--- /dev/null
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:26 2007
+From: Pavel Emelyanov <xemul@openvz.org>
+Date: Tue, 11 Dec 2007 09:39:30 +0800
+Subject: BRIDGE: Lost call to br_fdb_fini() in br_init() error path
+To: stable@kernel.org, bunk@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5q-0002KP-00@gondolin.me.apana.org.au>
+
+
+From: Pavel Emelyanov <xemul@openvz.org>
+
+[BRIDGE]: Lost call to br_fdb_fini() in br_init() error path
+
+[ Upstream commit: 17efdd45755c0eb8d1418a1368ef7c7ebbe98c6e ]
+
+In case the br_netfilter_init() (or any subsequent call)
+fails, the br_fdb_fini() must be called to free the allocated
+in br_fdb_init() br_fdb_cache kmem cache.
+
+Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/br.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br.c
++++ b/net/bridge/br.c
+@@ -39,7 +39,7 @@ static int __init br_init(void)
+
+ err = br_fdb_init();
+ if (err)
+- goto err_out1;
++ goto err_out;
+
+ err = br_netfilter_init();
+ if (err)
+@@ -65,6 +65,8 @@ err_out3:
+ err_out2:
+ br_netfilter_fini();
+ err_out1:
++ br_fdb_fini();
++err_out:
+ llc_sap_put(br_stp_sap);
+ return err;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:29 2007
+From: Pavel Emelyanov <xemul@openvz.org>
+Date: Tue, 11 Dec 2007 09:39:32 +0800
+Subject: DECNET: dn_nl_deladdr() almost always returns no error
+To: stable@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5s-0002Kj-00@gondolin.me.apana.org.au>
+
+
+From: Pavel Emelyanov <xemul@openvz.org>
+
+[DECNET]: dn_nl_deladdr() almost always returns no error
+
+[ Upstream commit: 3ccd86241b277249d5ac08e91eddfade47184520 ]
+
+As far as I see from the err variable initialization
+the dn_nl_deladdr() routine was designed to report errors
+like "EADDRNOTAVAIL" and probaby "ENODEV".
+
+But the code sets this err to 0 after the first nlmsg_parse
+and goes on, returning this 0 in any case.
+
+Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
+Acked-by: Steven Whitehouse <swhiteho@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/decnet/dn_dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/decnet/dn_dev.c
++++ b/net/decnet/dn_dev.c
+@@ -651,16 +651,18 @@ static int dn_nl_deladdr(struct sk_buff
+ struct dn_dev *dn_db;
+ struct ifaddrmsg *ifm;
+ struct dn_ifaddr *ifa, **ifap;
+- int err = -EADDRNOTAVAIL;
++ int err;
+
+ err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, dn_ifa_policy);
+ if (err < 0)
+ goto errout;
+
++ err = -ENODEV;
+ ifm = nlmsg_data(nlh);
+ if ((dn_db = dn_dev_by_index(ifm->ifa_index)) == NULL)
+ goto errout;
+
++ err = -EADDRNOTAVAIL;
+ for (ifap = &dn_db->ifa_list; (ifa = *ifap); ifap = &ifa->ifa_next) {
+ if (tb[IFA_LOCAL] &&
+ nla_memcmp(tb[IFA_LOCAL], &ifa->ifa_local, 2))
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:29 2007
+From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+Date: Tue, 11 Dec 2007 09:39:34 +0800
+Subject: IPV6: Restore IPv6 when MTU is big enough
+To: stable@kernel.org, bunk@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5u-0002Kq-00@gondolin.me.apana.org.au>
+
+
+From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+
+[IPV6]: Restore IPv6 when MTU is big enough
+
+[ Upstream commit: d31c7b8fa303eb81311f27b80595b8d2cbeef950 ]
+
+Avaid provided test application, so bug got fixed.
+
+IPv6 addrconf removes ipv6 inner device from netdev each time cmu
+changes and new value is less than IPV6_MIN_MTU (1280 bytes).
+When mtu is changed and new value is greater than IPV6_MIN_MTU,
+it does not add ipv6 addresses and inner device bac.
+
+This patch fixes that.
+
+Tested with Avaid's application, which works ok now.
