.34 patches

diff --git a/queue-2.6.34/act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch b/queue-2.6.34/act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch
new file mode 100644 (file)
index 0000000..43851e1
--- /dev/null
+++ b/queue-2.6.34/act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch
@@ -0,0 +1,32 @@
+From af50818b7610e6b436fd543f4a6a5884cfbc5528 Mon Sep 17 00:00:00 2001
+From: Changli Gao <xiaosuo@gmail.com>
+Date: Thu, 29 Jul 2010 14:04:18 +0000
+Subject: act_nat: the checksum of ICMP doesn't have pseudo header
+
+
+From: Changli Gao <xiaosuo@gmail.com>
+
+[ Upstream commit 3a3dfb062c2e086c202d34f09ce29634515ad256 ]
+
+after updating the value of the ICMP payload, inet_proto_csum_replace4() should
+be called with zero pseudohdr.
+
+Signed-off-by: Changli Gao <xiaosuo@gmail.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/sched/act_nat.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_nat.c
++++ b/net/sched/act_nat.c
+@@ -240,7 +240,7 @@ static int tcf_nat(struct sk_buff *skb,
+                       iph->saddr = new_addr;
+ 
+               inet_proto_csum_replace4(&icmph->checksum, skb, addr, new_addr,
+-                                       1);
++                                       0);
+               break;
+       }
+       default:

diff --git a/queue-2.6.34/bridge-add-rcu_read_lock-on-transmit.patch b/queue-2.6.34/bridge-add-rcu_read_lock-on-transmit.patch
new file mode 100644 (file)
index 0000000..14cea5e
--- /dev/null
+++ b/queue-2.6.34/bridge-add-rcu_read_lock-on-transmit.patch
@@ -0,0 +1,104 @@
+From 2f8b061219c882296096fd087359a732acf633e6 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <shemminger@vyatta.com>
+Date: Wed, 18 Aug 2010 22:56:36 -0700
+Subject: bridge: add rcu_read_lock on transmit
+
+
+From: Stephen Hemminger <shemminger@vyatta.com>
+
+[ Upstream commit eeaf61d8891f9c9ed12c1a667e72bf83f0857954 ]
+
+Long ago, when bridge was converted to RCU, rcu lock was equivalent
+to having preempt disabled. RCU has changed a lot since then and
+bridge code was still assuming the since transmit was called with
+bottom half disabled, it was RCU safe.
+
+Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
+Tested-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/bridge/br_device.c   |    4 +++-
+ net/bridge/br_fdb.c      |    2 +-
+ net/bridge/br_input.c    |    6 +++---
+ net/bridge/br_stp_bpdu.c |    2 +-
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/bridge/br_device.c
++++ b/net/bridge/br_device.c
+@@ -19,7 +19,7 @@
+ #include <asm/uaccess.h>
+ #include "br_private.h"
+ 
+-/* net device transmit always called with no BH (preempt_disabled) */
++/* net device transmit always called with BH disabled */
+ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+       struct net_bridge *br = netdev_priv(dev);
+@@ -35,6 +35,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
+       skb_reset_mac_header(skb);
+       skb_pull(skb, ETH_HLEN);
+ 
++      rcu_read_lock();
+       if (dest[0] & 1) {
+               if (br_multicast_rcv(br, NULL, skb))
+                       goto out;
+@@ -50,6 +51,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
+               br_flood_deliver(br, skb);
+ 
+ out:
++      rcu_read_unlock();
+       return NETDEV_TX_OK;
+ }
+ 
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -214,7 +214,7 @@ void br_fdb_delete_by_port(struct net_br
+       spin_unlock_bh(&br->hash_lock);
+ }
+ 
+-/* No locking or refcounting, assumes caller has no preempt (rcu_read_lock) */
++/* No locking or refcounting, assumes caller has rcu_read_lock */
+ struct net_bridge_fdb_entry *__br_fdb_get(struct net_bridge *br,
+                                         const unsigned char *addr)
+ {
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -35,7 +35,7 @@ static int br_pass_frame_up(struct sk_bu
+                      netif_receive_skb);
+ }
+ 
+-/* note: already called with rcu_read_lock (preempt_disabled) */
++/* note: already called with rcu_read_lock */
+ int br_handle_frame_finish(struct sk_buff *skb)
+ {
+       const unsigned char *dest = eth_hdr(skb)->h_dest;
+@@ -106,7 +106,7 @@ drop:
+       goto out;
+ }
+ 
+-/* note: already called with rcu_read_lock (preempt_disabled) */
++/* note: already called with rcu_read_lock */
+ static int br_handle_local_finish(struct sk_buff *skb)
+ {
+       struct net_bridge_port *p = rcu_dereference(skb->dev->br_port);
+@@ -131,7 +131,7 @@ static inline int is_link_local(const un
+ /*
+  * Called via br_handle_frame_hook.
