2.6.22 network patches

diff --git a/queue-2.6.22/bridge-lost-call-to-br_fdb_fini-in-br_init-error-path.patch b/queue-2.6.22/bridge-lost-call-to-br_fdb_fini-in-br_init-error-path.patch
new file mode 100644 (file)
index 0000000..71f2ebc
--- /dev/null
+++ b/queue-2.6.22/bridge-lost-call-to-br_fdb_fini-in-br_init-error-path.patch
@@ -0,0 +1,46 @@
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:26 2007
+From: Pavel Emelyanov <xemul@openvz.org>
+Date: Tue, 11 Dec 2007 09:39:30 +0800
+Subject: BRIDGE: Lost call to br_fdb_fini() in br_init() error path
+To: stable@kernel.org, bunk@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5q-0002KP-00@gondolin.me.apana.org.au>
+
+
+From: Pavel Emelyanov <xemul@openvz.org>
+
+[BRIDGE]: Lost call to br_fdb_fini() in br_init() error path
+
+[ Upstream commit: 17efdd45755c0eb8d1418a1368ef7c7ebbe98c6e ]
+ 
+In case the br_netfilter_init() (or any subsequent call)
+fails, the br_fdb_fini() must be called to free the allocated
+in br_fdb_init() br_fdb_cache kmem cache.
+
+Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/br.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br.c
++++ b/net/bridge/br.c
+@@ -39,7 +39,7 @@ static int __init br_init(void)
+ 
+       err = br_fdb_init();
+       if (err)
+-              goto err_out1;
++              goto err_out;
+ 
+       err = br_netfilter_init();
+       if (err)
+@@ -65,6 +65,8 @@ err_out3:
+ err_out2:
+       br_netfilter_fini();
+ err_out1:
++      br_fdb_fini();
++err_out:
+       llc_sap_put(br_stp_sap);
+       return err;
+ }

diff --git a/queue-2.6.22/decnet-dn_nl_deladdr-almost-always-returns-no-error.patch b/queue-2.6.22/decnet-dn_nl_deladdr-almost-always-returns-no-error.patch
new file mode 100644 (file)
index 0000000..2cb9689
--- /dev/null
+++ b/queue-2.6.22/decnet-dn_nl_deladdr-almost-always-returns-no-error.patch
@@ -0,0 +1,52 @@
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:29 2007
+From: Pavel Emelyanov <xemul@openvz.org>
+Date: Tue, 11 Dec 2007 09:39:32 +0800
+Subject: DECNET: dn_nl_deladdr() almost always returns no error
+To: stable@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5s-0002Kj-00@gondolin.me.apana.org.au>
+
+
+From: Pavel Emelyanov <xemul@openvz.org>
+
+[DECNET]: dn_nl_deladdr() almost always returns no error
+
+[ Upstream commit: 3ccd86241b277249d5ac08e91eddfade47184520 ]
+
+As far as I see from the err variable initialization
+the dn_nl_deladdr() routine was designed to report errors
+like "EADDRNOTAVAIL" and probaby "ENODEV".
+
+But the code sets this err to 0 after the first nlmsg_parse
+and goes on, returning this 0 in any case.
+
+Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
+Acked-by: Steven Whitehouse <swhiteho@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/decnet/dn_dev.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/decnet/dn_dev.c
++++ b/net/decnet/dn_dev.c
+@@ -651,16 +651,18 @@ static int dn_nl_deladdr(struct sk_buff 
+       struct dn_dev *dn_db;
+       struct ifaddrmsg *ifm;
+       struct dn_ifaddr *ifa, **ifap;
+-      int err = -EADDRNOTAVAIL;
++      int err;
+ 
+       err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, dn_ifa_policy);
+       if (err < 0)
+               goto errout;
+ 
++      err = -ENODEV;
+       ifm = nlmsg_data(nlh);
+       if ((dn_db = dn_dev_by_index(ifm->ifa_index)) == NULL)
+               goto errout;
+ 
++      err = -EADDRNOTAVAIL;
+       for (ifap = &dn_db->ifa_list; (ifa = *ifap); ifap = &ifa->ifa_next) {
+               if (tb[IFA_LOCAL] &&
+                   nla_memcmp(tb[IFA_LOCAL], &ifa->ifa_local, 2))

