--- /dev/null
+From 0209f24554a4be5dcfacb9587c2c6b12da61e4f1 Mon Sep 17 00:00:00 2001
+From: Andrea Shepard <andrea@persephoneslair.org>
+Date: Sun, 19 Oct 2008 23:33:03 -0700
+Subject: sparc64: Fix race in arch/sparc64/kernel/trampoline.S
+
+From: Andrea Shepard <andrea@persephoneslair.org>
+
+[ Upstream commit e0037df3852b4b60edbe01f70f4968e4a9fdb272 ]
+
+Make arch/sparc64/kernel/trampoline.S in 2.6.27.1 lock prom_entry_lock
+when calling the PROM. This prevents a race condition that I observed
+causing a hang on startup on a 12-CPU E4500.
+
+I am not subscribed to this list, so please CC me on replies.
+
+Signed-off-by: Andrea Shepard <andrea@persephoneslair.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/trampoline.S | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/arch/sparc64/kernel/trampoline.S
++++ b/arch/sparc64/kernel/trampoline.S
+@@ -328,6 +328,12 @@ after_lock_tlb:
+
+ wrpr %g0, 0, %wstate
+
++ sethi %hi(prom_entry_lock), %g2
++1: ldstub [%g2 + %lo(prom_entry_lock)], %g1
++ membar #StoreLoad | #StoreStore
++ brnz,pn %g1, 1b
++ nop
++
+ /* As a hack, put &init_thread_union into %g6.
+ * prom_world() loads from here to restore the %asi
+ * register.
+@@ -337,7 +343,7 @@ after_lock_tlb:
+
+ sethi %hi(is_sun4v), %o0
+ lduw [%o0 + %lo(is_sun4v)], %o0
+- brz,pt %o0, 1f
++ brz,pt %o0, 2f
+ nop
+
+ TRAP_LOAD_TRAP_BLOCK(%g2, %g3)
+@@ -369,10 +375,10 @@ after_lock_tlb:
+ call %o1
+ add %sp, (2047 + 128), %o0
+
+- ba,pt %xcc, 2f
++ ba,pt %xcc, 3f
+ nop
+
+-1: sethi %hi(sparc64_ttable_tl0), %o0
++2: sethi %hi(sparc64_ttable_tl0), %o0
+ set prom_set_trap_table_name, %g2
+ stx %g2, [%sp + 2047 + 128 + 0x00]
+ mov 1, %g2
+@@ -386,7 +392,11 @@ after_lock_tlb:
+ call %o1
+ add %sp, (2047 + 128), %o0
+
+-2: ldx [%l0], %g6
++3: sethi %hi(prom_entry_lock), %g2
++ stb %g0, [%g2 + %lo(prom_entry_lock)]
++ membar #StoreStore | #StoreLoad
++
++ ldx [%l0], %g6
+ ldx [%g6 + TI_TASK], %g4
+
+ mov 1, %g5
--- /dev/null
+From c63ed9c55142da8e64ea092bb2f2fda464798243 Mon Sep 17 00:00:00 2001
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Date: Wed, 8 Oct 2008 14:36:33 -0700
+Subject: tcpv6: fix option space offsets with md5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+
+[ Upstream commit 53b125779fb0b29e5b316bf3dc7d199e6dcea567 ]
+
+More breakage :-), part of timestamps just were previously
+overwritten.
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1130,7 +1130,7 @@ static void tcp_v6_send_ack(struct tcp_t
+ *topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
+ (TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP);
+ *topt++ = htonl(tcp_time_stamp);
+- *topt = htonl(ts);
++ *topt++ = htonl(ts);
+ }
+
+ #ifdef CONFIG_TCP_MD5SIG
--- /dev/null
+From 9db87825d8d1587a5f928c476f499de0bb62fb42 Mon Sep 17 00:00:00 2001
+From: Kumar Gala <galak@kernel.crashing.org>
+Date: Tue, 21 Oct 2008 22:19:00 -0700
+Subject: math-emu: Fix signalling of underflow and inexact while packing result.