+  * Return NULL if skb is handled
+- * note: already called with rcu_read_lock (preempt_disabled)
++ * note: already called with rcu_read_lock
+  */
+ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
+ {
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -131,7 +131,7 @@ void br_send_tcn_bpdu(struct net_bridge_
+ /*
+  * Called from llc.
+  *
+- * NO locks, but rcu_read_lock (preempt_disabled)
++ * NO locks, but rcu_read_lock
+  */
+ void br_stp_rcv(const struct stp_proto *proto, struct sk_buff *skb,
+               struct net_device *dev)

diff --git a/queue-2.6.34/bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch b/queue-2.6.34/bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch
new file mode 100644 (file)
index 0000000..9e0f652
--- /dev/null
+++ b/queue-2.6.34/bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch
@@ -0,0 +1,35 @@
+From 632d5220b7f175d7957b8cafea96a3df77a3d38c Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 29 Jul 2010 01:12:31 +0000
+Subject: bridge: Fix skb leak when multicast parsing fails on TX
+
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 6d1d1d398cb7db7a12c5d652d50f85355345234f ]
+
+On the bridge TX path we're leaking an skb when br_multicast_rcv
+returns an error.
+
+Reported-by: David Lamparter <equinox@diac24.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/bridge/br_device.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_device.c
++++ b/net/bridge/br_device.c
+@@ -37,8 +37,10 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
+ 
+       rcu_read_lock();
+       if (dest[0] & 1) {
+-              if (br_multicast_rcv(br, NULL, skb))
++              if (br_multicast_rcv(br, NULL, skb)) {
++                      kfree_skb(skb);
+                       goto out;
++              }
+ 
+               mdst = br_mdb_get(br, skb);
+               if (mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb))

diff --git a/queue-2.6.34/can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch b/queue-2.6.34/can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch
new file mode 100644 (file)
index 0000000..8ccd485
--- /dev/null
+++ b/queue-2.6.34/can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch
@@ -0,0 +1,159 @@
+From 48135709d4a0ebfc1e6ea41698726a610b62b68e Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Wed, 11 Aug 2010 16:12:35 -0700
+Subject: can: add limit for nframes and clean up signed/unsigned variables
+
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+[ Upstream commit 5b75c4973ce779520b9d1e392483207d6f842cde ]
+
+This patch adds a limit for nframes as the number of frames in TX_SETUP and
+RX_SETUP are derived from a single byte multiplex value by default.
+Use-cases that would require to send/filter more than 256 CAN frames should
+be implemented in userspace for complexity reasons anyway.
+
+Additionally the assignments of unsigned values from userspace to signed
+values in kernelspace and vice versa are fixed by using unsigned values in
+kernelspace consistently.
+
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Reported-by: Ben Hawkes <hawkes@google.com>
+Acked-by: Urs Thuermann <urs.thuermann@volkswagen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/can/bcm.c |   41 +++++++++++++++++++++++++++--------------
+ 1 file changed, 27 insertions(+), 14 deletions(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -60,6 +60,13 @@
+ #include <net/sock.h>
+ #include <net/net_namespace.h>
+ 
++/*
++ * To send multiple CAN frame content within TX_SETUP or to filter
++ * CAN messages with multiplex index within RX_SETUP, the number of
++ * different filters is limited to 256 due to the one byte index value.