+
+Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/addrconf.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2285,6 +2285,9 @@ static int addrconf_notify(struct notifi
+ break;
+ }
+
++ if (!idev && dev->mtu >= IPV6_MIN_MTU)
++ idev = ipv6_add_dev(dev);
++
+ if (idev)
+ idev->if_flags |= IF_READY;
+ } else {
+@@ -2349,12 +2352,18 @@ static int addrconf_notify(struct notifi
+ break;
+
+ case NETDEV_CHANGEMTU:
+- if ( idev && dev->mtu >= IPV6_MIN_MTU) {
++ if (idev && dev->mtu >= IPV6_MIN_MTU) {
+ rt6_mtu_change(dev, dev->mtu);
+ idev->cnf.mtu6 = dev->mtu;
+ break;
+ }
+
++ if (!idev && dev->mtu >= IPV6_MIN_MTU) {
++ idev = ipv6_add_dev(dev);
++ if (idev)
++ break;
++ }
++
+ /* MTU falled under IPV6_MIN_MTU. Stop IPv6 on this interface. */
+
+ case NETDEV_DOWN:
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:26 2007
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 11 Dec 2007 09:39:36 +0800
+Subject: RXRPC: Add missing select on CRYPTO
+To: stable@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5w-0002L4-00@gondolin.me.apana.org.au>
+
+
+From: David Howells <dhowells@redhat.com>
+
+[RXRPC]: Add missing select on CRYPTO
+
+[ Upstream commit: d5a784b3719ae364f49ecff12a0248f6e4252720 ]
+
+AF_RXRPC uses the crypto services, so should depend on or select CRYPTO.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rxrpc/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rxrpc/Kconfig
++++ b/net/rxrpc/Kconfig
+@@ -5,6 +5,7 @@
+ config AF_RXRPC
+ tristate "RxRPC session sockets"
+ depends on INET && EXPERIMENTAL
++ select CRYPTO
+ select KEYS
+ help
+ Say Y or M here to include support for RxRPC session sockets (just
ipv4-remove-bogus-ifdef-mess-in-arp_process.patch
crypto-api-fix-potential-race-in-crypto_remove_spawn.patch
atm-initialize-lock-and-tasklet-earlier.patch
+unix-eof-on-non-blocking-sock_seqpacket.patch
+textsearch-do-not-allow-zero-length-patterns-in-the-textsearch-infrastructure.patch
+tcp-illinois-incorrect-beta-usage.patch
+rxrpc-add-missing-select-on-crypto.patch
+ipv6-restore-ipv6-when-mtu-is-big-enough.patch
+decnet-dn_nl_deladdr-almost-always-returns-no-error.patch
+bridge-lost-call-to-br_fdb_fini-in-br_init-error-path.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:29 2007
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+Date: Tue, 11 Dec 2007 09:39:37 +0800
+Subject: TCP: illinois: Incorrect beta usage
+To: stable@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5x-0002LB-00@gondolin.me.apana.org.au>
+
+
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+
+[TCP] illinois: Incorrect beta usage
+
+[ Upstream commit: a357dde9df33f28611e6a3d4f88265e39bcc8880 ]
+
+Lachlan Andrew observed that my TCP-Illinois implementation uses the
+beta value incorrectly:
+The parameter beta in the paper specifies the amount to decrease
+*by*: that is, on loss,
+ W <- W - beta*W
+but in tcp_illinois_ssthresh() uses beta as the amount
+to decrease *to*: W <- beta*W
+
+This bug makes the Linux TCP-Illinois get less-aggressive on uncongested network,
+hurting performance. Note: since the base beta value is .5, it has no
+impact on a congested network.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp_illinois.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_illinois.c
++++ b/net/ipv4/tcp_illinois.c
+@@ -300,7 +300,7 @@ static u32 tcp_illinois_ssthresh(struct
+ struct illinois *ca = inet_csk_ca(sk);
+
+ /* Multiplicative decrease */
+- return max((tp->snd_cwnd * ca->beta) >> BETA_SHIFT, 2U);
++ return max(tp->snd_cwnd - ((tp->snd_cwnd * ca->beta) >> BETA_SHIFT), 2U);
+ }
+
+
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:26 2007
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 11 Dec 2007 09:39:38 +0800
+Subject: TEXTSEARCH: Do not allow zero length patterns in the textsearch infrastructure
+To: stable@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5y-0002LJ-00@gondolin.me.apana.org.au>
+
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[TEXTSEARCH]: Do not allow zero length patterns in the textsearch infrastructure
+
+[ Upstream commit: e03ba84adb62fbc6049325a5bc00ef6932fa5e39 ]
+
+If a zero length pattern is passed then return EINVAL.
