On Tue, Apr 07, 2020 at 02:18:48AM +0200, Stefano Brivio wrote:
Hi Sasha,
On Mon, 6 Apr 2020 20:00:49 -0400 Sasha Levin <sashal@kernel.org> wrote:
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 8c2d45b2b65ca1f215244be1c600236e83f9815f ]
This patch, together with 28/35 and 29/35 in this series, and all the equivalent patches for 5.4 and 4.19, that is:

  [PATCH AUTOSEL 5.5 27/35] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
  [PATCH AUTOSEL 5.5 28/35] netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
  [PATCH AUTOSEL 5.5 29/35] netfilter: nft_set_rbtree: Detect partial overlaps on insertion
  [PATCH AUTOSEL 5.4 24/32] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
  [PATCH AUTOSEL 5.4 25/32] netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
  [PATCH AUTOSEL 5.4 26/32] netfilter: nft_set_rbtree: Detect partial overlaps on insertion
  [PATCH AUTOSEL 4.19 08/13] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
  [PATCH AUTOSEL 4.19 09/13] netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
  [PATCH AUTOSEL 4.19 10/13] netfilter: nft_set_rbtree: Detect partial overlaps on insertion

should only be backported together with nf.git commit 72239f2795fa ("netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion")
as they would otherwise introduce a regression. In general, those changes are not really relevant before 5.6, as nft_set_pipapo wasn't there and the main purpose here is to make the nft_set_rbtree back-end consistent with it: they also prevent a malfunction in nft_set_rbtree itself, but nothing that would be triggered using 'nft' alone, and no memory badnesses or critical issues whatsoever. So it's also safe to drop them, in my opinion.
Also patches for 4.14 and 4.9:

  [PATCH AUTOSEL 4.14 6/9] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
  [PATCH AUTOSEL 4.9 3/5] netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion

can safely be dropped, because there are no set back-ends there, without the following patches, that use this way of reporting a partial overlap.
I've just dropped them all as 72239f2795fa ("netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion") didn't make it into Linus's tree yet.
I'm used to not Cc: stable on networking patches (Dave's net.git), but I guess I should instead if they go through nf.git (Pablo's tree), right?
Yup, this confusion has caused quite a few netfilter fixes to not land in -stable. If it goes through Pablo's tree (and unless he instructs otherwise), you should Cc stable.