+
+From: Kumar Gala <galak@kernel.crashing.org>
+
+[ Upstream commit 930cc144a043ff95e56b6888fa51c618b33f89e7 ]
+
+I'm trying to move the powerpc math-emu code to use the include/math-emu bits.
+
+In doing so I've been using TestFloat to see how good or bad we are
+doing. For the most part the current math-emu code that PPC uses has
+a number of issues that the code in include/math-emu seems to solve
+(plus bugs we've had for ever that no one every realized).
+
+Anyways, I've come across a case that we are flagging underflow and
+inexact because we think we have a denormalized result from a double
+precision divide:
+
+000.FFFFFFFFFFFFF / 3FE.FFFFFFFFFFFFE
+ soft: 001.0000000000000 ..... syst: 001.0000000000000 ...ux
+
+What it looks like is the results out of FP_DIV_D are:
+
+D:
+sign: 0
+mantissa: 01000000 00000000
+exp: -1023 (0)
+
+The problem seems like we aren't normalizing the result and bumping the exp.
+
+Now that I'm digging into this a bit I'm thinking my issue has to do with
+the fix DaveM put in place from back in Aug 2007 (commit
+405849610fd96b4f34cd1875c4c033228fea6c0f):
+
+[MATH-EMU]: Fix underflow exception reporting.
+
+ 2) we ended up rounding back up to normal (this is the case where
+ we set the exponent to 1 and set the fraction to zero), this
+ should set inexact too
+...
+
+ Another example, "0x0.0000000000001p-1022 / 16.0", should signal both
+ inexact and underflow. The cpu implementations and ieee1754
+ literature is very clear about this. This is case #2 above.
+
+Here is the distilled glibc test case from Jakub Jelinek which prompted that
+commit:
+
+--------------------
+#include <float.h>
+#include <fenv.h>
+#include <stdio.h>
+
+volatile double d = DBL_MIN;
+volatile double e = 0x0.0000000000001p-1022;
+volatile double f = 16.0;
+int
+main (void)
+{
+ printf ("%x\n", fetestexcept (FE_UNDERFLOW));
+ d /= f;
+ printf ("%x\n", fetestexcept (FE_UNDERFLOW));
+ e /= f;
+ printf ("%x\n", fetestexcept (FE_UNDERFLOW));
+ return 0;
+}
+--------------------
+
+It looks like the case I have we are exact before rounding, but think it
+looks like the rounding case since it appears as if "overflow is set".
+
+000.FFFFFFFFFFFFF / 3FE.FFFFFFFFFFFFE = 001.0000000000000
+
+I think the following adds the check for my case and still works for the
+issue your commit was trying to resolve.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/math-emu/op-common.h | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/include/math-emu/op-common.h
++++ b/include/math-emu/op-common.h
+@@ -139,18 +139,27 @@ do { \
+ if (X##_e <= _FP_WFRACBITS_##fs) \
+ { \
+ _FP_FRAC_SRS_##wc(X, X##_e, _FP_WFRACBITS_##fs); \
+- _FP_ROUND(wc, X); \
+ if (_FP_FRAC_HIGH_##fs(X) \
+ & (_FP_OVERFLOW_##fs >> 1)) \
+ { \
+ X##_e = 1; \
+ _FP_FRAC_SET_##wc(X, _FP_ZEROFRAC_##wc); \
+- FP_SET_EXCEPTION(FP_EX_INEXACT); \
+ } \
+ else \
+ { \
+- X##_e = 0; \
+- _FP_FRAC_SRL_##wc(X, _FP_WORKBITS); \
++ _FP_ROUND(wc, X); \
++ if (_FP_FRAC_HIGH_##fs(X) \
++ & (_FP_OVERFLOW_##fs >> 1)) \
++ { \
++ X##_e = 1; \
++ _FP_FRAC_SET_##wc(X, _FP_ZEROFRAC_##wc); \
++ FP_SET_EXCEPTION(FP_EX_INEXACT); \
++ } \
++ else \
++ { \
++ X##_e = 0; \
++ _FP_FRAC_SRL_##wc(X, _FP_WORKBITS); \
++ } \
+ } \
+ if ((FP_CUR_EXCEPTIONS & FP_EX_INEXACT) || \
+ (FP_TRAPPING_EXCEPTIONS & FP_EX_UNDERFLOW)) \
--- /dev/null
+From d89246823524e1c6fc7ed42eab149ade32868f1b Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 7 Oct 2008 15:50:03 -0700
+Subject: net: Fix netdev_run_todo dead-lock
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 58ec3b4db9eb5a28e3aec5f407a54e28f7039c19 ]
+
+Benjamin Thery tracked down a bug that explains many instances
+of the error
+
+unregister_netdevice: waiting for %s to become free. Usage count = %d
+
+It turns out that netdev_run_todo can dead-lock with itself if
+a second instance of it is run in a thread that will then free
+a reference to the device waited on by the first instance.
