netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration

pvts-mat · pvts-mat · commit b5c6baaa7eff · 2025-11-04T21:50:26.000+01:00
jira VULN-430 cve CVE-2023-4244 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit b079155 Skip GC run if iterator rewinds to the beginning with EAGAIN, otherwise GC might collect the same element more than once. Fixes: f6c383b ("netfilter: nf_tables: adapt set backend to use GC transaction API") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit b079155) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
@@ -338,12 +338,9 @@ static void nft_rhash_gc(struct work_struct *work)
 
 	while ((he = rhashtable_walk_next(&hti))) {
 		if (IS_ERR(he)) {
-			if (PTR_ERR(he) != -EAGAIN) {
-				nft_trans_gc_destroy(gc);
-				gc = NULL;
-				goto try_later;
-			}
-			continue;
+			nft_trans_gc_destroy(gc);
+			gc = NULL;
+			goto try_later;
 		}
 
 		/* Ruleset has been updated, try later. */
