APPLIED: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23351

Mehmet Basaran mehmet.basaran at canonical.com
Tue Apr 7 09:27:35 UTC 2026


Applied to jammy:linux, noble:linux, questing:linux master-next
branches. Thanks.

Tim Whisonant <tim.whisonant at canonical.com> writes:

> SRU Justification:
>
> [Impact]
>
> netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
>
> Yiming Qian reports Use-after-free in the pipapo set type:
>   Under a large number of expired elements, commit-time GC can run for a very
>   long time in a non-preemptible context, triggering soft lockup warnings and
>   RCU stall reports (local denial of service).
>
> We must split GC in an unlink and a reclaim phase.
>
> We cannot queue elements for freeing until pointers have been swapped.
> Expired elements are still exposed to both the packet path and userspace
> dumpers via the live copy of the data structure.
>
> call_rcu() does not protect us: dump operations or element lookups starting
> after call_rcu has fired can still observe the free'd element, unless the
> commit phase has made enough progress to swap the clone and live pointers
> before any new reader has picked up the old version.
>
> This is a similar approach as done recently for the rbtree backend in commit
> 35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").
>
> [Fix]
>
> Questing: cherry picked from upstream
> Noble:    backported from linux-6.6.y
> Jammy:    cherry picked from linux-6.1.y
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the Pile Packet Policies set type portion of the
> nftables framework, specifically the garbage collector, to address
> a use after free. Issues would affect handling of these set type
> data structures.
>
> [Notes]
>
> * The Jammy fix consists of two patches:
>  * 25600167215 ("netfilter: nf_tables: de-constify set commit ops function argument")
>    This patch brings the code closer to upstream. It also allows
>    the fix commit to apply as a clean cherry pick.
>  * 16f3595c044 ("netfilter: nft_set_pipapo: split gc into unlink and reclaim phase")
>    This patch is a backport of the fix commit to 6.1. It applies as a
>    clean cherry pick, thanks to the first patch.
>
> Florian Westphal (1):
>   netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
>
>  include/net/netfilter/nf_tables.h |  5 +++
>  net/netfilter/nf_tables_api.c     |  5 ---
>  net/netfilter/nft_set_pipapo.c    | 51 ++++++++++++++++++++++++++-----
>  net/netfilter/nft_set_pipapo.h    |  2 ++
>  4 files changed, 50 insertions(+), 13 deletions(-)
>
> -- 
> 2.43.0
>
>
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
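As an added illustration, not code from the patch or from the kernel tree: a simplified C model of the commit sequence the justification describes, with a packet-path reader on the live copy interleaved between GC and the clone/live pointer swap. The element, set and batch types are constructed stand-ins, and "reclaim" sets a flag instead of calling free() so a reader that touches a reclaimed element is detected rather than crashing.

```c
#include <stdbool.h>
#include <stddef.h>
/* Simplified model, not kernel code: "freeing" sets a flag instead of calling
 * free() so a reader that touches a reclaimed element is detected, not crashed. */
#define NELEMS 4
struct elem { int key; bool expired, reclaimed; };
struct set { struct elem *slots[NELEMS]; };
struct gc_batch { struct elem *pending[NELEMS]; int n; };

/* Phase 1: unlink expired elements from the clone only; freeing is deferred. */
static void gc_unlink(struct set *clone, struct gc_batch *b)
{
    for (int i = 0; i < NELEMS; i++) {
        struct elem *e = clone->slots[i];
        if (e && e->expired) { clone->slots[i] = NULL; b->pending[b->n++] = e; }
    }
}

/* Phase 2: reclaim; safe only once no live copy links the batch any more. */
static void gc_reclaim(struct gc_batch *b)
{
    while (b->n > 0) b->pending[--b->n]->reclaimed = true;
}

/* Lookup on the live copy: 1 found, 0 absent, -1 touched a reclaimed element. */
static int lookup_live(const struct set *live, int key)
{
    for (int i = 0; i < NELEMS; i++) {
        const struct elem *e = live->slots[i];
        if (e && e->reclaimed) return -1;
        if (e && e->key == key) return 1;
    }
    return 0;
}

/* One commit with a reader interleaved between GC and the pointer swap.
 * Returns what the reader saw: -1 reproduces the bug, 1 is the fixed path. */
int simulate_commit(bool split_gc)
{
    struct elem e[NELEMS] = { {10, 0, 0}, {20, 1, 0}, {30, 0, 0}, {40, 1, 0} };
    struct set live_s, clone_s, *live = &live_s, *clone = &clone_s;
    struct gc_batch b = { .n = 0 };
    for (int i = 0; i < NELEMS; i++) live->slots[i] = clone->slots[i] = &e[i];
    gc_unlink(clone, &b);
    if (!split_gc) gc_reclaim(&b);       /* old order: free while live links e */
    int seen = lookup_live(live, 30);    /* reader starts on the live copy */
    struct set *t = live; live = clone; clone = t;   /* commit swaps pointers */
    if (split_gc) gc_reclaim(&b);        /* fixed order: reclaim after the swap */
    return seen;
}
```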