APPLIED: [SRU][J/N/Q][PATCH 0/3] CVE-2026-23272
Edoardo Canepa
edoardo.canepa at canonical.com
Fri May 8 16:23:08 UTC 2026
Applied to J/N/Q:linux/master-next. Thanks.
On 5/6/26 18:33, Ian Whitfield wrote:
> [Impact]
>
> netfilter: nf_tables: unconditionally bump set->nelems before insertion
>
> In case that the set is full, a new element gets published then removed
> without waiting for the RCU grace period, while RCU reader can be
> walking over it already.
>
> To address this issue, add the element transaction even if set is full,
> but toggle the set_full flag to report -ENFILE so the abort path safely
> unwinds the set to its previous state.
>
> As for element updates, decrement set->nelems to restore it.
>
> A simpler fix is to call synchronize_rcu() in the error path.
> However, with a large batch adding elements to already maxed-out set,
> this could cause noticeable slowdown of such batches.
>
> [Backport]
>
> Questing applied the fix commit cleanly.
>
> For Noble, the fix commit was modified to drop changes for a missing feature added in
> 4201f3938914 ("netfilter: nf_tables: set element timeout update support")
> and there were context adjustments to work around several other missing changes.
>
> For Jammy, a slightly larger patchset was used to more safely transition the
> older kernel tree to accept the fix commit. Specifically, two pre-requisite
> commits were added that fix some issues with the way the number of nft set
> elements is incremented when an element is added. Some adjustments were made for
> context differences in the pre-requisite patches. The fix commit then applied
> in the same way as for Noble, dropping changes for the missing feature and adjusting
> context for several other missing changes.
>
> [Fix]
>
> Resolute: Not affected
> Questing: Cherry-pick
> Noble: Backport
> Jammy: Backport
> Focal: PR on Forgejo
> Bionic: PR on Forgejo
> Xenial: Not affected
> Trusty: Not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use netfilter/nftables to route packets. An issue
> with this fix would be visible to the user as kernel faults or networking
> problems particularly when using sets in an nftables config.
>
> Florian Westphal (1):
> netfilter: nf_tables: always increment set element count
>
> Pablo Neira Ayuso (2):
> netfilter: nf_tables: fix set size with rbtree backend
> netfilter: nf_tables: unconditionally bump set->nelems before insertion
>
> include/net/netfilter/nf_tables.h | 6 +++
> net/netfilter/nf_tables_api.c | 72 ++++++++++++++++++++++++++-----
> net/netfilter/nft_set_rbtree.c | 43 ++++++++++++++++++
> 3 files changed, 110 insertions(+), 11 deletions(-)
>
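The transaction-and-abort scheme the cover letter describes can be illustrated with a small userland model. The following is an added example, not kernel code and not part of the patch series: it is a hypothetical toy set (`struct toy_set`, `toy_set_add`, `toy_batch_commit`, `toy_batch_abort` and the `toy_*` helpers are all invented names) that always bumps `nelems` and records a transaction even when the set is full, marks that transaction `set_full` so commit reports `-ENFILE`, and lets the abort path unwind the count. The element-update case (decrementing `nelems` on update) is not modelled, and there is no RCU here; the point shown is only that the published element is removed by the abort path rather than immediately in the insertion error path, and that the counter returns to its pre-batch value.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical toy model of a size-limited nft set; not kernel code. */
#define MAX_ELEMS 16   /* storage for published elements (constructed bound) */
#define MAX_TRANS 16   /* transactions per batch (constructed bound) */

struct toy_set {
    unsigned int nelems;        /* element count, bumped before insertion */
    unsigned int size;          /* maximum number of elements */
    unsigned int published;     /* elements currently visible to readers */
    int elems[MAX_ELEMS];
};

/* One element transaction; set_full mirrors the flag in the cover letter:
 * the transaction is recorded anyway, commit fails with -ENFILE and the
 * abort path unwinds it. */
struct toy_trans {
    int key;
    bool set_full;
};

struct toy_batch {
    struct toy_trans trans[MAX_TRANS];
    unsigned int n;
};

/* Always bump nelems and record a transaction, even when the set is full.
 * The element stays published until abort removes it, instead of being
 * published and immediately torn down in the error path. */
static int toy_set_add(struct toy_set *set, struct toy_batch *b, int key)
{
    struct toy_trans *t;

    if (b->n >= MAX_TRANS || set->published >= MAX_ELEMS)
        return -ENOSPC;
    t = &b->trans[b->n++];
    t->key = key;
    t->set_full = set->nelems >= set->size;  /* over capacity: flag it */
    set->nelems++;
    set->elems[set->published++] = key;
    return 0;
}

/* Commit: any transaction flagged set_full makes the batch fail with
 * -ENFILE, and the caller must run the abort path. */
static int toy_batch_commit(const struct toy_batch *b)
{
    for (unsigned int i = 0; i < b->n; i++)
        if (b->trans[i].set_full)
            return -ENFILE;
    return 0;
}

/* Abort: unwind every transaction so nelems and the published elements
 * return to their pre-batch state. */
static void toy_batch_abort(struct toy_set *set, struct toy_batch *b)
{
    while (b->n > 0) {
        b->n--;
        set->nelems--;
        set->published--;
    }
}

/* Run one batch adding keys 1..nkeys; returns the commit result. */
static int toy_run_batch(struct toy_set *set, unsigned int nkeys)
{
    struct toy_batch b = { .n = 0 };
    int err = 0;

    for (unsigned int i = 1; i <= nkeys && !err; i++)
        err = toy_set_add(set, &b, (int)i);
    if (!err)
        err = toy_batch_commit(&b);
    if (err)
        toy_batch_abort(set, &b);
    return err;
}

/* Helpers returning scalar results for a fresh set of the given size. */
int toy_batch_err(unsigned int size, unsigned int nkeys)
{
    struct toy_set s = { .nelems = 0, .size = size, .published = 0 };
    return toy_run_batch(&s, nkeys);
}

unsigned int toy_batch_nelems(unsigned int size, unsigned int nkeys)
{
    struct toy_set s = { .nelems = 0, .size = size, .published = 0 };
    toy_run_batch(&s, nkeys);
    return s.nelems;
}

/* A batch that fits, then a batch that overflows: nelems must stay at
 * the value the first commit left behind. */
unsigned int toy_two_batches_nelems(unsigned int size, unsigned int first,
                                    unsigned int second)
{
    struct toy_set s = { .nelems = 0, .size = size, .published = 0 };
    toy_run_batch(&s, first);
    toy_run_batch(&s, second);
    return s.nelems;
}

int main(void)
{
    printf("size 2, add 3: err=%d nelems=%u\n",
           toy_batch_err(2, 3), toy_batch_nelems(2, 3));
    printf("size 2, add 2 then 1: nelems=%u\n",
           toy_two_batches_nelems(2, 2, 1));
    return 0;
}
```

Running it on a set of size 2 shows a three-element batch failing with `-ENFILE` and the counter unwound to 0, while a full set followed by a one-element batch keeps `nelems` at 2 after the failed batch is aborted.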