Hi Pablo,
Please apply the next patch to your nf tree, which fixes a race condition:
* There's a race between a fast swap/destroy and a slow kernel side add/del/test element
operation in ipset. The attached patch fixes it by forcing ip_set_swap() to wait for
all readers to finish accessing the old set pointers.
v2: synchronize_rcu() is moved into ip_set_swap() in order not to burden
ip_set_destroy() unnecessarily when all sets are destroyed.
v3: Florian Westphal pointed out that all netfilter hooks run with rcu_read_lock() held
and em_ipset.c wraps the entire ip_set_test() in rcu read lock/unlock pair
So there's no need to extend the rcu read locked area in ipset itse
Thanks!
Jozsef
The following changes since commit 7153a404fb70d21097af3169354e1e5fda3fbb02:
Merge tag 'nf-23-09-06' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf (2023-09-07 11:47:15 +0200)
are available in the Git repository at:
git://blackhole.kfki.hu/nf eca49fc2a1c2d
for you to fetch changes up to eca49fc2a1c2deafb870d88bef20690ecd5aeefd:
netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test, v2 (2023-11-13 21:04:43 +0100)
----------------------------------------------------------------
Jozsef Kadlecsik (1):
netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test, v2
net/netfilter/ipset/ip_set_core.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
