak3gZn54vKSyiosGoQwimtKJSjxfuAUpfnz3Dwa6AWleozz4lgkcHCkJeg\n JcnmNyMw80TBg6WOqAIyjtysdvViIVJyk4DUDasKLbexirqSpiDXlTDgidsH78IpeCR7\n O/V5d0wPte255y+zX7eW1qlKpaja1DiVZ2R6xD8/THBXGyye8NwSr5El5rMEnxPpBNxo\n RCRXwwPjhEFVt825WXzpyN1iNi3fYCMWnz8FFrDuPPQbsNlPkfDKkANRUCN6j3S62wPx\n 7hMQ==","X-Gm-Message-State":"AOJu0Yy39tTZk83jFi5CJlQqDj1G51xvgeRTaeiVqUcnZ7i59kePtqsZ\n tSLGrma6WeHG4DFdc4ueVIkhSGIx1XGw/bfF2GCh0mhENYdGqRCHKqaXwZiZwM/a1LwQ3R/Vp7H\n kvQBdHkBTsB6hdDJxl0FFstgTWC0vF864j1r3X27fOXa/CMM1YsgdDfza3jzQQY2IMpZCWnu5No\n Oj7je+jRge0Wk/UA==","X-Gm-Gg":"ATEYQzx8B77cVobXOM2Amg43GMRtP0Kcinl73CJKPgnM923tfI1hCrfK3OPRPtyBqlk\n mo9xzwrS1R3x552ze3S7AtG8QijWRzFAfq7vlc7IYCwf2chR3cuiZJ7lZU+fNegK1o+txa8ijtT\n zgKZFHKE82F9w665i7z5U2hWr8E1lJbC4/Q+nE05RlT9/PokShAMTFucv0SM0YqkWwWQX5HF4UO\n qeWQfrLnvJOgjW/KVft+A0fTQEhn+iDR6zdFWgPmmifhHfwxW5O9A4i6+DGoksCXWlYKythfF08\n Hsq0YEo9k7sGXuVUEHoS4BpQLbuzxW6rrOtbU//k7ii8+M96mAnJMMBfCI4pz4PKR8qA2CfqG+M\n fvRyBlCiTF1jS8JUvvKZivORXBzzabzpLjirSsQSjUDPA/qH4alpwQKIzXxKwZPnpqlpzTg4w3t\n TU9zQ=","X-Received":["by 2002:a17:902:cf11:b0:2b2:4029:d77c with SMTP id\n d9443c01a7336-2b269c57e6emr57895255ad.23.1775099884322;\n Wed, 01 Apr 2026 20:18:04 -0700 (PDT)","by 2002:a17:902:cf11:b0:2b2:4029:d77c with SMTP id\n d9443c01a7336-2b269c57e6emr57895005ad.23.1775099883812;\n Wed, 01 Apr 2026 20:18:03 -0700 (PDT)"],"Message-ID":"","Date":"Thu, 2 Apr 2026 13:17:59 +1000","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"ACK/Cmnt: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23351","To":"kernel-team@lists.ubuntu.com","References":"<20260401215936.1178011-1-tim.whisonant@canonical.com>","From":"Yufeng Gao ","Content-Language":"en-US","In-Reply-To":"<20260401215936.1178011-1-tim.whisonant@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Transfer-Encoding":"base64","Content-Type":"text/plain; charset=\"utf-8\"; Format=\"flowed\"","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" "}},{"id":3672992,"web_url":"http://patchwork.ozlabs.org/comment/3672992/","msgid":"","list_archive_url":null,"date":"2026-04-03T06:05:39","subject":"ACK/Cmnt: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23351","submitter":{"id":85372,"url":"http://patchwork.ozlabs.org/api/people/85372/","name":"Masahiro Yamada","email":"masahiro.yamada@canonical.com"},"content":"On 4/2/26 06:59, Tim Whisonant wrote:\n> SRU Justification:\n>\n> [Impact]\n>\n> netfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n>\n> Yiming Qian reports Use-after-free in the pipapo set type:\n> Under a large number of expired elements, commit-time GC can run for a very\n> long time in a non-preemptible context, triggering soft lockup warnings and\n> RCU stall reports (local denial of service).\n>\n> We must split GC in an unlink and a reclaim phase.