++ */
++#define MAX_NFRAMES 256
++
+ /* use of last_frames[index].can_dlc */
+ #define RX_RECV    0x40 /* received data for this element */
+ #define RX_THR     0x80 /* element not been sent due to throttle feature */
+@@ -89,16 +96,16 @@ struct bcm_op {
+       struct list_head list;
+       int ifindex;
+       canid_t can_id;
+-      int flags;
++      u32 flags;
+       unsigned long frames_abs, frames_filtered;
+       struct timeval ival1, ival2;
+       struct hrtimer timer, thrtimer;
+       struct tasklet_struct tsklet, thrtsklet;
+       ktime_t rx_stamp, kt_ival1, kt_ival2, kt_lastmsg;
+       int rx_ifindex;
+-      int count;
+-      int nframes;
+-      int currframe;
++      u32 count;
++      u32 nframes;
++      u32 currframe;
+       struct can_frame *frames;
+       struct can_frame *last_frames;
+       struct can_frame sframe;
+@@ -175,7 +182,7 @@ static int bcm_proc_show(struct seq_file
+ 
+               seq_printf(m, "rx_op: %03X %-5s ",
+                               op->can_id, bcm_proc_getifname(ifname, op->ifindex));
+-              seq_printf(m, "[%d]%c ", op->nframes,
++              seq_printf(m, "[%u]%c ", op->nframes,
+                               (op->flags & RX_CHECK_DLC)?'d':' ');
+               if (op->kt_ival1.tv64)
+                       seq_printf(m, "timeo=%lld ",
+@@ -198,7 +205,7 @@ static int bcm_proc_show(struct seq_file
+ 
+       list_for_each_entry(op, &bo->tx_ops, list) {
+ 
+-              seq_printf(m, "tx_op: %03X %s [%d] ",
++              seq_printf(m, "tx_op: %03X %s [%u] ",
+                               op->can_id,
+                               bcm_proc_getifname(ifname, op->ifindex),
+                               op->nframes);
+@@ -283,7 +290,7 @@ static void bcm_send_to_user(struct bcm_
+       struct can_frame *firstframe;
+       struct sockaddr_can *addr;
+       struct sock *sk = op->sk;
+-      int datalen = head->nframes * CFSIZ;
++      unsigned int datalen = head->nframes * CFSIZ;
+       int err;
+ 
+       skb = alloc_skb(sizeof(*head) + datalen, gfp_any());
+@@ -468,7 +475,7 @@ rx_changed_settime:
+  * bcm_rx_cmp_to_index - (bit)compares the currently received data to formerly
+  *                       received data stored in op->last_frames[]
+  */
+-static void bcm_rx_cmp_to_index(struct bcm_op *op, int index,
++static void bcm_rx_cmp_to_index(struct bcm_op *op, unsigned int index,
+                               const struct can_frame *rxdata)
+ {
+       /*
+@@ -554,7 +561,8 @@ static enum hrtimer_restart bcm_rx_timeo
+ /*
+  * bcm_rx_do_flush - helper for bcm_rx_thr_flush
+  */
+-static inline int bcm_rx_do_flush(struct bcm_op *op, int update, int index)
++static inline int bcm_rx_do_flush(struct bcm_op *op, int update,
++                                unsigned int index)
+ {
+       if ((op->last_frames) && (op->last_frames[index].can_dlc & RX_THR)) {
+               if (update)
+@@ -575,7 +583,7 @@ static int bcm_rx_thr_flush(struct bcm_o
+       int updated = 0;
+ 
+       if (op->nframes > 1) {
+-              int i;
++              unsigned int i;
+ 
+               /* for MUX filter we start at index 1 */
+               for (i = 1; i < op->nframes; i++)
+@@ -624,7 +632,7 @@ static void bcm_rx_handler(struct sk_buf
+ {
+       struct bcm_op *op = (struct bcm_op *)data;
+       const struct can_frame *rxframe = (struct can_frame *)skb->data;
+-      int i;
++      unsigned int i;
+ 
+       /* disable timeout */
+       hrtimer_cancel(&op->timer);
+@@ -824,14 +832,15 @@ static int bcm_tx_setup(struct bcm_msg_h
+ {
+       struct bcm_sock *bo = bcm_sk(sk);
+       struct bcm_op *op;
+-      int i, err;
++      unsigned int i;
++      int err;
+ 
+       /* we need a real device to send frames */
+       if (!ifindex)
+               return -ENODEV;
+ 
+-      /* we need at least one can_frame */
+-      if (msg_head->nframes < 1)
++      /* check nframes boundaries - we need at least one can_frame */
++      if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
+               return -EINVAL;
+ 
+       /* check the given can_id */