+
+The problem is really quite silly. We were trying to create
+parallelism where none was required. As netdev_run_todo always
+follows a RTNL section, and that todo tasks can only be added
+with the RTNL held, by definition you should only need to wait
+for the very ones that you've added and be done with it.
+
+There is no need for a second mutex or spinlock.
+
+This is exactly what the following patch does.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/dev.c | 27 ++++++---------------------
+ net/core/rtnetlink.c | 2 +-
+ 2 files changed, 7 insertions(+), 22 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3593,14 +3593,11 @@ static int dev_new_index(struct net *net
+ }
+
+ /* Delayed registration/unregisteration */
+-static DEFINE_SPINLOCK(net_todo_list_lock);
+ static LIST_HEAD(net_todo_list);
+
+ static void net_set_todo(struct net_device *dev)
+ {
+- spin_lock(&net_todo_list_lock);
+ list_add_tail(&dev->todo_list, &net_todo_list);
+- spin_unlock(&net_todo_list_lock);
+ }
+
+ static void rollback_registered(struct net_device *dev)
+@@ -3909,33 +3906,24 @@ static void netdev_wait_allrefs(struct n
+ * free_netdev(y1);
+ * free_netdev(y2);
+ *
+- * We are invoked by rtnl_unlock() after it drops the semaphore.
++ * We are invoked by rtnl_unlock().
+ * This allows us to deal with problems:
+ * 1) We can delete sysfs objects which invoke hotplug
+ * without deadlocking with linkwatch via keventd.
+ * 2) Since we run with the RTNL semaphore not held, we can sleep
+ * safely in order to wait for the netdev refcnt to drop to zero.
++ *
++ * We must not return until all unregister events added during
++ * the interval the lock was held have been completed.
+ */
+-static DEFINE_MUTEX(net_todo_run_mutex);
+ void netdev_run_todo(void)
+ {
+ struct list_head list;
+
+- /* Need to guard against multiple cpu's getting out of order. */
+- mutex_lock(&net_todo_run_mutex);
+-
+- /* Not safe to do outside the semaphore. We must not return
+- * until all unregister events invoked by the local processor
+- * have been completed (either by this todo run, or one on
+- * another cpu).
+- */
+- if (list_empty(&net_todo_list))
+- goto out;
+-
+ /* Snapshot list, allow later requests */
+- spin_lock(&net_todo_list_lock);
+ list_replace_init(&net_todo_list, &list);
+- spin_unlock(&net_todo_list_lock);
++
++ __rtnl_unlock();
+
+ while (!list_empty(&list)) {
+ struct net_device *dev
+@@ -3965,9 +3953,6 @@ void netdev_run_todo(void)
+ /* Free network device */
+ kobject_put(&dev->dev.kobj);
+ }
+-
+-out:
+- mutex_unlock(&net_todo_run_mutex);
+ }
+
+ static struct net_device_stats *internal_stats(struct net_device *dev)
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -73,7 +73,7 @@ void __rtnl_unlock(void)
+
+ void rtnl_unlock(void)
+ {
+- mutex_unlock(&rtnl_mutex);
++ /* This fellow will unlock it for us. */
+ netdev_run_todo();
+ }
+
--- /dev/null
+From lenb@kernel.org Fri Nov 7 14:36:23 2008
+From: Julia Jomantaite <julia.jomantaite@gmail.com>
+Date: Mon, 27 Oct 2008 23:50:57 -0400 (EDT)
+Subject: ACPI: video: fix brightness allocation
+To: stable@kernel.org
+Cc: Julia Jomantaite <julia.jomantaite@gmail.com>, linux-acpi@vger.kernel.org, Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, Arjan van de Ven <arjan@infradead.org>
+Message-ID: <alpine.LFD.2.00.0810272345580.21631@localhost.localdomain>
+
+
+From: Julia Jomantaite <julia.jomantaite@gmail.com>
+
+Thanks to Arjan for spotting this for .stable:
+http://www.kerneloops.org/search.php?search=acpi_video_switch_brightness
+
+upstream commit 469778c1740fcf3113498b6fdf4559bdec25c58f
+
+ACPI: video: fix brightness allocation
+
+Fix use of uninitialized device->brightness.
