[SRU][J/N/Q][PATCH 0/1] CVE-2026-23351
Tim Whisonant
tim.whisonant at canonical.com
Wed Apr 1 21:59:35 UTC 2026
SRU Justification:
[Impact]
netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
Yiming Qian reports a use-after-free in the pipapo set type:
Under a large number of expired elements, commit-time GC can run for a very
long time in a non-preemptible context, triggering soft lockup warnings and
RCU stall reports (local denial of service).
We must split GC in an unlink and a reclaim phase.
We cannot queue elements for freeing until pointers have been swapped.
Expired elements are still exposed to both the packet path and userspace
dumpers via the live copy of the data structure.
call_rcu() does not protect us: dump operations or element lookups starting
after call_rcu has fired can still observe the free'd element, unless the
commit phase has made enough progress to swap the clone and live pointers
before any new reader has picked up the old version.
This is a similar approach as done recently for the rbtree backend in commit
35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").
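The ordering constraint described above, as an added illustration that is not part of the upstream commit or of this SRU: a constructed userspace model of the live/clone pair in which "reclaimed" stands in for kfree(), showing that freeing during GC before the pointer swap leaves a reader on the live copy holding a dead element, while unlink, swap, then reclaim does not. Names (lookup, gc_unlink, gc_reclaim, commit_swap) are the model's own, not the kernel's.

```c
#include <stdbool.h>
/* Constructed model of pipapo's live/clone copies (example code, not the
 * kernel's). Nothing is free()d; "reclaimed" stands in for kfree so a
 * dangling reference can be checked without real undefined behaviour. */
#define NSLOT 2
struct elem { int key; bool expired, reclaimed; };
struct copy { struct elem *slot[NSLOT]; };
struct set  { struct copy *live, *clone; };

/* Packet path and dumpers always read the live copy. */
static struct elem *lookup(const struct set *s, int key)
{
    for (int i = 0; i < NSLOT; i++)
        if (s->live->slot[i] && s->live->slot[i]->key == key) return s->live->slot[i];
    return 0;
}

/* Unlink phase: drop expired elements from the clone only, queue them. */
static int gc_unlink(struct set *s, struct elem **q)
{
    int n = 0;
    for (int i = 0; i < NSLOT; i++) {
        struct elem *e = s->clone->slot[i];
        if (e && e->expired) { q[n++] = e; s->clone->slot[i] = 0; }
    }
    return n;
}

/* Reclaim phase: memory handed back (stands in for call_rcu + kfree). */
static void gc_reclaim(struct elem **q, int n) { while (n--) q[n]->reclaimed = true; }

/* Commit: publish the clone as the new live copy. */
static void commit_swap(struct set *s) { struct copy *t = s->live; s->live = s->clone; s->clone = t; }

/* GC a set whose key 1 has expired. reclaim_before_swap selects the old
 * order; returns true if a reader ever reaches a reclaimed element. */
static bool gc_exposes_reclaimed_elem(bool reclaim_before_swap)
{
    struct elem ex = { .key = 1, .expired = true }, ok = { .key = 2 };
    struct copy a = { { &ex, &ok } }, b = a;       /* clone mirrors live */
    struct set s = { .live = &a, .clone = &b };
    struct elem *q[NSLOT], *e; int n = gc_unlink(&s, q);
    if (reclaim_before_swap) gc_reclaim(q, n);
    e = lookup(&s, 1);                             /* reader on the old live copy */
    bool stale = e && e->reclaimed;
    commit_swap(&s);
    if (!reclaim_before_swap) gc_reclaim(q, n);
    return stale || lookup(&s, 1) != 0;            /* unreachable after the swap */
}
```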
[Fix]
Questing: cherry picked from upstream
Noble: backported from linux-6.6.y
Jammy: cherry picked from linux-6.1.y
Focal: not affected
Bionic: not affected
Xenial: not affected
Trusty: not affected
[Test Plan]
Compile and boot tested.
[Where problems could occur]
The change affects the Pile Packet Policies (pipapo) set type portion of the
nftables framework, specifically its garbage collector, to address
a use-after-free. Regressions would affect handling of these set type
data structures.
[Notes]
* The Jammy fix consists of two patches:
  * 25600167215 ("netfilter: nf_tables: de-constify set commit ops function argument")
    This patch brings the code closer to upstream. It also allows
    the fix commit to apply as a clean cherry pick.
  * 16f3595c044 ("netfilter: nft_set_pipapo: split gc into unlink and reclaim phase")
    This patch is a backport of the fix commit to 6.1. It applies as a
    clean cherry pick, thanks to the first patch.
Florian Westphal (1):
netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
include/net/netfilter/nf_tables.h | 5 +++
net/netfilter/nf_tables_api.c | 5 ---
net/netfilter/nft_set_pipapo.c | 51 ++++++++++++++++++++++++++-----
net/netfilter/nft_set_pipapo.h | 2 ++
4 files changed, 50 insertions(+), 13 deletions(-)
--
2.43.0