APPLIED: [SRU][J/N/Q][PATCH 0/1] CVE-2026-31418

[Edoardo Canepa]

Applied to J/N/Q:linux/master-next. Thanks.

On 4/24/26 18:41, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> netfilter: ipset: drop logically empty buckets in mtype_del
>
> mtype_del() counts empty slots below n->pos in k, but it only drops the
> bucket when both n->pos and k are zero. This misses buckets whose live
> entries have all been removed while n->pos still points past deleted slots.
>
> Treat a bucket as empty when all positions below n->pos are unused and
> release it directly instead of shrinking it further.
>
> [Fix]
>
> Questing: applied Jammy patch
> Noble:    applied Jammy patch
> Jammy:    cherry picked from upstream
> Focal:    patch sent to forgejo
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the routine responsible for managing ipset
> hash table element removals. Issues might manifest as
> prematurely- or non-freed hash table elements.
>
> Yifan Wu (1):
>    netfilter: ipset: drop logically empty buckets in mtype_del
>
>   net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x20F88172E14F6784.asc
Type: application/pgp-keys
Size: 3167 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260508/885d6714/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260508/885d6714/attachment-0001.sig>