ACK: [SRU][N/O/P][PATCH 0/1] CVE-2025-37997

Edoardo Canepa edoardo.canepa at canonical.com
Mon Jun 9 15:05:37 UTC 2025


On 07/06/25 01:13, Ian Whitfield wrote:
> [Impact]
>
> netfilter: ipset: fix region locking in hash types
>
> Region locking introduced in v5.6-rc4 contained three macros to handle
> the region locks: ahash_bucket_start(), ahash_bucket_end() which gave
> back the start and end hash bucket values belonging to a given region
> lock and ahash_region() which should give back the region lock belonging
> to a given hash bucket. The latter was incorrect which can lead to a
> race condition between the garbage collector and adding new elements
> when a hash type of set is defined with timeouts.
>
> [Backport]
>
> Cherry picked cleanly.
>
> [Fix]
>
> Plucky:   cherry pick
> Oracular: cherry pick
> Noble:    cherry pick
> Jammy:    fixed via stable updates
> Focal:    sent to ESM ML
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use hashed entries in netfilter IP sets with
> timeouts. An issue with this fix would be visible to the user as unpredictable
> kernel behavior around adding new netfilter IP set entries.
>
> Jozsef Kadlecsik (1):
>    netfilter: ipset: fix region locking in hash types
>
>   net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
Acked-by: Edoardo Canepa <edoardo.canepa at canonical.com>
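
The invariant described in the quoted commit message, as an added example that is not part of this thread or of the kernel source: every bucket between a region's start and end must map back to that same region, otherwise two code paths can touch one bucket while holding different locks. The region size, the helper names and both candidate bucket-to-region mappings are assumptions chosen for this simplified model.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): each region lock covers 2^REGION_BITS buckets. */
#define REGION_BITS 10u
#define REGION_SIZE (1u << REGION_BITS)

/* Number of region locks for a table of 2^bits buckets. */
static uint32_t numof_locks(uint32_t bits)
{
    return bits < REGION_BITS ? 1u : 1u << (bits - REGION_BITS);
}
/* First bucket covered by region r. */
static uint32_t bucket_start(uint32_t r, uint32_t bits)
{
    return bits < REGION_BITS ? 0u : r * REGION_SIZE;
}
/* One past the last bucket covered by region r. */
static uint32_t bucket_end(uint32_t r, uint32_t bits)
{
    return bits < REGION_BITS ? 1u << bits : (r + 1u) * REGION_SIZE;
}
/* Candidate mapping A (assumed for illustration): interleaves buckets over locks. */
static uint32_t region_by_modulo(uint32_t n, uint32_t bits)
{
    return n % numof_locks(bits);
}
/* Candidate mapping B (assumed for illustration): inverse of bucket_start/end. */
static uint32_t region_by_division(uint32_t n, uint32_t bits)
{
    (void)bits;
    return n / REGION_SIZE;
}
/* Walk each region the way a per-region sweep would and count buckets that
 * the mapping assigns to a different region, i.e. a different lock. */
static uint32_t count_mismatches(uint32_t (*region)(uint32_t, uint32_t), uint32_t bits)
{
    uint32_t bad = 0;
    for (uint32_t r = 0; r < numof_locks(bits); r++)
        for (uint32_t n = bucket_start(r, bits); n < bucket_end(r, bits); n++)
            bad += region(n, bits) != r;
    return bad;
}

int main(void)
{
    printf("bits=12 modulo=%u division=%u\n",
           count_mismatches(region_by_modulo, 12), count_mismatches(region_by_division, 12));
    return 0;
}
```

With a single region lock the two mappings agree, so a mismatch of this kind only shows up once the table has grown past one region.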


