Commit 9862ef9a authored Mar 30, 2026 by Yifan Wu Committed by Pablo Neira Ayuso Apr 01, 2026

netfilter: ipset: drop logically empty buckets in mtype_del



mtype_del() counts empty slots below n->pos in k, but it only drops the
bucket when both n->pos and k are zero. This misses buckets whose live
entries have all been removed while n->pos still points past deleted slots.

Treat a bucket as empty when all positions below n->pos are unused and
release it directly instead of shrinking it further.

Fixes: 8af1c6fb ("netfilter: ipset: Fix forceadd evaluation path")
Cc: stable@vger.kernel.org
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <dstsmallbird@foxmail.com>
Signed-off-by: Yifan Wu <yifanwucs@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Reviewed-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 917b61fa

net/netfilter/ipset/ip_set_hash_gen.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -1098,7 +1098,7 @@ mtype_del(struct ip_set set, void value, const struct ip_set_ext *ext,
		if (!test_bit(i, n->used))
		k++;
		}
		if (n->pos == 0 && k == 0) {
		if (k == n->pos) {
		t->hregion[r].ext_size -= ext_size(n->size, dsize);
		rcu_assign_pointer(hbucket(t, key), NULL);
		kfree_rcu(n, rcu);