From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E8D9C169C4 for ; Sat, 9 Feb 2019 01:58:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 305AA2177B for ; Sat, 9 Feb 2019 01:58:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726791AbfBIB6g (ORCPT ); Fri, 8 Feb 2019 20:58:36 -0500 Received: from szxga04-in.huawei.com ([45.249.212.190]:3184 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726747AbfBIB6g (ORCPT ); Fri, 8 Feb 2019 20:58:36 -0500 Received: from DGGEMS408-HUB.china.huawei.com (unknown [172.30.72.59]) by Forcepoint Email with ESMTP id 556CA1761374105C515F; Sat, 9 Feb 2019 09:58:33 +0800 (CST) Received: from [127.0.0.1] (10.177.96.96) by DGGEMS408-HUB.china.huawei.com (10.3.19.208) with Microsoft SMTP Server id 14.3.408.0; Sat, 9 Feb 2019 09:58:28 +0800 Subject: Re: [4.4] FragmentSmack security fixes To: Greg Kroah-Hartman , Ben Hutchings References: <1549391183.2925.179.camel@codethink.co.uk> <20190205184105.GA22198@kroah.com> <1549395678.2925.236.camel@codethink.co.uk> <20190206211326.GA5425@kroah.com> <20190207112611.GA3120@kroah.com> CC: Sasha Levin , stable , Eric Dumazet , Peter Oskolkov From: maowenan Message-ID: Date: Sat, 9 Feb 2019 09:58:17 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: <20190207112611.GA3120@kroah.com> Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.177.96.96] X-CFilter-Loop: Reflected Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org On 2019/2/7 19:26, Greg Kroah-Hartman wrote: > On Wed, Feb 06, 2019 at 10:13:26PM +0100, Greg Kroah-Hartman wrote: >> On Tue, Feb 05, 2019 at 07:41:18PM +0000, Ben Hutchings wrote: >>>>> Peter Oskolkov checked an earlier version of this backport, but I have >>>>> since rebased and added another 3 commits to it. I tested with the >>>>> ip_defrag.sh self-test that he added upstream, and it passed. I have >>>>> included the fix that is currently queued for the 4.9, 4.14 and 4.19 >>>>> branches. >>>> >>>> That's a lot of patches, some of which I have already queued up in the >>>> next 4.4 release which will happen in a day or so. Are they all still >>>> needed after the changes there are merged? >>> >>> Ah, yes, a lot of the fragment-handling changes are already in your >>> queue and I'm not certain that all of mine are needed. However I don't >>> think the changes in your queue are complete and correct. When I run >>> the ip_defrag.sh self-test: >>> >>> 1. The ipv4 non-overlap case fails after a few seconds, with recv() >>> returning an EAGAIN error. If I modify the script to continue after an >>> error, the other cases do pass, however. This is not a regression from >>> 4.4.172, but with my changes all cases pass. >>> >>> 2. There is a reference leak which prevents the new network namespaces >>> being cleaned up ("unregister_netdevice: waiting for lo to become free. >>> Usage count = 61"). With 4.4.172 or with my changes applied, the >>> warnings appear, but only for about a minute with the number gradually >>> decreasing. So this is a regression. >>> >>> 3. If I run the test again, it hangs. Shutting down the VM also hangs. >>> I think this is related to the previous issue. Again, this is a >>> regression. >> >> Ok, I dropped those patches from the 4.4 queue before releasing it. Let >> me go add them back for the moment and then I'll dig through all of this >> over the next few days and see what it looks like... > > I've reviewed all of these and they look good. There were some > duplications with what was in my tree, but I have taken your versions > instead. > > Mao, you will note that 4.4.173 did not get released with your patches > in it. I have added your signed-off-by to the same ones that Ben did > here in this series, as the changes were minimal at most, to what you > had. If you have any objections to these, please let me know. > It looks well. > I'll probably just push out a -rc release for 4.4.y later today with > these in it to get some testing and a release out so that we can get > this issue finally resolved. > > thanks, > > greg k-h > > . >