.35 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Mon, 23 Aug 2010 22:09:26 +0000 (15:09 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 23 Aug 2010 22:09:26 +0000 (15:09 -0700)
13 files changed:
queue-2.6.35/act_nat-fix-wild-pointer.patch [new file with mode: 0644]
queue-2.6.35/act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch [new file with mode: 0644]
queue-2.6.35/bridge-add-rcu_read_lock-on-transmit.patch [new file with mode: 0644]
queue-2.6.35/bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch [new file with mode: 0644]
queue-2.6.35/can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch [new file with mode: 0644]
queue-2.6.35/isdn-fix-information-leak.patch [new file with mode: 0644]
queue-2.6.35/net-disable-preemption-before-call-smp_processor_id.patch [new file with mode: 0644]
queue-2.6.35/net-fix-a-memmove-bug-in-dev_gro_receive.patch [new file with mode: 0644]
queue-2.6.35/net-fix-napi_gro_frags-vs-netpoll-path.patch [new file with mode: 0644]
queue-2.6.35/pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch [new file with mode: 0644]
queue-2.6.35/pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch [new file with mode: 0644]
queue-2.6.35/series
queue-2.6.35/tcp-cookie-transactions-setsockopt-memory-leak.patch [new file with mode: 0644]

diff --git a/queue-2.6.35/act_nat-fix-wild-pointer.patch b/queue-2.6.35/act_nat-fix-wild-pointer.patch
new file mode 100644 (file)
index 0000000..fdf9071
--- /dev/null
@@ -0,0 +1,30 @@
+From 7429d21622d36a934901b43cd2c1784db8bbe93e Mon Sep 17 00:00:00 2001
+From: Changli Gao <xiaosuo@gmail.com>
+Date: Thu, 29 Jul 2010 13:41:46 +0000
+Subject: act_nat: fix wild pointer
+
+
+From: Changli Gao <xiaosuo@gmail.com>
+
+[ Upstream commit 072d79a31a3b870b49886f4347e23f81b7eca3ac ]
+
+pskb_may_pull() may change skb pointers, so adjust icmph after pskb_may_pull().
+
+Signed-off-by: Changli Gao <xiaosuo@gmail.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/sched/act_nat.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/act_nat.c
++++ b/net/sched/act_nat.c
+@@ -218,6 +218,7 @@ static int tcf_nat(struct sk_buff *skb,
+               if (!pskb_may_pull(skb, ihl + sizeof(*icmph) + sizeof(*iph)))
+                       goto drop;
++              icmph = (void *)(skb_network_header(skb) + ihl);
+               iph = (void *)(icmph + 1);
+               if (egress)
+                       addr = iph->daddr;
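Review bot: The re-derivation of `icmph` after `pskb_may_pull()` carries no comment, so it reads like a redundant assignment that a later cleanup could remove, bringing the stale pointer back. A one-line comment above it would pin the reason, for example `/* pskb_may_pull() may move the skb data: reload icmph before deriving iph */`. Any other pointer into the packet that tcf_nat() computed before this pull would need the same reload. The rest of the function is outside the hunk, so that is worth checking against the full file.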
diff --git a/queue-2.6.35/act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch b/queue-2.6.35/act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch
new file mode 100644 (file)
index 0000000..35d1676
--- /dev/null
@@ -0,0 +1,32 @@
+From 9403046c9d46389ff12b386cbdb6520a30ec2f36 Mon Sep 17 00:00:00 2001
+From: Changli Gao <xiaosuo@gmail.com>
+Date: Thu, 29 Jul 2010 14:04:18 +0000
+Subject: act_nat: the checksum of ICMP doesn't have pseudo header
+
+
+From: Changli Gao <xiaosuo@gmail.com>
+
+[ Upstream commit 3a3dfb062c2e086c202d34f09ce29634515ad256 ]
+
+after updating the value of the ICMP payload, inet_proto_csum_replace4() should
+be called with zero pseudohdr.
+
+Signed-off-by: Changli Gao <xiaosuo@gmail.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/sched/act_nat.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_nat.c
++++ b/net/sched/act_nat.c
+@@ -246,7 +246,7 @@ static int tcf_nat(struct sk_buff *skb,
+                       iph->saddr = new_addr;
+               inet_proto_csum_replace4(&icmph->checksum, skb, addr, new_addr,
+-                                       1);
++                                       0);
+               break;
+       }
+       default:
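Review bot: The last argument of `inet_proto_csum_replace4()` is now a bare `0`, and its meaning (no pseudo-header) can only be recovered from the commit message. A short comment at the call, such as `/* ICMP checksum covers no pseudo-header */`, would keep a later edit from "normalising" it back to `1` to match other checksum updates. The enclosing switch case starts outside the hunk.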
diff --git a/queue-2.6.35/bridge-add-rcu_read_lock-on-transmit.patch b/queue-2.6.35/bridge-add-rcu_read_lock-on-transmit.patch
new file mode 100644 (file)
index 0000000..a98fdfb
--- /dev/null
@@ -0,0 +1,104 @@
+From 394acd858a35a7566857f713150aa4105c1c3518 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <shemminger@vyatta.com>
+Date: Wed, 18 Aug 2010 22:56:36 -0700
+Subject: bridge: add rcu_read_lock on transmit
+
+
+From: Stephen Hemminger <shemminger@vyatta.com>
+
+[ Upstream commit eeaf61d8891f9c9ed12c1a667e72bf83f0857954 ]
+
+Long ago, when bridge was converted to RCU, rcu lock was equivalent
+to having preempt disabled. RCU has changed a lot since then and
+bridge code was still assuming the since transmit was called with
+bottom half disabled, it was RCU safe.
+
+Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
+Tested-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/bridge/br_device.c   |    4 +++-
+ net/bridge/br_fdb.c      |    2 +-
+ net/bridge/br_input.c    |    6 +++---
+ net/bridge/br_stp_bpdu.c |    2 +-
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/bridge/br_device.c
++++ b/net/bridge/br_device.c
+@@ -22,7 +22,7 @@
+ #include <asm/uaccess.h>
+ #include "br_private.h"
+-/* net device transmit always called with no BH (preempt_disabled) */
++/* net device transmit always called with BH disabled */
+ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+       struct net_bridge *br = netdev_priv(dev);
+@@ -46,6 +46,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
+       skb_reset_mac_header(skb);
+       skb_pull(skb, ETH_HLEN);
++      rcu_read_lock();
+       if (is_multicast_ether_addr(dest)) {
+               if (br_multicast_rcv(br, NULL, skb))
+                       goto out;
+@@ -61,6 +62,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
+               br_flood_deliver(br, skb);
+ out:
++      rcu_read_unlock();
+       return NETDEV_TX_OK;
+ }
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -214,7 +214,7 @@ void br_fdb_delete_by_port(struct net_br
+       spin_unlock_bh(&br->hash_lock);
+ }
+-/* No locking or refcounting, assumes caller has no preempt (rcu_read_lock) */
++/* No locking or refcounting, assumes caller has rcu_read_lock */
+ struct net_bridge_fdb_entry *__br_fdb_get(struct net_bridge *br,
+                                         const unsigned char *addr)
+ {
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -37,7 +37,7 @@ static int br_pass_frame_up(struct sk_bu
+                      netif_receive_skb);
+ }
+-/* note: already called with rcu_read_lock (preempt_disabled) */
++/* note: already called with rcu_read_lock */
+ int br_handle_frame_finish(struct sk_buff *skb)
+ {
+       const unsigned char *dest = eth_hdr(skb)->h_dest;
+@@ -108,7 +108,7 @@ drop:
+       goto out;
+ }
+-/* note: already called with rcu_read_lock (preempt_disabled) */
++/* note: already called with rcu_read_lock */
+ static int br_handle_local_finish(struct sk_buff *skb)
+ {
+       struct net_bridge_port *p = rcu_dereference(skb->dev->br_port);
+@@ -133,7 +133,7 @@ static inline int is_link_local(const un
+ /*
+  * Called via br_handle_frame_hook.
+  * Return NULL if skb is handled
+- * note: already called with rcu_read_lock (preempt_disabled)
++ * note: already called with rcu_read_lock
+  */
+ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
+ {
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -131,7 +131,7 @@ void br_send_tcn_bpdu(struct net_bridge_
+ /*
+  * Called from llc.
+  *
+- * NO locks, but rcu_read_lock (preempt_disabled)
++ * NO locks, but rcu_read_lock
+  */
+ void br_stp_rcv(const struct stp_proto *proto, struct sk_buff *skb,
+               struct net_device *dev)
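Review bot: The `rcu_read_unlock()` placed under `out:` in br_dev_xmit() is balanced only if every jump to that label happens after the new `rcu_read_lock()`. The lines between the function entry and the lock are outside the hunks, so an earlier `goto out` would unlock without a matching lock. If the full function has none, a comment on the label such as `/* reached only with rcu_read_lock() held */` would record the invariant. The reworded comments in br_fdb.c, br_input.c and br_stp_bpdu.c state a locking precondition that nothing visible here enforces, so they remain documentation only.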
diff --git a/queue-2.6.35/bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch b/queue-2.6.35/bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch
new file mode 100644 (file)
index 0000000..e47aa45
--- /dev/null
@@ -0,0 +1,35 @@
+From bef8d86ead7aba6757a2e9a14b7588812471b1a8 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 29 Jul 2010 01:12:31 +0000
+Subject: bridge: Fix skb leak when multicast parsing fails on TX
+
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 6d1d1d398cb7db7a12c5d652d50f85355345234f ]
+
+On the bridge TX path we're leaking an skb when br_multicast_rcv
+returns an error.
+
+Reported-by: David Lamparter <equinox@diac24.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/bridge/br_device.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_device.c
++++ b/net/bridge/br_device.c
+@@ -48,8 +48,10 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
+       rcu_read_lock();
+       if (is_multicast_ether_addr(dest)) {
+-              if (br_multicast_rcv(br, NULL, skb))
++              if (br_multicast_rcv(br, NULL, skb)) {
++                      kfree_skb(skb);
+                       goto out;
++              }
+               mdst = br_mdb_get(br, skb);
+               if (mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb))
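Review bot: The new `kfree_skb(skb)` on the error branch assumes br_multicast_rcv() never frees or queues the skb itself before returning non-zero; if any of its failure paths does, this becomes a double free. That function is not part of the hunk, so the ownership rule cannot be confirmed from here. Stating it at the call site would help, for example `/* br_multicast_rcv() does not consume skb on error */`. br_dev_xmit() continues outside the hunk.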
diff --git a/queue-2.6.35/can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch b/queue-2.6.35/can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch
new file mode 100644 (file)
index 0000000..3f1c4e8
--- /dev/null
@@ -0,0 +1,159 @@
+From 730cc5a78988344cff13340bbf0e1ab63f05d641 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Wed, 11 Aug 2010 16:12:35 -0700
+Subject: can: add limit for nframes and clean up signed/unsigned variables
+
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+[ Upstream commit 5b75c4973ce779520b9d1e392483207d6f842cde ]
+
+This patch adds a limit for nframes as the number of frames in TX_SETUP and
+RX_SETUP are derived from a single byte multiplex value by default.
+Use-cases that would require to send/filter more than 256 CAN frames should
+be implemented in userspace for complexity reasons anyway.
+
+Additionally the assignments of unsigned values from userspace to signed
+values in kernelspace and vice versa are fixed by using unsigned values in
+kernelspace consistently.
+
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Reported-by: Ben Hawkes <hawkes@google.com>
+Acked-by: Urs Thuermann <urs.thuermann@volkswagen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/can/bcm.c |   41 +++++++++++++++++++++++++++--------------
+ 1 file changed, 27 insertions(+), 14 deletions(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -60,6 +60,13 @@
+ #include <net/sock.h>
+ #include <net/net_namespace.h>
++/*
++ * To send multiple CAN frame content within TX_SETUP or to filter
++ * CAN messages with multiplex index within RX_SETUP, the number of
++ * different filters is limited to 256 due to the one byte index value.
++ */
++#define MAX_NFRAMES 256
++
+ /* use of last_frames[index].can_dlc */
+ #define RX_RECV    0x40 /* received data for this element */
+ #define RX_THR     0x80 /* element not been sent due to throttle feature */
+@@ -89,16 +96,16 @@ struct bcm_op {
+       struct list_head list;
+       int ifindex;
+       canid_t can_id;
+-      int flags;
++      u32 flags;
+       unsigned long frames_abs, frames_filtered;
+       struct timeval ival1, ival2;
+       struct hrtimer timer, thrtimer;
+       struct tasklet_struct tsklet, thrtsklet;
+       ktime_t rx_stamp, kt_ival1, kt_ival2, kt_lastmsg;
+       int rx_ifindex;
+-      int count;
+-      int nframes;
+-      int currframe;
++      u32 count;
++      u32 nframes;
++      u32 currframe;
+       struct can_frame *frames;
+       struct can_frame *last_frames;
+       struct can_frame sframe;
+@@ -175,7 +182,7 @@ static int bcm_proc_show(struct seq_file
+               seq_printf(m, "rx_op: %03X %-5s ",
+                               op->can_id, bcm_proc_getifname(ifname, op->ifindex));
+-              seq_printf(m, "[%d]%c ", op->nframes,
++              seq_printf(m, "[%u]%c ", op->nframes,
+                               (op->flags & RX_CHECK_DLC)?'d':' ');
+               if (op->kt_ival1.tv64)
+                       seq_printf(m, "timeo=%lld ",
+@@ -198,7 +205,7 @@ static int bcm_proc_show(struct seq_file
+       list_for_each_entry(op, &bo->tx_ops, list) {
+-              seq_printf(m, "tx_op: %03X %s [%d] ",
++              seq_printf(m, "tx_op: %03X %s [%u] ",
+                               op->can_id,
+                               bcm_proc_getifname(ifname, op->ifindex),
+                               op->nframes);
+@@ -283,7 +290,7 @@ static void bcm_send_to_user(struct bcm_
+       struct can_frame *firstframe;
+       struct sockaddr_can *addr;
+       struct sock *sk = op->sk;
+-      int datalen = head->nframes * CFSIZ;
++      unsigned int datalen = head->nframes * CFSIZ;
+       int err;
+       skb = alloc_skb(sizeof(*head) + datalen, gfp_any());
+@@ -468,7 +475,7 @@ rx_changed_settime:
+  * bcm_rx_cmp_to_index - (bit)compares the currently received data to formerly
+  *                       received data stored in op->last_frames[]
+  */
+-static void bcm_rx_cmp_to_index(struct bcm_op *op, int index,
++static void bcm_rx_cmp_to_index(struct bcm_op *op, unsigned int index,
+                               const struct can_frame *rxdata)
+ {
+       /*
+@@ -554,7 +561,8 @@ static enum hrtimer_restart bcm_rx_timeo
+ /*
+  * bcm_rx_do_flush - helper for bcm_rx_thr_flush
+  */
+-static inline int bcm_rx_do_flush(struct bcm_op *op, int update, int index)
++static inline int bcm_rx_do_flush(struct bcm_op *op, int update,
++                                unsigned int index)
+ {
+       if ((op->last_frames) && (op->last_frames[index].can_dlc & RX_THR)) {
+               if (update)
+@@ -575,7 +583,7 @@ static int bcm_rx_thr_flush(struct bcm_o
+       int updated = 0;
+       if (op->nframes > 1) {
+-              int i;
++              unsigned int i;
+               /* for MUX filter we start at index 1 */
+               for (i = 1; i < op->nframes; i++)
+@@ -624,7 +632,7 @@ static void bcm_rx_handler(struct sk_buf
+ {
+       struct bcm_op *op = (struct bcm_op *)data;
+       const struct can_frame *rxframe = (struct can_frame *)skb->data;
+-      int i;
++      unsigned int i;
+       /* disable timeout */
+       hrtimer_cancel(&op->timer);
+@@ -822,14 +830,15 @@ static int bcm_tx_setup(struct bcm_msg_h
+ {
+       struct bcm_sock *bo = bcm_sk(sk);
+       struct bcm_op *op;
+-      int i, err;
++      unsigned int i;
++      int err;
+       /* we need a real device to send frames */
+       if (!ifindex)
+               return -ENODEV;
+-      /* we need at least one can_frame */
+-      if (msg_head->nframes < 1)
++      /* check nframes boundaries - we need at least one can_frame */
++      if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
+               return -EINVAL;
+       /* check the given can_id */
+@@ -993,6 +1002,10 @@ static int bcm_rx_setup(struct bcm_msg_h
+               msg_head->nframes = 0;
+       }
++      /* the first element contains the mux-mask => MAX_NFRAMES + 1  */
++      if (msg_head->nframes > MAX_NFRAMES + 1)
++              return -EINVAL;
++
+       if ((msg_head->flags & RX_RTR_FRAME) &&
+           ((msg_head->nframes != 1) ||
+            (!(msg_head->can_id & CAN_RTR_FLAG))))
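Review bot: The size computation `head->nframes * CFSIZ` in bcm_send_to_user() is still unchecked at the point of use. It is safe only if every `bcm_msg_head` that reaches it was bounded by the new tests in bcm_tx_setup() and bcm_rx_setup(), and the other places in bcm.c that build a head are not visible in these hunks. A comment next to `datalen` naming that dependency, e.g. `/* nframes was limited to MAX_NFRAMES + 1 at setup time */`, would make the invariant reviewable. The limit also has two effective values, `MAX_NFRAMES` on TX and `MAX_NFRAMES + 1` on RX. The comment above the `#define` describes only the 256 case and could mention the extra mux-mask element that the RX check allows.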
diff --git a/queue-2.6.35/isdn-fix-information-leak.patch b/queue-2.6.35/isdn-fix-information-leak.patch
new file mode 100644 (file)
index 0000000..400aa00
--- /dev/null
@@ -0,0 +1,67 @@
+From c4940d0b98d459c9dd824d0ea0e44c6e1d294f59 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Wed, 4 Aug 2010 23:38:06 +0000
+Subject: isdn: fix information leak
+
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit 4b030d4288a569d6bdeca884d7f102d951f097f2 ]
+
+The main motivation of this patch changing strcpy() to strlcpy().
+We strcpy() to copy a 48 byte buffers into a 49 byte buffers.  So at
+best the last byte has leaked information, or maybe there is an
+overflow?  Anyway, this patch closes the information leaks by zeroing
+the memory and the calls to strlcpy() prevent overflows.
+
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/isdn/sc/ioctl.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/isdn/sc/ioctl.c
++++ b/drivers/isdn/sc/ioctl.c
+@@ -174,7 +174,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+               pr_debug("%s: SCIOGETSPID: ioctl received\n",
+                               sc_adapter[card]->devicename);
+-              spid = kmalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
++              spid = kzalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
+               if (!spid) {
+                       kfree(rcvmsg);
+                       return -ENOMEM;
+@@ -194,7 +194,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+                       kfree(rcvmsg);
+                       return status;
+               }
+-              strcpy(spid, rcvmsg->msg_data.byte_array);
++              strlcpy(spid, rcvmsg->msg_data.byte_array, SCIOC_SPIDSIZE);
+               /*
+                * Package the switch type and send to user space
+@@ -272,12 +272,12 @@ int sc_ioctl(int card, scs_ioctl *data)
+                       return status;
+               }
+-              dn = kmalloc(SCIOC_DNSIZE, GFP_KERNEL);
++              dn = kzalloc(SCIOC_DNSIZE, GFP_KERNEL);
+               if (!dn) {
+                       kfree(rcvmsg);
+                       return -ENOMEM;
+               }
+-              strcpy(dn, rcvmsg->msg_data.byte_array);
++              strlcpy(dn, rcvmsg->msg_data.byte_array, SCIOC_DNSIZE);
+               kfree(rcvmsg);
+               /*
+@@ -348,7 +348,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+               pr_debug("%s: SCIOSTAT: ioctl received\n",
+                               sc_adapter[card]->devicename);
+-              bi = kmalloc (sizeof(boardInfo), GFP_KERNEL);
++              bi = kzalloc(sizeof(boardInfo), GFP_KERNEL);
+               if (!bi) {
+                       kfree(rcvmsg);
+                       return -ENOMEM;
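Review bot: `strlcpy()` bounds the write but not the read: it measures `rcvmsg->msg_data.byte_array` by scanning for a NUL, so a reply that fills the array without a terminator is still read past its end. The commit message's 48-byte versus 49-byte description suggests that case is possible, but whether the array is always terminated is not visible in the hunks. Because the destination is now zeroed by `kzalloc()`, a copy bounded on both sides would be `strncpy(spid, rcvmsg->msg_data.byte_array, SCIOC_SPIDSIZE - 1);`, and likewise for `dn` with `SCIOC_DNSIZE - 1`, provided the source array is at least that long. sc_ioctl() starts and ends outside the hunks.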
diff --git a/queue-2.6.35/net-disable-preemption-before-call-smp_processor_id.patch b/queue-2.6.35/net-disable-preemption-before-call-smp_processor_id.patch
new file mode 100644 (file)
index 0000000..03a159e
--- /dev/null
@@ -0,0 +1,41 @@
+From 65e18b6f40c6884db0ef245d90716c826a2c225b Mon Sep 17 00:00:00 2001
+From: Changli Gao <xiaosuo@gmail.com>
+Date: Sat, 7 Aug 2010 20:35:43 -0700
+Subject: net: disable preemption before call smp_processor_id()
+
+
+From: Changli Gao <xiaosuo@gmail.com>
+
+[ Upstream commit cece1945bffcf1a823cdfa36669beae118419351 ]
+
+Although netif_rx() isn't expected to be called in process context with
+preemption enabled, it'd better handle this case. And this is why get_cpu()
+is used in the non-RPS #ifdef branch. If tree RCU is selected,
+rcu_read_lock() won't disable preemption, so preempt_disable() should be
+called explictly.
+
+Signed-off-by: Changli Gao <xiaosuo@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/dev.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2504,6 +2504,7 @@ int netif_rx(struct sk_buff *skb)
+               struct rps_dev_flow voidflow, *rflow = &voidflow;
+               int cpu;
++              preempt_disable();
+               rcu_read_lock();
+               cpu = get_rps_cpu(skb->dev, skb, &rflow);
+@@ -2513,6 +2514,7 @@ int netif_rx(struct sk_buff *skb)
+               ret = enqueue_to_backlog(skb, cpu, &rflow->last_qtail);
+               rcu_read_unlock();
++              preempt_enable();
+       }
+ #else
+       {
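Review bot: `preempt_disable()` directly in front of `rcu_read_lock()` looks redundant at the call site, and nothing there says why both are needed. A comment taken from the commit message would prevent a well-meant removal, e.g. `/* tree RCU: rcu_read_lock() does not disable preemption */`. The statements between the two hunks are outside the view; any early exit added there would have to call `preempt_enable()` as well as `rcu_read_unlock()`.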
diff --git a/queue-2.6.35/net-fix-a-memmove-bug-in-dev_gro_receive.patch b/queue-2.6.35/net-fix-a-memmove-bug-in-dev_gro_receive.patch
new file mode 100644 (file)
index 0000000..09f219b
--- /dev/null
@@ -0,0 +1,41 @@
+From dc541cd3c6ec5b2a50cb46b59edb922a08517538 Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski <jarkao2@gmail.com>
+Date: Wed, 11 Aug 2010 02:02:10 +0000
+Subject: net: Fix a memmove bug in dev_gro_receive()
+
+
+From: Jarek Poplawski <jarkao2@gmail.com>
+
+[ Upstream commit e5093aec2e6b60c3df2420057ffab9ed4a6d2792 ]
+
+>Xin Xiaohui wrote:
+> I looked into the code dev_gro_receive(), found the code here:
+> if the frags[0] is pulled to 0, then the page will be released,
+> and memmove() frags left.
+> Is that right? I'm not sure if memmove do right or not, but
+> frags[0].size is never set after memove at least. what I think
+> a simple way is not to do anything if we found frags[0].size == 0.
+> The patch is as followed.
+...
+
+This version of the patch fixes the bug directly in memmove.
+
+Reported-by: "Xin, Xiaohui" <xiaohui.xin@intel.com>
+Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3133,7 +3133,7 @@ pull:
+                       put_page(skb_shinfo(skb)->frags[0].page);
+                       memmove(skb_shinfo(skb)->frags,
+                               skb_shinfo(skb)->frags + 1,
+-                              --skb_shinfo(skb)->nr_frags);
++                              --skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t));
+               }
+       }
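Review bot: The length argument of `memmove()` still embeds the `--skb_shinfo(skb)->nr_frags` side effect, so one expression both updates the fragment count and computes a byte size, which makes the length hard to audit. Splitting it reads more safely: `skb_shinfo(skb)->nr_frags--;` on its own line before the call, then `skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t)` as the length. The enclosing `pull:` block of dev_gro_receive() starts outside the hunk.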
diff --git a/queue-2.6.35/net-fix-napi_gro_frags-vs-netpoll-path.patch b/queue-2.6.35/net-fix-napi_gro_frags-vs-netpoll-path.patch
new file mode 100644 (file)
index 0000000..d207aca
--- /dev/null
@@ -0,0 +1,43 @@
+From f84e663447f8d595c06a771baba4f54af2f13143 Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski <jarkao2@gmail.com>
+Date: Thu, 5 Aug 2010 01:19:11 +0000
+Subject: net: Fix napi_gro_frags vs netpoll path
+
+
+From: Jarek Poplawski <jarkao2@gmail.com>
+
+[ Upstream commit ce9e76c8450fc248d3e1fc16ef05e6eb50c02fa5 ]
+
+The netpoll_rx_on() check in __napi_gro_receive() skips part of the
+"common" GRO_NORMAL path, especially "pull:" in dev_gro_receive(),
+where at least eth header should be copied for entirely paged skbs.
+
+Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/dev.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3064,7 +3064,7 @@ enum gro_result dev_gro_receive(struct n
+       int mac_len;
+       enum gro_result ret;
+-      if (!(skb->dev->features & NETIF_F_GRO))
++      if (!(skb->dev->features & NETIF_F_GRO) || netpoll_rx_on(skb))
+               goto normal;
+       if (skb_is_gso(skb) || skb_has_frags(skb))
+@@ -3151,9 +3151,6 @@ __napi_gro_receive(struct napi_struct *n
+ {
+       struct sk_buff *p;
+-      if (netpoll_rx_on(skb))
+-              return GRO_NORMAL;
+-
+       for (p = napi->gro_list; p; p = p->next) {
+               NAPI_GRO_CB(p)->same_flow =
+                       (p->dev == skb->dev) &&
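Review bot: The combined condition `!(skb->dev->features & NETIF_F_GRO) || netpoll_rx_on(skb)` gives no hint why netpoll is tested in dev_gro_receive() rather than in the caller. A later refactor could move it back to an early return and skip the `pull:` handling again. A comment above it, e.g. `/* netpoll: no merging, but still take normal/pull so the header gets copied */`, would document the intent stated in the commit message. With the early return gone, __napi_gro_receive() also walks `napi->gro_list` before the netpoll case bails out, which looks harmless but is extra work on that path. Both functions continue outside the hunks.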
diff --git a/queue-2.6.35/pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch b/queue-2.6.35/pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch
new file mode 100644 (file)
index 0000000..88ef381
--- /dev/null
@@ -0,0 +1,44 @@
+From 76f728b3edc62ccb510d2a477660de1a59e737ea Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski <jarkao2@gmail.com>
+Date: Tue, 10 Aug 2010 22:31:02 +0000
+Subject: pkt_sched: Fix sch_sfq vs tc_modify_qdisc oops
+
+
+From: Jarek Poplawski <jarkao2@gmail.com>
+
+[ Upstream commit 41065fba846e795b31b17e4dec01cb904d56c6cd ]
+
+sch_sfq as a classful qdisc needs the .leaf handler. Otherwise, there
+is an oops possible in tc_modify_qdisc()/check_loop().
+
+Fixes commit 7d2681a6ff4f9ab5e48d02550b4c6338f1638998
+
+Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/sched/sch_sfq.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -497,6 +497,11 @@ nla_put_failure:
+       return -1;
+ }
++static struct Qdisc *sfq_leaf(struct Qdisc *sch, unsigned long arg)
++{
++      return NULL;
++}
++
+ static unsigned long sfq_get(struct Qdisc *sch, u32 classid)
+ {
+       return 0;
+@@ -560,6 +565,7 @@ static void sfq_walk(struct Qdisc *sch,
+ }
+ static const struct Qdisc_class_ops sfq_class_ops = {
++      .leaf           =       sfq_leaf,
+       .get            =       sfq_get,
+       .tcf_chain      =       sfq_find_tcf,
+       .bind_tcf       =       sfq_bind,
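Review bot: `sfq_leaf()` is a stub that always returns NULL and has no comment saying this is deliberate, so it reads like an unfinished handler. A line above it such as `/* no per-class child qdisc; exists so callers never call a NULL .leaf */` would explain it, assuming that is the intent behind the commit message. The stub also relies on every caller of `.leaf` accepting a NULL result; tc_modify_qdisc() and check_loop() are not visible here.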
diff --git a/queue-2.6.35/pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch b/queue-2.6.35/pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch
new file mode 100644 (file)
index 0000000..58868b6
--- /dev/null
@@ -0,0 +1,48 @@
+From 293004895ffe978a0cebe2230422d8bcf7fa3165 Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski <jarkao2@gmail.com>
+Date: Fri, 6 Aug 2010 00:22:35 +0000
+Subject: pkt_sched: Fix sch_sfq vs tcf_bind_filter oops
+
+
+From: Jarek Poplawski <jarkao2@gmail.com>
+
+[ Upstream commit eb4a5527b1f0d581ac217c80ef3278ed5e38693c ]
+
+Since there was added ->tcf_chain() method without ->bind_tcf() to
+sch_sfq class options, there is oops when a filter is added with
+the classid parameter.
+
+Fixes commit 7d2681a6ff4f9ab5e48d02550b4c6338f1638998
+netdev thread: null pointer at cls_api.c
+
+Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
+Reported-by: Franchoze Eric <franchoze@yandex.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/sched/sch_sfq.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -502,6 +502,12 @@ static unsigned long sfq_get(struct Qdis
+       return 0;
+ }
++static unsigned long sfq_bind(struct Qdisc *sch, unsigned long parent,
++                            u32 classid)
++{
++      return 0;
++}
++
+ static struct tcf_proto **sfq_find_tcf(struct Qdisc *sch, unsigned long cl)
+ {
+       struct sfq_sched_data *q = qdisc_priv(sch);
+@@ -556,6 +562,7 @@ static void sfq_walk(struct Qdisc *sch,
+ static const struct Qdisc_class_ops sfq_class_ops = {
+       .get            =       sfq_get,
+       .tcf_chain      =       sfq_find_tcf,
++      .bind_tcf       =       sfq_bind,
+       .dump           =       sfq_dump_class,
+       .dump_stats     =       sfq_dump_class_stats,
+       .walk           =       sfq_walk,
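Review bot: The ops table gains `.bind_tcf` but, as far as the visible initializers show, no `.unbind_tcf` and no `.put`, so the NULL-callback oops fixed here for bind may still be reachable on the matching teardown calls. Whether the filter core invokes those two callbacks for SFQ depends on code outside the hunk, and possibly on `sfq_bind()` and `sfq_get()` returning 0, so it needs checking against cls_api.c. If they can be called, empty handlers would close the gap; a sketch follows. The `sfq_class_ops` initializer continues past the last visible line, and the table shown in the sch_sfq tc_modify_qdisc patch has the same shape.

```c
/* … unchanged: sfq_get, sfq_bind … */

/* Nothing is tracked per class, so put/unbind have nothing to undo. */
static void sfq_put(struct Qdisc *q, unsigned long cl)
{
}

static const struct Qdisc_class_ops sfq_class_ops = {
	.get		=	sfq_get,
	.put		=	sfq_put,
	.tcf_chain	=	sfq_find_tcf,
	.bind_tcf	=	sfq_bind,
	.unbind_tcf	=	sfq_put,
	/* … unchanged: .dump, .dump_stats, .walk … */
```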
index b2d0d70e0e3b4a1dc4078413f752ee770ee61ca7..690b39e9f0a826f5af6422da52f28ad5d977bb70 100644 (file)
@@ -58,3 +58,15 @@ sparc64-add-missing-id-to-parport-probing-code.patch
 sparc64-fix-rwsem-constant-bug-leading-to-hangs.patch
 sparc64-fix-atomic64_t-routine-return-values.patch
 sparc-really-fix-console-for-serial-consoles.patch
+bridge-add-rcu_read_lock-on-transmit.patch
+tcp-cookie-transactions-setsockopt-memory-leak.patch
+bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch
+act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch
+can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch
+isdn-fix-information-leak.patch
+net-fix-napi_gro_frags-vs-netpoll-path.patch
+net-fix-a-memmove-bug-in-dev_gro_receive.patch
+pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch
+pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch
+net-disable-preemption-before-call-smp_processor_id.patch
+act_nat-fix-wild-pointer.patch
diff --git a/queue-2.6.35/tcp-cookie-transactions-setsockopt-memory-leak.patch b/queue-2.6.35/tcp-cookie-transactions-setsockopt-memory-leak.patch
new file mode 100644 (file)
index 0000000..da0cf6a
--- /dev/null
@@ -0,0 +1,57 @@
+From 1db5842bdc3879df1c20922758954dd4f1c6b682 Mon Sep 17 00:00:00 2001
+From: Dmitry Popov <dp@highloadlab.com>
+Date: Thu, 29 Jul 2010 01:59:36 +0000
+Subject: tcp: cookie transactions setsockopt memory leak
+
+
+From: Dmitry Popov <dp@highloadlab.com>
+
+[ Upstream commit a3bdb549e30e7a263f7a589747c40e9c50110315 ]
+
+There is a bug in do_tcp_setsockopt(net/ipv4/tcp.c),
+TCP_COOKIE_TRANSACTIONS case.
+In some cases (when tp->cookie_values == NULL) new tcp_cookie_values
+structure can be allocated (at cvp), but not bound to
+tp->cookie_values. So a memory leak occurs.
+
+Signed-off-by: Dmitry Popov <dp@highloadlab.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/tcp.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2176,6 +2176,8 @@ static int do_tcp_setsockopt(struct sock
+                                     GFP_KERNEL);
+                       if (cvp == NULL)
+                               return -ENOMEM;
++
++                      kref_init(&cvp->kref);
+               }
+               lock_sock(sk);
+               tp->rx_opt.cookie_in_always =
+@@ -2190,12 +2192,11 @@ static int do_tcp_setsockopt(struct sock
+                                */
+                               kref_put(&tp->cookie_values->kref,
+                                        tcp_cookie_values_release);
+-                              kref_init(&cvp->kref);
+-                              tp->cookie_values = cvp;
+                       } else {
+                               cvp = tp->cookie_values;
+                       }
+               }
++
+               if (cvp != NULL) {
+                       cvp->cookie_desired = ctd.tcpct_cookie_desired;
+@@ -2209,6 +2210,8 @@ static int do_tcp_setsockopt(struct sock
+                               cvp->s_data_desired = ctd.tcpct_s_data_desired;
+                               cvp->s_data_constant = 0; /* false */
+                       }
++
++                      tp->cookie_values = cvp;
+               }
+               release_sock(sk);
+               return err;
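Review bot: Between the `kref_put()` on the old `tp->cookie_values` and the relocated `tp->cookie_values = cvp;` at the end of the `if (cvp != NULL)` block, the socket field still points at an object whose reference was just dropped. That is safe only if every reader of `tp->cookie_values` runs under the socket lock held here, and those readers are not visible in the hunks. One option is to keep the assignment next to the `kref_put()` and add a separate assignment for the previously-NULL case. The other is to document the window with a comment such as `/* tp->cookie_values is stale until reassigned below; keep this under lock_sock() */`. do_tcp_setsockopt() starts and ends outside the hunks.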