{"id":2220823,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2220823/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260408070257.2437291-3-kadlec@netfilter.org/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.2/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260408070257.2437291-3-kadlec@netfilter.org>","list_archive_url":null,"date":"2026-04-08T07:02:57","name":"[2/2] netfilter: ipset: Fix data race between add and dump in all hash types","commit_ref":null,"pull_url":null,"state":"changes-requested","archived":true,"hash":"54c29abe1c4cbf656c6ec5a55769f2b01b4b58ff","submitter":{"id":77226,"url":"http://patchwork.ozlabs.org/api/1.2/people/77226/?format=json","name":"Jozsef Kadlecsik","email":"kadlec@netfilter.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260408070257.2437291-3-kadlec@netfilter.org/mbox/","series":[{"id":499081,"url":"http://patchwork.ozlabs.org/api/1.2/series/499081/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=499081","date":"2026-04-08T07:02:57","name":"[1/2] netfilter: ipset: Fix data race between add and list header in all hash types","version":1,"mbox":"http://patchwork.ozlabs.org/series/499081/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2220823/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2220823/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <netfilter-devel+bounces-11709-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=blackhole.kfki.hu header.i=@blackhole.kfki.hu\n header.a=rsa-sha256 header.s=20151130 header.b=GjW/wwJp;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.232.135.74; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11709-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=blackhole.kfki.hu\n header.i=@blackhole.kfki.hu header.b=\"GjW/wwJp\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=148.6.0.51","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=blackhole.kfki.hu"],"Received":["from sto.lore.kernel.org (sto.lore.kernel.org [172.232.135.74])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frDmx5YqYz1xv0\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 08 Apr 2026 17:13:21 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id DD757301A082\n\tfor <incoming@patchwork.ozlabs.org>; Wed,  8 Apr 2026 07:13:17 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id F09A6377015;\n\tWed,  8 Apr 2026 07:13:16 +0000 (UTC)","from smtp-out.kfki.hu (smtp-out.kfki.hu [148.6.0.51])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 5583F374E5B\n\tfor <netfilter-devel@vger.kernel.org>; Wed,  8 Apr 2026 07:13:13 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n\tby smtp2.kfki.hu (Postfix) with ESMTP id 4frDXz1qFBz7s85c;\n\tWed,  8 Apr 2026 09:02:59 +0200 (CEST)","from smtp2.kfki.hu ([127.0.0.1])\n by localhost (smtp2.kfki.hu [127.0.0.1]) (amavis, port 10026) with ESMTP\n id QBF8QebXEkj2; Wed,  8 Apr 2026 09:02:57 +0200 (CEST)","from blackhole.kfki.hu (blackhole.szhk.kfki.hu [148.6.240.2])\n\tby smtp2.kfki.hu (Postfix) with ESMTP id 4frDXx17VRz7s85Y;\n\tWed,  8 Apr 2026 09:02:57 +0200 (CEST)","by blackhole.kfki.hu (Postfix, from userid 1000)\n\tid 1736A34316C; Wed,  8 Apr 2026 09:02:57 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775632396; cv=none;\n b=Hgtez2FaxcQlqtdbEBdgpdS01NDkMTz0q6LjbJHHzEqbM130aCPZDV6K1ckWI88k5IlMNzQeTuwyITXj73eVwQ3wJ/77IScm/BhQCMKCtDd5NTAuv2+NfJI9TwO7JFhI9jfSCGPXQvA8CPyMn+p0Lbz0X3OscHgPngw0B4xyCIA=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775632396; c=relaxed/simple;\n\tbh=ceBuwgOrGdTJRMGljasRbtuSVZswPAXGOGqSqWSmMWU=;\n\th=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:\n\t