{"id":2228648,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2228648/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260427073424.573672-5-kadlec@netfilter.org/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260427073424.573672-5-kadlec@netfilter.org>","date":"2026-04-27T07:34:23","name":"[4/5] netfilter: ipset: skip gc when resize is in progress","commit_ref":null,"pull_url":null,"state":"changes-requested","archived":true,"hash":"989c9db1f24aa0988a2fa726c0bb3394fffe531d","submitter":{"id":77226,"url":"http://patchwork.ozlabs.org/api/1.1/people/77226/?format=json","name":"Jozsef Kadlecsik","email":"kadlec@netfilter.org"},"delegate":{"id":11902,"url":"http://patchwork.ozlabs.org/api/1.1/users/11902/?format=json","username":"strlen","first_name":"Florian","last_name":"Westphal","email":"fw@strlen.de"},"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260427073424.573672-5-kadlec@netfilter.org/mbox/","series":[{"id":501591,"url":"http://patchwork.ozlabs.org/api/1.1/series/501591/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501591","date":"2026-04-27T07:34:21","name":"netfilter: ipset fixes","version":1,"mbox":"http://patchwork.ozlabs.org/series/501591/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2228648/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2228648/checks/","tags":{},"headers":{"Return-Path":"\n <netfilter-devel+bounces-12206-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=blackhole.kfki.hu header.i=@blackhole.kfki.hu\n header.a=rsa-sha256 header.s=20151130 header.b=J9xa+zB3;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12206-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=blackhole.kfki.hu\n header.i=@blackhole.kfki.hu header.b=\"J9xa+zB3\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=148.6.0.49","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=blackhole.kfki.hu"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g3wRb31d0z1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 27 Apr 2026 17:38:51 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id D3FFF3021E98\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 27 Apr 2026 07:34:51 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 50EB437E30F;\n\tMon, 27 Apr 2026 07:34:43 +0000 (UTC)","from smtp-out.kfki.hu (smtp-out.kfki.hu [148.6.0.49])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 3A36937CD29\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 27 Apr 2026 07:34:36 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n\tby smtp0.kfki.hu (Postfix) with ESMTP id 4g3wLX67kLz3sb8x;\n\tMon, 27 Apr 2026 09:34:28 +0200 (CEST)","from smtp0.kfki.hu ([127.0.0.1])\n by localhost (smtp0.kfki.hu [127.0.0.1]) (amavis, port 10026) with ESMTP\n id EmlYi-7G9zTc; Mon, 27 Apr 2026 09:34:27 +0200 (CEST)","from mentat.rmki.kfki.hu (254C0B05.nat.pool.telekom.hu [37.76.11.5])\n\t(Authenticated sender: kadlecsik.jozsef@wigner.hu)\n\tby smtp0.kfki.hu (Postfix) with ESMTPSA id 4g3wLT0f30z3sb9S;\n\tMon, 27 Apr 2026 09:34:25 +0200 (CEST)","by mentat.rmki.kfki.hu (Postfix, from userid 1000)\n\tid 8C7B41413C9; Mon, 27 Apr 2026 09:34:24 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777275280; cv=none;\n b=eolCIYp1TRaJeCIp50SfIeoFm1TYL7OiVNj0UVobYzE2+73UsXF4iDW7tIW4K3TKc+ETPFFun033hD2cx4G1agcJ+H6VvyRmvR8Ri+vnR31Z93AHsZ+lyZ238lovumAXLZH/SRReoS6dRPgrfLhQMLE3xbswj4/Mtp6sF9+ng6M=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777275280; c=relaxed/simple;\n\tbh=SLp5+e4JCIBWYzPlLRpHDJns9OX22HwTVDTGhvA/qQA=;\n\th=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:\n\t MIME-Version;\n