+@@ -995,6 +1004,10 @@ static int bcm_rx_setup(struct bcm_msg_h
+               msg_head->nframes = 0;
+       }
+ 
++      /* the first element contains the mux-mask => MAX_NFRAMES + 1  */
++      if (msg_head->nframes > MAX_NFRAMES + 1)
++              return -EINVAL;
++
+       if ((msg_head->flags & RX_RTR_FRAME) &&
+           ((msg_head->nframes != 1) ||
+            (!(msg_head->can_id & CAN_RTR_FLAG))))

diff --git a/queue-2.6.34/isdn-fix-information-leak.patch b/queue-2.6.34/isdn-fix-information-leak.patch
new file mode 100644 (file)
index 0000000..b8cb3a9
--- /dev/null
+++ b/queue-2.6.34/isdn-fix-information-leak.patch
@@ -0,0 +1,67 @@
+From 64260976bfe9cf75a89b34bc65f2e101494e3e44 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Wed, 4 Aug 2010 23:38:06 +0000
+Subject: isdn: fix information leak
+
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit 4b030d4288a569d6bdeca884d7f102d951f097f2 ]
+
+The main motivation of this patch changing strcpy() to strlcpy().
+We strcpy() to copy a 48 byte buffers into a 49 byte buffers.  So at
+best the last byte has leaked information, or maybe there is an
+overflow?  Anyway, this patch closes the information leaks by zeroing
+the memory and the calls to strlcpy() prevent overflows.
+
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/isdn/sc/ioctl.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/isdn/sc/ioctl.c
++++ b/drivers/isdn/sc/ioctl.c
+@@ -174,7 +174,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+               pr_debug("%s: SCIOGETSPID: ioctl received\n",
+                               sc_adapter[card]->devicename);
+ 
+-              spid = kmalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
++              spid = kzalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
+               if (!spid) {
+                       kfree(rcvmsg);
+                       return -ENOMEM;
+@@ -194,7 +194,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+                       kfree(rcvmsg);
+                       return status;
+               }
+-              strcpy(spid, rcvmsg->msg_data.byte_array);
++              strlcpy(spid, rcvmsg->msg_data.byte_array, SCIOC_SPIDSIZE);
+ 
+               /*
+                * Package the switch type and send to user space
+@@ -272,12 +272,12 @@ int sc_ioctl(int card, scs_ioctl *data)
+                       return status;
+               }
+ 
+-              dn = kmalloc(SCIOC_DNSIZE, GFP_KERNEL);
++              dn = kzalloc(SCIOC_DNSIZE, GFP_KERNEL);
+               if (!dn) {
+                       kfree(rcvmsg);
+                       return -ENOMEM;
+               }
+-              strcpy(dn, rcvmsg->msg_data.byte_array);
++              strlcpy(dn, rcvmsg->msg_data.byte_array, SCIOC_DNSIZE);
+               kfree(rcvmsg);
+ 
+               /*
+@@ -348,7 +348,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+               pr_debug("%s: SCIOSTAT: ioctl received\n",
+                               sc_adapter[card]->devicename);
+ 
+-              bi = kmalloc (sizeof(boardInfo), GFP_KERNEL);
++              bi = kzalloc(sizeof(boardInfo), GFP_KERNEL);
+               if (!bi) {
+                       kfree(rcvmsg);
+                       return -ENOMEM;

diff --git a/queue-2.6.34/net-dev_forward_skb-should-call-nf_reset.patch b/queue-2.6.34/net-dev_forward_skb-should-call-nf_reset.patch
new file mode 100644 (file)
index 0000000..b9936e8
--- /dev/null
+++ b/queue-2.6.34/net-dev_forward_skb-should-call-nf_reset.patch
@@ -0,0 +1,33 @@
+From 6692f594de706f1d3c085c132a53dba0fde3e8ed Mon Sep 17 00:00:00 2001
+From: Ben Greear <greearb@candelatech.com>
+Date: Thu, 22 Jul 2010 09:54:47 +0000
+Subject: net: dev_forward_skb should call nf_reset
+
+
+From: Ben Greear <greearb@candelatech.com>
+
+[ Upstream commit c736eefadb71a01a5e61e0de700f28f6952b4444 ]
+
+With conn-track zones and probably with different network
+namespaces, the netfilter logic needs to be re-calculated
+on packet receive.  If the netfilter logic is not reset,
+it will not be recalculated properly.  This patch adds
+the nf_reset logic to dev_forward_skb.