\n>\n> We cannot queue elements for freeing until pointers have been swapped.\n> Expired elements are still exposed to both the packet path and userspace\n> dumpers via the live copy of the data structure.\n>\n> call_rcu() does not protect us: dump operations or element lookups starting\n> after call_rcu has fired can still observe the free'd element, unless the\n> commit phase has made enough progress to swap the clone and live pointers\n> before any new reader has picked up the old version.\n>\n> This a similar approach as done recently for the rbtree backend in commit\n> 35f83a75529a (\"netfilter: nft_set_rbtree: don't gc elements on insert\").\n>\n> [Fix]\n>\n> Questing: cherry picked from upstream\n> Noble: backported from linux-6.6.y\n> Jammy: cherry picked from linux-6.1.y\n> Focal: not affected\n> Bionic: not affected\n> Xenial: not affected\n> Trusty: not affected\n>\n> [Test Plan]\n>\n> Compile and boot tested.\n>\n> [Where problems could occur]\n>\n> The change affects the Pile Packet Policies set type portion of the\n> nftables framework, specifically the garbage collector, to address\n> a use after free. Issues would affect handling of these set type\n> data structures.\n>\n> [Notes]\n>\n> * The Jammy fix consists of two patches:\n> * 25600167215 (\"netfilter: nf_tables: de-constify set commit ops function argument\")\n> This patch brings the code closer to upstream. It also allows\n> the fix commit to apply as a clean cherry pick.\n> * 16f3595c044 (\"netfilter: nft_set_pipapo: split gc into unlink and reclaim phase\")\n> This patch is a backport of the fix commit to 6.1. It applies as a\n> clean cherry pick, thanks to the first patch.\n>\n> Florian Westphal (1):\n> netfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n>\n> include/net/netfilter/nf_tables.h | 5 +++\n> net/netfilter/nf_tables_api.c | 5 ---\n> net/netfilter/nft_set_pipapo.c | 51 ++++++++++++++++++++++++++-----\n> net/netfilter/nft_set_pipapo.h | 2 ++\n> 4 files changed, 50 insertions(+), 13 deletions(-)\n>\nSame for me: Not all emails are grouped under the same thread.\n\nOther than that,\n\nAcked-by: Masahiro Yamada ","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=c74w72Il;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fn7WY2Ckjz1yCs\n\tfor ; Fri, 03 Apr 2026 17:06:00 +1100 (AEDT)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from )\n\tid 1w8Xf8-0004gT-39; Fri, 03 Apr 2026 06:05:46 +0000","from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from )\n id 1w8Xf6-0004fr-Jd\n for kernel-team@lists.ubuntu.com; Fri, 03 Apr 2026 06:05:44 +0000","from mail-pg1-f197.google.com (mail-pg1-f197.google.com\n [209.85.215.197])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 6D8663F294\n for ; Fri, 3 Apr 2026 06:05:44 +0000 (UTC)","by mail-pg1-f197.google.com with SMTP id\n 41be03b00d2f7-c76bb22a8ceso2066927a12.2\n for ; Thu, 02 Apr 2026 23:05:44 -0700 (PDT)","from ?IPV6:2001:f74:8f00:c00:6aff::1002?