lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200413163900.GO27528@sasha-vm>
Date:   Mon, 13 Apr 2020 12:39:00 -0400
From:   Sasha Levin <sashal@...nel.org>
To:     Stefano Brivio <sbrivio@...hat.com>
Cc:     linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        Pablo Neira Ayuso <pablo@...filter.org>,
        Phil Sutter <phil@....cc>, netfilter-devel@...r.kernel.org,
        coreteam@...filter.org, netdev@...r.kernel.org
Subject: Re: [PATCH AUTOSEL 5.5 27/35] netfilter: nf_tables: Allow set
 back-ends to report partial overlaps on insertion

On Tue, Apr 07, 2020 at 02:18:48AM +0200, Stefano Brivio wrote:
>Hi Sasha,
>
>On Mon,  6 Apr 2020 20:00:49 -0400
>Sasha Levin <sashal@...nel.org> wrote:
>
>> From: Pablo Neira Ayuso <pablo@...filter.org>
>>
>> [ Upstream commit 8c2d45b2b65ca1f215244be1c600236e83f9815f ]
>
>This patch, together with 28/35 and 29/35 in this series, and all the
>equivalent patches for 5.4 and 4.19, that is:
>	[PATCH AUTOSEL 5.5 27/35] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
>	[PATCH AUTOSEL 5.5 28/35] netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
>	[PATCH AUTOSEL 5.5 29/35] netfilter: nft_set_rbtree: Detect partial overlaps on insertion
>	[PATCH AUTOSEL 5.4 24/32] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
>	[PATCH AUTOSEL 5.4 25/32] netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
>	[PATCH AUTOSEL 5.4 26/32] netfilter: nft_set_rbtree: Detect partial overlaps on insertion
>	[PATCH AUTOSEL 4.19 08/13] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
>	[PATCH AUTOSEL 4.19 09/13] netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
>	[PATCH AUTOSEL 4.19 10/13] netfilter: nft_set_rbtree: Detect partial overlaps on insertion
>
>should only be backported together with nf.git commit
>	72239f2795fa ("netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion")
>
>as they would otherwise introduce a regression. In general, those changes
>are not really relevant before 5.6, as nft_set_pipapo wasn't there and the
>main purpose here is to make the nft_set_rbtree back-end consistent with it:
>they also prevent a malfunction in nft_set_rbtree itself, but nothing that
>would be triggered using 'nft' alone, and no memory badnesses or critical
>issues whatsoever. So it's also safe to drop them, in my opinion.
>
>Also patches for 4.14 and 4.9:
>	[PATCH AUTOSEL 4.14 6/9] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
>	[PATCH AUTOSEL 4.9 3/5] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
>
>can safely be dropped, because there are no set back-ends there, without
>the following patches, that use this way of reporting a partial overlap.

I've just dropped them all as 72239f2795fa ("netfilter: nft_set_rbtree:
Drop spurious condition for overlap detection on insertion") didn't make
it into Linus's tree yet.

>I'm used to not Cc: stable on networking patches (Dave's net.git),
>but I guess I should instead if they go through nf.git (Pablo's tree),
>right?

Yup, this confusion has caused for quite a few netfilter fixes to not
land in -stable. If it goes through Pablo's tree (and unless he intructs
otherwise), you should Cc stable.

-- 
Thanks,
Sasha

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