From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [91.216.245.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EE9B3269D18 for ; Wed, 4 Mar 2026 13:50:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.216.245.30 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772632217; cv=none; b=tiVpr1IhdbjzuPUWcJ3q/mOCI54sSfTIRalwVZHF+tG+ok5Q9Y6rokkGE03Vf7nj7A+G9oJ4GhUcj10V4uCUx9iQJizeIu4X6cd1vV7EZxWaLlJlNkbspcuFvJS7gsAxc+xMe+0Md030SYB/TvpazeZQJJfCw6K6EHcgUtWYgLE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772632217; c=relaxed/simple; bh=oUCBHwoYpdLB/hcFTz8xMw46AcE2qwmnTC+aNLoCrbI=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=bKn1tDMdL0gTDdRMzWh9T4kcXyM6ipoTJ3x4oriChnOlkDBqiG/sgu8prGvkuBpBwi/4EzZ2nclYWTQzpLnD/pRfCGZvI9/hCaPNlB7oYEEJdMLsy1FwUSFQdsW5sZ8+whydFoxPVosnSNDRjSgT903es/3OxQCD2j6pR1vvLwg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de; spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=strlen.de Received: by Chamillionaire.breakpoint.cc (Postfix, from userid 1003) id 43A42602AB; Wed, 04 Mar 2026 14:50:14 +0100 (CET) Date: Wed, 4 Mar 2026 14:50:14 +0100 From: Florian Westphal To: Natarajan KV Cc: stable@vger.kernel.org, gregkh@linuxfoundation.org, pablo@netfilter.org, kadlec@netfilter.org Subject: Re: [PATCH] netfilter: nft_set_pipapo: clear dirty flag on abort/commit clone failure Message-ID: References: <20260304133859.28372-1-natarajankv91@gmail.com> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260304133859.28372-1-natarajankv91@gmail.com> Natarajan KV wrote: > nft_pipapo_abort() and nft_pipapo_commit() call pipapo_clone() which > can fail under memory pressure. When this happens, the functions return > diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c > index 4274831b6e67..34a108399fd3 100644 > --- a/net/netfilter/nft_set_pipapo.c > +++ b/net/netfilter/nft_set_pipapo.c > @@ -1708,8 +1708,10 @@ static void nft_pipapo_commit(struct nft_set *set) > return; > > new_clone = pipapo_clone(priv->clone); > - if (IS_ERR(new_clone)) > + if (IS_ERR(new_clone)) { > + priv->dirty = false; > return; > + } > > priv->dirty = false; > > @@ -1743,8 +1745,10 @@ static void nft_pipapo_abort(const struct nft_set *set) > m = rcu_dereference_protected(priv->match, nft_pipapo_transaction_mutex_held(set)); > > new_clone = pipapo_clone(m); > - if (IS_ERR(new_clone)) > + if (IS_ERR(new_clone)) { > + priv->dirty = false; > return; > + } As I said, I don't think this really helps. Cloning must only happen in locations where we can still reject the transaction, e.g. during insert or delete operations.