\n ([2001:f74:8f00:c00:6aff::1002]) by smtp.gmail.com with ESMTPSA id\n d2e1a72fcca58-82cf9b2694csm4877510b3a.2.2026.04.02.23.05.40\n (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\n Thu, 02 Apr 2026 23:05:41 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1775196344;\n bh=CbVmJEJJfq/Yb+tKRN/kIXUZmgSFM6CflVsZhf8Bv3k=;\n h=Message-ID:Date:MIME-Version:Subject:To:References:From:\n In-Reply-To:Content-Type;\n b=c74w72IlfM5868OJ1oLFdEUBO4dRGz0kZJ2Ik0eY12rvC6aaGSZ0Wv6BQoth/pz37\n rwxPC7B4v1W7RmbzsMCEbmk4C27dxgnwzuWuVjJGQj+WfPH6mauV5QWG3S3cNVDKqn\n AeUpH5OXefXDXTtXwqZieAobKh87IgG+piXQTZ79ZfQN04q8vgAJ2GbX8OQO7eE4ei\n YnhO3H+DMDVDK7eBAMCGCG5KkSh7j6Jwu4PjgMx7wdVF1wUL1TDzjnFOWu8GZeW7bx\n fx3KD7U5On1JW3onhUiwvHTREJWGlJN9H6gD5mAmrZZ18l/bZoDROJ7Lod/3iUouQO\n 8TWbOe2ETxNnL7zJ0rJvlXWDrB9drWUcyS8nrKij1tQJ71f7S4Pi6RjUI/PB4pc7P0\n ijlAOktHOfEsRqYp8LY+JdeH2l4EaBoFdKZmGoiZ+GKGRRAN9/Ec9Rgg/Y+OE/I1dL\n t5zOzY1JZPhuDwuLaijq0GBen9LGR26AGA9CBzk6pZWJ1VfBWpQPqkxBjBl13wOk0Q\n 48YP1JMd7ki4PS9Ada90TRcSXuQ8Quwt+03MNbtB1Gqe422jDjIwn83oG+LaN+ObOV\n hzfzfW3rayler2fKwirU/vPaB+foq6mZ3G/VYkHXi8qdms3VonRmU40ZnYFsJGr3hY\n o/lNI2foqANHhB8sginlcoqU=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775196342; x=1775801142;\n h=content-transfer-encoding:in-reply-to:content-language:from\n :references:to:subject:user-agent:mime-version:date:message-id\n :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=CbVmJEJJfq/Yb+tKRN/kIXUZmgSFM6CflVsZhf8Bv3k=;\n b=H8kieIU9sD6KDQ+c31Q+hsLR5QdI0JW7v/QR/qdGK+vGHn3s9z20kfXkqZOTFncZK8\n IG41ykpVgI/E2uZJY+MmTzY+18QPgnJ6aGnEyxxEmKY7SfHGAs4A5dam1n7yGdb7bCdg\n lWyy/7CPk6mxqwRTv9g/FRYUvUXgonXQQaxtht0JrXEEcfTY28HVVdG2rwSr8x4V/28r\n h5v9loalYQ8WpruIaCElabdGaSZFrB7xxf7Qzf8uNkyCiDKAQKhnkHmFl2Kb9QYP5+0V\n gRx4j4uSgyPq3l4NMybF/hA4xR/7yU6TFKFNLZqK1kwQUjUXChUIJEDTkm+/Plyzv75i\n W+fA==","X-Forwarded-Encrypted":"i=1;\n AJvYcCVoAG2MmTpj8oLh9tO9nZ5XfOMXuLsTEolAunHzRV+prrQUI6elt34OzDjls9d81GzJF5fiIqL0O0UrIQ==@lists.ubuntu.com","X-Gm-Message-State":"AOJu0Yz7ADRp0OkrDEey4TWENL+kgvHQi6Fft4JhNTFXisVLgHLl8qo/\n mf7nwiAmeFxZw0eXh66+pKUatF7fzDGu77y0l2Uv9q2XP+Wwlr0Eooyzf3VVc2d/krTsdhY/fvQ\n bp6n+UKl/whaZbILXJSVPj/A8lfYcROuF6IKdtadUpyZjLwLGg+vgBw3AzqXLpNpDKar1VeFVaZ\n Vcyzxs3E0nRA2nbA==","X-Gm-Gg":"AeBDieseYBaPcBFbf8KK4PgKOsfAkk5C6Im0NHmQJxDDhT6Rf0fkav7pcVtKTAECv+U\n Pd+Pdqr5OCapf4743ZtRYuu97RNUixMDUPILXU27u4AC0Qc3PpEy8cItzBYod1aszVZEm292+tE\n b3ns9XhycddwEd/mFE47UI0yd6s7hfDpFydkG+i1fuo1gTQ8P5kedevnxonKtERatFlZJkJbZfx\n bynznBoqQF6qK4kBpIsrtNjNo7ZocfpZQ91q6+lSh6l+sBsJ4JZW8SpFbcgbjzoyQVkUtRqDyS3\n