In the Linux kernel, the following vulnerability has been resolved:
netfilter: ipset: fix performance regression in swap operation
The patch “netfilter: ipset: fix race condition between swap/destroy
and kernel side add/del/test”, commit 28628fa9 fixes a race condition.
But the synchronize_rcu() added to the swap function unnecessarily slows
it down, because every swap then waits for an RCU grace period. The wait
can safely be moved to the destroy path, using call_rcu() instead.
Eric Dumazet pointed out that simply calling the destroy functions as
an RCU callback does not work: sets with timeout use garbage collectors,
which need cancelling at destroy, and that cancellation can wait (block),
which an RCU callback must not do. Therefore the destroy functions are
split into two parts: the garbage collectors are cancelled safely while
executing the command received via netlink, and only the remaining part
is moved into the RCU callback.
[
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "427deb5ba566",
"lessThan": "c7f2733e5011",
"versionType": "git"
},
{
"status": "affected",
"version": "e7152a138a5a",
"lessThan": "a24d5f2ac8ef",
"versionType": "git"
},
{
"status": "affected",
"version": "8bb930c3a1ea",
"lessThan": "c2dc077d8f72",
"versionType": "git"
},
{
"status": "affected",
"version": "875ee3a09e27",
"lessThan": "653bc5e6d999",
"versionType": "git"
},
{
"status": "affected",
"version": "23c31036f862",
"lessThan": "b93a6756a01f",
"versionType": "git"
},
{
"status": "affected",
"version": "28628fa952fe",
"lessThan": "970709a67696",
"versionType": "git"
},
{
"status": "affected",
"version": "28628fa952fe",
"lessThan": "97f7cf1cd80e",
"versionType": "git"
}
],
"programFiles": [
"include/linux/netfilter/ipset/ip_set.h",
"net/netfilter/ipset/ip_set_bitmap_gen.h",
"net/netfilter/ipset/ip_set_core.c",
"net/netfilter/ipset/ip_set_hash_gen.h",
"net/netfilter/ipset/ip_set_list_set.c"
],
"defaultStatus": "unaffected"
},
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"status": "unaffected",
"version": "0",
"lessThan": "6.7",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "5.4.269",
"versionType": "custom",
"lessThanOrEqual": "5.4.*"
},
{
"status": "unaffected",
"version": "5.10.210",
"versionType": "custom",
"lessThanOrEqual": "5.10.*"
},
{
"status": "unaffected",
"version": "5.15.149",
"versionType": "custom",
"lessThanOrEqual": "5.15.*"
},
{
"status": "unaffected",
"version": "6.1.79",
"versionType": "custom",
"lessThanOrEqual": "6.1.*"
},
{
"status": "unaffected",
"version": "6.6.18",
"versionType": "custom",
"lessThanOrEqual": "6.6.*"
},
{
"status": "unaffected",
"version": "6.7.6",
"versionType": "custom",
"lessThanOrEqual": "6.7.*"
},
{
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix",
"lessThanOrEqual": "*"
}
],
"programFiles": [
"include/linux/netfilter/ipset/ip_set.h",
"net/netfilter/ipset/ip_set_bitmap_gen.h",
"net/netfilter/ipset/ip_set_core.c",
"net/netfilter/ipset/ip_set_hash_gen.h",
"net/netfilter/ipset/ip_set_list_set.c"
],
"defaultStatus": "affected"
}
]
git.kernel.org/stable/c/653bc5e6d9995d7d5f497c665b321875a626161c
git.kernel.org/stable/c/970709a67696b100a57b33af1a3d75fc34b747eb
git.kernel.org/stable/c/97f7cf1cd80eeed3b7c808b7c12463295c751001
git.kernel.org/stable/c/a24d5f2ac8ef702a58e55ec276aad29b4bd97e05
git.kernel.org/stable/c/b93a6756a01f4fd2f329a39216f9824c56a66397
git.kernel.org/stable/c/c2dc077d8f722a1c73a24e674f925602ee5ece49
git.kernel.org/stable/c/c7f2733e5011bfd136f1ca93497394d43aa76225
lists.debian.org/debian-lts-announce/2024/06/msg00017.html