diff --git a/queue-2.6.22/ipv6-restore-ipv6-when-mtu-is-big-enough.patch b/queue-2.6.22/ipv6-restore-ipv6-when-mtu-is-big-enough.patch
new file mode 100644 (file)
index 0000000..ffe8381
--- /dev/null
+++ b/queue-2.6.22/ipv6-restore-ipv6-when-mtu-is-big-enough.patch
@@ -0,0 +1,65 @@
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:29 2007
+From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+Date: Tue, 11 Dec 2007 09:39:34 +0800
+Subject: IPV6: Restore IPv6 when MTU is big enough
+To: stable@kernel.org, bunk@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5u-0002Kq-00@gondolin.me.apana.org.au>
+
+
+From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+
+[IPV6]: Restore IPv6 when MTU is big enough
+
+[ Upstream commit: d31c7b8fa303eb81311f27b80595b8d2cbeef950 ]
+
+Avaid provided test application, so bug got fixed.
+
+IPv6 addrconf removes ipv6 inner device from netdev each time cmu
+changes and new value is less than IPV6_MIN_MTU (1280 bytes).
+When mtu is changed and new value is greater than IPV6_MIN_MTU,
+it does not add ipv6 addresses and inner device bac.
+
+This patch fixes that.
+
+Tested with Avaid's application, which works ok now.
+
+Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/addrconf.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2285,6 +2285,9 @@ static int addrconf_notify(struct notifi
+                               break;
+                       }
+ 
++                      if (!idev && dev->mtu >= IPV6_MIN_MTU)
++                              idev = ipv6_add_dev(dev);
++
+                       if (idev)
+                               idev->if_flags |= IF_READY;
+               } else {
+@@ -2349,12 +2352,18 @@ static int addrconf_notify(struct notifi
+               break;
+ 
+       case NETDEV_CHANGEMTU:
+-              if ( idev && dev->mtu >= IPV6_MIN_MTU) {
++              if (idev && dev->mtu >= IPV6_MIN_MTU) {
+                       rt6_mtu_change(dev, dev->mtu);
+                       idev->cnf.mtu6 = dev->mtu;
+                       break;
+               }
+ 
++              if (!idev && dev->mtu >= IPV6_MIN_MTU) {
++                      idev = ipv6_add_dev(dev);
++                      if (idev)
++                              break;
++              }
++
+               /* MTU falled under IPV6_MIN_MTU. Stop IPv6 on this interface. */
+ 
+       case NETDEV_DOWN:

diff --git a/queue-2.6.22/rxrpc-add-missing-select-on-crypto.patch b/queue-2.6.22/rxrpc-add-missing-select-on-crypto.patch
new file mode 100644 (file)
index 0000000..9e5546e
--- /dev/null
+++ b/queue-2.6.22/rxrpc-add-missing-select-on-crypto.patch
@@ -0,0 +1,34 @@
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:26 2007
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 11 Dec 2007 09:39:36 +0800
+Subject: RXRPC: Add missing select on CRYPTO
+To: stable@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5w-0002L4-00@gondolin.me.apana.org.au>
+
+
+From: David Howells <dhowells@redhat.com>
+
+[RXRPC]: Add missing select on CRYPTO
+
+[ Upstream commit: d5a784b3719ae364f49ecff12a0248f6e4252720 ]
+
+AF_RXRPC uses the crypto services, so should depend on or select CRYPTO.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rxrpc/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rxrpc/Kconfig
++++ b/net/rxrpc/Kconfig
+@@ -5,6 +5,7 @@
+ config AF_RXRPC
+       tristate "RxRPC session sockets"
+       depends on INET && EXPERIMENTAL
++      select CRYPTO
+       select KEYS
+       help
+         Say Y or M here to include support for RxRPC session sockets (just

diff --git a/queue-2.6.22/series b/queue-2.6.22/series
index a8af781031a731ea0dd96792f37a7fe6a7964182..e4014d260d94f31103c13945cd761fdf98e71530 100644 (file)
--- a/queue-2.6.22/series
+++ b/queue-2.6.22/series
@@ -20,3 +20,10 @@ net-corrects-a-bug-in-ip_rt_acct_read.patch
 ipv4-remove-bogus-ifdef-mess-in-arp_process.patch
 crypto-api-fix-potential-race-in-crypto_remove_spawn.patch
 atm-initialize-lock-and-tasklet-earlier.patch
+unix-eof-on-non-blocking-sock_seqpacket.patch
+textsearch-do-not-allow-zero-length-patterns-in-the-textsearch-infrastructure.patch
+tcp-illinois-incorrect-beta-usage.patch
+rxrpc-add-missing-select-on-crypto.patch
+ipv6-restore-ipv6-when-mtu-is-big-enough.patch
+decnet-dn_nl_deladdr-almost-always-returns-no-error.patch
+bridge-lost-call-to-br_fdb_fini-in-br_init-error-path.patch

