4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 19 May 2020 12:30:08 +0000 (14:30 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 19 May 2020 12:30:08 +0000 (14:30 +0200)
added patches:
netfilter-nft_set_rbtree-add-missing-expired-checks.patch

queue-4.19/netfilter-nft_set_rbtree-add-missing-expired-checks.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/netfilter-nft_set_rbtree-add-missing-expired-checks.patch b/queue-4.19/netfilter-nft_set_rbtree-add-missing-expired-checks.patch
new file mode 100644 (file)
index 0000000..69dd963
--- /dev/null
@@ -0,0 +1,70 @@
+From 340eaff651160234bdbce07ef34b92a8e45cd540 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Mon, 11 May 2020 15:31:41 +0200
+Subject: netfilter: nft_set_rbtree: Add missing expired checks
+
+From: Phil Sutter <phil@nwl.cc>
+
+commit 340eaff651160234bdbce07ef34b92a8e45cd540 upstream.
+
+Expired intervals would still match and be dumped to user space until
+garbage collection wiped them out. Make sure they stop matching and
+disappear (from users' perspective) as soon as they expire.
+
+Fixes: 8d8540c4f5e03 ("netfilter: nft_set_rbtree: add timeout support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_set_rbtree.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/net/netfilter/nft_set_rbtree.c
++++ b/net/netfilter/nft_set_rbtree.c
+@@ -82,6 +82,10 @@ static bool __nft_rbtree_lookup(const st
+                               parent = rcu_dereference_raw(parent->rb_left);
+                               continue;
+                       }
++
++                      if (nft_set_elem_expired(&rbe->ext))
++                              return false;
++
+                       if (nft_rbtree_interval_end(rbe)) {
+                               if (nft_set_is_anonymous(set))
+                                       return false;
+@@ -97,6 +101,7 @@ static bool __nft_rbtree_lookup(const st
+       if (set->flags & NFT_SET_INTERVAL && interval != NULL &&
+           nft_set_elem_active(&interval->ext, genmask) &&
++          !nft_set_elem_expired(&interval->ext) &&
+           nft_rbtree_interval_start(interval)) {
+               *ext = &interval->ext;
+               return true;
+@@ -154,6 +159,9 @@ static bool __nft_rbtree_get(const struc
+                               continue;
+                       }
++                      if (nft_set_elem_expired(&rbe->ext))
++                              return false;
++
+                       if (!nft_set_ext_exists(&rbe->ext, NFT_SET_EXT_FLAGS) ||
+                           (*nft_set_ext_flags(&rbe->ext) & NFT_SET_ELEM_INTERVAL_END) ==
+                           (flags & NFT_SET_ELEM_INTERVAL_END)) {
+@@ -170,6 +178,7 @@ static bool __nft_rbtree_get(const struc
+       if (set->flags & NFT_SET_INTERVAL && interval != NULL &&
+           nft_set_elem_active(&interval->ext, genmask) &&
++          !nft_set_elem_expired(&interval->ext) &&
+           !nft_rbtree_interval_end(interval)) {
+               *elem = interval;
+               return true;
+@@ -352,6 +361,8 @@ static void nft_rbtree_walk(const struct
+               if (iter->count < iter->skip)
+                       goto cont;
++              if (nft_set_elem_expired(&rbe->ext))
++                      goto cont;
+               if (!nft_set_elem_active(&rbe->ext, iter->genmask))
+                       goto cont;
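Review bot: In the nested `__nft_rbtree_lookup` hunk at -82, the added `if (nft_set_elem_expired(&rbe->ext)) return false;` sits ahead of the `nft_rbtree_interval_end(rbe)` branch and ends the search outright, while the inactive-generation case directly above it keeps descending via `rb_left` and `continue`. If an expired node can share its key with a live one, the lookup would report a miss for a key that is still in the set, and the rule verdict would be wrong until garbage collection removes the node. One possible case is the end marker of a timed-out interval sitting next to the start of an adjacent interval, but this cannot be confirmed from these lines because the interval-end branch is cut off by the hunk. Either state the invariant next to the check, e.g. `/* an expired exact match ends the lookup: no live element can share this key */`, or, if it does not hold, let expiry descend like inactivity with `parent = rcu_dereference_raw(parent->rb_left); continue;`. The same early return is added in `__nft_rbtree_get` at -154, and both function bodies begin and end outside the hunks shown.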
index cd83b1aaa00539098a115de64b27c563e9f1a17a..22fa5858903fcb438cddf04d49ceab6b4fbd8f1e 100644 (file)
@@ -78,3 +78,4 @@ arm64-dts-renesas-r8a77980-fix-ipmmu-vip-nodes.patch
 arm-dts-r8a7740-add-missing-extal2-to-cpg-node.patch
 kvm-x86-fix-off-by-one-error-in-kvm_vcpu_ioctl_x86_setup_mce.patch
 makefile-disallow-data-races-on-gcc-10-as-well.patch
+netfilter-nft_set_rbtree-add-missing-expired-checks.patch