Re: Patch "net: Make tcp_allowed_congestion_control readonly in non-init netns" has been added to the 5.10-stable tree

Re: Patch "net: Make tcp_allowed_congestion_control readonly in non-init netns" has been added to the 5.10-stable tree

[Jonathon Reinhart]

On Sun, Apr 18, 2021 at 8:46 AM <gregkh@linuxfoundation.org> wrote:
>
>
> This is a note to let you know that I've just added the patch titled
>
>     net: Make tcp_allowed_congestion_control readonly in non-init netns
>
> to the 5.10-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
>      net-make-tcp_allowed_congestion_control-readonly-in-non-init-netns.patch
> and it can be found in the queue-5.10 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
>
>
> From 97684f0970f6e112926de631fdd98d9693c7e5c1 Mon Sep 17 00:00:00 2001
> From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
> Date: Tue, 13 Apr 2021 03:08:48 -0400
> Subject: net: Make tcp_allowed_congestion_control readonly in non-init netns
>
> From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
>
> commit 97684f0970f6e112926de631fdd98d9693c7e5c1 upstream.

Hi Greg,

Thanks for picking this into the stable trees.

There's an earlier, somewhat related fix, which is only on net-next:

2671fa4dc010 ("netfilter: conntrack: Make global sysctls readonly in
non-init netns")

That probably could have been on "net", but it followed this other
commit which was not strictly a bug-fix. It's additional logic to
detect bugs like the former:

31c4d2f160eb ("net: Ensure net namespace isolation of sysctls")

Here's the series on Patchwork:
https://patchwork.kernel.org/project/netdevbpf/cover/20210412042453.32168-1-Jonathon.Reinhart@gmail.com/

I'm not yet sure where the threshold is for inclusion into "net" or
"stable". Could you please take a look and see if the first (or both)
of these should be included into the stable trees? If so, please feel
free to pick them yourself, or let me know which patches I should send
to "stable".

Thanks!
Jonathon Reinhart

Re: Patch "net: Make tcp_allowed_congestion_control readonly in non-init netns" has been added to the 5.10-stable tree

[Greg KH]

On Sun, Apr 18, 2021 at 10:47:04AM -0400, Jonathon Reinhart wrote:
> On Sun, Apr 18, 2021 at 8:46 AM <gregkh@linuxfoundation.org> wrote:
> >
> >
> > This is a note to let you know that I've just added the patch titled
> >
> >     net: Make tcp_allowed_congestion_control readonly in non-init netns
> >
> > to the 5.10-stable tree which can be found at:
> >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> >
> > The filename of the patch is:
> >      net-make-tcp_allowed_congestion_control-readonly-in-non-init-netns.patch
> > and it can be found in the queue-5.10 subdirectory.
> >
> > If you, or anyone else, feels it should not be added to the stable tree,
> > please let <stable@vger.kernel.org> know about it.
> >
> >
> > From 97684f0970f6e112926de631fdd98d9693c7e5c1 Mon Sep 17 00:00:00 2001
> > From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
> > Date: Tue, 13 Apr 2021 03:08:48 -0400
> > Subject: net: Make tcp_allowed_congestion_control readonly in non-init netns
> >
> > From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
> >
> > commit 97684f0970f6e112926de631fdd98d9693c7e5c1 upstream.
> 
> Hi Greg,
> 
> Thanks for picking this into the stable trees.
> 
> There's an earlier, somewhat related fix, which is only on net-next:
> 
> 2671fa4dc010 ("netfilter: conntrack: Make global sysctls readonly in
> non-init netns")
> 
> That probably could have been on "net", but it followed this other
> commit which was not strictly a bug-fix. It's additional logic to
> detect bugs like the former:
> 
> 31c4d2f160eb ("net: Ensure net namespace isolation of sysctls")
> 
> Here's the series on Patchwork:
> https://patchwork.kernel.org/project/netdevbpf/cover/20210412042453.32168-1-Jonathon.Reinhart@gmail.com/
> 
> I'm not yet sure where the threshold is for inclusion into "net" or
> "stable". Could you please take a look and see if the first (or both)
> of these should be included into the stable trees? If so, please feel
> free to pick them yourself, or let me know which patches I should send
> to "stable".

I have to wait until a patch is in Linus's tree before we can add it to
the stable queue, unless there is some big reason why this is not the
case.

