From: Jozsef Kadlecsik
To: netfilter-devel@vger.kernel.org
Cc: Pablo Neira Ayuso
Subject: [PATCH v7 03/10] netfilter: ipset: Fix data race between add and dump in all hash types
Date: Thu, 14 May 2026 10:55:12 +0200
Message-Id: <20260514085519.12729-4-kadlec@netfilter.org>
In-Reply-To: <20260514085519.12729-1-kadlec@netfilter.org>
References: <20260514085519.12729-1-kadlec@netfilter.org>
Content-Transfer-Encoding: quoted-printable

When adding a new entry to the next position in the existing hash bucket, the position index was incremented too early and parallel dump could read it before the entry was populated with the value. Move the setting of the position index after populating the entry.

v2: Position counting fixed, noticed by Florian Westphal.

Reported-by: syzbot+786c889f046e8b003ca6@syzkaller.appspotmail.com
Reported-by: syzbot+1da17e4b41d795df059e@syzkaller.appspotmail.com
Reported-by: syzbot+421c5f3ff8e9493084d9@syzkaller.appspotmail.com
Signed-off-by: Jozsef Kadlecsik
---
 net/netfilter/ipset/ip_set_hash_gen.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/= ip_set_hash_gen.h index b79e5dd2af03..133ce4611eed 100644 --- a/net/netfilter/ipset/ip_set_hash_gen.h +++ b/net/netfilter/ipset/ip_set_hash_gen.h @@ -844,7 +844,7 @@ mtype_add(struct ip_set *set, void *value, const stru= ct ip_set_ext *ext, const struct mtype_elem *d =3D value; struct mtype_elem *data; struct hbucket *n, *old =3D ERR_PTR(-ENOENT); - int i, j =3D -1, ret; + int i, j =3D -1, npos =3D 0, ret; bool flag_exist =3D flags & IPSET_FLAG_EXIST; bool deleted =3D false, forceadd =3D false, reuse =3D false; u32 r, key, multi =3D 0, elements, maxelem; 
@@ -889,6 +889,7 @@ mtype_add(struct ip_set *set, void *value, const stru= ct ip_set_ext *ext, ext_size(AHASH_INIT_SIZE, set->dsize); goto copy_elem; } + npos =3D n->pos; for (i =3D 0; i < n->pos; i++) { if (!test_bit(i, n->used)) { /* Reuse first deleted entry */ @@ -962,7 +963,8 @@ mtype_add(struct ip_set *set, void *value, const stru= ct ip_set_ext *ext, } =20 copy_elem: - j =3D n->pos++; + j =3D npos; + npos =3D n->pos + 1; data =3D ahash_data(n, j, set->dsize); copy_data: t->hregion[r].elements++; @@ -985,6 +987,7 @@ mtype_add(struct ip_set *set, void *value, const stru= ct ip_set_ext *ext, if (SET_WITH_TIMEOUT(set)) ip_set_timeout_set(ext_timeout(data, set), ext->timeout); smp_mb__before_atomic(); + n->pos =3D npos; set_bit(j, n->used); if (old !=3D ERR_PTR(-ENOENT)) { rcu_assign_pointer(hbucket(t, key), n); --=20 2.39.5
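
Review bot: at the copy_elem label, "j = npos;" takes the slot from the earlier snapshot while "npos = n->pos + 1;" recomputes the next position from the live field, so the two agree only if npos still equals n->pos on every path that reaches the label. The early "goto copy_elem;" sits before "npos = n->pos;", so that path arrives with the initializer 0 and depends on the bucket's pos being 0 at that point, which these lines do not show. Writing "npos = j + 1;" would keep a single source for the value; otherwise a short comment at the label should state the invariant.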
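
Review bot: in the last hunk, "n->pos = npos;" is a plain store placed between smp_mb__before_atomic() and set_bit(j, n->used), although the commit message says a parallel dump reads this index. WRITE_ONCE(n->pos, npos), paired with READ_ONCE() on the dump side, would mark the access as intentionally concurrent. A comment should also say which barrier orders the entry's stores before the index update and which read it pairs with, since smp_mb__before_atomic() is documented in terms of the atomic operation that follows it and a store now sits in between. Any path that enters at copy_data without passing copy_elem writes back the value snapshotted before the loop; that is harmless, but the comment could say so.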