[SRU][N/O/P][PATCH 0/1] CVE-2025-37997
Ian Whitfield
ian.whitfield at canonical.com
Fri Jun 6 23:13:48 UTC 2025
[Impact]
netfilter: ipset: fix region locking in hash types
Region locking introduced in v5.6-rc4 contained three macros to handle
the region locks: ahash_bucket_start(), ahash_bucket_end() which gave
back the start and end hash bucket values belonging to a given region
lock and ahash_region() which should give back the region lock belonging
to a given hash bucket. The latter was incorrect, which can lead to a
race condition between the garbage collector and adding new elements
when a hash type of set is defined with timeouts.
[Backport]
Cherry picked cleanly.
[Fix]
Plucky: cherry pick
Oracular: cherry pick
Noble: cherry pick
Jammy: fixed via stable updates
Focal: sent to ESM ML
Bionic: not affected
Xenial: not affected
Trusty: not affected
[Test Case]
Compile and boot tested.
[Where problems could occur]
This fix affects those who use hashed entries in netfilter IP sets with
timeouts. An issue with this fix would be visible to the user as unpredictable
kernel behavior around adding new netfilter IP set entries.
Jozsef Kadlecsik (1):
  netfilter: ipset: fix region locking in hash types

 net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.43.0
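Added example, not part of the original message or the kernel source: a user-space C model of the invariant described under [Impact], that the bucket-to-region mapping must be the inverse of the region's start/end bucket range so the garbage collector and the add path serialize on the same lock for a given bucket. The table sizes, the function names and the modulo mapping used as the inconsistent case are assumptions for illustration; the page does not show the macro bodies.

```c
#include <stdio.h>

/* Assumed sizes for this model (constructed, not from the page). */
#define REGION_BITS 2u                      /* 4 buckets per region lock */
#define TABLE_BITS  4u                      /* 16 buckets in the table   */
#define NBUCKETS    (1u << TABLE_BITS)
#define PER_REGION  (1u << REGION_BITS)
#define NLOCKS      (NBUCKETS / PER_REGION)

/* Region -> bucket range: what a garbage collector walks under lock r. */
static unsigned bucket_start(unsigned r) { return r * PER_REGION; }
static unsigned bucket_end(unsigned r)   { return (r + 1) * PER_REGION; }

/* Bucket -> region: how an add picks the lock for bucket n.
 * region_by_mod is a hypothetical mapping that disagrees with the ranges;
 * region_by_div is the inverse of bucket_start()/bucket_end(). */
static unsigned region_by_mod(unsigned n) { return n % NLOCKS; }
static unsigned region_by_div(unsigned n) { return n / PER_REGION; }

typedef unsigned (*region_fn)(unsigned);

/* A bucket is covered when the lock chosen for it spans that bucket. */
static int covered(region_fn region_of, unsigned n)
{
    unsigned r = region_of(n);
    return n >= bucket_start(r) && n < bucket_end(r);
}

/* Buckets an add would modify under a lock that does not exclude
 * a collector working on the same bucket. */
static unsigned count_uncovered(region_fn region_of)
{
    unsigned n, bad = 0;
    for (n = 0; n < NBUCKETS; n++)
        bad += !covered(region_of, n);
    return bad;
}

int main(void)
{
    printf("modulo mapping:   %u of %u buckets uncovered\n",
           count_uncovered(region_by_mod), NBUCKETS);
    printf("division mapping: %u of %u buckets uncovered\n",
           count_uncovered(region_by_div), NBUCKETS);
    return 0;
}
```

An exhaustive check like this over every bucket is cheap to run as a unit test whenever two macros are meant to be inverses of each other.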