Hi Greg, Sasha,
This batch contains fixes for 4.19:
1) Missing fix in 4.19, you can cherry-pick it from 8ca79606cdfd ("netfilter: nft_flow_offload: fix underflow in flowtable reference counter")
2) Oneliner that includes missing chunk in 4.19 backport.
   Fixes: 1df28fde1270 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") in 4.19
   You have to apply this patch manually.
Thanks.
Pablo Neira Ayuso (1):
  netfilter: nf_tables: missing NFT_TRANS_PREPARE_ERROR in flowtable deactivatation

wenxu (1):
  netfilter: nft_flow_offload: fix underflow in flowtable reference counter

 net/netfilter/nf_tables_api.c    | 1 +
 net/netfilter/nft_flow_offload.c | 3 ---
 2 files changed, 1 insertion(+), 3 deletions(-)
From: wenxu <wenxu@ucloud.cn>
commit 8ca79606cdfde2e37ee4f0707b9d1874a6f0eb38 upstream.
The .deactivate and .activate interfaces already deal with the reference counter. Otherwise, this results in spurious "Device is busy" errors.
Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression")
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_flow_offload.c | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index 7055088e91c2..ec35a41c7262 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -197,9 +197,6 @@ static void nft_flow_offload_activate(const struct nft_ctx *ctx, static void nft_flow_offload_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr) { - struct nft_flow_offload *priv = nft_expr_priv(expr); - - priv->flowtable->use--; nf_ct_netns_put(ctx->net, ctx->family); }
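Review bot: With priv->flowtable->use-- removed, nft_flow_offload_destroy() only calls nf_ct_netns_put(), so nothing in the destroy path shows where the flowtable reference is released. The changelog says .deactivate and .activate already deal with the counter, but its second sentence opens with "Otherwise" without naming the extra decrement that causes the underflow. Consider stating explicitly that destroy was dropping a reference the .deactivate path had already dropped, and adding a one-line comment in nft_flow_offload_destroy() that the use counter is handled in .deactivate, so the decrement is not reintroduced by a later backport.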
commit 26b5a5712eb85e253724e56a54c17f8519bd8e4e upstream.
Missing NFT_TRANS_PREPARE_ERROR in 1df28fde1270 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") in 4.19.
Fixes: 1df28fde1270 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") in 4.19
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index eeadb638f448..0ff8f1006c6b 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -5555,6 +5555,7 @@ void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, enum nft_trans_phase phase) { switch (phase) { + case NFT_TRANS_PREPARE_ERROR: case NFT_TRANS_PREPARE: case NFT_TRANS_ABORT: case NFT_TRANS_RELEASE:
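Review bot: In the switch in nf_tables_deactivate_flowtable(), the new NFT_TRANS_PREPARE_ERROR label shares its body with NFT_TRANS_PREPARE, NFT_TRANS_ABORT and NFT_TRANS_RELEASE, but the changelog does not say what the switch did with that phase on 4.19 before this line was added. Since this is a fixup for a stable backport, a sentence describing the effect of the missing case on the flowtable use counter, and noting that the chunk was dropped from the 4.19 backport of 1df28fde1270, would make the stable history easier to audit.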
On Mon, Sep 18, 2023 at 02:06:54PM +0200, Pablo Neira Ayuso wrote:
> Hi Greg, Sasha,
> This batch contains fixes for 4.19:
> 1) Missing fix in 4.19, you can cherry-pick it from 8ca79606cdfd ("netfilter: nft_flow_offload: fix underflow in flowtable reference counter")
> 2) Oneliner that includes missing chunk in 4.19 backport.
>    Fixes: 1df28fde1270 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") in 4.19
>    You have to apply this patch manually.
All now queued up, thanks.
greg k-h
linux-stable-mirror@lists.linaro.org