+
+Signed-off-by: Julia Jomantaite <julia.jomantaite@gmail.com>
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Acked-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/video.c | 123 ++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 73 insertions(+), 50 deletions(-)
+
+--- a/drivers/acpi/video.c
++++ b/drivers/acpi/video.c
+@@ -624,6 +624,76 @@ acpi_video_bus_DOS(struct acpi_video_bus
+ * device : video output device (LCD, CRT, ..)
+ *
+ * Return Value:
++ * Maximum brightness level
++ *
++ * Allocate and initialize device->brightness.
++ */
++
++static int
++acpi_video_init_brightness(struct acpi_video_device *device)
++{
++ union acpi_object *obj = NULL;
++ int i, max_level = 0, count = 0;
++ union acpi_object *o;
++ struct acpi_video_device_brightness *br = NULL;
++
++ if (!ACPI_SUCCESS(acpi_video_device_lcd_query_levels(device, &obj))) {
++ ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Could not query available "
++ "LCD brightness level\n"));
++ goto out;
++ }
++
++ if (obj->package.count < 2)
++ goto out;
++
++ br = kzalloc(sizeof(*br), GFP_KERNEL);
++ if (!br) {
++ printk(KERN_ERR "can't allocate memory\n");
++ goto out;
++ }
++
++ br->levels = kmalloc(obj->package.count * sizeof *(br->levels),
++ GFP_KERNEL);
++ if (!br->levels)
++ goto out_free;
++
++ for (i = 0; i < obj->package.count; i++) {
++ o = (union acpi_object *)&obj->package.elements[i];
++ if (o->type != ACPI_TYPE_INTEGER) {
++ printk(KERN_ERR PREFIX "Invalid data\n");
++ continue;
++ }
++ br->levels[count] = (u32) o->integer.value;
++
++ if (br->levels[count] > max_level)
++ max_level = br->levels[count];
++ count++;
++ }
++
++ if (count < 2)
++ goto out_free_levels;
++
++ br->count = count;
++ device->brightness = br;
++ ACPI_DEBUG_PRINT((ACPI_DB_INFO, "found %d brightness levels\n", count));
++ kfree(obj);
++ return max_level;
++
++out_free_levels:
++ kfree(br->levels);
++out_free:
++ kfree(br);
++out:
++ device->brightness = NULL;
++ kfree(obj);
++ return 0;
++}
++
++/*
++ * Arg:
++ * device : video output device (LCD, CRT, ..)
++ *
++ * Return Value:
+ * None
+ *
+ * Find out all required AML methods defined under the output
+@@ -633,10 +703,7 @@ acpi_video_bus_DOS(struct acpi_video_bus
+ static void acpi_video_device_find_cap(struct acpi_video_device *device)
+ {
+ acpi_handle h_dummy1;
+- int i;
+ u32 max_level = 0;
+- union acpi_object *obj = NULL;
+- struct acpi_video_device_brightness *br = NULL;
+
+
+ memset(&device->cap, 0, sizeof(device->cap));
+@@ -665,53 +732,7 @@ static void acpi_video_device_find_cap(s
+ device->cap._DSS = 1;
+ }
+
+- if (ACPI_SUCCESS(acpi_video_device_lcd_query_levels(device, &obj))) {
+-
+- if (obj->package.count >= 2) {
+- int count = 0;
+- union acpi_object *o;
+-
+- br = kzalloc(sizeof(*br), GFP_KERNEL);
+- if (!br) {
+- printk(KERN_ERR "can't allocate memory\n");
+- } else {
+- br->levels = kmalloc(obj->package.count *
+- sizeof *(br->levels), GFP_KERNEL);
+- if (!br->levels)
+- goto out;
+-
+- for (i = 0; i < obj->package.count; i++) {
+- o = (union acpi_object *)&obj->package.