b=L4cMkkSoL905eMNEZd5cL/RqVOkGJ6SgBNSuYxfFYehAYXbioJtqkMzWi+fEbMH6BKj3rWUPNFEZPeWJGkbXS0z9US6+MZjRekd7QRHZRGPlgTiCL0q6TaGJiA1cgc2e28im+HWqBs5uRE3YDTiWnCw0o7GMuGwF6DuWIRwTqZw=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=blackhole.kfki.hu;\n dkim=pass (1024-bit key) header.d=blackhole.kfki.hu\n header.i=@blackhole.kfki.hu header.b=J9xa+zB3;\n arc=none smtp.client-ip=148.6.0.49","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=\n\tblackhole.kfki.hu; h=mime-version:references:in-reply-to\n\t:x-mailer:message-id:date:date:from:from:received:received\n\t:received; s=20151130; t=1777275267; x=1779089668; bh=SMliz13asO\n\tSm0YbOnZYJXi5yXh41bAlFoRICKQ+BQZw=; b=J9xa+zB31y+7cbOrPpFpY6ySCV\n\t7nXPNPKmNvGMCjmY1YxCDZTtNBcHwHmCSOsXKgqkTP+r4vSKjBIt9rKM3cJ4NpTD\n\t9n36IvGa/JnLTb8wg9b9AIHHzEzY4Q7AvjTNTWYTur/lMxFoZqCBhLxIyDfVd7JP\n\tMAq53hzO+awLD+XTE=","X-Virus-Scanned":"Debian amavis at smtp0.kfki.hu","From":"Jozsef Kadlecsik <kadlec@netfilter.org>","To":"netfilter-devel@vger.kernel.org","Cc":"Pablo Neira Ayuso <pablo@netfilter.org>","Subject":"[PATCH 4/5] netfilter: ipset: skip gc when resize is in progress","Date":"Mon, 27 Apr 2026 09:34:23 +0200","Message-Id":"<20260427073424.573672-5-kadlec@netfilter.org>","X-Mailer":"git-send-email 2.39.5","In-Reply-To":"<20260427073424.573672-1-kadlec@netfilter.org>","References":"<20260427073424.573672-1-kadlec@netfilter.org>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","X-deepspam":"maybeham 3%","Content-Transfer-Encoding":"quoted-printable"},"content":"Zhengchuan Liang reported that because resize does not copy\nthe comment extension into the resized set but uses it's pointer,\nongoing gc can free the extension in the original set which then\nresults stale pointer in the resized one. The proposed patch was\nto recreate the extensions for every element in the resized set.\nIt is both expensive and wastes memory, so better skip gc\nwhen resizing in progress detected: resizing will destroy\nthe original set anyway, so doing gc on it unnecessary.\n\nReported by: Zhengchuan Liang <zcliangcn@gmail.com>\nSigned-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>\n---\n net/netfilter/ipset/ip_set_hash_gen.h | 8 +++++++-\n 1 file changed, 7 insertions(+), 1 deletion(-)","diff":"diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h\nindex 130cab2e2397..cdb681708b0d 100644\n--- a/net/netfilter/ipset/ip_set_hash_gen.h\n+++ b/net/netfilter/ipset/ip_set_hash_gen.h\n@@ -508,6 +508,8 @@ mtype_gc_do(struct ip_set *set, struct htype *h, struct htable *t, u32 r)\n \t\t\tdata = ahash_data(n, j, dsize);\n \t\t\tif (!ip_set_timeout_expired(ext_timeout(data, set)))\n \t\t\t\tcontinue;\n+\t\t\tif (atomic_read(&t->ref))\n+\t\t\t\tgoto resize_in_progress;\n \t\t\tpr_debug(\"expired %u/%u\\n\", i, j);\n \t\t\tclear_bit(j, n->used);\n \t\t\tsmp_mb__after_atomic();\n@@ -552,6 +554,7 @@ mtype_gc_do(struct ip_set *set, struct htype *h, struct htable *t, u32 r)\n \t\t\tkfree_rcu(n, rcu);\n \t\t}\n \t}\n+resize_in_progress:\n \tspin_unlock_bh(&t->hregion[r].lock);\n }\n \n@@ -672,7 +675,10 @@ mtype_resize(struct ip_set *set, bool retried)\n \t\tspin_lock_init(&t->hregion[i].lock);\n \n \t/* There can't be another parallel resizing,\n-\t * but dumping, gc, kernel side add/del are possible\n+\t * but dumping, kernel side add/del are possible.\n+\t * gc must detect ongoing resize when comments are in use\n+\t * in order not to free the comment extension area shared\n+\t * between the original and resized sets.\n \t */\n \torig = ipset_dereference_bh_nfnl(h->table);\n \tatomic_set(&orig->ref, 1);\n","prefixes":["4/5"]}