diff --git a/queue-2.6.22/tcp-illinois-incorrect-beta-usage.patch b/queue-2.6.22/tcp-illinois-incorrect-beta-usage.patch
new file mode 100644 (file)
index 0000000..15366c5
--- /dev/null
+++ b/queue-2.6.22/tcp-illinois-incorrect-beta-usage.patch
@@ -0,0 +1,45 @@
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:29 2007
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+Date: Tue, 11 Dec 2007 09:39:37 +0800
+Subject: TCP: illinois: Incorrect beta usage
+To: stable@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5x-0002LB-00@gondolin.me.apana.org.au>
+
+
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+
+[TCP] illinois: Incorrect beta usage
+
+[ Upstream commit: a357dde9df33f28611e6a3d4f88265e39bcc8880 ]
+
+Lachlan Andrew observed that my TCP-Illinois implementation uses the
+beta value incorrectly:
+The parameter  beta  in the paper specifies the amount to decrease
+*by*:  that is, on loss,
+ W <-  W -  beta*W
+but in   tcp_illinois_ssthresh() uses  beta  as the amount
+to decrease  *to*: W <- beta*W
+
+This bug makes the Linux TCP-Illinois get less-aggressive on uncongested network,
+hurting performance. Note: since the base beta value is .5, it has no
+impact on a congested network.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp_illinois.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_illinois.c
++++ b/net/ipv4/tcp_illinois.c
+@@ -300,7 +300,7 @@ static u32 tcp_illinois_ssthresh(struct 
+       struct illinois *ca = inet_csk_ca(sk);
+ 
+       /* Multiplicative decrease */
+-      return max((tp->snd_cwnd * ca->beta) >> BETA_SHIFT, 2U);
++      return max(tp->snd_cwnd - ((tp->snd_cwnd * ca->beta) >> BETA_SHIFT), 2U);
+ }
+ 
+ 

diff --git a/queue-2.6.22/textsearch-do-not-allow-zero-length-patterns-in-the-textsearch-infrastructure.patch b/queue-2.6.22/textsearch-do-not-allow-zero-length-patterns-in-the-textsearch-infrastructure.patch
new file mode 100644 (file)
index 0000000..23c04d3
--- /dev/null
+++ b/queue-2.6.22/textsearch-do-not-allow-zero-length-patterns-in-the-textsearch-infrastructure.patch
@@ -0,0 +1,57 @@
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:26 2007
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 11 Dec 2007 09:39:38 +0800
+Subject: TEXTSEARCH: Do not allow zero length patterns in the textsearch infrastructure
+To: stable@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5y-0002LJ-00@gondolin.me.apana.org.au>
+
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[TEXTSEARCH]: Do not allow zero length patterns in the textsearch infrastructure
+
+[ Upstream commit: e03ba84adb62fbc6049325a5bc00ef6932fa5e39 ]
+
+If a zero length pattern is passed then return EINVAL.
+Avoids infinite loops (bm) or invalid memory accesses (kmp).
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ lib/textsearch.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/lib/textsearch.c
++++ b/lib/textsearch.c
+@@ -7,7 +7,7 @@
+  *            2 of the License, or (at your option) any later version.
+  *
+  * Authors:   Thomas Graf <tgraf@suug.ch>
+- *            Pablo Neira Ayuso <pablo@eurodev.net>
++ *            Pablo Neira Ayuso <pablo@netfilter.org>
+  *
+  * ==========================================================================
+  *
+@@ -250,7 +250,8 @@ unsigned int textsearch_find_continuous(
+  *       the various search algorithms.
+  *
+  * Returns a new textsearch configuration according to the specified
+- *         parameters or a ERR_PTR().
++ * parameters or a ERR_PTR(). If a zero length pattern is passed, this
++ * function returns EINVAL.
+  */
+ struct ts_config *textsearch_prepare(const char *algo, const void *pattern,
+                                    unsigned int len, gfp_t gfp_mask, int flags)
+@@ -259,6 +260,9 @@ struct ts_config *textsearch_prepare(con
+       struct ts_config *conf;
+       struct ts_ops *ops;
+       
++      if (len == 0)
++              return ERR_PTR(-EINVAL);
++
+       ops = lookup_ts_algo(algo);
+ #ifdef CONFIG_KMOD
+       /*

