Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> From: Florian Westphal <fw@xxxxxxxxx>
>
> commit 24138933b97b055d486e8064b4a1721702442a9b upstream.
Just FYI, this change is not correct.
> There is an asymmetry between commit/abort and preparation phase if the
> following conditions are met:
> 1. set is a verdict map ("1.2.3.4 : jump foo")
> 2. timeouts are enabled
[..]
> --- a/net/netfilter/nft_set_pipapo.c
> +++ b/net/netfilter/nft_set_pipapo.c
> @@ -566,8 +566,7 @@ next_match:
> goto out;
>
> if (last) {
> - if (nft_set_elem_expired(&f->mt[b].e->ext) ||
> - (genmask &&
> + if ((genmask &&
> !nft_set_elem_active(&f->mt[b].e->ext, genmask)))
> goto next_match;
This part is bonkers, it papers over the real issue and introduces
another bug while at it (insertions for key K will fail if we have
a key K that is already expired).
A patch to resolve it is queued on the mailing list and I'll make sure
it gets passed to the net tree by this wednesday.
Sorry for the inconvenience, I hope this doesn't interefere with
-stable release plans and this is leaves enough time for
the fix to make it to -stable too.
