* netfilter/x_tables patches for v4.4.y..v4.14.y
From: Guenter Roeck @ 2021-04-15 16:28 UTC
To: stable, Greg Kroah-Hartman

Hi Greg,

please consider applying the following two patches to v4.4.y, v4.9.y, and v4.14.y

80055dab5de0 ("netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore")
175e476b8cdf ("netfilter: x_tables: Use correct memory barriers.")

to fix CVE-2021-29650 in those branches.

Thanks,
Guenter

* Re: netfilter/x_tables patches for v4.4.y..v4.14.y
From: Greg Kroah-Hartman @ 2021-04-15 16:37 UTC
To: Guenter Roeck; +Cc: stable

On Thu, Apr 15, 2021 at 09:28:15AM -0700, Guenter Roeck wrote:
> Hi Greg,
>
> please consider applying the following two patches to v4.4.y, v4.9.y, and v4.14.y
>
> 80055dab5de0 ("netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore")
> 175e476b8cdf ("netfilter: x_tables: Use correct memory barriers.")

The second patch here says that it's only needed to go back until:
Fixes: 7f5c6d4f665b ("netfilter: get rid of atomic ops in fast path")

Which is only backported to 4.19. So why do older kernels need that, is
the fixes tag wrong?

thanks,

greg k-h

* Re: netfilter/x_tables patches for v4.4.y..v4.14.y
From: Guenter Roeck @ 2021-04-15 17:41 UTC
To: Greg Kroah-Hartman; +Cc: stable

On Thu, Apr 15, 2021 at 06:37:41PM +0200, Greg Kroah-Hartman wrote:
> On Thu, Apr 15, 2021 at 09:28:15AM -0700, Guenter Roeck wrote:
> > Hi Greg,
> >
> > please consider applying the following two patches to v4.4.y, v4.9.y, and v4.14.y
> >
> > 80055dab5de0 ("netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore")
> > 175e476b8cdf ("netfilter: x_tables: Use correct memory barriers.")
>
> The second patch here says that it's only needed to go back until:
> Fixes: 7f5c6d4f665b ("netfilter: get rid of atomic ops in fast path")
>
> Which is only backported to 4.19. So why do older kernels need that, is
> the fixes tag wrong?
>
Where do you get that from ? 7f5c6d4f665b is, from what I can see, in v3.0.

$ git describe 7f5c6d4f665b
v2.6.39-rc1-159-g7f5c6d4f665b
$ git log --oneline v2.6.39..v3.0 | grep "netfilter: get rid of atomic ops in fast path"
7f5c6d4f665b netfilter: get rid of atomic ops in fast path

Thanks,
Guenter

* Re: netfilter/x_tables patches for v4.4.y..v4.14.y
From: Greg Kroah-Hartman @ 2021-04-16 5:21 UTC
To: Guenter Roeck; +Cc: stable

On Thu, Apr 15, 2021 at 10:41:46AM -0700, Guenter Roeck wrote:
> On Thu, Apr 15, 2021 at 06:37:41PM +0200, Greg Kroah-Hartman wrote:
> > On Thu, Apr 15, 2021 at 09:28:15AM -0700, Guenter Roeck wrote:
> > > Hi Greg,
> > >
> > > please consider applying the following two patches to v4.4.y, v4.9.y, and v4.14.y
> > >
> > > 80055dab5de0 ("netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore")
> > > 175e476b8cdf ("netfilter: x_tables: Use correct memory barriers.")
> >
> > The second patch here says that it's only needed to go back until:
> > Fixes: 7f5c6d4f665b ("netfilter: get rid of atomic ops in fast path")
> >
> > Which is only backported to 4.19. So why do older kernels need that, is
> > the fixes tag wrong?
> >
> Where do you get that from ? 7f5c6d4f665b is, from what I can see, in v3.0.
>
> $ git describe 7f5c6d4f665b
> v2.6.39-rc1-159-g7f5c6d4f665b
> $ git log --oneline v2.6.39..v3.0 | grep "netfilter: get rid of atomic ops in fast path"
> 7f5c6d4f665b netfilter: get rid of atomic ops in fast path

Ah, my tool that checks where a patch comes from doesn't look past 3.1
if it finds that it was mentioned in a released tree for various
reasons, but when I look at the full sha1, it finds it properly, my
fault...

thanks,

greg k-h

* Re: netfilter/x_tables patches for v4.4.y..v4.14.y
From: Guenter Roeck @ 2021-04-16 5:25 UTC
To: Greg Kroah-Hartman; +Cc: stable

On 4/15/21 10:21 PM, Greg Kroah-Hartman wrote:
> On Thu, Apr 15, 2021 at 10:41:46AM -0700, Guenter Roeck wrote:
>> On Thu, Apr 15, 2021 at 06:37:41PM +0200, Greg Kroah-Hartman wrote:
>>> On Thu, Apr 15, 2021 at 09:28:15AM -0700, Guenter Roeck wrote:
>>>> Hi Greg,
>>>>
>>>> please consider applying the following two patches to v4.4.y, v4.9.y, and v4.14.y
>>>>
>>>> 80055dab5de0 ("netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore")
>>>> 175e476b8cdf ("netfilter: x_tables: Use correct memory barriers.")
>>>
>>> The second patch here says that it's only needed to go back until:
>>> Fixes: 7f5c6d4f665b ("netfilter: get rid of atomic ops in fast path")
>>>
>>> Which is only backported to 4.19. So why do older kernels need that, is
>>> the fixes tag wrong?
>>>
>> Where do you get that from ? 7f5c6d4f665b is, from what I can see, in v3.0.
>>
>> $ git describe 7f5c6d4f665b
>> v2.6.39-rc1-159-g7f5c6d4f665b
>> $ git log --oneline v2.6.39..v3.0 | grep "netfilter: get rid of atomic ops in fast path"
>> 7f5c6d4f665b netfilter: get rid of atomic ops in fast path
>
> Ah, my tool that checks where a patch comes from doesn't look past 3.1
> if it finds that it was mentioned in a released tree for various
> reasons, but when I look at the full sha1, it finds it properly, my
> fault...
>
Yes, but still please don't apply anything. As mentioned in the other patch,
80055dab5de0 was fixed twice subsequently, and those fixes don't apply cleanly.
Better leave this alone.

Thanks,
Guenter

* Re: netfilter/x_tables patches for v4.4.y..v4.14.y
From: Guenter Roeck @ 2021-04-15 17:49 UTC
To: Greg Kroah-Hartman; +Cc: stable

On Thu, Apr 15, 2021 at 06:37:41PM +0200, Greg Kroah-Hartman wrote:
> On Thu, Apr 15, 2021 at 09:28:15AM -0700, Guenter Roeck wrote:
> > Hi Greg,
> >
> > please consider applying the following two patches to v4.4.y, v4.9.y, and v4.14.y
> >
> > 80055dab5de0 ("netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore")
> > 175e476b8cdf ("netfilter: x_tables: Use correct memory barriers.")
>
> The second patch here says that it's only needed to go back until:
> Fixes: 7f5c6d4f665b ("netfilter: get rid of atomic ops in fast path")
>
> Which is only backported to 4.19. So why do older kernels need that, is
> the fixes tag wrong?
>

Outch, it looks like 80055dab5de0 was fixed later with cc00bcaa5899, which in
turn was fixed with 443d6e86f821. Ok, back to the drawing board, but it may
just be easier to forget about this. I'll let you know.

Thanks,
Guenter

* Re: netfilter/x_tables patches for v4.4.y..v4.14.y
From: Guenter Roeck @ 2021-04-15 17:54 UTC
To: Greg Kroah-Hartman; +Cc: stable

On Thu, Apr 15, 2021 at 10:49:50AM -0700, Guenter Roeck wrote:
> On Thu, Apr 15, 2021 at 06:37:41PM +0200, Greg Kroah-Hartman wrote:
> > On Thu, Apr 15, 2021 at 09:28:15AM -0700, Guenter Roeck wrote:
> > > Hi Greg,
> > >
> > > please consider applying the following two patches to v4.4.y, v4.9.y, and v4.14.y
> > >
> > > 80055dab5de0 ("netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore")
> > > 175e476b8cdf ("netfilter: x_tables: Use correct memory barriers.")
> >
> > The second patch here says that it's only needed to go back until:
> > Fixes: 7f5c6d4f665b ("netfilter: get rid of atomic ops in fast path")
> >
> > Which is only backported to 4.19. So why do older kernels need that, is
> > the fixes tag wrong?
> >
>
> Outch, it looks like 80055dab5de0 was fixed later with cc00bcaa5899, which in
> turn was fixed with 443d6e86f821. Ok, back to the drawing board, but it may
> just be easier to forget about this. I'll let you know.
>
I tried to apply cc00bcaa5899 on top of the above, and got lots of conflicts.
Please ignore this request; it adds more risk than gain. Sorry for the noise.

Guenter

* Re: netfilter/x_tables patches for v4.4.y..v4.14.y
From: Greg Kroah-Hartman @ 2021-04-16 5:21 UTC
To: Guenter Roeck; +Cc: stable

On Thu, Apr 15, 2021 at 10:54:17AM -0700, Guenter Roeck wrote:
> On Thu, Apr 15, 2021 at 10:49:50AM -0700, Guenter Roeck wrote:
> > On Thu, Apr 15, 2021 at 06:37:41PM +0200, Greg Kroah-Hartman wrote:
> > > On Thu, Apr 15, 2021 at 09:28:15AM -0700, Guenter Roeck wrote:
> > > > Hi Greg,
> > > >
> > > > please consider applying the following two patches to v4.4.y, v4.9.y, and v4.14.y
> > > >
> > > > 80055dab5de0 ("netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore")
> > > > 175e476b8cdf ("netfilter: x_tables: Use correct memory barriers.")
> > >
> > > The second patch here says that it's only needed to go back until:
> > > Fixes: 7f5c6d4f665b ("netfilter: get rid of atomic ops in fast path")
> > >
> > > Which is only backported to 4.19. So why do older kernels need that, is
> > > the fixes tag wrong?
> > >
> >
> > Outch, it looks like 80055dab5de0 was fixed later with cc00bcaa5899, which in
> > turn was fixed with 443d6e86f821. Ok, back to the drawing board, but it may
> > just be easier to forget about this. I'll let you know.
> >
> I tried to apply cc00bcaa5899 on top of the above, and got lots of conflicts.
> Please ignore this request; it adds more risk than gain. Sorry for the noise.

No worries, now ignored :)

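The check this thread ends up doing by hand, as an added example that is not part of any message above: before backporting a commit, walk the Fixes: tags to find later commits that repair it, directly or through a chain. The log text is constructed; the hashes and their who-fixes-whom relations are the ones named in the thread, while the placeholder subjects and the helper names are assumptions.

```python
import re
from collections import deque

# Constructed input shaped like `git log --format='commit %h%n%B'`. Hashes and the
# who-fixes-whom relations come from the thread; "(placeholder subject)" lines do not.
SAMPLE_LOG = """\
commit 443d6e86f821
(placeholder subject)

Fixes: cc00bcaa5899 ("(placeholder subject)")
commit cc00bcaa5899
(placeholder subject)

Fixes: 80055dab5de0 ("netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore")
commit 175e476b8cdf
netfilter: x_tables: Use correct memory barriers.

Fixes: 7f5c6d4f665b ("netfilter: get rid of atomic ops in fast path")
commit 80055dab5de0
netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore
"""

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})$", re.M)
FIXES_RE = re.compile(r"^Fixes:\s*([0-9a-f]{7,40})\b", re.I | re.M)

def same_commit(a, b):
    """Abbreviated and full ids name the same commit when one is a prefix of the other."""
    a, b = a.lower(), b.lower()
    return a.startswith(b) or b.startswith(a)

def parse_fixes(log_text):
    """Return [(commit id, [ids it says it fixes])] for every commit in the log."""
    parts = COMMIT_RE.split(log_text)[1:]  # [id, body, id, body, ...]
    return [(cid, FIXES_RE.findall(body)) for cid, body in zip(parts[0::2], parts[1::2])]

def followup_fixes(log_text, candidate):
    """Commits that fix `candidate`, directly or via a chain of Fixes: tags."""
    commits = parse_fixes(log_text)
    found, queue = [], deque([candidate])
    while queue:
        target = queue.popleft()
        for cid, fixed in commits:
            if cid not in found and any(same_commit(target, f) for f in fixed):
                found.append(cid)   # cid repairs target, so it must be backported too
                queue.append(cid)   # and cid may itself have been fixed later
    return found

if __name__ == "__main__":
    print(followup_fixes(SAMPLE_LOG, "80055dab5de0"))
```

A non-empty result means the candidate cannot be backported alone; each listed commit has to apply cleanly on the target branch as well.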