From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 11 Dec 2023 13:39:51 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v4.14.333~26
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=426ec17b4240f8bb56f8cf21f2fc8ac2454300b0;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	netfilter-nft_set_pipapo-skip-inactive-elements-during-set-walk.patch
---

diff --git a/queue-5.15/netfilter-nft_set_pipapo-skip-inactive-elements-during-set-walk.patch b/queue-5.15/netfilter-nft_set_pipapo-skip-inactive-elements-during-set-walk.patch
new file mode 100644
index 00000000000..54e5365aae6
--- /dev/null
+++ b/queue-5.15/netfilter-nft_set_pipapo-skip-inactive-elements-during-set-walk.patch
@@ -0,0 +1,32 @@
+From 317eb9685095678f2c9f5a8189de698c5354316a Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 1 Dec 2023 15:47:13 +0100
+Subject: netfilter: nft_set_pipapo: skip inactive elements during set walk
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 317eb9685095678f2c9f5a8189de698c5354316a upstream.
+
+Otherwise set elements can be deactivated twice which will cause a crash.
+
+Reported-by: Xingyuan Mo <hdthky0@gmail.com>
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_set_pipapo.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2042,6 +2042,9 @@ static void nft_pipapo_walk(const struct
+ 
+ 		e = f->mt[r].e;
+ 
++		if (!nft_set_elem_active(&e->ext, iter->genmask))
++			goto cont;
++
+ 		elem.priv = e;
+ 
+ 		iter->err = iter->fn(ctx, set, iter, &elem);
diff --git a/queue-5.15/series b/queue-5.15/series
index 8765dc147de..0604037488f 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -105,6 +105,7 @@ tracing-stop-current-tracer-when-resizing-buffer.patch
 r8169-fix-rtl8125b-pause-frames-blasting-when-suspen.patch
 mm-fix-oops-when-filemap_map_pmd-without-prealloc_pte.patch
 io_uring-af_unix-disable-sending-io_uring-over-sockets.patch
+netfilter-nft_set_pipapo-skip-inactive-elements-during-set-walk.patch
 arm64-dts-mediatek-align-thermal-zone-node-names-wit.patch
 arm64-dts-mediatek-mt8183-move-thermal-zones-to-the-.patch
 arm64-dts-mediatek-add-missing-space-before.patch