4.11-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Jun 2017 15:01:13 +0000 (17:01 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Jun 2017 15:01:13 +0000 (17:01 +0200)
added patches:
netfilter-nft_set_rbtree-handle-element-re-addition-after-deletion.patch

queue-4.11/netfilter-nft_set_rbtree-handle-element-re-addition-after-deletion.patch [new file with mode: 0644]
queue-4.11/series

diff --git a/queue-4.11/netfilter-nft_set_rbtree-handle-element-re-addition-after-deletion.patch b/queue-4.11/netfilter-nft_set_rbtree-handle-element-re-addition-after-deletion.patch
new file mode 100644 (file)
index 0000000..bebb5ad
--- /dev/null
@@ -0,0 +1,55 @@
+From d2df92e98a34a5619dadd29c6291113c009181e7 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sun, 21 May 2017 00:37:10 +0200
+Subject: netfilter: nft_set_rbtree: handle element re-addition after deletion
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit d2df92e98a34a5619dadd29c6291113c009181e7 upstream.
+
+The existing code selects no next branch to be inspected when
+re-inserting an inactive element into the rb-tree, looping endlessly.
+This patch restricts the check for active elements to the EEXIST case
+only.
+
+Fixes: e701001e7cbe ("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates")
+Reported-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Tested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_set_rbtree.c |   22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/net/netfilter/nft_set_rbtree.c
++++ b/net/netfilter/nft_set_rbtree.c
+@@ -117,17 +117,17 @@ static int __nft_rbtree_insert(const str
+               else if (d > 0)
+                       p = &parent->rb_right;
+               else {
+-                      if (nft_set_elem_active(&rbe->ext, genmask)) {
+-                              if (nft_rbtree_interval_end(rbe) &&
+-                                  !nft_rbtree_interval_end(new))
+-                                      p = &parent->rb_left;
+-                              else if (!nft_rbtree_interval_end(rbe) &&
+-                                       nft_rbtree_interval_end(new))
+-                                      p = &parent->rb_right;
+-                              else {
+-                                      *ext = &rbe->ext;
+-                                      return -EEXIST;
+-                              }
++                      if (nft_rbtree_interval_end(rbe) &&
++                          !nft_rbtree_interval_end(new)) {
++                              p = &parent->rb_left;
++                      } else if (!nft_rbtree_interval_end(rbe) &&
++                                 nft_rbtree_interval_end(new)) {
++                              p = &parent->rb_right;
++                      } else if (nft_set_elem_active(&rbe->ext, genmask)) {
++                              *ext = &rbe->ext;
++                              return -EEXIST;
++                      } else {
++                              p = &parent->rb_left;
+                       }
+               }
+       }
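Review bot: The final `else` arm of the rewritten chain in `__nft_rbtree_insert` (the new `p = &parent->rb_left;`, taken for an inactive element with an equal key and the same interval-end flag) has no comment, although it is the line that makes the descent advance. Per the commit message the old code selected no branch in that case and the insert looped endlessly, which in kernel context is a denial-of-service condition, so the invariant deserves to be written down, for example `/* inactive duplicate: keep descending; every arm must move p or return */`. The choice of the left child also looks like an ordering convention that the lookup and deactivate paths would have to follow when they meet an inactive node with an equal key; those functions are outside this hunk, so that is worth confirming before the backport is accepted. The body of `__nft_rbtree_insert`, including the loop these arms sit in, starts and ends outside the hunk.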
index 0975b4d3f006601d696137ca9177634188177ca7..df6e1c71b42398a147937213b1fca7ac2cab33dd 100644 (file)
@@ -147,3 +147,4 @@ hwmon-coretemp-handle-frozen-hotplug-state-correctly.patch
 audit-fix-the-rcu-locking-for-the-auditd_connection-structure.patch
 drm-i915-vbt-don-t-propagate-errors-from-intel_bios_init.patch
 drm-i915-vbt-split-out-defaults-that-are-set-when-there-is-no-vbt.patch
+netfilter-nft_set_rbtree-handle-element-re-addition-after-deletion.patch