Re: [PATCH net v3] netfilter: nft_set_rbtree: fix use count leak on transaction abort

From: Pablo Neira Ayuso

Date: Mon Apr 13 2026 - 20:11:37 EST


Hi,

On Mon, Apr 13, 2026 at 12:28:01AM +0200, Marko Jevtic wrote:
> nft_rbtree_abort() does not handle elements moved to the expired list
> by inline GC during __nft_rbtree_insert(). When inline GC encounters
> expired elements during overlap detection, it calls
> nft_rbtree_gc_elem_move() which deactivates element data (decrementing
> chain/object use counts), removes the element from the rbtree, and
> queues it for deferred freeing. On commit, these elements are freed
> via nft_rbtree_gc_queue(). On abort, however, the expired list is
> ignored entirely.
>
> This leaves use counts permanently decremented after abort.

Yes, but that is expected?

Expired elements reside in priv->expired, these elements are already
deactivated, i.e. removed from the rbtree and chain reference is
decremented.

From abort path, the deactivated element simply remains there until
there is a commit run that gets rid of it.

I can't make any sense of this bug report so far.

Why do you think there is a need to restore an expired element?