Please find attached a report generated by keyword matching commits from upstream that may be suitable for stable and probably as CVEs as well.
I exclude commits that are already tagged with CC stable in upstream and also commits already in stable/linux-rolling-stable.
I can send these types of reports weekly if you want. I plan to add more keywords to check for. But let's start small.
A question about commits that have a Fixes: tag. There are ~2000 of them since v6.8. As these are definitely bugfixes, do you want me to add commits that include a Fixes: tag in future reports/scans?
Also let me know if/how I can change the format of the scan so that it is easier for you to parse in your tooling.
regards ronnie sahlberg
On Sat, May 11, 2024 at 09:13:25PM -0400, Ronnie Sahlberg wrote:
> Please find attached a report generated by keyword matching commits from upstream that may be suitable for stable and probably as CVEs as well.
This is great, thanks for looking into this and sending this out!
> I exclude commits that are already tagged with CC stable in upstream and also commits already in stable/linux-rolling-stable.
I took a very short look, and just picked one commit at random on the bottom of the list: cf2df0080bd59cb97a15
And it's included in 6.8.2 already, as commit 9c68e3497b61 ("wifi: ath11k: fix a possible dead lock caused by ab->base_lock").
So is your tooling working?
Also, give us a chance to catch up on commits that are in Linus's tree, but not in a -rc release, which you list a few at the top of the list. We aren't allowed to apply them until after they hit a -rc release.
thanks,
greg k-h
On Sun, May 12, 2024 at 8:21 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> On Sat, May 11, 2024 at 09:13:25PM -0400, Ronnie Sahlberg wrote:
> > Please find attached a report generated by keyword matching commits from upstream that may be suitable for stable and probably as CVEs as well.
> This is great, thanks for looking into this and sending this out!
> > I exclude commits that are already tagged with CC stable in upstream and also commits already in stable/linux-rolling-stable.
> I took a very short look, and just picked one commit at random on the bottom of the list: cf2df0080bd59cb97a15
> And it's included in 6.8.2 already, as commit 9c68e3497b61 ("wifi: ath11k: fix a possible dead lock caused by ab->base_lock").
> So is your tooling working?
Thank you. Ah, the marking of which upstream commit that stable uses is not consistent. That one (and another ~150) used the form: "^ [ Upstream commit cf2df0080bd59cb97a1519ddefaf59788febdaa5 ]" and my regex did not accept that. I have changed the regex to be more permissive in detecting what is a reference to an upstream commit and it should be detecting this variant correctly now.
> Also, give us a chance to catch up on commits that are in Linus's tree, but not in a -rc release, which you list a few at the top of the list. We aren't allowed to apply them until after they hit a -rc release.
I see. So we should not be backporting anything more recent than the most recent tag in upstream master? Ok. I have done that change to fix that.
Please find attached a new version of the report. I also changed the format slightly on how the commits are listed so that it IMO becomes easier to read and check for specific types of hits.
I have attached an updated scan with 1, fix for being more tolerant when detecting commit references 2, stops scanning at the most recent tag in upstream master
Once this format of the report is in a good shape and we sort out all the bugs in it I can set it up to scan and automatically post to the list once a week or so.
regards ronnie s
> thanks,
> greg k-h
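The false positive discussed in the message above, reproduced as an added example (not Ronnie's tooling and not part of the original thread): a scan that only recognises `commit <sha> upstream.` misses a backport marked `[ Upstream commit <sha> ]`, while one that accepts both forms does not. The strict "before" pattern is an assumption about the first version of the scan; the `a1...` and `b2...` hashes and the second commit message are constructed.

```python
import re

SHA = r"([0-9a-f]{12,40})"
FLAGS = re.IGNORECASE | re.MULTILINE
# "commit <sha> upstream." on a line of its own (assumed to be the only
# form the first version of the scan recognised).
COMMIT_UPSTREAM = re.compile(
    r"^[ \t]*commit[ \t]+" + SHA + r"[ \t]+upstream\.?[ \t]*$", FLAGS)
# "[ Upstream commit <sha> ]", the form quoted in the thread.
BRACKETED = re.compile(
    r"^[ \t]*\[[ \t]*upstream[ \t]+commit[ \t]+" + SHA + r"[ \t]*\][ \t]*$", FLAGS)
STRICT = [COMMIT_UPSTREAM]
PERMISSIVE = [COMMIT_UPSTREAM, BRACKETED]

def upstream_refs(message, patterns):
    """Return every upstream hash a stable commit message points at."""
    return [sha.lower() for p in patterns for sha in p.findall(message)]

def is_backported(candidate, stable_messages, patterns):
    """True if any stable message references candidate (abbreviations allowed)."""
    cand = candidate.lower()
    return any(
        ref.startswith(cand) or cand.startswith(ref)
        for msg in stable_messages
        for ref in upstream_refs(msg, patterns)
    )

def not_yet_in_stable(candidates, stable_messages, patterns):
    """Filter the report down to candidates with no backport marker in stable."""
    return [c for c in candidates
            if not is_backported(c, stable_messages, patterns)]

# Constructed stable log: the first entry uses the hash and subject from the
# thread, the second is invented to exercise the other marker form.
STABLE_LOG = [
    "wifi: ath11k: fix a possible dead lock caused by ab->base_lock\n\n"
    "[ Upstream commit cf2df0080bd59cb97a1519ddefaf59788febdaa5 ]\n\nBody.\n",
    "example: constructed fix\n\ncommit " + "a1" * 20 + " upstream.\n\nBody.\n",
]
# Abbreviated hashes as a report would list them; "b2..." is not backported.
CANDIDATES = ["cf2df0080bd59cb97a15", "a1" * 10, "b2" * 10]

if __name__ == "__main__":
    print("strict:    ", not_yet_in_stable(CANDIDATES, STABLE_LOG, STRICT))
    print("permissive:", not_yet_in_stable(CANDIDATES, STABLE_LOG, PERMISSIVE))
```

Both patterns are anchored to a whole line, so a body sentence that merely mentions an upstream commit is not counted as a backport marker.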
On Sun, May 12, 2024 at 06:35:05PM -0400, Ronnie Sahlberg wrote:
> On Sun, May 12, 2024 at 8:21 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> > On Sat, May 11, 2024 at 09:13:25PM -0400, Ronnie Sahlberg wrote:
> > > Please find attached a report generated by keyword matching commits from upstream that may be suitable for stable and probably as CVEs as well.
> > This is great, thanks for looking into this and sending this out!
> > > I exclude commits that are already tagged with CC stable in upstream and also commits already in stable/linux-rolling-stable.
> > I took a very short look, and just picked one commit at random on the bottom of the list: cf2df0080bd59cb97a15
> > And it's included in 6.8.2 already, as commit 9c68e3497b61 ("wifi: ath11k: fix a possible dead lock caused by ab->base_lock").
> > So is your tooling working?
> Thank you. Ah, the marking of which upstream commit that stable uses is not consistent. That one (and another ~150) used the form: "^ [ Upstream commit cf2df0080bd59cb97a1519ddefaf59788febdaa5 ]" and my regex did not accept that. I have changed the regex to be more permissive in detecting what is a reference to an upstream commit and it should be detecting this variant correctly now.
> > Also, give us a chance to catch up on commits that are in Linus's tree, but not in a -rc release, which you list a few at the top of the list. We aren't allowed to apply them until after they hit a -rc release.
> I see. So we should not be backporting anything more recent than the most recent tag in upstream master? Ok. I have done that change to fix that.
> Please find attached a new version of the report. I also changed the format slightly on how the commits are listed so that it IMO becomes easier to read and check for specific types of hits.
> I have attached an updated scan with 1, fix for being more tolerant when detecting commit references 2, stops scanning at the most recent tag in upstream master
> Once this format of the report is in a good shape and we sort out all the bugs in it I can set it up to scan and automatically post to the list once a week or so.
Thanks, I'll look at this later this week after this latest round of -rc releases are out.
greg k-h
For some reason I can't quote your attachment.
But I looked at one random commit: bbc094b3052647c188d6 and that obviously is not for stable inclusion. So while keywords are nice to search on, doing a pass "manually" is needed as well as sometimes those keywords aren't bringing up what you think they are :)
thanks,
greg k-h