{"id":2227986,"url":"http://patchwork.ozlabs.org/api/patches/2227986/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260424164150.3658854-2-tim.whisonant@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260424164150.3658854-2-tim.whisonant@canonical.com>","list_archive_url":null,"date":"2026-04-24T16:41:47","name":"[SRU,J/N/Q,1/1] netfilter: ipset: drop logically empty buckets in mtype_del","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"6b98140112da2bc75a86227f71ebab03e8861487","submitter":{"id":89903,"url":"http://patchwork.ozlabs.org/api/people/89903/?format=json","name":"Tim Whisonant","email":"tim.whisonant@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260424164150.3658854-2-tim.whisonant@canonical.com/mbox/","series":[{"id":501394,"url":"http://patchwork.ozlabs.org/api/series/501394/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=501394","date":"2026-04-24T16:41:46","name":"CVE-2026-31418","version":1,"mbox":"http://patchwork.ozlabs.org/series/501394/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2227986/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2227986/checks/","tags":{},"related":[],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=NI8tXzEC;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g2Jdw0cTJz1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 25 Apr 2026 02:42:11 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wGJbO-0000gL-5r; Fri, 24 Apr 2026 16:42:02 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <tim.whisonant@canonical.com>)\n id 1wGJbM-0000cB-Hh\n for kernel-team@lists.ubuntu.com; Fri, 24 Apr 2026 16:42:00 +0000","from mail-ot1-f69.google.com (mail-ot1-f69.google.com\n [209.85.210.69])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 4E5743F11B\n for <kernel-team@lists.ubuntu.com>; Fri, 24 Apr 2026 16:42:00 +0000 (UTC)","by mail-ot1-f69.google.com with SMTP id\n 46e09a7af769-7dce437f1a1so8119854a34.3\n for <kernel-team@lists.ubuntu.com>; Fri, 24 Apr 2026 09:42:00 -0700 (PDT)","from localhost (104-6-108-11.lightspeed.frokca.sbcglobal.net.\n [104.6.108.11]) by smtp.gmail.com with ESMTPSA id\n 46e09a7af769-7dcd164d2c3sm11138974a34.24.2026.04.24.09.41.57\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 24 Apr 2026 09:41:57 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777048920;\n bh=b1UQrldmI8ihMBG2suDiFfXB5PVEFpSmZZQlg+fu8D4=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=NI8tXzECvYgoCA5U/QKnAwDNy+o0FYq0UToZ8tqWHYNiIGQ/sl9Hk1nitkdC6aUwu\n lHHc6wUpY6BKT3IhRbnQMFsuyehXOFuGxf5cvurCb8MW3mdO+cnNP1EJfdapPeAsbY\n qA4KfVSSCAzGxWBZYnKaLFg3DQPEITJJDtxjeAoi1xn3/vJczJIKMcOoQFtu4/IOwA\n t/CZevKytyY8EE6DUAk8tm3FDsu81K2/uSOtBOvz2/wfBxRHHiyjs4SKylGIUmo7FW\n vsa4GV4vpxQE6LPhOt+03cw2yFaFR6nb7+SMNAVhfLwrNsIQ6ozZXKErAAf5rtfhSQ\n wawPs/4gik8fDAJgJO7zBzDT2f/xKZTw7Zl+0+Erte6HeGyxiIfE+l6UBcWzDpA7zB\n IPjnI/ADJQMcKO1MuQ80W5y67XhJVcixeDIYHDCJO69a8Ze0Yc5Mn1kYPhbVt74x44\n 8KbLwOS9F6JyctovoGymHVWai/5K0qAXGz72guzGn5IY4hdfMe/F1M1CihbJ3uVlzy\n 4TDoaUTwCYvl0IaPfwlZRPHpPPubd7Is4MAFw/CGtDKnCLI7Ci8zJQqzQzAckYwXRu\n Kfjdl2uG3pKLbNJDtRy4Ua+uBtP//23AsfAcH7JvQnUWpoPWH/j4bVS+JxqrMx63Ta\n /niG8Nis4SFb/HIxwzKFfkYo=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777048918; x=1777653718;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=b1UQrldmI8ihMBG2suDiFfXB5PVEFpSmZZQlg+fu8D4=;\n b=LtdlPDaSncZwnr5XjYiIrY4daSm/5OI6rwavdvlgyxD6QwLIcBy4LTpfrBt5wfiJnk\n idkxozgVn/Ip6VX4WcMd/VEz3heTit4oBHOgGhiccaDX+ulxpA3Zf8kQpt6Ag5j71q+D\n