ACK/Cmnt: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23351

Yufeng Gao yufeng.gao at canonical.com
Thu Apr 2 03:17:59 UTC 2026


On 2/4/26 07:59, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
>
> Yiming Qian reports Use-after-free in the pipapo set type:
>    Under a large number of expired elements, commit-time GC can run for a very
>    long time in a non-preemptible context, triggering soft lockup warnings and
>    RCU stall reports (local denial of service).
>
> We must split GC in an unlink and a reclaim phase.
>
> We cannot queue elements for freeing until pointers have been swapped.
> Expired elements are still exposed to both the packet path and userspace
> dumpers via the live copy of the data structure.
>
> call_rcu() does not protect us: dump operations or element lookups starting
> after call_rcu has fired can still observe the free'd element, unless the
> commit phase has made enough progress to swap the clone and live pointers
> before any new reader has picked up the old version.
>
> This is a similar approach as done recently for the rbtree backend in commit
> 35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").
>
> [Fix]
>
> Questing: cherry picked from upstream
> Noble:    backported from linux-6.6.y
> Jammy:    cherry picked from linux-6.1.y
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the Pile Packet Policies set type portion of the
> nftables framework, specifically the garbage collector, to address
> a use after free. Issues would affect handling of these set type
> data structures.
>
> [Notes]
>
> * The Jammy fix consists of two patches:
>   * 25600167215 ("netfilter: nf_tables: de-constify set commit ops function argument")
>     This patch brings the code closer to upstream. It also allows
>     the fix commit to apply as a clean cherry pick.
>   * 16f3595c044 ("netfilter: nft_set_pipapo: split gc into unlink and reclaim phase")
>     This patch is a backport of the fix commit to 6.1. It applies as a
>     clean cherry pick, thanks to the first patch.
>
> Florian Westphal (1):
>    netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
>
>   include/net/netfilter/nf_tables.h |  5 +++
>   net/netfilter/nf_tables_api.c     |  5 ---
>   net/netfilter/nft_set_pipapo.c    | 51 ++++++++++++++++++++++++++-----
>   net/netfilter/nft_set_pipapo.h    |  2 ++
>   4 files changed, 50 insertions(+), 13 deletions(-)
>
Not all emails are grouped under the same thread in my mail client - 
probably just an issue on my side.

Acked-by: Yufeng Gao <yufeng.gao at canonical.com>



