On Mon, Apr 19, 2021 at 8:04 AM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Sun, Apr 18, 2021 at 10:47:04AM -0400, Jonathon Reinhart wrote:
> > On Sun, Apr 18, 2021 at 8:46 AM <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > >
> > >
> > > This is a note to let you know that I've just added the patch titled
> > >
> > >     net: Make tcp_allowed_congestion_control readonly in non-init netns
> > >
> > > to the 5.10-stable tree which can be found at:
> > >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > >
> > > The filename of the patch is:
> > >      net-make-tcp_allowed_congestion_control-readonly-in-non-init-netns.patch
> > > and it can be found in the queue-5.10 subdirectory.
> > >
> > > If you, or anyone else, feels it should not be added to the stable tree,
> > > please let <stable@xxxxxxxxxxxxxxx> know about it.
> > >
> > >
> > > From 97684f0970f6e112926de631fdd98d9693c7e5c1 Mon Sep 17 00:00:00 2001
> > > From: Jonathon Reinhart <jonathon.reinhart@xxxxxxxxx>
> > > Date: Tue, 13 Apr 2021 03:08:48 -0400
> > > Subject: net: Make tcp_allowed_congestion_control readonly in non-init netns
> > >
> > > From: Jonathon Reinhart <jonathon.reinhart@xxxxxxxxx>
> > >
> > > commit 97684f0970f6e112926de631fdd98d9693c7e5c1 upstream.
> >
> > Hi Greg,
> >
> > Thanks for picking this into the stable trees.
> >
> > There's an earlier, somewhat related fix, which is only on net-next:
> >
> > 2671fa4dc010 ("netfilter: conntrack: Make global sysctls readonly in
> > non-init netns")
> >
> > That probably could have been on "net", but it followed this other
> > commit which was not strictly a bug-fix. It's additional logic to
> > detect bugs like the former:
> >
> > 31c4d2f160eb ("net: Ensure net namespace isolation of sysctls")
> >
> > Here's the series on Patchwork:
> > https://patchwork.kernel.org/project/netdevbpf/cover/20210412042453.32168-1-Jonathon.Reinhart@xxxxxxxxx/
> >
> > I'm not yet sure where the threshold is for inclusion into "net" or
> > "stable". Could you please take a look and see if the first (or both)
> > of these should be included into the stable trees? If so, please feel
> > free to pick them yourself, or let me know which patches I should send
> > to "stable".
>
> I have to wait until a patch is in Linus's tree before we can add it to
> the stable queue, unless there is some big reason why this is not the
> case.
>
> For something like this, how about just waiting until it hits Linus's
> tree and then email stable@xxxxxxxxxxxxxxx saying, "please apply git
> commit <SHA1> to the stable trees." and we can do so then.
>
> thanks,
>
> greg k-h

Dave,

I originally submitted 2671fa4dc010 ("netfilter: conntrack: Make global
sysctls readonly in non-init netns") to net-next as part of the
"Ensuring net sysctl isolation" series. However, I think that may have
been a mistake on my part, and that commit should have been a bugfix
sent to "net". (I submitted it to "net-next" because the other commit
in that series, 31c4d2f160eb ("net: Ensure net namespace isolation of
sysctls"), was more of a feature than a bugfix.)

I sent the other bugfix, "net: Make tcp_allowed_congestion_control
readonly in non-init netns", to "net-next" but you made the right call
and applied it to "net"; thanks.

From my perspective, one of the two bugs I discovered is now fixed on
Linus' tree, but the other is on "net-next". Do you think we should
pick that into "net"?

Personally, I'd really like to see both of these fixes in the 5.10 /
5.11 stable trees so Debian 11 can be netns-safe out of the box, but I
understand there may be bigger fish to fry from your perspective.

Thanks,
Jonathon Reinhart