public inbox for netfilter-devel@vger.kernel.org
From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: nf_tables: inconditionally bump set->nelems before insertion
Date: Tue, 24 Feb 2026 19:55:26 +0100
Message-ID: <aZ30HscJe0XroBtg@strlen.de>
In-Reply-To: <20260224182247.2343607-1-pablo@netfilter.org>

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> In case that the set is full, a new element gets published then removed
> without waiting for the RCU grace period, while RCU reader can be
> walking over it already.
> 
> To address this issue, add the element transaction even if set is full,
> but toggle the set_full flag to report -ENFILE so the abort path safely
> unwinds the set to its previous state.
> 
> As for element updates, decrement set->nelems to restore it.

While I think this patch is correct and fixes the bug, I would
prefer the one-liner from Inseo An, it will be easier to backport it.
I propose we do this:

I do a nf pull request now, with Inseo's version.

Then, after that has been merged back into nf-next, rebase this patch
on top of it and apply it.

Then, in a 2nd step, also rework 71e99ee20fc3 ("netfilter: nf_tables: fix use-after-free in nf_tables_addchain()")
to follow the same pattern as in your patch, i.e. defer the release to the
abort path instead.  This way we have easier-to-backport fixes while we
establish this new pattern of adding to-be-aborted transaction objects to
the list.

Makes sense to you?
