[PATCH 0/1] netfilter: ipset: Fix data race between add and list header

[PATCH 0/1] netfilter: ipset: Fix data race between add and list header

[Jozsef Kadlecsik]

Hi Pablo,

Please consider applying the next patch:

* Fix data race between add and list header commands in all hash types 
  by protecting the list header dumping part as well.

Best regards,
Jozsef

The following changes since commit 9ac76f3d0bb2940db3a9684d596b9c8f301ef315:

  Merge tag 'wireless-next-2026-03-19' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next (2026-03-19 15:30:20 +0100)

are available in the Git repository at:

  git://blackhole.kfki.hu/nf-next 1962de9a3ef9136598a53

for you to fetch changes up to 1962de9a3ef9136598a538898fe750094d3f9ab6:

  netfilter: ipset: Fix data race between add and list header in all hash types (2026-03-20 12:33:37 +0100)

----------------------------------------------------------------
Jozsef Kadlecsik (1):
      netfilter: ipset: Fix data race between add and list header in all hash types

 net/netfilter/ipset/ip_set_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[PATCH 1/1] netfilter: ipset: Fix data race between add and list header in all hash types

[Jozsef Kadlecsik]

The "ipset list -terse" command is actually a dump operation which
may run parallel with "ipset add" commands, which can trigger an
internal resizing of the hash type of sets just being dumped. However,
dumping just the header part of the set was not protected against
underlying resizing. Fix it by protecting the header dumping part
as well.

Reported-by: syzbot+786c889f046e8b003ca6@syzkaller.appspotmail.com
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---
 net/netfilter/ipset/ip_set_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index a2fe711cb5e3..2cc04da95afd 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1648,13 +1648,13 @@ ip_set_dump_do(struct sk_buff *skb, struct netlink_callback *cb)
 			if (cb->args[IPSET_CB_PROTO] > IPSET_PROTOCOL_MIN &&
 			    nla_put_net16(skb, IPSET_ATTR_INDEX, htons(index)))
 				goto nla_put_failure;
+			if (set->variant->uref)
+				set->variant->uref(set, cb, true);
 			ret = set->variant->head(set, skb);
 			if (ret < 0)
 				goto release_refcount;
 			if (dump_flags & IPSET_FLAG_LIST_HEADER)
 				goto next_set;
-			if (set->variant->uref)
-				set->variant->uref(set, cb, true);
 			fallthrough;
 		default:
 			ret = set->variant->list(set, skb, cb);
-- 
2.39.5

Re: [PATCH 0/1] netfilter: ipset: Fix data race between add and list header

[Florian Westphal]

Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> Hi Pablo,
> 
> Please consider applying the next patch:
> 
> * Fix data race between add and list header commands in all hash types 
>   by protecting the list header dumping part as well.

Thanks Jozsef for the quick fix.
Just to be sure, is this nf-next or nf material?

And, what do you make of:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20260313180132.75655-1-davidbaum461@gmail.com/
and
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20250722153205.4626-1-phil@nwl.cc/

?

Thanks!

Re: [PATCH 0/1] netfilter: ipset: Fix data race between add and list header

[Pablo Neira Ayuso]

On Fri, Mar 20, 2026 at 01:04:14PM +0100, Florian Westphal wrote:
> Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > Hi Pablo,
> > 
> > Please consider applying the next patch:
> > 
> > * Fix data race between add and list header commands in all hash types 
> >   by protecting the list header dumping part as well.
> 
> Thanks Jozsef for the quick fix.
> Just to be sure, is this nf-next or nf material?

I think this is nf material, to deal with the KCSAN report from
syzbot.

> And, what do you make of:
> 
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20260313180132.75655-1-davidbaum461@gmail.com/
> and
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20250722153205.4626-1-phil@nwl.cc/
> 
> ?
> 
> Thanks!

Re: [PATCH 0/1] netfilter: ipset: Fix data race between add and list header

[Jozsef Kadlecsik]

On Fri, 20 Mar 2026, Florian Westphal wrote:

> Just to be sure, is this nf-next or nf material?

I was unsure about it, because of the missing reproducer I could not 
verify the fix.
 
> And, what do you make of:
> 
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20260313180132.75655-1-davidbaum461@gmail.com/
> and
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20250722153205.4626-1-phil@nwl.cc/

For both patches:

Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>

Thanks for reminding me about the pending patches!

Best regards,
Jozsef
-- 
E-mail : kadlec@netfilter.org, kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
Address: Wigner Research Centre for Physics
         H-1525 Budapest 114, POB. 49, Hungary

Re: [PATCH 0/1] netfilter: ipset: Fix data race between add and list header

[Jozsef Kadlecsik]

On Fri, 20 Mar 2026, Pablo Neira Ayuso wrote:

> On Fri, Mar 20, 2026 at 01:04:14PM +0100, Florian Westphal wrote:
> > Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > 
> > > Please consider applying the next patch:
> > > 
> > > * Fix data race between add and list header commands in all hash types 
> > >   by protecting the list header dumping part as well.
> > 
> > Thanks Jozsef for the quick fix.
> > Just to be sure, is this nf-next or nf material?
> 
> I think this is nf material, to deal with the KCSAN report from syzbot.

The patch can be applied cleanly on top of nf too, so yes, better nf and 
not nf-next.

Best regards,
Jozsef
-- 
E-mail : kadlec@netfilter.org, kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
Address: Wigner Research Centre for Physics
         H-1525 Budapest 114, POB. 49, Hungary