+- elements[i];
+- if (o->type != ACPI_TYPE_INTEGER) {
+- printk(KERN_ERR PREFIX "Invalid data\n");
+- continue;
+- }
+- br->levels[count] = (u32) o->integer.value;
+-
+- if (br->levels[count] > max_level)
+- max_level = br->levels[count];
+- count++;
+- }
+- out:
+- if (count < 2) {
+- kfree(br->levels);
+- kfree(br);
+- } else {
+- br->count = count;
+- device->brightness = br;
+- ACPI_DEBUG_PRINT((ACPI_DB_INFO,
+- "found %d brightness levels\n",
+- count));
+- }
+- }
+- }
+-
+- } else {
+- ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Could not query available LCD brightness level\n"));
+- }
+-
+- kfree(obj);
++ max_level = acpi_video_init_brightness(device);
+
+ if (device->cap._BCL && device->cap._BCM && device->cap._BQC && max_level > 0){
+ int result;
+@@ -1710,6 +1731,8 @@ static void
+ acpi_video_switch_brightness(struct acpi_video_device *device, int event)
+ {
+ unsigned long level_current, level_next;
++ if (!device->brightness)
++ return;
+ acpi_video_device_lcd_get_level_current(device, &level_current);
+ level_next = acpi_video_get_next_level(device, level_current, event);
+ acpi_video_device_lcd_set_level(device, level_next);
--- /dev/null
+From kaber@trash.net Thu Oct 23 13:16:48 2008
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed, 22 Oct 2008 19:41:31 +0200 (MEST)
+Subject: netfilter: restore lost ifdef guarding defrag exception
+To: stable@kernel.org
+Cc: netfilter-devel@vger.kernel.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Message-ID: <20081022174130.21341.48347.sendpatchset@x2.localnet>
+
+From: Patrick McHardy <kaber@trash.net>
+
+netfilter: restore lost #ifdef guarding defrag exception
+
+Upstream commit 38f7ac3eb:
+
+Nir Tzachar <nir.tzachar@gmail.com> reported a warning when sending
+fragments over loopback with NAT:
+
+[ 6658.338121] WARNING: at net/ipv4/netfilter/nf_nat_standalone.c:89 nf_nat_fn+0x33/0x155()
+
+The reason is that defragmentation is skipped for already tracked connections.
+This is wrong in combination with NAT and ip_conntrack actually had some ifdefs
+to avoid this behaviour when NAT is compiled in.
+
+The entire "optimization" may seem a bit silly, for now simply restoring the
+lost #ifdef is the easiest solution until we can come up with something better.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
++++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+@@ -138,10 +138,12 @@ static unsigned int ipv4_conntrack_defra
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+ {
++#if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE)
+ /* Previously seen (loopback)? Ignore. Do this before
+ fragment check. */
+ if (skb->nfct)
+ return NF_ACCEPT;
++#endif
+
+ /* Gather fragments. */
+ if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
--- /dev/null
+From kaber@trash.net Thu Oct 23 13:16:08 2008
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Date: Wed, 22 Oct 2008 19:41:29 +0200 (MEST)
+Subject: netfilter: snmp nat leaks memory in case of failure
+To: stable@kernel.org
+Cc: netfilter-devel@vger.kernel.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Message-ID: <20081022174129.21341.93881.sendpatchset@x2.localnet>
+
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+
+netfilter: snmp nat leaks memory in case of failure
+
+Upstream commit 311670f3e:
+
+Signed-off-by: Ilpo Jarvinen <ilpo.jarvinen@helsinki.fi>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+
+---
+ net/ipv4/netfilter/nf_nat_snmp_basic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
+@@ -742,6 +742,7 @@ static unsigned char snmp_object_decode(
+ *obj = kmalloc(sizeof(struct snmp_object) + len,
+ GFP_ATOMIC);
+ if (*obj == NULL) {
++ kfree(p);
+ kfree(id);
+ if (net_ratelimit())
+ printk("OOM in bsalg (%d)\n", __LINE__);
--- /dev/null
+From kaber@trash.net Thu Oct 23 13:14:58 2008
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Wed, 22 Oct 2008 19:41:28 +0200 (MEST)
+Subject: netfilter: xt_iprange: fix range inversion match
+To: stable@kernel.org
+Cc: netfilter-devel@vger.kernel.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Message-ID: <20081022174128.21341.79877.sendpatchset@x2.localnet>
+
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+netfilter: xt_iprange: fix range inversion match
+
+Upstream commit 6def1eb48:
+
+Inverted IPv4 v1 and IPv6 v0 matches don't match anything since 2.6.25-rc1!