For something like this, how about just waiting until it hits Linus's
tree and then email stable@vger.kernel.org saying, "please apply git
commit <SHA1> to the stable trees." and we can do so then.

thanks,

greg k-h

Re: Patch "net: Make tcp_allowed_congestion_control readonly in non-init netns" has been added to the 5.10-stable tree

[Jonathon Reinhart]

On Mon, Apr 19, 2021 at 8:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Sun, Apr 18, 2021 at 10:47:04AM -0400, Jonathon Reinhart wrote:
> > On Sun, Apr 18, 2021 at 8:46 AM <gregkh@linuxfoundation.org> wrote:
> > >
> > >
> > > This is a note to let you know that I've just added the patch titled
> > >
> > >     net: Make tcp_allowed_congestion_control readonly in non-init netns
> > >
> > > to the 5.10-stable tree which can be found at:
> > >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > >
> > > The filename of the patch is:
> > >      net-make-tcp_allowed_congestion_control-readonly-in-non-init-netns.patch
> > > and it can be found in the queue-5.10 subdirectory.
> > >
> > > If you, or anyone else, feels it should not be added to the stable tree,
> > > please let <stable@vger.kernel.org> know about it.
> > >
> > >
> > > From 97684f0970f6e112926de631fdd98d9693c7e5c1 Mon Sep 17 00:00:00 2001
> > > From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
> > > Date: Tue, 13 Apr 2021 03:08:48 -0400
> > > Subject: net: Make tcp_allowed_congestion_control readonly in non-init netns
> > >
> > > From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
> > >
> > > commit 97684f0970f6e112926de631fdd98d9693c7e5c1 upstream.
> >
> > Hi Greg,
> >
> > Thanks for picking this into the stable trees.
> >
> > There's an earlier, somewhat related fix, which is only on net-next:
> >
> > 2671fa4dc010 ("netfilter: conntrack: Make global sysctls readonly in
> > non-init netns")
> >
> > That probably could have been on "net", but it followed this other
> > commit which was not strictly a bug-fix. It's additional logic to
> > detect bugs like the former:
> >
> > 31c4d2f160eb ("net: Ensure net namespace isolation of sysctls")
> >
> > Here's the series on Patchwork:
> > https://patchwork.kernel.org/project/netdevbpf/cover/20210412042453.32168-1-Jonathon.Reinhart@gmail.com/
> >
> > I'm not yet sure where the threshold is for inclusion into "net" or
> > "stable". Could you please take a look and see if the first (or both)
> > of these should be included into the stable trees? If so, please feel
> > free to pick them yourself, or let me know which patches I should send
> > to "stable".
>
> I have to wait until a patch is in Linus's tree before we can add it to
> the stable queue, unless there is some big reason why this is not the
> case.
>
> For something like this, how about just waiting until it hits Linus's
> tree and then email stable@vger.kernel.org saying, "please apply git
> commit <SHA1> to the stable trees." and we can do so then.
>
> thanks,
>
> greg k-h

Dave,

I originally submitted 2671fa4dc010 ("netfilter: conntrack: Make
global sysctls readonly in non-init netns") to next-next as part of
the "Ensuring net sysctl isolation" series. However, I think that may
have been a mistake on my part, and that commit should have been a
bugfix sent to "net". (I submitted it to "net-next" because the other
commit in that series 31c4d2f160eb ("net: Ensure net namespace
isolation of sysctls") was more of a feature than a bugfix.)

I sent the other bugfix "net: Make tcp_allowed_congestion_control
readonly in non-init netns" to "net-next" but you made the right call
and applied to "net"; thanks.

From my perspective, one of the two bugs I discovered is now fixed on
Linus' tree, but the other is on "net-next". Do you think we should
pick that into "net"? Personally, I'd really like to see both of these
fixes in the 5.10 / 5.11 stable trees so Debian 11 can be netns-safe
out of the box, but I understand there may be bigger fish to fry from
your perspective.

Thanks,
Jonathon Reinhart

Backport: "net: Make tcp_allowed_congestion_control readonly in non-init netns"

[Jonathon Reinhart]

Hello,

Please apply upstream git commit 2671fa4dc010 ("netfilter: conntrack:
Make global sysctls readonly in non-init netns") to the stable trees.

BTW netdev-FAQ.txt said not to send networking patches to stable, but
Greg suggested I do it this way :-)

On Mon, Apr 19, 2021 at 8:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> For something like this, how about just waiting until it hits Linus's
> tree and then email stable@vger.kernel.org saying, "please apply git
> commit <SHA1> to the stable trees." and we can do so then.

If there's a better way I should go about this, please let me know!

Thanks,
Jonathon Reinhart

Re: Backport: "net: Make tcp_allowed_congestion_control readonly in non-init netns"

[Greg KH]

On Fri, Apr 30, 2021 at 11:45:51PM -0400, Jonathon Reinhart wrote:
> Hello,
> 
> Please apply upstream git commit 2671fa4dc010 ("netfilter: conntrack:
> Make global sysctls readonly in non-init netns") to the stable trees.
> 
> BTW netdev-FAQ.txt said not to send networking patches to stable, but
> Greg suggested I do it this way :-)
> 
> On Mon, Apr 19, 2021 at 8:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> > For something like this, how about just waiting until it hits Linus's
> > tree and then email stable@vger.kernel.org saying, "please apply git
> > commit <SHA1> to the stable trees." and we can do so then.
> 
> If there's a better way I should go about this, please let me know!

That's all that's needed, now queued up, thanks!

greg k-h