[{"id":3676395,"web_url":"http://patchwork.ozlabs.org/comment/3676395/","msgid":"","list_archive_url":null,"date":"2026-04-12T22:31:51","subject":"Re: [PATCH net v3] netfilter: nft_set_rbtree: fix use count leak on\n transaction abort","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Marko Jevtic wrote:\n> nft_rbtree_abort() does not handle elements moved to the expired list\n> by inline GC during __nft_rbtree_insert(). When inline GC encounters\n> expired elements during overlap detection, it calls\n> nft_rbtree_gc_elem_move() which deactivates element data (decrementing\n> chain/object use counts), removes the element from the rbtree, and\n> queues it for deferred freeing. On commit, these elements are freed\n> via nft_rbtree_gc_queue(). On abort, however, the expired list is\n> ignored entirely.\n> \n> This leaves use counts permanently decremented after abort.\n\nI have not seen a reason/answer why this needs to be rolled back.\nGC is an implementation detail, its not part of the transaction.\n\nIt could also be done from work queue, for example, not just from insert\nor commit.\n\nI see no reason to change the existing approach.","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.105.105.114; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11836-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org [172.105.105.114])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fv4zB6j2Qz1xtJ\n\tfor ; Mon, 13 Apr 2026 08:32:06 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 84430300E25A\n\tfor ; Sun, 12 Apr 2026 22:32:00 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 1A57231E85A;\n\tSun, 12 Apr 2026 22:31:57 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id F3A0C43147;\n\tSun, 12 Apr 2026 22:31:54 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid E057F60491; Mon, 13 Apr 2026 00:31:51 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776033116; cv=none;\n b=EjhG/8NCqWdiCXrk2l4Djn0c44FD7XYmtlv/HiiiNOetK9GaI/kyyBa9snOrQaDQ2P9q7y1HpAOywsELuw95HO/EDfS2FuZAE3k+fQH2udS9ofGppjDO3k9ej6Mc8PQc0kyBpHXDntXQ6eypyZmxJqTnR6t9mst7q6LCGzq/uHk=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776033116; c=relaxed/simple;\n\tbh=VQ0E2CPHBAKyPinm9SCfzHRTKJ0Or0lZ8hhPAVGSE4w=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=YUaxzral1olVn2uwJejoaMq2YCiwZE9S6vJpjRpwn9j8Jgd5W/XtdLgAG7YYMpQRYzxShHvHR/1Vl7rOULDzA+Kvg0XGo7d/KP1bS0d8YMRl8ACJnB+EW+GT+CHQuM0wYcyjhuLT1Y4610h7K9rlvp/IHxm1LEnJtGqOO2bDgI4=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Mon, 13 Apr 2026 00:31:51 +0200","From":"Florian Westphal ","To":"Marko Jevtic ","Cc":"pablo@netfilter.org, netfilter-devel@vger.kernel.org, phil@nwl.cc,\n\tcoreteam@netfilter.org, davem@davemloft.net, edumazet@google.com,\n\tkuba@kernel.org, pabeni@redhat.com, horms@kernel.org,\n\tnetdev@vger.kernel.org, linux-kernel@vger.kernel.org","Subject":"Re: [PATCH net v3] netfilter: nft_set_rbtree: fix use count leak on\n transaction abort","Message-ID":"","References":"<20260412222801.34965-1-marko.jevtic@codereflect.io>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20260412222801.34965-1-marko.jevtic@codereflect.io>"}},{"id":3676987,"web_url":"http://patchwork.ozlabs.org/comment/3676987/","msgid":"","list_archive_url":null,"date":"2026-04-14T00:11:26","subject":"Re: [PATCH net v3] netfilter: nft_set_rbtree: fix use count leak on\n transaction abort","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"Hi,\n\nOn Mon, Apr 13, 2026 at 12:28:01AM +0200, Marko Jevtic wrote:\n> nft_rbtree_abort() does not handle elements moved to the expired list\n> by inline GC during __nft_rbtree_insert(). When inline GC encounters\n> expired elements during overlap detection, it calls\n> nft_rbtree_gc_elem_move() which deactivates element data (decrementing\n> chain/object use counts), removes the element from the rbtree, and\n> queues it for deferred freeing. On commit, these elements are freed\n> via nft_rbtree_gc_queue(). On abort, however, the expired list is\n> ignored entirely.