diff --git a/queue-2.6.22/unix-eof-on-non-blocking-sock_seqpacket.patch b/queue-2.6.22/unix-eof-on-non-blocking-sock_seqpacket.patch
new file mode 100644 (file)
index 0000000..f991da5
--- /dev/null
+++ b/queue-2.6.22/unix-eof-on-non-blocking-sock_seqpacket.patch
@@ -0,0 +1,87 @@
+From stable-bounces@linux.kernel.org Mon Dec 10 20:32:35 2007
+From: Florian Zumbiehl <florz@florz.de>
+Date: Tue, 11 Dec 2007 09:39:39 +0800
+Subject: UNIX: EOF on non-blocking SOCK_SEQPACKET
+To: stable@kernel.org, bunk@kernel.org, <davem@davemloft.net>
+Message-ID: <E1J1u5z-0002LQ-00@gondolin.me.apana.org.au>
+
+
+From: Florian Zumbiehl <florz@florz.de>
+
+[UNIX]: EOF on non-blocking SOCK_SEQPACKET
+
+[ Upstream commit: 0a11225887fe6cbccd882404dc36ddc50f47daf9 ]
+
+I am not absolutely sure whether this actually is a bug (as in: I've got
+no clue what the standards say or what other implementations do), but at
+least I was pretty surprised when I noticed that a recv() on a
+non-blocking unix domain socket of type SOCK_SEQPACKET (which is connection
+oriented, after all) where the remote end has closed the connection
+returned -1 (EAGAIN) rather than 0 to indicate end of file.
+
+This is a test case:
+
+| #include <sys/types.h>
+| #include <unistd.h>
+| #include <sys/socket.h>
+| #include <sys/un.h>
+| #include <fcntl.h>
+| #include <string.h>
+| #include <stdlib.h>
+|
+| int main(){
+|      int sock;
+|      struct sockaddr_un addr;
+|      char buf[4096];
+|      int pfds[2];
+|
+|      pipe(pfds);
+|      sock=socket(PF_UNIX,SOCK_SEQPACKET,0);
+|      addr.sun_family=AF_UNIX;
+|      strcpy(addr.sun_path,"/tmp/foobar_testsock");
+|      bind(sock,(struct sockaddr *)&addr,sizeof(addr));
+|      listen(sock,1);
+|      if(fork()){
+|              close(sock);
+|              sock=socket(PF_UNIX,SOCK_SEQPACKET,0);
+|              connect(sock,(struct sockaddr *)&addr,sizeof(addr));
+|              fcntl(sock,F_SETFL,fcntl(sock,F_GETFL)|O_NONBLOCK);
+|              close(pfds[1]);
+|              read(pfds[0],buf,sizeof(buf));
+|              recv(sock,buf,sizeof(buf),0); // <-- this one
+|      }else accept(sock,NULL,NULL);
+|      exit(0);
+| }
+
+If you try it, make sure /tmp/foobar_testsock doesn't exist.
+
+The marked recv() returns -1 (EAGAIN) on 2.6.23.9. Below you find a
+patch that fixes that.
+
+Signed-off-by: Florian Zumbiehl <florz@florz.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/unix/af_unix.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1608,8 +1608,15 @@ static int unix_dgram_recvmsg(struct kio
+       mutex_lock(&u->readlock);
+ 
+       skb = skb_recv_datagram(sk, flags, noblock, &err);
+-      if (!skb)
++      if (!skb) {
++              unix_state_lock(sk);
++              /* Signal EOF on disconnected non-blocking SEQPACKET socket. */
++              if (sk->sk_type == SOCK_SEQPACKET && err == -EAGAIN &&
++                  (sk->sk_shutdown & RCV_SHUTDOWN))
++                      err = 0;
++              unix_state_unlock(sk);
+               goto out_unlock;
++      }
+ 
+       wake_up_interruptible(&u->peer_wait);
+