Hi Pablo, Please apply the next patch to your nf tree, which fixes a race condition: * There's a race between a fast swap/destroy and a slow kernel side add/del/test element operation in ipset. The attached patch fixes it by forcing ip_set_swap() to wait for all readers to finish accessing the old set pointers. v2: synchronize_rcu() is moved into ip_set_swap() in order not to burden ip_set_destroy() unnecessarily when all sets are destroyed. v3: Florian Westphal pointed out that all netfilter hooks run with rcu_read_lock() held and em_ipset.c wraps the entire ip_set_test() in rcu read lock/unlock pair So there's no need to extend the rcu read locked area in ipset itse Thanks! Jozsef The following changes since commit 7153a404fb70d21097af3169354e1e5fda3fbb02: Merge tag 'nf-23-09-06' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf (2023-09-07 11:47:15 +0200) are available in the Git repository at: git://blackhole.kfki.hu/nf eca49fc2a1c2d for you to fetch changes up to eca49fc2a1c2deafb870d88bef20690ecd5aeefd: netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test, v2 (2023-11-13 21:04:43 +0100) ---------------------------------------------------------------- Jozsef Kadlecsik (1): netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test, v2 net/netfilter/ipset/ip_set_core.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)