From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from smtp-fw-4101.amazon.com ([72.21.198.25]:21769 "EHLO
        smtp-fw-4101.amazon.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726286AbeK1JWJ (ORCPT
        <rfc822;stable@vger.kernel.org>); Wed, 28 Nov 2018 04:22:09 -0500
Date: Tue, 27 Nov 2018 22:22:38 +0000
From: Alakesh Haloi <alakeshh@amazon.com>
To: Florian Westphal <fw@strlen.de>
CC: Pablo Neira Ayuso <pablo@netfilter.org>,
        Greg KH <gregkh@linuxfoundation.org>, <stable@vger.kernel.org>,
        Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
        "David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH] netfilter: xt_connlimit: fix race in connection counting
Message-ID: <20181127222237.GA103860@dev-dsk-alakeshh-2c-f8a3e6e0.us-west-2.amazon.com>
References: <20181119221732.GA82454@dev-dsk-alakeshh-2c-f8a3e6e0.us-west-2.amazon.com>
 <20181120074839.GC15276@kroah.com>
 <20181120094436.so3m3kc5jqrbkpz7@salvia>
 <20181121002149.GA120849@dev-dsk-alakeshh-2c-f8a3e6e0.us-west-2.amazon.com>
 <20181121005131.eux4kzzmexij4qwt@breakpoint.cc>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20181121005131.eux4kzzmexij4qwt@breakpoint.cc>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Wed, Nov 21, 2018 at 01:51:31AM +0100, Florian Westphal wrote:
> Alakesh Haloi <alakeshh@amazon.com> wrote:
> > Thanks Greg and Pablo for your suggestions! We found this issue on 4.14
> > stable kernel and hence the fix is based on 4.14. The xt_connlimit module
> > source seemed to have been refactored. At one point I tested 4.18-rc1 and
> > the issue was still present. However I have not tested the most recent
> > one. I will follow your suggestions and try to reproduce the issue in
> > master branch of  nf.git tree and in linus's tree and if i cannot reproduce
> > it then I will go ahead and pick the relevant  patches for backporting.
> > This patch fixes the issue without bringing in any refactor patches. But
> > that is probably not the right way to go for it.
> 
> Actually it might be needed, the changes in upstream are pretty invasive.
> 
> So, in case you can reproduce this with nf.git or linus tree it would
> be great if you could send a fix for nf.git.
> 
> But In case you can't reproduce, its possible your patch is still needed
> for stable.

Thanks Florian! I have tested linus's tree and i do not see the issue happening
there. I have not been able to test nf.git yet. Do you suggest that I should
start working on backporting relevant patches from mainline or it should be
possible to apply this patch to stable branches directly?