Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2216439/?format=api
{ "id": 2216439, "url": "http://patchwork.ozlabs.org/api/patches/2216439/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260326125153.685915-2-pablo@netfilter.org/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260326125153.685915-2-pablo@netfilter.org>", "list_archive_url": null, "date": "2026-03-26T12:51:42", "name": "[net,01/12] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry", "commit_ref": null, "pull_url": null, "state": "handled-elsewhere", "archived": true, "hash": "1a13e4180a405db3a2bcfcd0f7f52de9e11ec21f", "submitter": { "id": 1315, "url": "http://patchwork.ozlabs.org/api/people/1315/?format=api", "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260326125153.685915-2-pablo@netfilter.org/mbox/", "series": [ { "id": 497584, "url": "http://patchwork.ozlabs.org/api/series/497584/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=497584", "date": "2026-03-26T12:51:41", "name": "[net,01/12] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry", "version": 3, "mbox": "http://patchwork.ozlabs.org/series/497584/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2216439/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2216439/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <netfilter-devel+bounces-11440-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=tzcgQO1z;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11440-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"tzcgQO1z\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fhP0n4Bb1z1yGD\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 26 Mar 2026 23:56:25 +1100 (AEDT)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 01B4A30C1B9E\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 26 Mar 2026 12:52:06 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 82E8125F99B;\n\tThu, 26 Mar 2026 12:52:03 +0000 (UTC)", "from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id B31142367CF;\n\tThu, 26 Mar 2026 12:52:00 +0000 (UTC)", "from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id 6A13A6026C;\n\tThu, 26 Mar 2026 13:51:58 +0100 (CET)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774529523; cv=none;\n b=Bm3Md0o/aS2uLKuid7U1TpJeeY80RydhK/M0Jsl7miiXOGUpuE2aMDP1DLAM38PLFtZola4ggKu8Svz9j0qzZ0JorC1kzVOWGaZZK5ibHaSRvXAdXNxhx9UCO6MvLaauFCNYIdkruV8LDUYdUfBrWLpPDHcTmHcMPjWraH41p60=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774529523; c=relaxed/simple;\n\tbh=B/PR3ro6kDm/h1WL2reV58k4U8UyFxrpi+1XRIXQgsQ=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=BNMmV4CdpkLplZvS6m90kF6RQ/yNHBg2Jc+mwa+eUy9+YuIfOHelnrqHtL9pnw4QUOVLzz1hFe1wNx+GquSWaKCSLNa+6+mxdhhCGSFFnb+OcdIGVun99Q/eedOy+ADdQ0bPtwXkriS91zI3x0DXKtDES2LqbnI4Wjq2E15gKmM=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=tzcgQO1z; arc=none smtp.client-ip=217.70.190.124", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1774529518;\n\tbh=zNhPcQvv9ix+U6mE34OvR0ov6W+xNh0ysGj3Uq+7CXE=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=tzcgQO1zGG5o0mMaCT7VLY86K4f10Rg9kiqboO6Kfklqp7vQIbKuIiyMJHCkDsXgK\n\t p91fJNrsi1SRB5KxrFMNKGUmFTQd1wTOiLukNIUvXJIAy5uhJMAx4ueze0doGcw6uH\n\t Foxp3x0rHRYy3+G8tt3s8lGZQDGqP6a6vGSP7/qNZPP+NAuK23muz+BfTDfcX7eZEo\n\t 9RgTS4+KtorcqXqpqB+HyO6q8RTDuHvYMdPGoaqYt0gI7Wn3advPaAP9IfK3I6kVWc\n\t BG1PmMh/J+XDr3eInIR4bQR7awp/Ioo+0LCzqC8CYFJOd2IlGDwQNc6lfiXCbhabSS\n\t e2XfG6/fl1V+Q==", "From": "Pablo Neira Ayuso <pablo@netfilter.org>", "To": "netfilter-devel@vger.kernel.org", "Cc": "davem@davemloft.net,\n\tnetdev@vger.kernel.org,\n\tkuba@kernel.org,\n\tpabeni@redhat.com,\n\tedumazet@google.com,\n\tfw@strlen.de,\n\thorms@kernel.org", "Subject": "[PATCH net 01/12] netfilter: nft_set_pipapo_avx2: don't return\n non-matching entry on expiry", "Date": "Thu, 26 Mar 2026 13:51:42 +0100", "Message-ID": "<20260326125153.685915-2-pablo@netfilter.org>", "X-Mailer": "git-send-email 2.47.3", "In-Reply-To": "<20260326125153.685915-1-pablo@netfilter.org>", "References": "<20260326125153.685915-1-pablo@netfilter.org>", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "From: Florian Westphal <fw@strlen.de>\n\nNew test case fails unexpectedly when avx2 matching functions are used.\n\nThe test first loads a ranomly generated pipapo set\nwith 'ipv4 . port' key, i.e. nft -f foo.