Date:   Mon, 13 Apr 2020 12:39:00 -0400
From:   Sasha Levin <sashal@...nel.org>
To:     Stefano Brivio <sbrivio@...hat.com>
Cc:     linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        Pablo Neira Ayuso <pablo@...filter.org>,
        Phil Sutter <phil@....cc>, netfilter-devel@...r.kernel.org,
        coreteam@...filter.org, netdev@...r.kernel.org
Subject: Re: [PATCH AUTOSEL 5.5 27/35] netfilter: nf_tables: Allow set
 back-ends to report partial overlaps on insertion

On Tue, Apr 07, 2020 at 02:18:48AM +0200, Stefano Brivio wrote:
>Hi Sasha,
>
>On Mon,  6 Apr 2020 20:00:49 -0400
>Sasha Levin <sashal@...nel.org> wrote:
>
>> From: Pablo Neira Ayuso <pablo@...filter.org>
>>
>> [ Upstream commit 8c2d45b2b65ca1f215244be1c600236e83f9815f ]
>
>This patch, together with 28/35 and 29/35 in this series, and all the
>equivalent patches for 5.4 and 4.19, that is:
>	[PATCH AUTOSEL 5.5 27/35] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
>	[PATCH AUTOSEL 5.5 28/35] netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
>	[PATCH AUTOSEL 5.5 29/35] netfilter: nft_set_rbtree: Detect partial overlaps on insertion
>	[PATCH AUTOSEL 5.4 24/32] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
>	[PATCH AUTOSEL 5.4 25/32] netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
>	[PATCH AUTOSEL 5.4 26/32] netfilter: nft_set_rbtree: Detect partial overlaps on insertion
>	[PATCH AUTOSEL 4.19 08/13] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
>	[PATCH AUTOSEL 4.19 09/13] netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
>	[PATCH AUTOSEL 4.19 10/13] netfilter: nft_set_rbtree: Detect partial overlaps on insertion
>
>should only be backported together with nf.git commit
>	72239f2795fa ("netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion")
>
>as they would otherwise introduce a regression. In general, those changes
>are not really relevant before 5.6, as nft_set_pipapo wasn't there and the
>main purpose here is to make the nft_set_rbtree back-end consistent with it:
>they also prevent a malfunction in nft_set_rbtree itself, but nothing that
>would be triggered using 'nft' alone, and no memory badnesses or critical
>issues whatsoever. So it's also safe to drop them, in my opinion.
>
>Also patches for 4.14 and 4.9:
>	[PATCH AUTOSEL 4.14 6/9] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
>	[PATCH AUTOSEL 4.9 3/5] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
>
>can safely be dropped, because there are no set back-ends there, without
>the following patches, that use this way of reporting a partial overlap.

I've just dropped them all as 72239f2795fa ("netfilter: nft_set_rbtree:
Drop spurious condition for overlap detection on insertion") didn't make
it into Linus's tree yet.

>I'm used to not Cc: stable on networking patches (Dave's net.git),
>but I guess I should instead if they go through nf.git (Pablo's tree),
>right?

Yup, this confusion has caused quite a few netfilter fixes to not
land in -stable. If it goes through Pablo's tree (and unless he instructs
otherwise), you should Cc stable.

-- 
Thanks,
Sasha
