netfilter: nft_set_pipapo: skip inactive elements during set walk

[bmastbergen]

jira VULN-8904
cve CVE-2023-6817

commit-author Florian Westphal <[email protected]>
commit 317eb9685095678f2c9f5a8189de698c5354316a
upstream-diff Additional newline because this kernel has not removed
              the nft_set_elem_expired call yet

Otherwise set elements can be deactivated twice which will cause a crash.

	Reported-by: Xingyuan Mo <[email protected]>
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
	Signed-off-by: Florian Westphal <[email protected]>
	Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 317eb9685095678f2c9f5a8189de698c5354316a)
	Signed-off-by: Brett Mastbergen <[email protected]>

Netfilter selftests were run because this is a netfilter change:
netfilter-selftest-before.log
netfilter-selftest-after.log

brett@lycia ~/ciq/vuln-8904 % grep ^ok netfilter-selftest-before.log | wc -l
12
brett@lycia ~/ciq/vuln-8904 % grep ^ok netfilter-selftest-after.log | wc -l
12
brett@lycia ~/ciq/vuln-8904 %

Full selftests were also run:
selftests-before.log
selftests-after.log

brett@lycia ~/ciq/vuln-8904 % grep ^ok selftests-before.log | wc -l
309
brett@lycia ~/ciq/vuln-8904 % grep ^ok selftests-after.log | wc -l
311
brett@lycia ~/ciq/vuln-8904 %

[PlaidCat]

upstream-diff Additional newline because this kernel has not removed
the nft_set_elem_expired call yet

Did the pr checker complain? It seemed like an obvious delta.

[gvrose8192]

upstream-diff Additional newline because this kernel has not removed
the nft_set_elem_expired call yet

Did the pr checker complain? It seemed like an obvious delta.

The PR checker will not complain about upstream diffs if the 'upstream-diff' tag is included in the first 7 or 8 lines of the commit message.

[gvrose8192]

LGTM - Thanks.