Hi,

On Sun, Jun 25, 2023 at 05:08:32PM +0200, Salvatore Bonaccorso wrote:
> Hi Pablo,
>
> While checking netfilter backports to the stable series, I noticed
> that 6e1acfa387b9 ("netfilter: nf_tables: validate registers coming
> from userspace.") was backported in various series for stable, and
> included in 4.14.316, 4.19.284, 5.4.244, 5.15.32, 5.16.18, 5.17.1,
> where the original fix was in 5.18-rc1.
>
> While the commit has
>
> Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
>
> the 6e1acfa387b9 change was not backported to the 5.10.y series.
>
> The backports to the other series are
>
> https://lore.kernel.org/stable/20230516151606.4892-1-pablo@xxxxxxxxxxxxx/
> https://lore.kernel.org/stable/20230516150613.4566-1-pablo@xxxxxxxxxxxxx/
> https://lore.kernel.org/stable/20230516144435.4010-1-pablo@xxxxxxxxxxxxx/
>
> Pablo, was this an oversight and can the change as well be applied to
> 5.10.y?
>
> From looking at the 5.4.y series, from the stable dependencies,
> 08a01c11a5bb ("netfilter: nftables: statify nft_parse_register()") is
> missing in 5.10.y, then 6e1acfa387b9 ("netfilter: nf_tables: validate
> registers coming from userspace.") can be applied (almost, the comment
> needs to be dropped, as done in the backports).
>
> I'm right now not understanding what I'm missing that it was for 5.4.y
> but not 5.10.y after the report of the failed apply by Greg.
>
> At least the two attached bring 5.10.y in line with 5.4.y up to 4) from
> https://lore.kernel.org/stable/20230516144435.4010-1-pablo@xxxxxxxxxxxxx/
> but I'm unsure if you want/need as well the remaining 5), 6), 7), 8)
> and 9).

Let me take a look, I can prepare a batch for 5.10.y based on 5.4.y as
you suggest.

I'll keep you on Cc.