| Message ID | 20240321112117.36737-2-pablo@netfilter.org (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | b0e256f3dd2ba6532f37c5c22e07cb07a36031ee |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net,1/3] netfilter: nft_set_pipapo: release elements in clone only from destroy path | expand |
Hello: This series was applied to netdev/net.git (main) by Pablo Neira Ayuso <pablo@netfilter.org>: On Thu, 21 Mar 2024 12:21:15 +0100 you wrote: > Clone already always provides a current view of the lookup table, use it > to destroy the set, otherwise it is possible to destroy elements twice. > > This fix requires: > > 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol") > > [...] Here is the summary with links: - [net,1/3] netfilter: nft_set_pipapo: release elements in clone only from destroy path https://git.kernel.org/netdev/net/c/b0e256f3dd2b - [net,2/3] netfilter: nf_tables: do not compare internal table flags on updates https://git.kernel.org/netdev/net/c/4a0e7f2decbf - [net,3/3] netfilter: nf_tables: Fix a memory leak in nf_tables_updchain https://git.kernel.org/netdev/net/c/7eaf837a4eb5 You are awesome, thank you!
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c index c0ceea068936..df8de5090246 100644 --- a/net/netfilter/nft_set_pipapo.c +++ b/net/netfilter/nft_set_pipapo.c @@ -2329,8 +2329,6 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx, if (m) { rcu_barrier(); - nft_set_pipapo_match_destroy(ctx, set, m); - for_each_possible_cpu(cpu) pipapo_free_scratch(m, cpu); free_percpu(m->scratch); @@ -2342,8 +2340,7 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx, if (priv->clone) { m = priv->clone; - if (priv->dirty) - nft_set_pipapo_match_destroy(ctx, set, m); + nft_set_pipapo_match_destroy(ctx, set, m); for_each_possible_cpu(cpu) pipapo_free_scratch(priv->clone, cpu);
Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol") which came after: 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path"). Fixes: 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nft_set_pipapo.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)