+
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/dev.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1464,6 +1464,7 @@ static inline void net_timestamp(struct
+ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
+ {
+       skb_orphan(skb);
++      nf_reset(skb);
+ 
+       if (!(dev->flags & IFF_UP) ||
+           (skb->len > (dev->mtu + dev->hard_header_len))) {

diff --git a/queue-2.6.34/net-fix-a-memmove-bug-in-dev_gro_receive.patch b/queue-2.6.34/net-fix-a-memmove-bug-in-dev_gro_receive.patch
new file mode 100644 (file)
index 0000000..8087bea
--- /dev/null
+++ b/queue-2.6.34/net-fix-a-memmove-bug-in-dev_gro_receive.patch
@@ -0,0 +1,41 @@
+From da731c05b107dcc3feff6a109b66fa5b71e51e43 Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski <jarkao2@gmail.com>
+Date: Wed, 11 Aug 2010 02:02:10 +0000
+Subject: net: Fix a memmove bug in dev_gro_receive()
+
+
+From: Jarek Poplawski <jarkao2@gmail.com>
+
+[ Upstream commit e5093aec2e6b60c3df2420057ffab9ed4a6d2792 ]
+
+>Xin Xiaohui wrote:
+> I looked into the code dev_gro_receive(), found the code here:
+> if the frags[0] is pulled to 0, then the page will be released,
+> and memmove() frags left.
+> Is that right? I'm not sure if memmove do right or not, but
+> frags[0].size is never set after memove at least. what I think
+> a simple way is not to do anything if we found frags[0].size == 0.
+> The patch is as followed.
+...
+
+This version of the patch fixes the bug directly in memmove.
+
+Reported-by: "Xin, Xiaohui" <xiaohui.xin@intel.com>
+Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2735,7 +2735,7 @@ pull:
+                       put_page(skb_shinfo(skb)->frags[0].page);
+                       memmove(skb_shinfo(skb)->frags,
+                               skb_shinfo(skb)->frags + 1,
+-                              --skb_shinfo(skb)->nr_frags);
++                              --skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t));
+               }
+       }
+ 

diff --git a/queue-2.6.34/net-fix-napi_gro_frags-vs-netpoll-path.patch b/queue-2.6.34/net-fix-napi_gro_frags-vs-netpoll-path.patch
new file mode 100644 (file)
index 0000000..bfb7819
--- /dev/null
+++ b/queue-2.6.34/net-fix-napi_gro_frags-vs-netpoll-path.patch
@@ -0,0 +1,43 @@
+From 27191bcf61d33883e18df3fce79f2a3fff08c2b1 Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski <jarkao2@gmail.com>
+Date: Thu, 5 Aug 2010 01:19:11 +0000
+Subject: net: Fix napi_gro_frags vs netpoll path
+
+
+From: Jarek Poplawski <jarkao2@gmail.com>
+
+[ Upstream commit ce9e76c8450fc248d3e1fc16ef05e6eb50c02fa5 ]
+
+The netpoll_rx_on() check in __napi_gro_receive() skips part of the
+"common" GRO_NORMAL path, especially "pull:" in dev_gro_receive(),
+where at least eth header should be copied for entirely paged skbs.