H87lFps8WVT1zKBOq+0SaUMyfSkpNsWbbfxHw3K5r9TtvcxKNuW/PluXSH0yZQBzPPsh0nCJTjg\n yfDXVwK6D7Q1Vka3ZU5todJTXR0SEKb1g3jNdzPsdldGG6EtrgI8jnXFh","X-Received":["by 2002:a05:6a00:3cd3:b0:82c:df25:fbd9 with SMTP id\n d2e1a72fcca58-82d0dbaf921mr1926084b3a.50.1775196342610;\n Thu, 02 Apr 2026 23:05:42 -0700 (PDT)","by 2002:a05:6a00:3cd3:b0:82c:df25:fbd9 with SMTP id\n d2e1a72fcca58-82d0dbaf921mr1926052b3a.50.1775196342051;\n Thu, 02 Apr 2026 23:05:42 -0700 (PDT)"],"Message-ID":"","Date":"Fri, 3 Apr 2026 15:05:39 +0900","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"ACK/Cmnt: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23351","To":"Tim Whisonant , kernel-team@lists.ubuntu.com","References":"<20260401215936.1178011-1-tim.whisonant@canonical.com>","From":"Masahiro Yamada ","Content-Language":"en-US","In-Reply-To":"<20260401215936.1178011-1-tim.whisonant@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Transfer-Encoding":"base64","Content-Type":"text/plain; charset=\"utf-8\"; Format=\"flowed\"","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" "}},{"id":3674021,"web_url":"http://patchwork.ozlabs.org/comment/3674021/","msgid":"<87fr57ce7s.fsf@gmail.com>","list_archive_url":null,"date":"2026-04-07T09:27:35","subject":"APPLIED: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23351","submitter":{"id":89305,"url":"http://patchwork.ozlabs.org/api/people/89305/","name":"Mehmet Basaran","email":"mehmet.basaran@canonical.com"},"content":"Applied to jammy:linux, noble:linux, questing:linux master-next\nbranches. Thanks.\nTim Whisonant writes:\n\n> SRU Justification:\n>\n> [Impact]\n>\n> netfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n>\n> Yiming Qian reports Use-after-free in the pipapo set type:\n> Under a large number of expired elements, commit-time GC can run for a very\n> long time in a non-preemptible context, triggering soft lockup warnings and\n> RCU stall reports (local denial of service).\n>\n> We must split GC in an unlink and a reclaim phase.\n>\n> We cannot queue elements for freeing until pointers have been swapped.\n> Expired elements are still exposed to both the packet path and userspace\n> dumpers via the live copy of the data structure.\n>\n> call_rcu() does not protect us: dump operations or element lookups starting\n> after call_rcu has fired can still observe the free'd element, unless the\n> commit phase has made enough progress to swap the clone and live pointers\n> before any new reader has picked up the old version.\n>\n> This a similar approach as done recently for the rbtree backend in commit\n> 35f83a75529a (\"netfilter: nft_set_rbtree: don't gc elements on insert\").