netfilter: ipset: drop logically empty buckets in mtype_del

GhostFrankWu · ummakynes · commit 9862ef9ab0a1 · 2026-04-01T11:55:29.000+02:00
mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots. Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further. Fixes: 8af1c6f ("netfilter: ipset: Fix forceadd evaluation path") Cc: stable@vger.kernel.org Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <dstsmallbird@foxmail.com> Signed-off-by: Yifan Wu <yifanwucs@gmail.com> Co-developed-by: Yuan Tan <yuantan098@gmail.com> Signed-off-by: Yuan Tan <yuantan098@gmail.com> Reviewed-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -1098,7 +1098,7 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
 			if (!test_bit(i, n->used))
 				k++;
 		}
-		if (n->pos == 0 && k == 0) {
+		if (k == n->pos) {
 			t->hregion[r].ext_size -= ext_size(n->size, dsize);
 			rcu_assign_pointer(hbucket(t, key), NULL);
 			kfree_rcu(n, rcu);

Original file line number	Diff line number	Diff line change
`@@ -1098,7 +1098,7 @@ mtype_del(struct ip_set set, void value, const struct ip_set_ext *ext,`
`1098`	`1098`	`if (!test_bit(i, n->used))`
`1099`	`1099`	`k++;`
`1100`	`1100`	`}`
`1101`		`- if (n->pos == 0 && k == 0) {`
	`1101`	`+ if (k == n->pos) {`
`1102`	`1102`	`t->hregion[r].ext_size -= ext_size(n->size, dsize);`
`1103`	`1103`	`rcu_assign_pointer(hbucket(t, key), NULL);`
`1104`	`1104`	`kfree_rcu(n, rcu);`