+
+Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/dev.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2666,7 +2666,7 @@ enum gro_result dev_gro_receive(struct n
+       int mac_len;
+       enum gro_result ret;
+ 
+-      if (!(skb->dev->features & NETIF_F_GRO))
++      if (!(skb->dev->features & NETIF_F_GRO) || netpoll_rx_on(skb))
+               goto normal;
+ 
+       if (skb_is_gso(skb) || skb_has_frags(skb))
+@@ -2753,9 +2753,6 @@ __napi_gro_receive(struct napi_struct *n
+ {
+       struct sk_buff *p;
+ 
+-      if (netpoll_rx_on(skb))
+-              return GRO_NORMAL;
+-
+       for (p = napi->gro_list; p; p = p->next) {
+               NAPI_GRO_CB(p)->same_flow =
+                       (p->dev == skb->dev) &&

diff --git a/queue-2.6.34/pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch b/queue-2.6.34/pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch
new file mode 100644 (file)
index 0000000..6ed5ab3
--- /dev/null
+++ b/queue-2.6.34/pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch
@@ -0,0 +1,44 @@
+From 263b932701c9c5bfed21e62e5c9caf164d5daebc Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski <jarkao2@gmail.com>
+Date: Tue, 10 Aug 2010 22:31:02 +0000
+Subject: pkt_sched: Fix sch_sfq vs tc_modify_qdisc oops
+
+
+From: Jarek Poplawski <jarkao2@gmail.com>
+
+[ Upstream commit 41065fba846e795b31b17e4dec01cb904d56c6cd ]
+
+sch_sfq as a classful qdisc needs the .leaf handler. Otherwise, there
+is an oops possible in tc_modify_qdisc()/check_loop().
+
+Fixes commit 7d2681a6ff4f9ab5e48d02550b4c6338f1638998
+
+Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/sched/sch_sfq.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -497,6 +497,11 @@ nla_put_failure:
+       return -1;
+ }
+ 
++static struct Qdisc *sfq_leaf(struct Qdisc *sch, unsigned long arg)
++{
++      return NULL;
++}
++
+ static unsigned long sfq_get(struct Qdisc *sch, u32 classid)
+ {
+       return 0;
+@@ -560,6 +565,7 @@ static void sfq_walk(struct Qdisc *sch,
+ }
+ 
+ static const struct Qdisc_class_ops sfq_class_ops = {
++      .leaf           =       sfq_leaf,
+       .get            =       sfq_get,
+       .tcf_chain      =       sfq_find_tcf,
+       .bind_tcf       =       sfq_bind,

diff --git a/queue-2.6.34/pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch b/queue-2.6.34/pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch
new file mode 100644 (file)
index 0000000..538f3b5
--- /dev/null
+++ b/queue-2.6.34/pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch
@@ -0,0 +1,48 @@
+From b993d672ab5eff4a4ee43ac66b1d0801d896f47f Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski <jarkao2@gmail.com>
+Date: Fri, 6 Aug 2010 00:22:35 +0000
+Subject: pkt_sched: Fix sch_sfq vs tcf_bind_filter oops
+
+
+From: Jarek Poplawski <jarkao2@gmail.com>
+
+[ Upstream commit eb4a5527b1f0d581ac217c80ef3278ed5e38693c ]
+
+Since there was added ->tcf_chain() method without ->bind_tcf() to
+sch_sfq class options, there is oops when a filter is added with
+the classid parameter.