\n> \n> This leaves use counts permanently decremented after abort.\n\nYes, but that is expected?\n\nExpired elements reside in priv->expired, these elements are already\ndeactivated, ie. removed from the rbtree and chain reference is\ndecremented.\n\nFrom abort path, the deactivated element simply remains there until\nthere is a commit run that gets rid of it.\n\nI can't make any sense of this bug report so far.\n\nWhy do you think there is a need to restore an expired element?","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=U3zd1/5P;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11854-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"U3zd1/5P\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fvl7k0vG3z1xtJ\n\tfor ; Tue, 14 Apr 2026 10:11:46 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 355B830480E1\n\tfor ; Tue, 14 Apr 2026 00:11:34 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 3F33B7081E;\n\tTue, 14 Apr 2026 00:11:33 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 643E212B93;\n\tTue, 14 Apr 2026 00:11:31 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 5162560177;\n\tTue, 14 Apr 2026 02:11:29 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776125492; cv=none;\n b=tg6VIjg7sWW8GWtW61ZhZG5oh/9htPSkcXszpe4JWSmuEOI981He/7YW4fr5zD56x6OZDPiJrasDlOiIkyvmZ3KByVdWAlNw9q1CIIN9An3es/FsQ1U58rScU9ySLDi+ZlCgKjgQWnL15hGodYds6UrO/fH/sbnbI3m4gGeCMw8=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776125492; c=relaxed/simple;\n\tbh=BsJ44EHp9plgRWqro2dZPO4rDiLIW6QcDNIeoNvIS1c=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=LCIDm/n/CpNNstL12WG4pWdUdd1dzwGc+1xugyNIu0NpV7YvI6sBSYvWVy4MwQawVA32SAN7HxJS+QrGEJrFDQZRXj0m3uJMk04SA5aIBDO+RU+HSUOYsht7oUka3y7NXDQrszLuJAxOTFctpgB7QOqFtoKPHxZkHt+/ITUD7W4=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=U3zd1/5P; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776125489;\n\tbh=NvfB7f0eOiBdW3wAIWp57z2zunsl+ur5h/Olq4MZt50=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=U3zd1/5PXjK7qonqD6c0rFazYmPOeAL5ygx886wH1wRG3FSXRlUkIYMOCHVAlY2FC\n\t UPwQVw1sQTMDex2bN4qSpD5V7/IUvA/8T0wABTL+l2yqMGSfIXVyneN4jz8LM4IwEe\n\t Pq62AKWDYivSJ5BXE7kerS86mapw4Ey1p2+Xh0oCUsNvnSgu7yOg/JaX/vNuTzE3IW\n\t Qs1XF3xFRFU/eaRDi/7YJNDLQ7VuBXg2DQglNv25iLn2qg+Egr38xXwM2gHwgxFfaO\n\t aZwRx8dfrgA1DUVStXsrRgUyVYLIuH06swDcsYK4g1JtNdehYnXPOzfr+v3dQ4v8hj\n\t 5ziXkU5xWlfSw==","Date":"Tue, 14 Apr 2026 02:11:26 +0200","From":"Pablo Neira Ayuso ","To":"Marko Jevtic ","Cc":"fw@strlen.de, netfilter-devel@vger.kernel.org, phil@nwl.cc,\n\tcoreteam@netfilter.org, davem@davemloft.net, edumazet@google.com,\n\tkuba@kernel.org, pabeni@redhat.com, horms@kernel.org,\n\tnetdev@vger.kernel.org, linux-kernel@vger.kernel.org","Subject":"Re: [PATCH net v3] netfilter: nft_set_rbtree: fix use count leak on\n transaction abort","Message-ID":"","References":"<20260412222801.34965-1-marko.jevtic@codereflect.io>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20260412222801.34965-1-marko.jevtic@codereflect.io>"}}]