+Avoids infinite loops (bm) or invalid memory accesses (kmp).
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ lib/textsearch.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/lib/textsearch.c
++++ b/lib/textsearch.c
+@@ -7,7 +7,7 @@
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Authors: Thomas Graf <tgraf@suug.ch>
+- * Pablo Neira Ayuso <pablo@eurodev.net>
++ * Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * ==========================================================================
+ *
+@@ -250,7 +250,8 @@ unsigned int textsearch_find_continuous(
+ * the various search algorithms.
+ *
+ * Returns a new textsearch configuration according to the specified
+- * parameters or a ERR_PTR().
++ * parameters or a ERR_PTR(). If a zero length pattern is passed, this
++ * function returns EINVAL.
+ */
+ struct ts_config *textsearch_prepare(const char *algo, const void *pattern,
+ unsigned int len, gfp_t gfp_mask, int flags)
+@@ -259,6 +260,9 @@ struct ts_config *textsearch_prepare(con
+ struct ts_config *conf;
+ struct ts_ops *ops;
+
++ if (len == 0)
++ return ERR_PTR(-EINVAL);
++
+ ops = lookup_ts_algo(algo);
+ #ifdef CONFIG_KMOD
+ /*
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:35 2007
+From: Florian Zumbiehl <florz@florz.de>
+Date: Tue, 11 Dec 2007 09:39:39 +0800
+Subject: UNIX: EOF on non-blocking SOCK_SEQPACKET
+To: stable@kernel.org, bunk@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5z-0002LQ-00@gondolin.me.apana.org.au>
+
+
+From: Florian Zumbiehl <florz@florz.de>
+
+[UNIX]: EOF on non-blocking SOCK_SEQPACKET
+
+[ Upstream commit: 0a11225887fe6cbccd882404dc36ddc50f47daf9 ]
+
+I am not absolutely sure whether this actually is a bug (as in: I've got
+no clue what the standards say or what other implementations do), but at
+least I was pretty surprised when I noticed that a recv() on a
+non-blocking unix domain socket of type SOCK_SEQPACKET (which is connection
+oriented, after all) where the remote end has closed the connection
+returned -1 (EAGAIN) rather than 0 to indicate end of file.
+
+This is a test case:
+
+| #include <sys/types.h>
+| #include <unistd.h>
+| #include <sys/socket.h>
+| #include <sys/un.h>
+| #include <fcntl.h>
+| #include <string.h>
+| #include <stdlib.h>
+|
+| int main(){
+| int sock;
+| struct sockaddr_un addr;
+| char buf[4096];
+| int pfds[2];
+|
+| pipe(pfds);
+| sock=socket(PF_UNIX,SOCK_SEQPACKET,0);
+| addr.sun_family=AF_UNIX;
+| strcpy(addr.sun_path,"/tmp/foobar_testsock");
+| bind(sock,(struct sockaddr *)&addr,sizeof(addr));
+| listen(sock,1);
+| if(fork()){
+| close(sock);
+| sock=socket(PF_UNIX,SOCK_SEQPACKET,0);
+| connect(sock,(struct sockaddr *)&addr,sizeof(addr));
+| fcntl(sock,F_SETFL,fcntl(sock,F_GETFL)|O_NONBLOCK);
+| close(pfds[1]);
+| read(pfds[0],buf,sizeof(buf));
+| recv(sock,buf,sizeof(buf),0); // <-- this one
+| }else accept(sock,NULL,NULL);
+| exit(0);
+| }
+
+If you try it, make sure /tmp/foobar_testsock doesn't exist.
+
+The marked recv() returns -1 (EAGAIN) on 2.6.23.9. Below you find a
+patch that fixes that.
+
+Signed-off-by: Florian Zumbiehl <florz@florz.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/unix/af_unix.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1608,8 +1608,15 @@ static int unix_dgram_recvmsg(struct kio
+ mutex_lock(&u->readlock);
+
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+- if (!skb)
++ if (!skb) {
++ unix_state_lock(sk);
++ /* Signal EOF on disconnected non-blocking SEQPACKET socket. */
++ if (sk->sk_type == SOCK_SEQPACKET && err == -EAGAIN &&
++ (sk->sk_shutdown & RCV_SHUTDOWN))
++ err = 0;
++ unix_state_unlock(sk);
+ goto out_unlock;
++ }
+
+ wake_up_interruptible(&u->peer_wait);
+