* [PATCH nf] netfilter: ipset: skip extension destroy on hash resize replay
@ 2026-07-04 6:22 Weiming Shi
0 siblings, 0 replies; only message in thread
From: Weiming Shi @ 2026-07-04 6:22 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik
Cc: netfilter-devel, coreteam, netdev, linux-kernel, Xiang Mei,
Weiming Shi
During a hash set resize, mtype_resize() copies each element into the
new table with memcpy(), so the new-table element shares the old-table
element's comment extension. An xt_SET delete on the old table during
the resize destroys that shared comment via ip_set_ext_destroy() and
queues a replayed delete on h->ad. After the table swap mtype_resize()
replays it with mtype_del() on the new table, whose copy still points at
the freed comment, so ip_set_ext_destroy() frees it a second time:
ODEBUG: activate active (active state 1) object: ... object type: rcu_head
WARNING: CPU: 3 PID: 5311 at lib/debugobjects.c:514 debug_print_object
Call Trace:
<IRQ>
kvfree_call_rcu (kernel/rcu/tree.c:3825)
ip_set_comment_free (net/netfilter/ipset/ip_set_core.c:397)
hash_ip4_del (net/netfilter/ipset/ip_set_hash_gen.h:1098)
hash_ip4_kadt (net/netfilter/ipset/ip_set_hash_ip.c:96)
ip_set_del (net/netfilter/ipset/ip_set_core.c:813)
set_target_v3 (net/netfilter/xt_set.c:412)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:346)
__ip_local_out (net/ipv4/ip_output.c:119)
icmp_push_reply (net/ipv4/icmp.c:397)
__icmp_send (net/ipv4/icmp.c:804)
__udp4_lib_rcv (net/ipv4/udp.c:2521)
ip_local_deliver (net/ipv4/ip_input.c:254)
ip_rcv (net/ipv4/ip_input.c:569)
</IRQ>
The replay passes a NULL ext (the kernel-side delete that queued it
already destroyed the extensions), so skip ip_set_ext_destroy() when ext
is NULL. This also avoids the NULL ext->target dereference that was only
kept safe by the new table's ref being zero.
Reachable from an unprivileged user namespace.
Fixes: f66ee0410b1c ("netfilter: ipset: Fix \"INFO: rcu detected stall in hash_xxx\" reports")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
---
net/netfilter/ipset/ip_set_hash_gen.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 5e4453e9e..bc909ae2d 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -1080,9 +1080,11 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
mtype_del_cidr(set, h,
NCIDR_PUT(DCIDR_GET(d->cidr, j)), j);
#endif
- ip_set_ext_destroy(set, data);
+ /* On a resize replay the extensions were already destroyed. */
+ if (ext)
+ ip_set_ext_destroy(set, data);
- if (atomic_read(&t->ref) && ext->target) {
+ if (ext && atomic_read(&t->ref) && ext->target) {
/* Resize is in process and kernel side del,
* save values
*/
--
2.43.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-07-04 6:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-04 6:22 [PATCH nf] netfilter: ipset: skip extension destroy on hash resize replay Weiming Shi
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox