Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/include/net
History
Florian Westphal 9df95785d3 netfilter: nft_set_pipapo: split gc into unlink and reclaim phase 
Yiming Qian reports Use-after-free in the pipapo set type:
  Under a large number of expired elements, commit-time GC can run for a very
  long time in a non-preemptible context, triggering soft lockup warnings and
  RCU stall reports (local denial of service).

We must split GC in an unlink and a reclaim phase.

We cannot queue elements for freeing until pointers have been swapped.
Expired elements are still exposed to both the packet path and userspace
dumpers via the live copy of the data structure.

call_rcu() does not protect us: dump operations or element lookups starting
after call_rcu has fired can still observe the free'd element, unless the
commit phase has made enough progress to swap the clone and live pointers
before any new reader has picked up the old version.

This a similar approach as done recently for the rbtree backend in commit
35f83a7552 ("netfilter: nft_set_rbtree: don't gc elements on insert").

Fixes: 3c4287f620 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
 		2026-03-05 13:22:37 +01:00
..
9p 9p: convert to the new mount API 2025-11-03 16:49:53 +09:00
bluetooth Bluetooth: L2CAP: Fix result of L2CAP_ECRED_CONN_RSP when MTU is too short 2026-02-23 15:28:56 -05:00
caif
iucv treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
libeth libeth: xdp: Disable generic kCFI pass for libeth_xdp_tx_xmit_bulk() 2025-10-29 20:04:55 -07:00
mana RDMA v7.0 merge window 2026-02-12 17:05:20 -08:00
netfilter netfilter: nft_set_pipapo: split gc into unlink and reclaim phase 2026-03-05 13:22:37 +01:00
netns vsock: lock down child_ns_mode as write-once 2026-02-26 11:10:03 +01:00
nfc nfc: nci: Fix race between rfkill and nci_unregister_device(). 2026-01-28 19:32:26 -08:00
page_pool Revert "Merge branch 'netkit-support-for-io_uring-zero-copy-and-af_xdp'" 2026-01-20 18:06:01 -08:00
phonet
phy net: phy: realtek: add dummy PHY driver for RTL8127ATF 2026-01-12 19:29:11 -08:00
psp psp: add stats from psp spec to driver facing api 2025-11-07 18:53:57 -08:00
sctp sctp: Remove unused declaration sctp_auth_init_hmacs() 2025-11-14 18:00:34 -08:00
tc_act net/sched: act_gate: snapshot parameters with RCU on replace 2026-02-27 16:10:36 -08:00
6lowpan.h
Space.h
act_api.h net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks 2026-02-27 19:06:21 -08:00
addrconf.h ipv6: addrconf: reduce default temp_valid_lft to 2 days 2026-02-17 17:12:06 -08:00
af_ieee802154.h
af_rxrpc.h
af_unix.h
af_vsock.h vsock: lock down child_ns_mode as write-once 2026-02-26 11:10:03 +01:00
ah.h
aligned_data.h
amt.h
arp.h
atmclip.h
ax25.h Summary 2026-02-18 10:45:36 -08:00
ax88796.h
bareudp.h
bond_3ad.h
bond_alb.h
bond_options.h
bonding.h bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded 2026-03-03 10:47:37 +01:00
bpf_sk_storage.h
busy_poll.h
calipso.h
can.h can: add CAN skb extension infrastructure 2026-02-05 11:58:39 +01:00
cfg80211-wext.h
cfg80211.h wifi: cfg80211: add initial UHR support 2026-02-02 10:11:07 +01:00
cfg802154.h
checksum.h
cipso_ipv4.h
cls_cgroup.h
codel.h
codel_impl.h
codel_qdisc.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
devlink.h devlink: support default values for param-get and param-set 2025-11-20 19:01:22 -08:00
dropreason-core.h net: add net.core.qdisc_max_burst 2026-01-13 10:12:11 +01:00
dropreason.h
dsa.h net: dsa: add tag format for MxL862xx switches 2026-02-11 11:27:57 +01:00
dsa_stubs.h
dscp.h
dsfield.h
dst.h inet: add dst4_mtu() and dst6_mtu() helpers 2026-02-02 17:49:29 -08:00
dst_cache.h
dst_metadata.h
dst_ops.h
eee.h
erspan.h
esp.h
espintcp.h
ethoc.h
failover.h
fib_notifier.h
fib_rules.h
firewire.h
flow.h
flow_dissector.h
flow_offload.h net: dsa: eliminate local type for tc policers 2026-02-10 15:30:11 +01:00
fou.h
fq.h
fq_impl.h Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
garp.h
gen_stats.h
genetlink.h
geneve.h
gre.h
gro.h gro: inline tcp6_gro_complete() 2026-01-21 19:28:32 -08:00
gro_cells.h
gso.h
gtp.h
gue.h
handshake.h
hotdata.h net: add net.core.qdisc_max_burst 2026-01-13 10:12:11 +01:00
hwbm.h
icmp.h
ieee8021q.h
ieee80211_radiotap.h wifi: mac80211: add RX flag to report radiotap VHT information 2025-10-30 08:38:51 +01:00
ieee802154_netdev.h
if_inet6.h
ife.h
inet6_connection_sock.h tcp: populate inet->cork.fl.u.ip6 in tcp_v6_syn_recv_sock() 2026-02-10 20:57:50 -08:00
inet6_hashtables.h inet: annotate data-races around isk->inet_num 2026-02-27 17:16:59 -08:00
inet_common.h net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
inet_connection_sock.h tcp: fix potential race in tcp_v6_syn_recv_sock() 2026-02-19 14:02:19 -08:00
inet_dscp.h
inet_ecn.h tcp: ECT_1_NEGOTIATION and NEEDS_ACCECN identifiers 2026-02-03 15:13:24 +01:00
inet_frag.h inet: frags: flush pending skbs in fqdir_pre_exit() 2025-12-10 01:15:27 -08:00
inet_hashtables.h inet: annotate data-races around isk->inet_num 2026-02-27 17:16:59 -08:00
inet_sock.h ipv6: colocate inet6_cork in inet_cork_full 2026-02-02 17:49:30 -08:00
inet_timewait_sock.h
inetpeer.h
ioam6.h ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data() 2026-02-13 12:24:05 -08:00
ip.h inet: annotate data-races around isk->inet_num 2026-02-27 17:16:59 -08:00
ip6_checksum.h
ip6_fib.h
ip6_route.h inet: add dst4_mtu() and dst6_mtu() helpers 2026-02-02 17:49:29 -08:00
ip6_tunnel.h
ip_fib.h net: ipv4: fix ARM64 alignment fault in multipath hash seed 2026-03-03 17:20:37 -08:00
ip_tunnels.h ipv4: ip_tunnel: spread netdev_lockdep_set_classes() 2026-01-08 18:02:35 -08:00
ip_vs.h
ipcomp.h
ipconfig.h
ipv6.h ipv6: fix a race in ip6_sock_set_v6only() 2026-02-17 16:45:29 -08:00
ipv6_frag.h inet: frags: flush pending skbs in fqdir_pre_exit() 2025-12-10 01:15:27 -08:00
ipv6_stubs.h net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
iw_handler.h
kcm.h
l3mdev.h net: l3mdev: use skb_dst_dev_rcu() in l3mdev_l3_out() 2026-02-02 17:09:11 -08:00
lag.h
lapb.h
llc.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
lwtunnel.h
mac80211.h wifi: mac80211: Add eMLSR/eMLMR action frame parsing support 2026-02-02 10:11:18 +01:00
mac802154.h
macsec.h
mctp.h
mctpdevice.h
mip6.h
mld.h
mpls.h
mpls_iptunnel.h
mptcp.h
mrp.h
ncsi.h
ndisc.h
neighbour.h neighbour: Convert rwlock of struct neigh_table to spinlock. 2025-10-24 17:57:20 -07:00
neighbour_tables.h
net_debug.h
net_failover.h
net_namespace.h netns: optimize netns cleaning by batching unhash_nsid calls 2026-02-06 20:01:31 -08:00
net_ratelimit.h
net_shaper.h
net_trackers.h
netdev_lock.h
netdev_netlink.h
netdev_queues.h net: add queue config validation callback 2026-01-23 11:49:02 -08:00
netdev_rx_queue.h Revert "Merge branch 'netkit-support-for-io_uring-zero-copy-and-af_xdp'" 2026-01-20 18:06:01 -08:00
netevent.h
netkit.h
netlabel.h
netlink.h
netmem.h net: inline get_netmem() and put_netmem() 2026-01-25 13:18:53 -08:00
netprio_cgroup.h
netrom.h
nexthop.h
nl802154.h nl802154: fix some kernel-doc warnings 2025-10-20 17:13:40 -07:00
nsh.h
pfcp.h
pie.h
ping.h net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
pkt_cls.h net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr() 2025-11-24 18:53:14 -08:00
pkt_sched.h net/sched: don't use dynamic lockdep keys with clsact/ingress/noqueue 2026-02-05 09:32:45 -08:00
pptp.h
proto_memory.h net: Allow opt-out from global protocol memory accounting. 2025-10-16 12:04:47 -07:00
protocol.h
psample.h
psnap.h
psp.h
raw.h
rawv6.h
red.h
regulatory.h
request_sock.h tcp: move __reqsk_free() out of line 2026-02-05 09:23:06 -08:00
rose.h
route.h
rpl.h
rps.h
rsi_91x.h
rstreason.h
rtnetlink.h
rtnh.h
sch_generic.h net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs 2026-03-04 17:43:45 -08:00
sch_priv.h net/sched: Export mq functions for reuse 2026-01-13 11:54:29 +01:00
scm.h
secure_seq.h tcp: secure_seq: add back ports to TS offset 2026-03-04 17:44:35 -08:00
seg6.h
seg6_hmac.h
seg6_local.h
selftests.h net: selftests: export packet creation helpers for driver use 2025-11-06 13:38:11 +01:00
slhc_vj.h
smc.h net/smc: bpf: Introduce generic hook for handshake flow 2025-11-10 11:19:41 -08:00
snmp.h
sock.h net: Drop the lock in skb_may_tx_timestamp() 2026-02-24 11:27:29 +01:00
sock_reuseport.h
stp.h
strparser.h
switchdev.h
tc_wrapper.h
tcp.h tcp: secure_seq: add back ports to TS offset 2026-03-04 17:44:35 -08:00
tcp_ao.h
tcp_ecn.h tcp: accecn: add tcpi_ecn_mode and tcpi_option2 in tcp_info 2026-02-03 15:13:25 +01:00
tcp_states.h
tcx.h
timewait_sock.h
tipc.h
tls.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-10-31 06:46:03 -07:00
tls_prot.h
tls_toe.h
transp_v6.h
tso.h
tun_proto.h
udp.h Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
udp_tunnel.h geneve: expose gso partial features for tunnel offload 2026-01-23 11:31:14 -08:00
udplite.h
vsock_addr.h net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
vxlan.h
wext.h
x25.h
x25device.h
xdp.h
xdp_priv.h
xdp_sock.h xsk: add indirect call for xsk_destruct_skb 2025-11-11 10:21:08 +01:00
xdp_sock_drv.h xsk: Fix fragment node deletion to prevent buffer leak 2026-02-28 08:55:11 -08:00
xfrm.h xfrm: reduce struct sec_path size 2026-02-10 20:21:48 -08:00
xsk_buff_pool.h xsk: move cq_cached_prod_lock to avoid touching a cacheline in sending path 2026-01-15 10:07:45 +01:00