stable fixes for nf_conncount 4.19.x

stable fixes for nf_conncount 4.19.x

[Pablo Neira Ayuso]

Hi Greg,

Could you cherry-pick the follow list of patches into -stable 4.19.x, please?

a007232066f6 netfilter: nf_conncount: fix argument order to find_next_bit
c80f10bc973a netfilter: nf_conncount: speculative garbage collection on empty lists
2f971a8f4255 netfilter: nf_conncount: move all list iterations under spinlock
df4a90250976 netfilter: nf_conncount: merge lookup and add functions
e8cfb372b38a netfilter: nf_conncount: restart search when nodes have been erased
f7fcc98dfc2d netfilter: nf_conncount: split gc in two phases
4cd273bb91b3 netfilter: nf_conncount: don't skip eviction when age is negative
c78e7818f16f netfilter: nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS

conncount infrastructure is not in good shape, for more details see:

https://bugzilla.kernel.org/show_bug.cgi?id=202013

Thanks.

Re: stable fixes for nf_conncount 4.19.x

[Greg Kroah-Hartman]

On Fri, Jan 18, 2019 at 02:24:14AM +0100, Pablo Neira Ayuso wrote:
> Hi Greg,
> 
> Could you cherry-pick the follow list of patches into -stable 4.19.x, please?
> 
> a007232066f6 netfilter: nf_conncount: fix argument order to find_next_bit
> c80f10bc973a netfilter: nf_conncount: speculative garbage collection on empty lists
> 2f971a8f4255 netfilter: nf_conncount: move all list iterations under spinlock
> df4a90250976 netfilter: nf_conncount: merge lookup and add functions
> e8cfb372b38a netfilter: nf_conncount: restart search when nodes have been erased
> f7fcc98dfc2d netfilter: nf_conncount: split gc in two phases
> 4cd273bb91b3 netfilter: nf_conncount: don't skip eviction when age is negative
> c78e7818f16f netfilter: nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS
> 
> conncount infrastructure is not in good shape, for more details see:
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=202013

These should also go into 4.20.y as well, right?  I don't want people to
experience regressions moving from 4.19 to a newer kernel release.

thanks,

greg k-h

Re: stable fixes for nf_conncount 4.19.x

[Greg Kroah-Hartman]

On Fri, Jan 18, 2019 at 07:57:07AM +0100, Greg Kroah-Hartman wrote:
> On Fri, Jan 18, 2019 at 02:24:14AM +0100, Pablo Neira Ayuso wrote:
> > Hi Greg,
> > 
> > Could you cherry-pick the follow list of patches into -stable 4.19.x, please?
> > 
> > a007232066f6 netfilter: nf_conncount: fix argument order to find_next_bit
> > c80f10bc973a netfilter: nf_conncount: speculative garbage collection on empty lists
> > 2f971a8f4255 netfilter: nf_conncount: move all list iterations under spinlock
> > df4a90250976 netfilter: nf_conncount: merge lookup and add functions
> > e8cfb372b38a netfilter: nf_conncount: restart search when nodes have been erased
> > f7fcc98dfc2d netfilter: nf_conncount: split gc in two phases
> > 4cd273bb91b3 netfilter: nf_conncount: don't skip eviction when age is negative
> > c78e7818f16f netfilter: nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS
> > 
> > conncount infrastructure is not in good shape, for more details see:
> > 
> > https://bugzilla.kernel.org/show_bug.cgi?id=202013
> 
> These should also go into 4.20.y as well, right?  I don't want people to
> experience regressions moving from 4.19 to a newer kernel release.

I've queued them up to both now, thanks.

greg k-h

Re: stable fixes for nf_conncount 4.19.x

[Reindl Harald]

Am 18.01.19 um 09:14 schrieb Greg Kroah-Hartman:
> On Fri, Jan 18, 2019 at 07:57:07AM +0100, Greg Kroah-Hartman wrote:
>> On Fri, Jan 18, 2019 at 02:24:14AM +0100, Pablo Neira Ayuso wrote:
>>> Hi Greg,
>>>
>>> Could you cherry-pick the follow list of patches into -stable 4.19.x, please?
>>>
>>> a007232066f6 netfilter: nf_conncount: fix argument order to find_next_bit
>>> c80f10bc973a netfilter: nf_conncount: speculative garbage collection on empty lists
>>> 2f971a8f4255 netfilter: nf_conncount: move all list iterations under spinlock
>>> df4a90250976 netfilter: nf_conncount: merge lookup and add functions
>>> e8cfb372b38a netfilter: nf_conncount: restart search when nodes have been erased
>>> f7fcc98dfc2d netfilter: nf_conncount: split gc in two phases
>>> 4cd273bb91b3 netfilter: nf_conncount: don't skip eviction when age is negative
>>> c78e7818f16f netfilter: nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS
>>>
>>> conncount infrastructure is not in good shape, for more details see:
>>>
>>> https://bugzilla.kernel.org/show_bug.cgi?id=202013
>>
>> These should also go into 4.20.y as well, right?  I don't want people to
>> experience regressions moving from 4.19 to a newer kernel release.

there is a 4.20.3 Fedora build with the patches
https://koji.fedoraproject.org/koji/taskinfo?taskID=32096601

[harry@srv-rhsoft:~]$ uname -a
Linux srv-rhsoft.rhsoft.net 4.20.3-200.rhbz1659706.fc29.x86_64 #1 SMP
Thu Jan 17 22:47:56 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[harry@srv-rhsoft:~]$ uptime
10:29:17 up  8:40,  9 users,  load average: 0,63, 0,64, 0,82

[root@srv-rhsoft:~]$ firewall_status | grep conn
7        0     0 DROP       tcp  --  *      *       0.0.0.0/0
 0.0.0.0/0            #conn src/32 > 50
8        0     0 DROP       tcp  --  *      *       0.0.0.0/0
 0.0.0.0/0            #conn src/24 > 150

before this machine crashed within 4 hours from 4.19.0 until recent

Re: stable fixes for nf_conncount 4.19.x

[Pablo Neira Ayuso]

On Fri, Jan 18, 2019 at 07:57:07AM +0100, Greg Kroah-Hartman wrote:
> On Fri, Jan 18, 2019 at 02:24:14AM +0100, Pablo Neira Ayuso wrote:
> > Hi Greg,
> > 
> > Could you cherry-pick the follow list of patches into -stable 4.19.x, please?
> > 
> > a007232066f6 netfilter: nf_conncount: fix argument order to find_next_bit
> > c80f10bc973a netfilter: nf_conncount: speculative garbage collection on empty lists
> > 2f971a8f4255 netfilter: nf_conncount: move all list iterations under spinlock
> > df4a90250976 netfilter: nf_conncount: merge lookup and add functions
> > e8cfb372b38a netfilter: nf_conncount: restart search when nodes have been erased
> > f7fcc98dfc2d netfilter: nf_conncount: split gc in two phases
> > 4cd273bb91b3 netfilter: nf_conncount: don't skip eviction when age is negative
> > c78e7818f16f netfilter: nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS
> > 
> > conncount infrastructure is not in good shape, for more details see:
> > 
> > https://bugzilla.kernel.org/show_bug.cgi?id=202013
> 
> These should also go into 4.20.y as well, right?  I don't want people to
> experience regressions moving from 4.19 to a newer kernel release.

Yes, those are also good for 4.20.

Thanks.