\n>\n> [Fix]\n>\n> Questing: cherry picked from upstream\n> Noble: backported from linux-6.6.y\n> Jammy: cherry picked from linux-6.1.y\n> Focal: not affected\n> Bionic: not affected\n> Xenial: not affected\n> Trusty: not affected\n>\n> [Test Plan]\n>\n> Compile and boot tested.\n>\n> [Where problems could occur]\n>\n> The change affects the Pile Packet Policies set type portion of the\n> nftables framework, specifically the garbage collector, to address\n> a use after free. Issues would affect handling of these set type\n> data structures.\n>\n> [Notes]\n>\n> * The Jammy fix consists of two patches:\n> * 25600167215 (\"netfilter: nf_tables: de-constify set commit ops function argument\")\n> This patch brings the code closer to upstream. It also allows\n> the fix commit to apply as a clean cherry pick.\n> * 16f3595c044 (\"netfilter: nft_set_pipapo: split gc into unlink and reclaim phase\")\n> This patch is a backport of the fix commit to 6.1. It applies as a\n> clean cherry pick, thanks to the first patch.\n>\n> Florian Westphal (1):\n> netfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n>\n> include/net/netfilter/nf_tables.h | 5 +++\n> net/netfilter/nf_tables_api.c | 5 ---\n> net/netfilter/nft_set_pipapo.c | 51 ++++++++++++++++++++++++++-----\n> net/netfilter/nft_set_pipapo.h | 2 ++\n> 4 files changed, 50 insertions(+), 13 deletions(-)\n>\n> -- \n> 2.43.0\n>\n>\n> -- \n> kernel-team mailing list\n> kernel-team@lists.ubuntu.com\n> https://lists.ubuntu.com/mailman/listinfo/kernel-team","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=Gb/4EIeC;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fqgpW569Hz1xtJ\n\tfor ; Tue, 07 Apr 2026 19:27:47 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from )\n\tid 1wA2ii-0008PW-MN; Tue, 07 Apr 2026 09:27:40 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from )\n id 1wA2ig-0008Ne-FB\n for kernel-team@lists.ubuntu.com; Tue, 07 Apr 2026 09:27:38 +0000","from mail-wr1-f71.google.com (mail-wr1-f71.google.com\n [209.85.221.71])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 417583F29A\n for ; Tue, 7 Apr 2026 09:27:38 +0000 (UTC)","by mail-wr1-f71.google.com with SMTP id\n ffacd0b85a97d-43d034589d0so4910414f8f.1\n for ; Tue, 07 Apr 2026 02:27:38 -0700 (PDT)","from localhost ([149.86.141.159]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-4887e83e906sm623699215e9.8.2026.04.07.02.27.36\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 07 Apr 2026 02:27:36 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1775554058;\n bh=1Q7j+/L7DxuF9R9/zLc2FPtl54zbD+LPfjywTkgZnk4=;\n h=From:To:Subject:In-Reply-To:References:Date:Message-ID:\n MIME-Version:Content-Type;\n b=Gb/4EIeCb5P0aL/ux/KN/fHI3TC9T+74s873DUzMvUw7XWRFPyiSJ0CJ5ESAD8hZ1\n d/RfABjTuud2WJVgRAvriDWtHCs255pnKFrTXDRKxx2cJlCq/o3bZfklecbhAhNTZl\n BTuZ5Mw3L3k5QiQRErGSeAQP4cDT6CfYf7xkJlcLwRV2HNNpsaorWmByM9G1IlLg72\n