From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net 09/12] netfilter: ipset: Fix data race between add and dump in all hash types
Date: Sat, 16 May 2026 13:56:24 +0200
Message-ID: <20260516115627.967773-10-pablo@netfilter.org>
In-Reply-To: <20260516115627.967773-1-pablo@netfilter.org>

From: Jozsef Kadlecsik

When adding a new entry to the next position in the existing hash bucket, the position index was incremented too early and parallel dump could read it before the entry was populated with the value.

Move the setting of the position index after populating the entry.

v2: Position counting fixed, noticed by Florian Westphal.

Fixes: 18f84d41d34f ("netfilter: ipset: Introduce RCU locking in hash:* types")
Reported-by: syzbot+786c889f046e8b003ca6@syzkaller.appspotmail.com
Reported-by: syzbot+1da17e4b41d795df059e@syzkaller.appspotmail.com
Reported-by: syzbot+421c5f3ff8e9493084d9@syzkaller.appspotmail.com
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/ipset/ip_set_hash_gen.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h index b79e5dd2af03..133ce4611eed 100644 --- a/net/netfilter/ipset/ip_set_hash_gen.h +++ b/net/netfilter/ipset/ip_set_hash_gen.h @@ -844,7 +844,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext, const struct mtype_elem *d = value; struct mtype_elem *data; struct hbucket *n, *old = ERR_PTR(-ENOENT); - int i, j = -1, ret; + int i, j = -1, npos = 0, ret; bool flag_exist = flags & IPSET_FLAG_EXIST; bool deleted = false, forceadd = false, reuse = false; u32 r, key, multi = 0, elements, maxelem; @@ -889,6 +889,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext, ext_size(AHASH_INIT_SIZE, set->dsize); goto copy_elem; } + npos = n->pos; for (i = 0; i < n->pos; i++) { if (!test_bit(i, n->used)) { /* Reuse first deleted entry */ @@ -962,7 +963,8 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext, } copy_elem: - j = n->pos++; + j = npos; + npos = n->pos + 1; data = ahash_data(n, j, set->dsize); copy_data: t->hregion[r].elements++; @@ -985,6 +987,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext, if (SET_WITH_TIMEOUT(set)) ip_set_timeout_set(ext_timeout(data, set), ext->timeout); smp_mb__before_atomic(); + n->pos = npos; set_bit(j, n->used); if (old != ERR_PTR(-ENOENT)) { rcu_assign_pointer(hbucket(t, key), n); -- 2.47.3
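
Review bot: in the second hunk (@@ -889,6 +889,7 @@), `npos = n->pos;` sits after the `goto copy_elem;` of the branch above it, so on that path `j = npos;` at copy_elem takes the value 0 from the declaration initializer added in the first hunk. That is only correct if the bucket reached through that goto starts with pos == 0, which the hunk does not show. Suggest assigning npos explicitly before the goto, or adding a one-line comment stating the invariant, so a later change to the initializer or to that branch does not silently pick the wrong slot.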
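
Review bot: at copy_elem in the third hunk (@@ -962,7 +963,8 @@), the slot index comes from the cached value (`j = npos;`) while the next position is recomputed from the bucket (`npos = n->pos + 1;`). The two agree only while npos still equals n->pos at this label; if that is guaranteed, `npos = j + 1;` derives both from one source and reads more clearly. The variable also changes meaning on these two lines, from "slot to fill" to "value to publish into n->pos", which deserves a short comment.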
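
Review bot: in the last hunk (@@ -985,6 +987,7 @@), `n->pos = npos;` is a plain store to a field that, per the commit message, a parallel dump reads while add is running. Consider `WRITE_ONCE(n->pos, npos)`, paired with READ_ONCE on the reader side (which is outside this patch), so the access is marked as an intentional lockless one. The store also sits between `smp_mb__before_atomic();` and `set_bit(j, n->used);`, so its ordering against the element writes above depends on what that barrier expands to on each architecture; `smp_store_release(&n->pos, npos)` would state the publish ordering directly, or a comment should name the reader-side barrier this pairs with.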