\n\nThis works. Then, it reloads the set after a flush:\n(echo flush set t s; cat foo) | nft -f -\n\nThis is expected to work, because its the same set after all and it was\nalready loaded once.\n\nBut with avx2, this fails: nft reports a clashing element.\n\nThe reported clash is of following form:\n\n We successfully re-inserted\n a . b\n c . d\n\nThen we try to insert a . d\n\navx2 finds the already existing a . d, which (due to 'flush set') is marked\nas invalid in the new generation. It skips the element and moves to next.\n\nDue to incorrect masking, the skip-step finds the next matching\nelement *only considering the first field*,\n\ni.e. we return the already reinserted \"a . b\", even though the\nlast field is different and the entry should not have been matched.\n\nNo such error is reported for the generic c implementation (no avx2) or when\nthe last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.\n\nBisection points to\n7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\")\nbut that fix merely uncovers this bug.\n\nBefore this commit, the wrong element is returned, but erronously\nreported as a full, identical duplicate.\n\nThe root-cause is too early return in the avx2 match functions.\nWhen we process the last field, we should continue to process data\nuntil the entire input size has been consumed to make sure no stale\nbits remain in the map.\n\nLink: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/\nSigned-off-by: Florian Westphal <fw@strlen.de>\nReviewed-by: Stefano Brivio <sbrivio@redhat.com>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++----------\n 1 file changed, 10 insertions(+), 10 deletions(-)", "diff": "diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c\nindex 7ff90325c97f..6395982e4d95 100644\n--- a/net/netfilter/nft_set_pipapo_avx2.c\n+++ b/net/netfilter/nft_set_pipapo_avx2.c\n@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill,\n \n \t\tb = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);\n \t\tif (last)\n-\t\t\treturn b;\n+\t\t\tret = b;\n \n \t\tif (unlikely(ret == -1))\n \t\t\tret = b / XSAVE_YMM_SIZE;\n@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill,\n \n \t\tb = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);\n \t\tif (last)\n-\t\t\treturn b;\n+\t\t\tret = b;\n \n \t\tif (unlikely(ret == -1))\n \t\t\tret = b / XSAVE_YMM_SIZE;\n@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill,\n \n \t\tb = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);\n \t\tif (last)\n-\t\t\treturn b;\n+\t\t\tret = b;\n \n \t\tif (unlikely(ret == -1))\n \t\t\tret = b / XSAVE_YMM_SIZE;\n@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill,\n \n \t\tb = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);\n \t\tif (last)\n-\t\t\treturn b;\n+\t\t\tret = b;\n \n \t\tif (unlikely(ret == -1))\n \t\t\tret = b / XSAVE_YMM_SIZE;\n@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill,\n \n \t\tb = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);\n \t\tif (last)\n-\t\t\treturn b;\n+\t\t\tret = b;\n \n \t\tif (unlikely(ret == -1))\n \t\t\tret = b / XSAVE_YMM_SIZE;\n@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill,\n \n \t\tb = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);\n \t\tif (last)\n-\t\t\treturn b;\n+\t\t\tret = b;\n \n \t\tif (unlikely(ret == -1))\n \t\t\tret = b / XSAVE_YMM_SIZE;\n@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill,\n \n \t\tb = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);\n \t\tif (last)\n-\t\t\treturn b;\n+\t\t\tret = b;\n \n \t\tif (unlikely(ret == -1))\n \t\t\tret = b / XSAVE_YMM_SIZE;\n@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill,\n \n \t\tb = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);\n \t\tif (last)\n-\t\t\treturn b;\n+\t\t\tret = b;\n \n \t\tif (unlikely(ret == -1))\n \t\t\tret = b / XSAVE_YMM_SIZE;\n@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill,\n \n \t\tb = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);\n \t\tif (last)\n-\t\t\treturn b;\n+\t\t\tret = b;\n \n \t\tif (unlikely(ret == -1))\n \t\t\tret = b / XSAVE_YMM_SIZE;\n@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,\n \n \t\tb = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);\n \t\tif (last)\n-\t\t\treturn b;\n+\t\t\tret = b;\n \n \t\tif (unlikely(ret == -1))\n \t\t\tret = b / XSAVE_YMM_SIZE;\n", "prefixes": [ "net", "01/12" ] }