Ale Crismani

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a performance regression in the swap operation of the netfilter ipset component in the Linux kernel. A race condition between swap/destroy and kernel side add/del/test operations has been fixed by moving the synchronize rcu() call from the swap function to the destroy function and using call rcu() instead. This change was necessary because simply calling the destroy functions as an rcu callback does not work for sets with timeout, which use garbage collectors that need to be cancelled at destroy. The destroy functions have been split into two parts: one for cancelling garbage collectors safely at the execution of the command received by netlink, and another for moving the remaining part into the rcu callback. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.