{"id":2220826,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2220826/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260408070257.2437291-2-kadlec@netfilter.org/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.2/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260408070257.2437291-2-kadlec@netfilter.org>","list_archive_url":null,"date":"2026-04-08T07:02:56","name":"[1/2] netfilter: ipset: Fix data race between add and list header in all hash types","commit_ref":null,"pull_url":null,"state":"changes-requested","archived":true,"hash":"522c2a88b848ad3180e48026c837f6729d66450a","submitter":{"id":77226,"url":"http://patchwork.ozlabs.org/api/1.2/people/77226/?format=json","name":"Jozsef Kadlecsik","email":"kadlec@netfilter.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260408070257.2437291-2-kadlec@netfilter.org/mbox/","series":[{"id":499081,"url":"http://patchwork.ozlabs.org/api/1.2/series/499081/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=499081","date":"2026-04-08T07:02:57","name":"[1/2] netfilter: ipset: Fix data race between add and list header in all hash types","version":1,"mbox":"http://patchwork.ozlabs.org/series/499081/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2220826/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2220826/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=blackhole.kfki.hu header.i=@blackhole.kfki.hu\n header.a=rsa-sha256 header.s=20151130 header.b=JhgfFbUs;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11710-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=blackhole.kfki.hu\n header.i=@blackhole.kfki.hu header.b=\"JhgfFbUs\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=148.6.0.49","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=blackhole.kfki.hu"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frDvn2m9pz1xtJ\n\tfor ; Wed, 08 Apr 2026 17:19:17 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 7DB9430ACFE8\n\tfor ; Wed, 8 Apr 2026 07:13:18 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 541F9377006;\n\tWed, 8 Apr 2026 07:13:17 +0000 (UTC)","from smtp-out.kfki.hu (smtp-out.kfki.hu [148.6.0.49])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 7E2C437754C\n\tfor ; Wed, 8 Apr 2026 07:13:15 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n\tby smtp0.kfki.hu (Postfix) with ESMTP id 4frDXz297bz3sb8d;\n\tWed, 8 Apr 2026 09:02:59 +0200 (CEST)","from smtp0.kfki.hu ([127.0.0.1])\n by localhost (smtp0.kfki.hu [127.0.0.1]) (amavis, port 10026) with ESMTP\n id pMJ1KZFxPMup; Wed, 8 Apr 2026 09:02:57 +0200 (CEST)","from blackhole.kfki.hu (blackhole.szhk.kfki.hu\n [IPv6:2001:738:5001:1::240:2])\n\tby smtp0.kfki.hu (Postfix) with ESMTP id 4frDXx0wCvz3sb8c;\n\tWed, 8 Apr 2026 09:02:57 +0200 (CEST)","by blackhole.kfki.hu (Postfix, from userid 1000)\n\tid 1463734316B; Wed, 8 Apr 2026 09:02:57 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775632396; cv=none;\n b=cSD/1aJkBY/h2rM73Ce1ThT6GryekvWqUUVbAUqpPmVUC2zP45vm9G0ToiIo0N+PV/JUvcV32j3qV8WKBkDJsGsQfj3srFYJeLVuGjU3aK0fBN5QSqwkf3LNmuKLZ3qmmqPBA6xiipJZVHI5jSdEyZqyBBftLy+uaGQZOHCOvKA=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775632396; c=relaxed/simple;\n\tbh=mhivghAY4iqzWA8QMbRoxlpLf9wlOsy2eI7mzmhbFMM=;\n\th=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:\n\t MIME-Version;\n b=XqnjEj4TOz258uhsp7ffDg4PUESI8NdiTugBmNKWE1DGggjocucqB6JRI27j8VCPnyLe76ZTHppt/38BF4ifi01sxzjumTopEn85CBo385Rg1UoGGcFS+dBUw/s6q4USIZmHsAXFKAuJntCC/+P0bSBRMBHnusmNSs6o2kOIWNA=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=blackhole.kfki.hu;\n dkim=pass (1024-bit key) header.d=blackhole.kfki.hu\n header.i=@blackhole.kfki.hu header.b=JhgfFbUs;\n arc=none smtp.client-ip=148.6.0.49","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=\n\tblackhole.kfki.hu; h=mime-version:references:in-reply-to\n\t:x-mailer:message-id:date:date:from:from:received:received\n\t:received; s=20151130; t=1775631777; x=1777446178; bh=UPYFQnNHUB\n\tvCFSBcJlCDrBtq0YeZvIr5oN6GY29vYpg=; b=JhgfFbUsqZxDai6GCw3BXglII4\n\tgA6O5ZprkCHnrugh8KGT8a0FDcChX3lGsmCrRzApNKkM4oAiN/sFOj12b5Yh/9Ix\n\tMIyNNDdsaEdU2VMgE1zMX55mieLy/h42SkAcMUC8/Bav87m4rOBC2zUY9HE1l44F\n\tOsCaNyK/eUcKYrv8A=","X-Virus-Scanned":"Debian amavis at smtp0.kfki.hu","From":"Jozsef Kadlecsik ","To":"netfilter-devel@vger.kernel.org","Cc":"Pablo Neira Ayuso ,\n\tFlorian Westphal ","Subject":"[PATCH 1/2] netfilter: ipset: Fix data race between add and list\n header in all hash types","Date":"Wed, 8 Apr 2026 09:02:56 +0200","Message-Id":"<20260408070257.2437291-2-kadlec@netfilter.org>","X-Mailer":"git-send-email 2.39.5","In-Reply-To":"<20260408070257.2437291-1-kadlec@netfilter.org>","References":"<20260408070257.2437291-1-kadlec@netfilter.org>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Transfer-Encoding":"quoted-printable"},"content":"The \"ipset list -terse\" command is actually a dump operation which\nmay run parallel with \"ipset add\" commands, which can trigger an\ninternal resizing of the hash type of sets just being dumped. However,\ndumping just the header part of the set was not protected against\nunderlying resizing. Fix it by protecting the header dumping part\nas well.\n\nSigned-off-by: Jozsef Kadlecsik \n---\n net/netfilter/ipset/ip_set_core.c | 4 ++--\n 1 file changed, 2 insertions(+), 2 deletions(-)","diff":"diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c\nindex d0c9fe59c67d..e6a8b3acc556 100644\n--- a/net/netfilter/ipset/ip_set_core.c\n+++ b/net/netfilter/ipset/ip_set_core.c\n@@ -1648,13 +1648,13 @@ ip_set_dump_do(struct sk_buff *skb, struct netlink_callback *cb)\n \t\t\tif (cb->args[IPSET_CB_PROTO] > IPSET_PROTOCOL_MIN &&\n \t\t\t nla_put_net16(skb, IPSET_ATTR_INDEX, htons(index)))\n \t\t\t\tgoto nla_put_failure;\n+\t\t\tif (set->variant->uref)\n+\t\t\t\tset->variant->uref(set, cb, true);\n \t\t\tret = set->variant->head(set, skb);\n \t\t\tif (ret < 0)\n \t\t\t\tgoto release_refcount;\n \t\t\tif (dump_flags & IPSET_FLAG_LIST_HEADER)\n \t\t\t\tgoto next_set;\n-\t\t\tif (set->variant->uref)\n-\t\t\t\tset->variant->uref(set, cb, true);\n \t\t\tfallthrough;\n \t\tdefault:\n \t\t\tret = set->variant->list(set, skb, cb);\n","prefixes":["1/2"]}