On Mon, Apr 19, 2021 at 8:04 AM Greg KH gregkh@linuxfoundation.org wrote:
On Sun, Apr 18, 2021 at 10:47:04AM -0400, Jonathon Reinhart wrote:
On Sun, Apr 18, 2021 at 8:46 AM gregkh@linuxfoundation.org wrote:
This is a note to let you know that I've just added the patch titled
net: Make tcp_allowed_congestion_control readonly in non-init netns
to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: net-make-tcp_allowed_congestion_control-readonly-in-non-init-netns.patch and it can be found in the queue-5.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
From 97684f0970f6e112926de631fdd98d9693c7e5c1 Mon Sep 17 00:00:00 2001
From: Jonathon Reinhart jonathon.reinhart@gmail.com
Date: Tue, 13 Apr 2021 03:08:48 -0400
Subject: net: Make tcp_allowed_congestion_control readonly in non-init netns
From: Jonathon Reinhart jonathon.reinhart@gmail.com
commit 97684f0970f6e112926de631fdd98d9693c7e5c1 upstream.
Hi Greg,
Thanks for picking this into the stable trees.
There's an earlier, somewhat related fix, which is only on net-next:
2671fa4dc010 ("netfilter: conntrack: Make global sysctls readonly in non-init netns")
That probably could have been on "net", but it followed this other commit which was not strictly a bug-fix. It's additional logic to detect bugs like the former:
31c4d2f160eb ("net: Ensure net namespace isolation of sysctls")
Here's the series on Patchwork: https://patchwork.kernel.org/project/netdevbpf/cover/20210412042453.32168-1-...
I'm not yet sure where the threshold is for inclusion into "net" or "stable". Could you please take a look and see if the first (or both) of these should be included into the stable trees? If so, please feel free to pick them yourself, or let me know which patches I should send to "stable".
I have to wait until a patch is in Linus's tree before we can add it to the stable queue, unless there is some big reason why this is not the case.
For something like this, how about just waiting until it hits Linus's tree and then email stable@vger.kernel.org saying, "please apply git commit <SHA1> to the stable trees." and we can do so then.
thanks,
greg k-h
Dave,
I originally submitted 2671fa4dc010 ("netfilter: conntrack: Make global sysctls readonly in non-init netns") to net-next as part of the "Ensuring net sysctl isolation" series. However, I think that may have been a mistake on my part, and that commit should have been a bugfix sent to "net". (I submitted it to "net-next" because the other commit in that series, 31c4d2f160eb ("net: Ensure net namespace isolation of sysctls"), was more of a feature than a bugfix.)
I sent the other bugfix "net: Make tcp_allowed_congestion_control readonly in non-init netns" to "net-next" but you made the right call and applied to "net"; thanks.
From my perspective, one of the two bugs I discovered is now fixed on Linus' tree, but the other is on "net-next". Do you think we should pick that into "net"? Personally, I'd really like to see both of these fixes in the 5.10 / 5.11 stable trees so Debian 11 can be netns-safe out of the box, but I understand there may be bigger fish to fry from your perspective.
Thanks, Jonathon Reinhart