From: Greg Kroah-Hartman
Date: Mon, 12 Jun 2017 15:01:30 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.57~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=30325127e5b68874852dc8ed0fe21a5fa6c150e6;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
netfilter-nft_set_rbtree-handle-element-re-addition-after-deletion.patch
---

diff --git a/queue-4.9/netfilter-nft_set_rbtree-handle-element-re-addition-after-deletion.patch b/queue-4.9/netfilter-nft_set_rbtree-handle-element-re-addition-after-deletion.patch new file mode 100644 index 00000000000..da0444c3381 --- /dev/null +++ b/queue-4.9/netfilter-nft_set_rbtree-handle-element-re-addition-after-deletion.patch 
@@ -0,0 +1,55 @@ +From d2df92e98a34a5619dadd29c6291113c009181e7 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Sun, 21 May 2017 00:37:10 +0200 +Subject: netfilter: nft_set_rbtree: handle element re-addition after deletion + +From: Pablo Neira Ayuso + +commit d2df92e98a34a5619dadd29c6291113c009181e7 upstream. + +The existing code selects no next branch to be inspected when +re-inserting an inactive element into the rb-tree, looping endlessly. +This patch restricts the check for active elements to the EEXIST case +only. + +Fixes: e701001e7cbe ("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates") +Reported-by: Wolfgang Bumiller +Tested-by: Wolfgang Bumiller +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nft_set_rbtree.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -118,17 +118,17 @@ static int __nft_rbtree_insert(const str + else if (d > 0) + p = &parent->rb_right; + else { +- if (nft_set_elem_active(&rbe->ext, genmask)) { +- if (nft_rbtree_interval_end(rbe) && +- !nft_rbtree_interval_end(new)) +- p = &parent->rb_left; +- else if (!nft_rbtree_interval_end(rbe) && +- nft_rbtree_interval_end(new)) +- p = &parent->rb_right; +- else { +- *ext = &rbe->ext; +- return -EEXIST; +- } ++ if (nft_rbtree_interval_end(rbe) && ++ !nft_rbtree_interval_end(new)) { ++ p = &parent->rb_left; ++ } else if (!nft_rbtree_interval_end(rbe) && ++ nft_rbtree_interval_end(new)) { ++ p = &parent->rb_right; ++ } else if (nft_set_elem_active(&rbe->ext, genmask)) { ++ *ext = &rbe->ext; ++ return -EEXIST; ++ } else { ++ p = &parent->rb_left; + } + } + } diff --git a/queue-4.9/series b/queue-4.9/series index d9fa5138d0a..3cb3259911c 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -116,3 +116,4 @@ drm-i915-vbt-don-t-propagate-errors-from-intel_bios_init.patch drm-i915-vbt-split-out-defaults-that-are-set-when-there-is-no-vbt.patch cpufreq-schedutil-move-cached_raw_freq-to-struct-sugov_policy.patch cpufreq-schedutil-fix-per-cpu-structure-initialization-in-sugov_start.patch +netfilter-nft_set_rbtree-handle-element-re-addition-after-deletion.patch
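Review bot: in the `__nft_rbtree_insert` hunk, the new final `else { p = &parent->rb_left; }` is the branch that actually ends the endless loop, but it has no comment saying that it covers an inactive element with an equal key and the same interval-end flag, or why descending left rather than right is the intended choice. A one-line comment above that branch would make the invariant explicit for the next person touching this chain. The rewrite also moves the two `nft_rbtree_interval_end()` comparisons out from under `nft_set_elem_active()`, so they now run for inactive elements as well. The commit message only mentions restricting the active check to the EEXIST case, so it is worth stating that second behaviour change there too. A regression test that deletes an element and re-adds it would guard the case named in the subject line.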