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Acked-by: Jan Engelhardt <jengelh@medozas.de>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/xt_iprange.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/xt_iprange.c
++++ b/net/netfilter/xt_iprange.c
+@@ -67,7 +67,7 @@ iprange_mt4(const struct sk_buff *skb, c
+ if (info->flags & IPRANGE_SRC) {
+ m = ntohl(iph->saddr) < ntohl(info->src_min.ip);
+ m |= ntohl(iph->saddr) > ntohl(info->src_max.ip);
+- m ^= info->flags & IPRANGE_SRC_INV;
++ m ^= !!(info->flags & IPRANGE_SRC_INV);
+ if (m) {
+ pr_debug("src IP " NIPQUAD_FMT " NOT in range %s"
+ NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
+@@ -81,7 +81,7 @@ iprange_mt4(const struct sk_buff *skb, c
+ if (info->flags & IPRANGE_DST) {
+ m = ntohl(iph->daddr) < ntohl(info->dst_min.ip);
+ m |= ntohl(iph->daddr) > ntohl(info->dst_max.ip);
+- m ^= info->flags & IPRANGE_DST_INV;
++ m ^= !!(info->flags & IPRANGE_DST_INV);
+ if (m) {
+ pr_debug("dst IP " NIPQUAD_FMT " NOT in range %s"
+ NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
+@@ -123,14 +123,14 @@ iprange_mt6(const struct sk_buff *skb, c
+ if (info->flags & IPRANGE_SRC) {
+ m = iprange_ipv6_sub(&iph->saddr, &info->src_min.in6) < 0;
+ m |= iprange_ipv6_sub(&iph->saddr, &info->src_max.in6) > 0;
+- m ^= info->flags & IPRANGE_SRC_INV;
++ m ^= !!(info->flags & IPRANGE_SRC_INV);
+ if (m)
+ return false;
+ }
+ if (info->flags & IPRANGE_DST) {
+ m = iprange_ipv6_sub(&iph->daddr, &info->dst_min.in6) < 0;
+ m |= iprange_ipv6_sub(&iph->daddr, &info->dst_max.in6) > 0;
+- m ^= info->flags & IPRANGE_DST_INV;
++ m ^= !!(info->flags & IPRANGE_DST_INV);
+ if (m)
+ return false;
+ }
file-caps-always-start-with-clear-bprm-caps_.patch
alsa-use-correct-lock-in-snd_ctl_dev_disconnect.patch
acpi-dock-avoid-check-_sta-method.patch
+0001-tcpv6-fix-option-space-offsets-with-md5.patch
+0002-net-Fix-netdev_run_todo-dead-lock.patch
+0001-sparc64-Fix-race-in-arch-sparc64-kernel-trampoline.patch
+0002-math-emu-Fix-signalling-of-underflow-and-inexact-wh.patch
+acpi-video-fix-brightness-allocation.patch
+netfilter-xt_iprange-fix-range-inversion-match.patch
+netfilter-snmp-nat-leaks-memory-in-case-of-failure.patch
+netfilter-restore-lost-ifdef-guarding-defrag-exception.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
