--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jul 22 00:35:55 2005
+Date: Fri, 22 Jul 2005 09:35:43 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: "David S. Miller" <davem@davemloft.net>
+Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>,
+ stable@kernel.org
+Subject: [PATCH][NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
+
+[NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
+
+The portptr pointing to the port in the conntrack tuple is declared static,
+which could result in memory corruption when two packets of the same
+protocol are NATed at the same time and one conntrack goes away.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ net/ipv4/netfilter/ip_nat_proto_tcp.c | 3 ++-
+ net/ipv4/netfilter/ip_nat_proto_udp.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.12.y/net/ipv4/netfilter/ip_nat_proto_tcp.c
+===================================================================
+--- linux-2.6.12.y.orig/net/ipv4/netfilter/ip_nat_proto_tcp.c
++++ linux-2.6.12.y/net/ipv4/netfilter/ip_nat_proto_tcp.c
+@@ -40,7 +40,8 @@ tcp_unique_tuple(struct ip_conntrack_tup
+ enum ip_nat_manip_type maniptype,
+ const struct ip_conntrack *conntrack)
+ {
+- static u_int16_t port, *portptr;
++ static u_int16_t port;
++ u_int16_t *portptr;
+ unsigned int range_size, min, i;
+
+ if (maniptype == IP_NAT_MANIP_SRC)
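Review bot: `port` is left `static` in tcp_unique_tuple() (and identically in the udp_unique_tuple() hunk of this patch), so concurrent callers still share and update it with no synchronisation visible in the hunk. If that is intentional, the declaration should say so, for example `/* shared across calls on purpose: only a search hint, races are harmless */` above `static u_int16_t port;`. It looks like a rolling starting offset where a lost update only changes which port is tried first, but that is inferred. Both function bodies continue outside the hunks, so how `port` is read and written has to be confirmed there.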
+Index: linux-2.6.12.y/net/ipv4/netfilter/ip_nat_proto_udp.c
+===================================================================
+--- linux-2.6.12.y.orig/net/ipv4/netfilter/ip_nat_proto_udp.c
++++ linux-2.6.12.y/net/ipv4/netfilter/ip_nat_proto_udp.c
+@@ -41,7 +41,8 @@ udp_unique_tuple(struct ip_conntrack_tup
+ enum ip_nat_manip_type maniptype,
+ const struct ip_conntrack *conntrack)
+ {
+- static u_int16_t port, *portptr;
++ static u_int16_t port;
++ u_int16_t *portptr;
+ unsigned int range_size, min, i;
+
+ if (maniptype == IP_NAT_MANIP_SRC)
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jul 22 00:35:49 2005
+Date: Fri, 22 Jul 2005 09:35:34 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: "David S. Miller" <davem@davemloft.net>
+Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>,
+ stable@kernel.org
+Subject: [PATCH] [NETFILTER]: Fix deadlock in ip6_queue
+
+[NETFILTER]: Fix deadlock in ip6_queue
+
+Already fixed in ip_queue, ip6_queue was missed.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ net/ipv6/netfilter/ip6_queue.c | 2 ++
+ 1 files changed, 2 insertions(+)
+
+Index: linux-2.6.12.y/net/ipv6/netfilter/ip6_queue.c
+===================================================================
+--- linux-2.6.12.y.orig/net/ipv6/netfilter/ip6_queue.c
++++ linux-2.6.12.y/net/ipv6/netfilter/ip6_queue.c
+@@ -76,7 +76,9 @@ static DECLARE_MUTEX(ipqnl_sem);
+ static void
+ ipq_issue_verdict(struct ipq_queue_entry *entry, int verdict)
+ {
++ local_bh_disable();
+ nf_reinject(entry->skb, entry->info, verdict);
++ local_bh_enable();
+ kfree(entry);
+ }
+
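Review bot: The `local_bh_disable()` / `local_bh_enable()` pair added around `nf_reinject()` in ipq_issue_verdict() has no comment, and the description names neither the lock involved nor the context in which the deadlock occurs. A short comment would keep a later cleanup from dropping the pair, for example `/* keep BHs off across reinject, see the matching fix in ip_queue */`. If the reason is that this function runs in process context while the reinject path takes locks also used from softirq, say that explicitly. That reason is inferred from the ip_queue reference and should be confirmed.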
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jul 22 00:35:58 2005
+Date: Fri, 22 Jul 2005 09:35:51 +0200
+From: Patrick McHardy <kaber@trash.net>
+User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050602)
+To: "David S. Miller" <davem@davemloft.net>
+Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>,
+ stable@kernel.org
+Subject: [PATCH][NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload
+
+[NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload
+
+Fixes a crash when unloading ip_conntrack.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ net/ipv4/netfilter/ip_conntrack_core.c | 3 +++
+ 1 files changed, 3 insertions(+)
+
+Index: linux-2.6.12.y/net/ipv4/netfilter/ip_conntrack_core.c
+===================================================================
+--- linux-2.6.12.y.orig/net/ipv4/netfilter/ip_conntrack_core.c
++++ linux-2.6.12.y/net/ipv4/netfilter/ip_conntrack_core.c
+@@ -1124,6 +1124,9 @@ void ip_conntrack_cleanup(void)
+ schedule();
+ goto i_see_dead_people;
+ }
++ /* wait until all references to ip_conntrack_untracked are dropped */
++ while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1)
++ schedule();
+
+ kmem_cache_destroy(ip_conntrack_cachep);
+ kmem_cache_destroy(ip_conntrack_expect_cachep);
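Review bot: The added loop `while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1) schedule();` waits without bound, so a single leaked reference makes the unload spin forever. Nothing in the hunk shows that new references can no longer be taken once the count has dropped to 1. If earlier teardown steps in ip_conntrack_cleanup() already guarantee that, the comment should state the precondition, for example `/* no new references possible here; wait for the remaining holders to drop theirs */`. The function starts and ends outside the hunk, so this cannot be checked here. If they do not, a reference taken after the check would presumably outlive the object it points to, which is the crash this patch is meant to prevent.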
rocket_c-fix-ldisc-ref-count.patch
x86_64-32bit-memleak.patch
skb-signedness-fix.patch
+netfilter-deadlock-ip6_queue.patch
+netfilter-NAT-memory-corruption.patch
+netfilter-ip_conntrack_untracked-refcount.patch