BWqJwfASU89LYmo5z69q4ME6g8P5Z5JiFOjiGWpHFAIsJc2CyfMY0jsrH7VGOfZ6VryC\n DANpbPvs79o/0+daIICRZTZVRL6wK08kMsNp8qw9OeHQ8QCeLNUf6Hwd79FyufoDEKgC\n tTExnEgVCrvqSsZz5QKhdHWNWmG/j0x1WiBAfW1Eajk4LB4F3KPVoUwMU3MDN7Zzpydg\n p4VA==","X-Gm-Message-State":"AOJu0YwuXNHhLR2nieumyCtbFX9J6T7K2SL11w1fVw0bla9wQ30Nr3JR\n lt5JhhoMFpSyIrhFkujlTs3+g9D6JYHQb3WzXNaSYW2hhiFHUHj2v6Ofvq0Y7szEZukOunD/JII\n g/90nuuYUKFS4FAPOegqVR3QRt2sDOJ9u79JIulzYH4HJdUoVZrFgMskYxiGsjezmRNu9WTNIM8\n Mx8+2ID2E6v1BqTQ==","X-Gm-Gg":"AeBDievYBncC3PzRASxOmrRfGQoa+8R1GeHz1t5B/vFcZp6WRJcRFfSpzfHoEEUm88f\n kvWsUqV09Nzkjw6paPnec+loRwljWwgivRXPBkXwmtXY3Fq+xjrNx3iwH6QUzEV8j+OxkRZi7hw\n z5VgyjEhKRSEinrF5gEsdktRwpI9ZgDBFlgIk2+RMxPbDdHUu6Ql3v2n4I6ALF47/Rz+IR70Ajb\n bJ+1f9deWcKvpiIqk2BLH6S6zJuzSDLnDxyLVfCzIgXM7lzEHLSutQ98qeL2xN02rF3icM0HUh8\n JMnOUqGD4gVKs0J/mKLJpbotn0yX69RUodZUd6cuPJV24wW41afljxypjR7y8nDSpkE2V2b4XBy\n r71QDpdMckVJB0pLVWUtPLSuYihA8Ax82jr+swFHsQKUAULa48obL13say0fr8ueYJRPN7mAtUz\n OqT5zyR+bhORPo","X-Received":["by 2002:a05:6830:4124:b0:7dc:cba3:e8f2 with SMTP id\n 46e09a7af769-7dccba3fd81mr13886439a34.19.1777048918636;\n Fri, 24 Apr 2026 09:41:58 -0700 (PDT)","by 2002:a05:6830:4124:b0:7dc:cba3:e8f2 with SMTP id\n 46e09a7af769-7dccba3fd81mr13886421a34.19.1777048918161;\n Fri, 24 Apr 2026 09:41:58 -0700 (PDT)"],"From":"Tim Whisonant <tim.whisonant@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][J/N/Q][PATCH 1/1] netfilter: ipset: drop logically empty\n buckets in mtype_del","Date":"Fri, 24 Apr 2026 09:41:47 -0700","Message-ID":"<20260424164150.3658854-2-tim.whisonant@canonical.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<20260424164150.3658854-1-tim.whisonant@canonical.com>","References":"<20260424164150.3658854-1-tim.whisonant@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: Yifan Wu <yifanwucs@gmail.com>\n\nmtype_del() counts empty slots below n->pos in k, but it only drops the\nbucket when both n->pos and k are zero. This misses buckets whose live\nentries have all been removed while n->pos still points past deleted slots.\n\nTreat a bucket as empty when all positions below n->pos are unused and\nrelease it directly instead of shrinking it further.\n\nFixes: 8af1c6fbd923 (\"netfilter: ipset: Fix forceadd evaluation path\")\nCc: stable@vger.kernel.org\nReported-by: Juefei Pu <tomapufckgml@gmail.com>\nReported-by: Xin Liu <dstsmallbird@foxmail.com>\nSigned-off-by: Yifan Wu <yifanwucs@gmail.com>\nCo-developed-by: Yuan Tan <yuantan098@gmail.com>\nSigned-off-by: Yuan Tan <yuantan098@gmail.com>\nReviewed-by: Phil Sutter <phil@nwl.cc>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n(cherry picked from commit 9862ef9ab0a116c6dca98842aab7de13a252ae02)\nCVE-2026-31418\nSigned-off-by: Tim Whisonant <tim.whisonant@canonical.com>\n---\n net/netfilter/ipset/ip_set_hash_gen.h | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)","diff":"diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h\nindex 1f9ca5040982d..da7956e2f8d89 100644\n--- a/net/netfilter/ipset/ip_set_hash_gen.h\n+++ b/net/netfilter/ipset/ip_set_hash_gen.h\n@@ -1086,7 +1086,7 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,\n \t\t\tif (!test_bit(i, n->used))\n \t\t\t\tk++;\n \t\t}\n-\t\tif (n->pos == 0 && k == 0) {\n+\t\tif (k == n->pos) {\n \t\t\tt->hregion[r].ext_size -= ext_size(n->size, dsize);\n \t\t\trcu_assign_pointer(hbucket(t, key), NULL);\n \t\t\tkfree_rcu(n, rcu);\n","prefixes":["SRU","J/N/Q","1/1"]}