On Mon, Aug 14, 2023 at 12:17:30AM +0200, Florian Westphal wrote:
> Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > From: Florian Westphal <fw@xxxxxxxxx>
> >
> > commit 24138933b97b055d486e8064b4a1721702442a9b upstream.
>
> Just FYI, this change is not correct.
>
> > There is an asymmetry between commit/abort and preparation phase if the
> > following conditions are met:
>
> > 1. set is a verdict map ("1.2.3.4 : jump foo")
> > 2. timeouts are enabled
>
> [..]
>
> > --- a/net/netfilter/nft_set_pipapo.c
> > +++ b/net/netfilter/nft_set_pipapo.c
> > @@ -566,8 +566,7 @@ next_match:
> > goto out;
> >
> > if (last) {
> > - if (nft_set_elem_expired(&f->mt[b].e->ext) ||
> > - (genmask &&
> > + if ((genmask &&
> > !nft_set_elem_active(&f->mt[b].e->ext, genmask)))
> > goto next_match;
>
> This part is bonkers, it papers over the real issue and introduces
> another bug while at it (insertions for key K will fail if we have
> a key K that is already expired).
>
> A patch to resolve it is queued on the mailing list and I'll make sure
> it gets passed to the net tree by this wednesday.
>
> Sorry for the inconvenience, I hope this doesn't interefere with
> -stable release plans and this is leaves enough time for
> the fix to make it to -stable too.
Is there an upstream fix for this yet? If so, I can pull it into the
stable tree, or should I drop this one for now and wait for the real
fix? It's your call.
thanks,
greg k-h
