[SRU][J/N/Q][PATCH 0/1] CVE-2026-31418
Tim Whisonant
tim.whisonant at canonical.com
Fri Apr 24 16:41:46 UTC 2026
SRU Justification:

[Impact]

netfilter: ipset: drop logically empty buckets in mtype_del

mtype_del() counts empty slots below n->pos in k, but it only drops the
bucket when both n->pos and k are zero. This misses buckets whose live
entries have all been removed while n->pos still points past deleted slots.
Treat a bucket as empty when all positions below n->pos are unused and
release it directly instead of shrinking it further.

[Fix]

Questing: applied Jammy patch
Noble: applied Jammy patch
Jammy: cherry picked from upstream
Focal: patch sent to forgejo
Bionic: not affected
Xenial: not affected
Trusty: not affected

[Test Plan]

Compile and boot tested.

[Where problems could occur]

The change affects the routine responsible for managing ipset
hash table element removals. Issues might manifest as
prematurely- or non-freed hash table elements.

Yifan Wu (1):
  netfilter: ipset: drop logically empty buckets in mtype_del

 net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--
2.43.0
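
The bucket-emptiness condition described under [Impact], as an added user-space model that is not part of the original message and is not the kernel's code. The struct, the function names, the 8-slot size and the rule that only a trailing delete lowers pos are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>

#define SLOTS 8  /* assumed toy bucket size */

/* Toy stand-in for one hash bucket: pos is one past the highest slot
 * in use, used[] marks which slots below pos hold live entries. */
struct bucket {
    unsigned pos;
    bool used[SLOTS];
};

/* Delete slot i, then decide whether the bucket may be dropped.
 * fixed=false: old test (pos and k both zero).
 * fixed=true:  every slot below pos is unused.
 * Returns true when the bucket would be released. */
static bool bucket_del(struct bucket *n, unsigned i, bool fixed)
{
    unsigned j, k = 0;

    n->used[i] = false;
    if (i + 1 == n->pos)          /* assumption: only a trailing slot lowers pos */
        n->pos--;
    for (j = 0; j < n->pos; j++)
        if (!n->used[j])
            k++;                  /* k: empty slots below pos */
    return fixed ? (k == n->pos) : (n->pos == 0 && k == 0);
}

/* Start with three live entries (constructed sample state), delete them
 * in the order 2, 0, 1 and report whether the last delete releases
 * the bucket. */
static bool last_delete_releases(bool fixed)
{
    struct bucket n = { .pos = 3, .used = { true, true, true } };

    bucket_del(&n, 2, fixed);         /* pos 3 -> 2 */
    bucket_del(&n, 0, fixed);         /* hole at slot 0, pos stays 2 */
    return bucket_del(&n, 1, fixed);  /* pos 2 -> 1, slot 0 is still a hole */
}

int main(void)
{
    printf("old check releases bucket: %d\n", last_delete_releases(false));
    printf("new check releases bucket: %d\n", last_delete_releases(true));
    return 0;
}
```

In this model the old test leaves a bucket with no live entries allocated because pos is still 1 after the last delete, while the new test releases it.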