Re: Patch "net: Make tcp_allowed_congestion_control readonly in non-init netns" has been added to the 5.10-stable tree

Re: Patch "net: Make tcp_allowed_congestion_control readonly in non-init netns" has been added to the 5.10-stable tree

[Jonathon Reinhart]

On Mon, Apr 19, 2021 at 8:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Sun, Apr 18, 2021 at 10:47:04AM -0400, Jonathon Reinhart wrote:
> > On Sun, Apr 18, 2021 at 8:46 AM <gregkh@linuxfoundation.org> wrote:
> > >
> > >
> > > This is a note to let you know that I've just added the patch titled
> > >
> > >     net: Make tcp_allowed_congestion_control readonly in non-init netns
> > >
> > > to the 5.10-stable tree which can be found at:
> > >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > >
> > > The filename of the patch is:
> > >      net-make-tcp_allowed_congestion_control-readonly-in-non-init-netns.patch
> > > and it can be found in the queue-5.10 subdirectory.
> > >
> > > If you, or anyone else, feels it should not be added to the stable tree,
> > > please let <stable@vger.kernel.org> know about it.
> > >
> > >
> > > From 97684f0970f6e112926de631fdd98d9693c7e5c1 Mon Sep 17 00:00:00 2001
> > > From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
> > > Date: Tue, 13 Apr 2021 03:08:48 -0400
> > > Subject: net: Make tcp_allowed_congestion_control readonly in non-init netns
> > >
> > > From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
> > >
> > > commit 97684f0970f6e112926de631fdd98d9693c7e5c1 upstream.
> >
> > Hi Greg,
> >
> > Thanks for picking this into the stable trees.
> >
> > There's an earlier, somewhat related fix, which is only on net-next:
> >
> > 2671fa4dc010 ("netfilter: conntrack: Make global sysctls readonly in
> > non-init netns")
> >
> > That probably could have been on "net", but it followed this other
> > commit which was not strictly a bug-fix. It's additional logic to
> > detect bugs like the former:
> >
> > 31c4d2f160eb ("net: Ensure net namespace isolation of sysctls")
> >
> > Here's the series on Patchwork:
> > https://patchwork.kernel.org/project/netdevbpf/cover/20210412042453.32168-1-Jonathon.Reinhart@gmail.com/
> >
> > I'm not yet sure where the threshold is for inclusion into "net" or
> > "stable". Could you please take a look and see if the first (or both)
> > of these should be included into the stable trees? If so, please feel
> > free to pick them yourself, or let me know which patches I should send
> > to "stable".
>
> I have to wait until a patch is in Linus's tree before we can add it to
> the stable queue, unless there is some big reason why this is not the
> case.
>
> For something like this, how about just waiting until it hits Linus's
> tree and then email stable@vger.kernel.org saying, "please apply git
> commit <SHA1> to the stable trees." and we can do so then.
>
> thanks,
>
> greg k-h

Dave,

I originally submitted 2671fa4dc010 ("netfilter: conntrack: Make
global sysctls readonly in non-init netns") to next-next as part of
the "Ensuring net sysctl isolation" series. However, I think that may
have been a mistake on my part, and that commit should have been a
bugfix sent to "net". (I submitted it to "net-next" because the other
commit in that series 31c4d2f160eb ("net: Ensure net namespace
isolation of sysctls") was more of a feature than a bugfix.)

I sent the other bugfix "net: Make tcp_allowed_congestion_control
readonly in non-init netns" to "net-next" but you made the right call
and applied to "net"; thanks.

From my perspective, one of the two bugs I discovered is now fixed on
Linus' tree, but the other is on "net-next". Do you think we should
pick that into "net"? Personally, I'd really like to see both of these
fixes in the 5.10 / 5.11 stable trees so Debian 11 can be netns-safe
out of the box, but I understand there may be bigger fish to fry from
your perspective.

Thanks,
Jonathon Reinhart

Backport: "net: Make tcp_allowed_congestion_control readonly in non-init netns"

[Jonathon Reinhart]

Hello,

Please apply upstream git commit 2671fa4dc010 ("netfilter: conntrack:
Make global sysctls readonly in non-init netns") to the stable trees.

BTW netdev-FAQ.txt said not to send networking patches to stable, but
Greg suggested I do it this way :-)

On Mon, Apr 19, 2021 at 8:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> For something like this, how about just waiting until it hits Linus's
> tree and then email stable@vger.kernel.org saying, "please apply git
> commit <SHA1> to the stable trees." and we can do so then.

If there's a better way I should go about this, please let me know!

Thanks,
Jonathon Reinhart

Re: Backport: "net: Make tcp_allowed_congestion_control readonly in non-init netns"

[Greg KH]

On Fri, Apr 30, 2021 at 11:45:51PM -0400, Jonathon Reinhart wrote:
> Hello,
> 
> Please apply upstream git commit 2671fa4dc010 ("netfilter: conntrack:
> Make global sysctls readonly in non-init netns") to the stable trees.
> 
> BTW netdev-FAQ.txt said not to send networking patches to stable, but
> Greg suggested I do it this way :-)
> 
> On Mon, Apr 19, 2021 at 8:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> > For something like this, how about just waiting until it hits Linus's
> > tree and then email stable@vger.kernel.org saying, "please apply git
> > commit <SHA1> to the stable trees." and we can do so then.
> 
> If there's a better way I should go about this, please let me know!

That's all that's needed, now queued up, thanks!

greg k-h