Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's netfilter ipset component can lead to prolonged task execution when adding or deleting a large number of entries at once. This issue can cause soft lockup errors, where the system becomes unresponsive. Although a previous patch attempted to address the problem by limiting the number of elements processed, it was insufficient. The current patch improves the situation by allowing tasks to be paused and resumed, preventing long uninterrupted operations while removing the restriction on processing large batches of elements. However, this change means that multiple ipset commands cannot be issued in parallel.
The vulnerability can cause soft lockup errors, leading to a temporary unresponsive state in the system.
To reproduce this vulnerability, add or delete a large number of entries in a single operation using ipset. Monitor the system for soft lockup errors, which indicate that the operation has caused a prolonged unresponsive state.
Users can apply the latest patch available in the Linux kernel stable tree to address this vulnerability.
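To monitor for the soft lockup errors described above, the following added example (not part of the original advisory or the kernel patch) scans kernel log lines for watchdog soft lockup reports and flags those attributable to ipset, either by task name or by ipset frames in the call trace. The sample log is constructed, and the 40-line trace window is an assumption.

```python
import re

# Header printed by the kernel soft-lockup watchdog (kernel/watchdog.c).
LOCKUP_RE = re.compile(
    r"BUG: soft lockup - CPU#(?P<cpu>\d+) stuck for (?P<secs>\d+)s! "
    r"\[(?P<comm>[^\]]+):(?P<pid>\d+)\]"
)
# ipset code shows up as ip_set_* symbols or as an [ip_set...] module tag.
IPSET_FRAME_RE = re.compile(r"\bip_set_\w+\+0x|\[ip_set\w*\]")
TRACE_WINDOW = 40  # assumption: lines after the header that belong to its trace

def find_ipset_lockups(lines, window=TRACE_WINDOW):
    """Return one dict per soft lockup report, flagged if ipset is involved."""
    events = []
    for i, line in enumerate(lines):
        m = LOCKUP_RE.search(line)
        if not m:
            continue
        frames = []
        for follow in lines[i + 1 : i + 1 + window]:
            if LOCKUP_RE.search(follow):
                break  # next report starts; stop attributing frames
            if IPSET_FRAME_RE.search(follow):
                frames.append(follow.strip())
        events.append({
            "cpu": int(m["cpu"]),
            "stuck_seconds": int(m["secs"]),
            "comm": m["comm"],
            "pid": int(m["pid"]),
            "ipset_frames": frames,
            "ipset_related": m["comm"] == "ipset" or bool(frames),
        })
    return events

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
[ 812.101] watchdog: BUG: soft lockup - CPU#2 stuck for 23s! [ipset:4711]
[ 812.102] Call Trace:
[ 812.103]  hash_net4_add+0x1a2/0x4c0 [ip_set_hash_net]
[ 812.104]  ip_set_uadd+0x3f/0x60 [ip_set]
[ 901.500] watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:1:88]
[ 901.501] Call Trace:
[ 901.502]  process_one_work+0x1e5/0x3b0
""".splitlines()

if __name__ == "__main__":
    for ev in find_ipset_lockups(SAMPLE_LOG):
        print(ev)
```

Feed it the output of `dmesg` or `journalctl -k` split into lines; reports with `ipset_related` set are the ones to correlate with bulk ipset add or delete operations.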