gsZw4mrpa0pYL4/BOcrFt3XKNqIpR94jc/KWCM7OtGiddGM+B/Iul7CU9N64UPSB1m\n 7DMH1slbSC+BM/hDmMpSXnFZvvDldulDjYq6ChIqhesDS0Ny7UZ5Qx+z93SkWnVvcY\n tknnxar7lWbEVIHSrXAj9RELNcow94zl2qX+sMq0ALF+v7gzce8Qt5hEC5cxdtm5iV\n iyCWCMDzitzCKnl1kKUDSXOh62KQD0GHhIiG5uT9Ynb4LTtaUMMAqThd/VppQsbkHQ\n FcnFl4vVGiRAdaWq5SCtJcbuGoWTw+Rl6G2Rnl0XGZatyW0ZdOgOk+Ae7gcUO/hwt8\n tAliL8ZtyYy+dlqds30X2vU1Ccw4F8ICN2RoxsoAkhlrLsJvr64UrErLi68Eb1gZv4\n x6IWYxAAgxvbCV8uzdTs/PVtP+H5wpM3pUXA9EYnUW8PBXAfS+CJ3PiAsy1FgDnOd/\n pXE1/EgpcBGftfMw0VwOXg6w=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775554058; x=1776158858;\n h=mime-version:message-id:date:references:in-reply-to:subject:to:from\n :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=1Q7j+/L7DxuF9R9/zLc2FPtl54zbD+LPfjywTkgZnk4=;\n b=bPnyNZw+n7FUD8i1H0T0vfVUjzCtUE0fa4OB1DHdit0JUddAyDakQxG60D3fJF80Ab\n e+3hejDj9hQjFWg3CsbG0phiLJ/hf7kK+sfY1+UoVrat6u2BCOgq6K7xdTPBMs+upeXD\n VvJNdwf/nclbeKUmJT98WGU1m2r4au1DQKokXWbpNN5/taTgWhzPqMlYWDrS1qs7wIQ7\n n7RnIJn4SbX8jTUSOqVOLHMjc2FhbOQX0GPAYS3EuYZrnR2aInKhdUBuMOuXuC0NwajB\n 43OISE9YadNIou+oQsab2FKm5UpQMrv0ruO80rStUpnF6gxIaOLs9Fu5RndC3Pyyk1qm\n dYgA==","X-Forwarded-Encrypted":"i=1;\n AJvYcCW1kXoBsCCPjFTTAek31YWqwozolZ3VOnO78uD0upTI/srgEM2/V3oWGSTBTYyzJLZuFVs5GErXw+Ea4Q==@lists.ubuntu.com","X-Gm-Message-State":"AOJu0YxnGmCRg5FdbCgb6phGaMDQijVeKFSu5ve3l/qrZhRxJnxFMEtM\n hNxWCSp7H1uUGvZMemuzHOv2nHbF9ohUWHSok59i/6OjVcGYIVi9EvJ2DG6BJZyIY+H+p/vHl3n\n Isi3jrXJF+CUx4YLpLB5PWHBDz6YjdTQ6DKzJVqIxDQ9JrLkGTpGEls/csGVNjem6nAnqHN9pgF\n Er1JE2NA==","X-Gm-Gg":"AeBDiesyfknC+YyhbLitXNhhksy8VwdUMP1uzxupH5cg4Z7Lr5iRYcPU9ZfP2Fr6eA5\n KGQPcVYidVwO624hfFkBNTXVyg3rnlW8RFZlnUyx7rj8FwGq1I+iDWm9Ew/+lDeXVFH0USQdb/D\n QRSugzCwrT0hkJilYysVnUpD9N4RJJtKuSiKnUoBI+2PpEaHghn2c5gtUzwQNnOXpSgbQSKmDpE\n 8ckc+3Psr5tsddAMgcVYIHxZ9jwhmugPZEy/3ytlWAqF83255yCGn25fkFEevKP+639E20fJcyv\n G7BSuypvddbYQ1aBAOVPF4JqXoUYSzkdtsXfcMc4AoWahULXfpLzCvFv5LzKCv5cSZ2MWBBS/na\n yVJgu7pZUybKCJ7nEAVzM2IaxtzdYRg==","X-Received":["by 2002:a05:600c:3f0a:b0:487:2439:b7c8 with SMTP id\n 5b1f17b1804b1-488996a206dmr244290445e9.1.1775554057663;\n Tue, 07 Apr 2026 02:27:37 -0700 (PDT)","by 2002:a05:600c:3f0a:b0:487:2439:b7c8 with SMTP id\n 5b1f17b1804b1-488996a206dmr244290015e9.1.1775554057179;\n Tue, 07 Apr 2026 02:27:37 -0700 (PDT)"],"From":"Mehmet Basaran ","To":"Tim Whisonant , kernel-team@lists.ubuntu.com","Subject":"APPLIED: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23351","In-Reply-To":"<20260401215936.1178011-1-tim.whisonant@canonical.com>","References":"<20260401215936.1178011-1-tim.whisonant@canonical.com>","Date":"Tue, 07 Apr 2026 12:27:35 +0300","Message-ID":"<87fr57ce7s.fsf@gmail.com>","MIME-Version":"1.0","Content-Type":"multipart/mixed; boundary=\"=-=-=\"","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" "}}]