+
+Fixes commit 7d2681a6ff4f9ab5e48d02550b4c6338f1638998
+netdev thread: null pointer at cls_api.c
+
+Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
+Reported-by: Franchoze Eric <franchoze@yandex.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/sched/sch_sfq.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -502,6 +502,12 @@ static unsigned long sfq_get(struct Qdis
+       return 0;
+ }
+ 
++static unsigned long sfq_bind(struct Qdisc *sch, unsigned long parent,
++                            u32 classid)
++{
++      return 0;
++}
++
+ static struct tcf_proto **sfq_find_tcf(struct Qdisc *sch, unsigned long cl)
+ {
+       struct sfq_sched_data *q = qdisc_priv(sch);
+@@ -556,6 +562,7 @@ static void sfq_walk(struct Qdisc *sch,
+ static const struct Qdisc_class_ops sfq_class_ops = {
+       .get            =       sfq_get,
+       .tcf_chain      =       sfq_find_tcf,
++      .bind_tcf       =       sfq_bind,
+       .dump           =       sfq_dump_class,
+       .dump_stats     =       sfq_dump_class_stats,
+       .walk           =       sfq_walk,

diff --git a/queue-2.6.34/series b/queue-2.6.34/series
index 9a1b002cd8313c19b43096e8734dec7a9b2962bf..73eda4b9a3c48c0ea868fece965bea16af38df6d 100644 (file)
--- a/queue-2.6.34/series
+++ b/queue-2.6.34/series
@@ -48,3 +48,14 @@ slab-fix-object-alignment.patch
 sparc64-fix-atomic64_t-routine-return-values.patch
 sparc64-add-missing-id-to-parport-probing-code.patch
 sparc64-fix-rwsem-constant-bug-leading-to-hangs.patch
+bridge-add-rcu_read_lock-on-transmit.patch
+tcp-cookie-transactions-setsockopt-memory-leak.patch
+bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch
+act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch
+can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch
+net-dev_forward_skb-should-call-nf_reset.patch
+isdn-fix-information-leak.patch
+net-fix-napi_gro_frags-vs-netpoll-path.patch
+net-fix-a-memmove-bug-in-dev_gro_receive.patch
+pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch
+pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch

diff --git a/queue-2.6.34/tcp-cookie-transactions-setsockopt-memory-leak.patch b/queue-2.6.34/tcp-cookie-transactions-setsockopt-memory-leak.patch
new file mode 100644 (file)
index 0000000..275a22c
--- /dev/null
+++ b/queue-2.6.34/tcp-cookie-transactions-setsockopt-memory-leak.patch
@@ -0,0 +1,57 @@
+From 0a704e7e728720f51c66957653eef0dd4cc858c6 Mon Sep 17 00:00:00 2001
+From: Dmitry Popov <dp@highloadlab.com>
+Date: Thu, 29 Jul 2010 01:59:36 +0000
+Subject: tcp: cookie transactions setsockopt memory leak
+
+
+From: Dmitry Popov <dp@highloadlab.com>
+
+[ Upstream commit a3bdb549e30e7a263f7a589747c40e9c50110315 ]
+
+There is a bug in do_tcp_setsockopt(net/ipv4/tcp.c),
+TCP_COOKIE_TRANSACTIONS case.
+In some cases (when tp->cookie_values == NULL) new tcp_cookie_values
+structure can be allocated (at cvp), but not bound to
+tp->cookie_values. So a memory leak occurs.
+
+Signed-off-by: Dmitry Popov <dp@highloadlab.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/tcp.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2175,6 +2175,8 @@ static int do_tcp_setsockopt(struct sock
+                                     GFP_KERNEL);
+                       if (cvp == NULL)
+                               return -ENOMEM;
++
++                      kref_init(&cvp->kref);
+               }
+               lock_sock(sk);
+               tp->rx_opt.cookie_in_always =
+@@ -2189,12 +2191,11 @@ static int do_tcp_setsockopt(struct sock
+                                */
+                               kref_put(&tp->cookie_values->kref,
+                                        tcp_cookie_values_release);
+-                              kref_init(&cvp->kref);
+-                              tp->cookie_values = cvp;
+                       } else {
+                               cvp = tp->cookie_values;
+                       }
+               }
++
+               if (cvp != NULL) {
+                       cvp->cookie_desired = ctd.tcpct_cookie_desired;
+ 
+@@ -2208,6 +2209,8 @@ static int do_tcp_setsockopt(struct sock
+                               cvp->s_data_desired = ctd.tcpct_s_data_desired;
+                               cvp->s_data_constant = 0; /* false */
+                       }
++
++                      tp->cookie_values = cvp;
+               }
+               release_sock(sk);
+               return err;