MIME-Version;\n b=p5HH/GhbZ4wgaUc25sMs1p5/dfzd7vUZAjKnzclvT77Rh7n8sX/gKe1e2QqoBhUpfgIaNUTd9VYiCKfUhU+LV19YtVXZiXJz+UxMAyqOwERh3Wu0rEprtEt2Z9HlAwGIKMnWsZqCMNdvfAjGypKV4aVjPcbv7vKNIfmPSR+Ct+A=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=blackhole.kfki.hu;\n dkim=pass (1024-bit key) header.d=blackhole.kfki.hu\n header.i=@blackhole.kfki.hu header.b=GjW/wwJp;\n arc=none smtp.client-ip=148.6.0.51","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=\n\tblackhole.kfki.hu; h=mime-version:references:in-reply-to\n\t:x-mailer:message-id:date:date:from:from:received:received\n\t:received; s=20151130; t=1775631777; x=1777446178; bh=wMXc7XMZgr\n\tXyg7Y3UM17LRW1mDQQUfQ91BE2SkA1rAQ=; b=GjW/wwJpxqvleyIpqFnPyQrRii\n\t/PRTPmUQBjLk5NgZMIuvYKTpiywQJthHAcEvD/iWCQkIzEl2mIyILNoEcwQxMu9M\n\trD8FQEo3jb3M0xxQv38chEHMpjVf+70ckbof57WAl6PmKKZGtUOx1sV4WTXx/olN\n\tLgOPhRfOUhTqD8v0o=","X-Virus-Scanned":"Debian amavis at smtp2.kfki.hu","From":"Jozsef Kadlecsik <kadlec@netfilter.org>","To":"netfilter-devel@vger.kernel.org","Cc":"Pablo Neira Ayuso <pablo@netfilter.org>,\n\tFlorian Westphal <fw@strlen.de>","Subject":"[PATCH 2/2] netfilter: ipset: Fix data race between add and dump in\n all hash types","Date":"Wed,  8 Apr 2026 09:02:57 +0200","Message-Id":"<20260408070257.2437291-3-kadlec@netfilter.org>","X-Mailer":"git-send-email 2.39.5","In-Reply-To":"<20260408070257.2437291-1-kadlec@netfilter.org>","References":"<20260408070257.2437291-1-kadlec@netfilter.org>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"quoted-printable"},"content":"When adding a new entry to the next position in the existing hash bucket,\nthe position index was incremented too early and parallel dump could\nread it before the entry was populated with the value. Move the setting\nof the position index after populating the entry.\n\nReported-by: syzbot+786c889f046e8b003ca6@syzkaller.appspotmail.com\nReported-by: syzbot+1da17e4b41d795df059e@syzkaller.appspotmail.com\nReported-by: syzbot+421c5f3ff8e9493084d9@syzkaller.appspotmail.com\nSigned-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>\n---\n net/netfilter/ipset/ip_set_hash_gen.h | 6 ++++--\n 1 file changed, 4 insertions(+), 2 deletions(-)","diff":"diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h\nindex b79e5dd2af03..492c2095c11b 100644\n--- a/net/netfilter/ipset/ip_set_hash_gen.h\n+++ b/net/netfilter/ipset/ip_set_hash_gen.h\n@@ -844,7 +844,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,\n \tconst struct mtype_elem *d = value;\n \tstruct mtype_elem *data;\n \tstruct hbucket *n, *old = ERR_PTR(-ENOENT);\n-\tint i, j = -1, ret;\n+\tint i, j = -1, npos, ret;\n \tbool flag_exist = flags & IPSET_FLAG_EXIST;\n \tbool deleted = false, forceadd = false, reuse = false;\n \tu32 r, key, multi = 0, elements, maxelem;\n@@ -889,6 +889,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,\n \t\t\text_size(AHASH_INIT_SIZE, set->dsize);\n \t\tgoto copy_elem;\n \t}\n+\tnpos = n->pos;\n \tfor (i = 0; i < n->pos; i++) {\n \t\tif (!test_bit(i, n->used)) {\n \t\t\t/* Reuse first deleted entry */\n@@ -962,7 +963,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,\n \t}\n \n copy_elem:\n-\tj = n->pos++;\n+\tj = npos = n->pos + 1;\n \tdata = ahash_data(n, j, set->dsize);\n copy_data:\n \tt->hregion[r].elements++;\n@@ -985,6 +986,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,\n \tif (SET_WITH_TIMEOUT(set))\n \t\tip_set_timeout_set(ext_timeout(data, set), ext->timeout);\n \tsmp_mb__before_atomic();\n+\tn->pos = npos;\n \tset_bit(j, n->used);\n \tif (old != ERR_PTR(-ENOENT)) {\n \t\trcu_assign_pointer(hbucket(t, key), n);\n","prefixes":["2/2"]}