From: Greg Kroah-Hartman
Date: Mon, 23 Aug 2010 22:02:03 +0000 (-0700)
Subject: .34 patches
X-Git-Tag: v2.6.32.21~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1596c1d44ba1c2bf4b43bee1326c177300266dc5;p=thirdparty%2Fkernel%2Fstable-queue.git
.34 patches
---
diff --git a/queue-2.6.34/act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch b/queue-2.6.34/act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch
new file mode 100644
index 00000000000..43851e1f602
--- /dev/null
+++ b/queue-2.6.34/act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch
@@ -0,0 +1,32 @@
+From af50818b7610e6b436fd543f4a6a5884cfbc5528 Mon Sep 17 00:00:00 2001
+From: Changli Gao
+Date: Thu, 29 Jul 2010 14:04:18 +0000
+Subject: act_nat: the checksum of ICMP doesn't have pseudo header
+
+
+From: Changli Gao
+
+[ Upstream commit 3a3dfb062c2e086c202d34f09ce29634515ad256 ]
+
+after updating the value of the ICMP payload, inet_proto_csum_replace4() should
+be called with zero pseudohdr.
+
+Signed-off-by: Changli Gao
+Acked-by: Herbert Xu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_nat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_nat.c
++++ b/net/sched/act_nat.c
+@@ -240,7 +240,7 @@ static int tcf_nat(struct sk_buff *skb,
+ iph->saddr = new_addr;
+
+ inet_proto_csum_replace4(&icmph->checksum, skb, addr, new_addr,
+- 1);
++ 0);
+ break;
+ }
+ default:
diff --git a/queue-2.6.34/bridge-add-rcu_read_lock-on-transmit.patch b/queue-2.6.34/bridge-add-rcu_read_lock-on-transmit.patch
new file mode 100644
index 00000000000..14cea5ebf01
--- /dev/null
+++ b/queue-2.6.34/bridge-add-rcu_read_lock-on-transmit.patch
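Review bot: In act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch, the bare `0` now passed as the last argument of `inet_proto_csum_replace4()` in tcf_nat() carries the whole fix, yet nothing at the call site says why this case differs from a checksum that includes the pseudo-header. A one-line comment above the call, such as `/* ICMP checksum does not cover the IP pseudo-header */`, would keep a later cleanup from changing it back to 1. The enclosing switch starts and ends outside the hunk, so the other protocol cases could not be compared here.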
@@ -0,0 +1,104 @@
+From 2f8b061219c882296096fd087359a732acf633e6 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger
+Date: Wed, 18 Aug 2010 22:56:36 -0700
+Subject: bridge: add rcu_read_lock on transmit
+
+
+From: Stephen Hemminger
+
+[ Upstream commit eeaf61d8891f9c9ed12c1a667e72bf83f0857954 ]
+
+Long ago, when bridge was converted to RCU, rcu lock was equivalent
+to having preempt disabled. RCU has changed a lot since then and
+bridge code was still assuming the since transmit was called with
+bottom half disabled, it was RCU safe.
+
+Signed-off-by: Stephen Hemminger
+Tested-by: Johannes Berg
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_device.c | 4 +++-
+ net/bridge/br_fdb.c | 2 +-
+ net/bridge/br_input.c | 6 +++---
+ net/bridge/br_stp_bpdu.c | 2 +-
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/bridge/br_device.c
++++ b/net/bridge/br_device.c
+@@ -19,7 +19,7 @@
+ #include
+ #include "br_private.h"
+
+-/* net device transmit always called with no BH (preempt_disabled) */
++/* net device transmit always called with BH disabled */
+ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct net_bridge *br = netdev_priv(dev);
+@@ -35,6 +35,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
+ skb_reset_mac_header(skb);
+ skb_pull(skb, ETH_HLEN);
+
++ rcu_read_lock();
+ if (dest[0] & 1) {
+ if (br_multicast_rcv(br, NULL, skb))
+ goto out;
+@@ -50,6 +51,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
+ br_flood_deliver(br, skb);
+
+ out:
++ rcu_read_unlock();
+ return NETDEV_TX_OK;
+ }
+
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -214,7 +214,7 @@ void br_fdb_delete_by_port(struct net_br
+ spin_unlock_bh(&br->hash_lock);
+ }
+
+-/* No locking or refcounting, assumes caller has no preempt (rcu_read_lock) */
++/* No locking or refcounting, assumes caller has rcu_read_lock */
+ struct net_bridge_fdb_entry *__br_fdb_get(struct net_bridge *br,
+ const unsigned char *addr)
+ {
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -35,7 +35,7 @@ static int br_pass_frame_up(struct sk_bu
+ netif_receive_skb);
+ }
+
+-/* note: already called with rcu_read_lock (preempt_disabled) */
++/* note: already called with rcu_read_lock */
+ int br_handle_frame_finish(struct sk_buff *skb)
+ {
+ const unsigned char *dest = eth_hdr(skb)->h_dest;
+@@ -106,7 +106,7 @@ drop:
+ goto out;
+ }
+
+-/* note: already called with rcu_read_lock (preempt_disabled) */
++/* note: already called with rcu_read_lock */
+ static int br_handle_local_finish(struct sk_buff *skb)
+ {
+ struct net_bridge_port *p = rcu_dereference(skb->dev->br_port);
+@@ -131,7 +131,7 @@ static inline int is_link_local(const un
+ /*
+ * Called via br_handle_frame_hook.
+ * Return NULL if skb is handled
+- * note: already called with rcu_read_lock (preempt_disabled)
++ * note: already called with rcu_read_lock
+ */
+ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
+ {
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -131,7 +131,7 @@ void br_send_tcn_bpdu(struct net_bridge_
+ /*
+ * Called from llc.
+ *
+- * NO locks, but rcu_read_lock (preempt_disabled)
++ * NO locks, but rcu_read_lock
+ */
+ void br_stp_rcv(const struct stp_proto *proto, struct sk_buff *skb,
+ struct net_device *dev)
diff --git a/queue-2.6.34/bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch b/queue-2.6.34/bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch
new file mode 100644
index 00000000000..9e0f6524fc7
--- /dev/null
+++ b/queue-2.6.34/bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch
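Review bot: In bridge-add-rcu_read_lock-on-transmit.patch, the new read-side section in br_dev_xmit() is balanced only if every path after `rcu_read_lock()` leaves through the `out:` label. The lines between the second and third br_device.c hunks are not visible, so a direct `return` in that stretch would leave the section open and should be checked for. The reworded comments on __br_fdb_get(), br_handle_frame_finish(), br_handle_local_finish(), br_handle_frame() and br_stp_rcv() still state the locking contract in prose only; if the tree provides it, an assertion built on `rcu_read_lock_held()` would catch a caller that breaks the contract instead of relying on the comment.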
@@ -0,0 +1,35 @@
+From 632d5220b7f175d7957b8cafea96a3df77a3d38c Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Thu, 29 Jul 2010 01:12:31 +0000
+Subject: bridge: Fix skb leak when multicast parsing fails on TX
+
+
+From: Herbert Xu
+
+[ Upstream commit 6d1d1d398cb7db7a12c5d652d50f85355345234f ]
+
+On the bridge TX path we're leaking an skb when br_multicast_rcv
+returns an error.
+
+Reported-by: David Lamparter
+Signed-off-by: Herbert Xu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_device.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_device.c
++++ b/net/bridge/br_device.c
+@@ -37,8 +37,10 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
+
+ rcu_read_lock();
+ if (dest[0] & 1) {
+- if (br_multicast_rcv(br, NULL, skb))
++ if (br_multicast_rcv(br, NULL, skb)) {
++ kfree_skb(skb);
+ goto out;
++ }
+
+ mdst = br_mdb_get(br, skb);
+ if (mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb))
diff --git a/queue-2.6.34/can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch b/queue-2.6.34/can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch
new file mode 100644
index 00000000000..8ccd4856691
--- /dev/null
+++ b/queue-2.6.34/can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch
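Review bot: In bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch, the new error branch in br_dev_xmit() frees the skb and jumps to `out:` without recording the drop anywhere in the visible lines. The rcu_read_lock patch in this same queue shows `out:` returning `NETDEV_TX_OK`, so a frame rejected by `br_multicast_rcv()` looks like a normal transmit to the caller. If the transmit counters are updated earlier in the function (outside this hunk), it is also counted as sent. Incrementing the device's `tx_dropped` counter next to `kfree_skb(skb);` would make malformed-multicast drops visible to an operator.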
@@ -0,0 +1,159 @@
+From 48135709d4a0ebfc1e6ea41698726a610b62b68e Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp
+Date: Wed, 11 Aug 2010 16:12:35 -0700
+Subject: can: add limit for nframes and clean up signed/unsigned variables
+
+
+From: Oliver Hartkopp
+
+[ Upstream commit 5b75c4973ce779520b9d1e392483207d6f842cde ]
+
+This patch adds a limit for nframes as the number of frames in TX_SETUP and
+RX_SETUP are derived from a single byte multiplex value by default.
+Use-cases that would require to send/filter more than 256 CAN frames should
+be implemented in userspace for complexity reasons anyway.
+
+Additionally the assignments of unsigned values from userspace to signed
+values in kernelspace and vice versa are fixed by using unsigned values in
+kernelspace consistently.
+
+Signed-off-by: Oliver Hartkopp
+Reported-by: Ben Hawkes
+Acked-by: Urs Thuermann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/bcm.c | 41 +++++++++++++++++++++++++++--------------
+ 1 file changed, 27 insertions(+), 14 deletions(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -60,6 +60,13 @@
+ #include
+ #include
+
++/*
++ * To send multiple CAN frame content within TX_SETUP or to filter
++ * CAN messages with multiplex index within RX_SETUP, the number of
++ * different filters is limited to 256 due to the one byte index value.
++ */
++#define MAX_NFRAMES 256
++
+ /* use of last_frames[index].can_dlc */
+ #define RX_RECV 0x40 /* received data for this element */
+ #define RX_THR 0x80 /* element not been sent due to throttle feature */
+@@ -89,16 +96,16 @@ struct bcm_op {
+ struct list_head list;
+ int ifindex;
+ canid_t can_id;
+- int flags;
++ u32 flags;
+ unsigned long frames_abs, frames_filtered;
+ struct timeval ival1, ival2;
+ struct hrtimer timer, thrtimer;
+ struct tasklet_struct tsklet, thrtsklet;
+ ktime_t rx_stamp, kt_ival1, kt_ival2, kt_lastmsg;
+ int rx_ifindex;
+- int count;
+- int nframes;
+- int currframe;
++ u32 count;
++ u32 nframes;
++ u32 currframe;
+ struct can_frame *frames;
+ struct can_frame *last_frames;
+ struct can_frame sframe;
+@@ -175,7 +182,7 @@ static int bcm_proc_show(struct seq_file
+
+ seq_printf(m, "rx_op: %03X %-5s ",
+ op->can_id, bcm_proc_getifname(ifname, op->ifindex));
+- seq_printf(m, "[%d]%c ", op->nframes,
++ seq_printf(m, "[%u]%c ", op->nframes,
+ (op->flags & RX_CHECK_DLC)?'d':' ');
+ if (op->kt_ival1.tv64)
+ seq_printf(m, "timeo=%lld ",
+@@ -198,7 +205,7 @@ static int bcm_proc_show(struct seq_file
+
+ list_for_each_entry(op, &bo->tx_ops, list) {
+
+- seq_printf(m, "tx_op: %03X %s [%d] ",
++ seq_printf(m, "tx_op: %03X %s [%u] ",
+ op->can_id,
+ bcm_proc_getifname(ifname, op->ifindex),
+ op->nframes);
+@@ -283,7 +290,7 @@ static void bcm_send_to_user(struct bcm_
+ struct can_frame *firstframe;
+ struct sockaddr_can *addr;
+ struct sock *sk = op->sk;
+- int datalen = head->nframes * CFSIZ;
++ unsigned int datalen = head->nframes * CFSIZ;
+ int err;
+
+ skb = alloc_skb(sizeof(*head) + datalen, gfp_any());
+@@ -468,7 +475,7 @@ rx_changed_settime:
+ * bcm_rx_cmp_to_index - (bit)compares the currently received data to formerly
+ * received data stored in op->last_frames[]
+ */
+-static void bcm_rx_cmp_to_index(struct bcm_op *op, int index,
++static void bcm_rx_cmp_to_index(struct bcm_op *op, unsigned int index,
+ const struct can_frame *rxdata)
+ {
+ /*
+@@ -554,7 +561,8 @@ static enum hrtimer_restart bcm_rx_timeo
+ /*
+ * bcm_rx_do_flush - helper for bcm_rx_thr_flush
+ */
+-static inline int bcm_rx_do_flush(struct bcm_op *op, int update, int index)
++static inline int bcm_rx_do_flush(struct bcm_op *op, int update,
++ unsigned int index)
+ {
+ if ((op->last_frames) && (op->last_frames[index].can_dlc & RX_THR)) {
+ if (update)
+@@ -575,7 +583,7 @@ static int bcm_rx_thr_flush(struct bcm_o
+ int updated = 0;
+
+ if (op->nframes > 1) {
+- int i;
++ unsigned int i;
+
+ /* for MUX filter we start at index 1 */
+ for (i = 1; i < op->nframes; i++)
+@@ -624,7 +632,7 @@ static void bcm_rx_handler(struct sk_buf
+ {
+ struct bcm_op *op = (struct bcm_op *)data;
+ const struct can_frame *rxframe = (struct can_frame *)skb->data;
+- int i;
++ unsigned int i;
+
+ /* disable timeout */
+ hrtimer_cancel(&op->timer);
+@@ -824,14 +832,15 @@ static int bcm_tx_setup(struct bcm_msg_h
+ {
+ struct bcm_sock *bo = bcm_sk(sk);
+ struct bcm_op *op;
+- int i, err;
++ unsigned int i;
++ int err;
+
+ /* we need a real device to send frames */
+ if (!ifindex)
+ return -ENODEV;
+
+- /* we need at least one can_frame */
+- if (msg_head->nframes < 1)
++ /* check nframes boundaries - we need at least one can_frame */
++ if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
+ return -EINVAL;
+
+ /* check the given can_id */
+@@ -995,6 +1004,10 @@ static int bcm_rx_setup(struct bcm_msg_h
+ msg_head->nframes = 0;
+ }
+
++ /* the first element contains the mux-mask => MAX_NFRAMES + 1 */
++ if (msg_head->nframes > MAX_NFRAMES + 1)
++ return -EINVAL;
++
+ if ((msg_head->flags & RX_RTR_FRAME) &&
+ ((msg_head->nframes != 1) ||
+ (!(msg_head->can_id & CAN_RTR_FLAG))))
diff --git a/queue-2.6.34/isdn-fix-information-leak.patch b/queue-2.6.34/isdn-fix-information-leak.patch
new file mode 100644
index 00000000000..b8cb3a9c83a
--- /dev/null
+++ b/queue-2.6.34/isdn-fix-information-leak.patch
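Review bot: In can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch, the upper bound on `msg_head->nframes` is enforced separately in bcm_tx_setup() (`> MAX_NFRAMES`) and bcm_rx_setup() (`> MAX_NFRAMES + 1`), so any other consumer of the user-supplied header depends on having its own check. bcm_send_to_user() still computes `head->nframes * CFSIZ` and passes the sum to `alloc_skb()` with no local guard. That is safe only if every head reaching it came through one of the two checked setup paths, which cannot be confirmed from these hunks. Consider rejecting out-of-range values once, where the message header is first read, or at least documenting the dependency on bcm_send_to_user() with a comment such as `/* nframes <= MAX_NFRAMES + 1, enforced in bcm_tx_setup()/bcm_rx_setup() */`.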
@@ -0,0 +1,67 @@
+From 64260976bfe9cf75a89b34bc65f2e101494e3e44 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 4 Aug 2010 23:38:06 +0000
+Subject: isdn: fix information leak
+
+
+From: Dan Carpenter
+
+[ Upstream commit 4b030d4288a569d6bdeca884d7f102d951f097f2 ]
+
+The main motivation of this patch changing strcpy() to strlcpy().
+We strcpy() to copy a 48 byte buffers into a 49 byte buffers. So at
+best the last byte has leaked information, or maybe there is an
+overflow? Anyway, this patch closes the information leaks by zeroing
+the memory and the calls to strlcpy() prevent overflows.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/isdn/sc/ioctl.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/isdn/sc/ioctl.c
++++ b/drivers/isdn/sc/ioctl.c
+@@ -174,7 +174,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+ pr_debug("%s: SCIOGETSPID: ioctl received\n",
+ sc_adapter[card]->devicename);
+
+- spid = kmalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
++ spid = kzalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
+ if (!spid) {
+ kfree(rcvmsg);
+ return -ENOMEM;
+@@ -194,7 +194,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+ kfree(rcvmsg);
+ return status;
+ }
+- strcpy(spid, rcvmsg->msg_data.byte_array);
++ strlcpy(spid, rcvmsg->msg_data.byte_array, SCIOC_SPIDSIZE);
+
+ /*
+ * Package the switch type and send to user space
+@@ -272,12 +272,12 @@ int sc_ioctl(int card, scs_ioctl *data)
+ return status;
+ }
+
+- dn = kmalloc(SCIOC_DNSIZE, GFP_KERNEL);
++ dn = kzalloc(SCIOC_DNSIZE, GFP_KERNEL);
+ if (!dn) {
+ kfree(rcvmsg);
+ return -ENOMEM;
+ }
+- strcpy(dn, rcvmsg->msg_data.byte_array);
++ strlcpy(dn, rcvmsg->msg_data.byte_array, SCIOC_DNSIZE);
+ kfree(rcvmsg);
+
+ /*
+@@ -348,7 +348,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+ pr_debug("%s: SCIOSTAT: ioctl received\n",
+ sc_adapter[card]->devicename);
+
+- bi = kmalloc (sizeof(boardInfo), GFP_KERNEL);
++ bi = kzalloc(sizeof(boardInfo), GFP_KERNEL);
+ if (!bi) {
+ kfree(rcvmsg);
+ return -ENOMEM;
diff --git a/queue-2.6.34/net-dev_forward_skb-should-call-nf_reset.patch b/queue-2.6.34/net-dev_forward_skb-should-call-nf_reset.patch
new file mode 100644
index 00000000000..b9936e85095
--- /dev/null
+++ b/queue-2.6.34/net-dev_forward_skb-should-call-nf_reset.patch
@@ -0,0 +1,33 @@
+From 6692f594de706f1d3c085c132a53dba0fde3e8ed Mon Sep 17 00:00:00 2001
+From: Ben Greear
+Date: Thu, 22 Jul 2010 09:54:47 +0000
+Subject: net: dev_forward_skb should call nf_reset
+
+
+From: Ben Greear
+
+[ Upstream commit c736eefadb71a01a5e61e0de700f28f6952b4444 ]
+
+With conn-track zones and probably with different network
+namespaces, the netfilter logic needs to be re-calculated
+on packet receive. If the netfilter logic is not reset,
+it will not be recalculated properly. This patch adds
+the nf_reset logic to dev_forward_skb.
+
+Signed-off-by: Ben Greear
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1464,6 +1464,7 @@ static inline void net_timestamp(struct
+ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
+ {
+ skb_orphan(skb);
++ nf_reset(skb);
+
+ if (!(dev->flags & IFF_UP) ||
+ (skb->len > (dev->mtu + dev->hard_header_len))) {
diff --git a/queue-2.6.34/net-fix-a-memmove-bug-in-dev_gro_receive.patch b/queue-2.6.34/net-fix-a-memmove-bug-in-dev_gro_receive.patch
new file mode 100644
index 00000000000..8087beace5f
--- /dev/null
+++ b/queue-2.6.34/net-fix-a-memmove-bug-in-dev_gro_receive.patch
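Review bot: In isdn-fix-information-leak.patch, `strlcpy()` bounds the write into `spid` and `dn` but not the read, because it has to find the terminator in `rcvmsg->msg_data.byte_array` to compute its return value. If the adapter reply fills the array without a NUL, the source is still over-read; the commit message itself is unsure about the 48/49-byte sizes. Both destinations are now zeroed by `kzalloc()`, so a copy bounded on both sides keeps the terminator without scanning the source, e.g. `strncpy(spid, rcvmsg->msg_data.byte_array, SCIOC_SPIDSIZE - 1);` and the same with `SCIOC_DNSIZE - 1` for `dn`. The size of `byte_array` is declared outside these hunks, so the chosen bound should also be checked against it.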
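Review bot: In net-dev_forward_skb-should-call-nf_reset.patch, the added `nf_reset(skb);` in dev_forward_skb() has no comment, so the reason for it lives only in the commit message. A short comment above the call, e.g. `/* drop netfilter/conntrack state so the receiving device re-evaluates the packet */`, would record that the skb may be crossing into another conntrack zone or namespace and must not carry the sender's state with it. The rest of the function is outside the hunk.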
@@ -0,0 +1,41 @@
+From da731c05b107dcc3feff6a109b66fa5b71e51e43 Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski
+Date: Wed, 11 Aug 2010 02:02:10 +0000
+Subject: net: Fix a memmove bug in dev_gro_receive()
+
+
+From: Jarek Poplawski
+
+[ Upstream commit e5093aec2e6b60c3df2420057ffab9ed4a6d2792 ]
+
+>Xin Xiaohui wrote:
+> I looked into the code dev_gro_receive(), found the code here:
+> if the frags[0] is pulled to 0, then the page will be released,
+> and memmove() frags left.
+> Is that right? I'm not sure if memmove do right or not, but
+> frags[0].size is never set after memove at least. what I think
+> a simple way is not to do anything if we found frags[0].size == 0.
+> The patch is as followed.
+...
+
+This version of the patch fixes the bug directly in memmove.
+
+Reported-by: "Xin, Xiaohui"
+Signed-off-by: Jarek Poplawski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2735,7 +2735,7 @@ pull:
+ put_page(skb_shinfo(skb)->frags[0].page);
+ memmove(skb_shinfo(skb)->frags,
+ skb_shinfo(skb)->frags + 1,
+- --skb_shinfo(skb)->nr_frags);
++ --skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t));
+ }
+ }
+
diff --git a/queue-2.6.34/net-fix-napi_gro_frags-vs-netpoll-path.patch b/queue-2.6.34/net-fix-napi_gro_frags-vs-netpoll-path.patch
new file mode 100644
index 00000000000..bfb7819802b
--- /dev/null
+++ b/queue-2.6.34/net-fix-napi_gro_frags-vs-netpoll-path.patch
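Review bot: In net-fix-a-memmove-bug-in-dev_gro_receive.patch, the corrected length still hides a pre-decrement of `nr_frags` inside the size argument of `memmove()`, which is the construct that let the missing element size go unnoticed. Splitting it is easier to audit: `skb_shinfo(skb)->nr_frags--;` on its own line before the call, then `skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t)` as the length. That also makes it plain that the count is assumed to be at least 1 at this point; the guard for that, if any, is above the hunk.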
@@ -0,0 +1,43 @@
+From 27191bcf61d33883e18df3fce79f2a3fff08c2b1 Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski
+Date: Thu, 5 Aug 2010 01:19:11 +0000
+Subject: net: Fix napi_gro_frags vs netpoll path
+
+
+From: Jarek Poplawski
+
+[ Upstream commit ce9e76c8450fc248d3e1fc16ef05e6eb50c02fa5 ]
+
+The netpoll_rx_on() check in __napi_gro_receive() skips part of the
+"common" GRO_NORMAL path, especially "pull:" in dev_gro_receive(),
+where at least eth header should be copied for entirely paged skbs.
+
+Signed-off-by: Jarek Poplawski
+Acked-by: Herbert Xu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2666,7 +2666,7 @@ enum gro_result dev_gro_receive(struct n
+ int mac_len;
+ enum gro_result ret;
+
+- if (!(skb->dev->features & NETIF_F_GRO))
++ if (!(skb->dev->features & NETIF_F_GRO) || netpoll_rx_on(skb))
+ goto normal;
+
+ if (skb_is_gso(skb) || skb_has_frags(skb))
+@@ -2753,9 +2753,6 @@ __napi_gro_receive(struct napi_struct *n
+ {
+ struct sk_buff *p;
+
+- if (netpoll_rx_on(skb))
+- return GRO_NORMAL;
+-
+ for (p = napi->gro_list; p; p = p->next) {
+ NAPI_GRO_CB(p)->same_flow =
+ (p->dev == skb->dev) &&
diff --git a/queue-2.6.34/pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch b/queue-2.6.34/pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch
new file mode 100644
index 00000000000..6ed5ab3c9af
--- /dev/null
+++ b/queue-2.6.34/pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch
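Review bot: In net-fix-napi_gro_frags-vs-netpoll-path.patch, the `netpoll_rx_on(skb)` test folded into the first condition of dev_gro_receive() reads like a second feature check, and nothing at that line says why it moved there. Per the commit message the intent is that netpoll traffic still goes through the common GRO_NORMAL handling, including `pull:`, rather than returning early from __napi_gro_receive(). A comment on the condition, e.g. `/* netpoll: no merging, but still take the normal/pull path */`, would record this. What the `normal` label does is outside the hunk and should be confirmed against the full function.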
@@ -0,0 +1,44 @@
+From 263b932701c9c5bfed21e62e5c9caf164d5daebc Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski
+Date: Tue, 10 Aug 2010 22:31:02 +0000
+Subject: pkt_sched: Fix sch_sfq vs tc_modify_qdisc oops
+
+
+From: Jarek Poplawski
+
+[ Upstream commit 41065fba846e795b31b17e4dec01cb904d56c6cd ]
+
+sch_sfq as a classful qdisc needs the .leaf handler. Otherwise, there
+is an oops possible in tc_modify_qdisc()/check_loop().
+
+Fixes commit 7d2681a6ff4f9ab5e48d02550b4c6338f1638998
+
+Signed-off-by: Jarek Poplawski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_sfq.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -497,6 +497,11 @@ nla_put_failure:
+ return -1;
+ }
+
++static struct Qdisc *sfq_leaf(struct Qdisc *sch, unsigned long arg)
++{
++ return NULL;
++}
++
+ static unsigned long sfq_get(struct Qdisc *sch, u32 classid)
+ {
+ return 0;
+@@ -560,6 +565,7 @@ static void sfq_walk(struct Qdisc *sch,
+ }
+
+ static const struct Qdisc_class_ops sfq_class_ops = {
++ .leaf = sfq_leaf,
+ .get = sfq_get,
+ .tcf_chain = sfq_find_tcf,
+ .bind_tcf = sfq_bind,
diff --git a/queue-2.6.34/pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch b/queue-2.6.34/pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch
new file mode 100644
index 00000000000..538f3b5fac8
--- /dev/null
+++ b/queue-2.6.34/pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch
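Review bot: In pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch, `sfq_leaf()` fills one missing slot in `sfq_class_ops`, and pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch does the same with `sfq_bind()`, but the initializer as far as these two hunks show it still has no `.put` or `.unbind_tcf`. Both oopses come from the core calling a class op that was left NULL. If the core pairs `get`/`bind_tcf` with those two calls without a NULL test, the same class of crash stays reachable from a tc request. The rest of the initializer is outside the hunks, so this needs checking against the full struct. The stubs are also uncommented; something like `/* SFQ has no real classes; stub so the classful core can call ->leaf() */` on `sfq_leaf()` would say why they return NULL or 0.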
@@ -0,0 +1,48 @@
+From b993d672ab5eff4a4ee43ac66b1d0801d896f47f Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski
+Date: Fri, 6 Aug 2010 00:22:35 +0000
+Subject: pkt_sched: Fix sch_sfq vs tcf_bind_filter oops
+
+
+From: Jarek Poplawski
+
+[ Upstream commit eb4a5527b1f0d581ac217c80ef3278ed5e38693c ]
+
+Since there was added ->tcf_chain() method without ->bind_tcf() to
+sch_sfq class options, there is oops when a filter is added with
+the classid parameter.
+
+Fixes commit 7d2681a6ff4f9ab5e48d02550b4c6338f1638998
+netdev thread: null pointer at cls_api.c
+
+Signed-off-by: Jarek Poplawski
+Reported-by: Franchoze Eric
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_sfq.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -502,6 +502,12 @@ static unsigned long sfq_get(struct Qdis
+ return 0;
+ }
+
++static unsigned long sfq_bind(struct Qdisc *sch, unsigned long parent,
++ u32 classid)
++{
++ return 0;
++}
++
+ static struct tcf_proto **sfq_find_tcf(struct Qdisc *sch, unsigned long cl)
+ {
+ struct sfq_sched_data *q = qdisc_priv(sch);
+@@ -556,6 +562,7 @@ static void sfq_walk(struct Qdisc *sch,
+ static const struct Qdisc_class_ops sfq_class_ops = {
+ .get = sfq_get,
+ .tcf_chain = sfq_find_tcf,
++ .bind_tcf = sfq_bind,
+ .dump = sfq_dump_class,
+ .dump_stats = sfq_dump_class_stats,
+ .walk = sfq_walk,
diff --git a/queue-2.6.34/series b/queue-2.6.34/series
index 9a1b002cd83..73eda4b9a3c 100644
--- a/queue-2.6.34/series
+++ b/queue-2.6.34/series
@@ -48,3 +48,14 @@ slab-fix-object-alignment.patch
 sparc64-fix-atomic64_t-routine-return-values.patch
 sparc64-add-missing-id-to-parport-probing-code.patch
 sparc64-fix-rwsem-constant-bug-leading-to-hangs.patch
+bridge-add-rcu_read_lock-on-transmit.patch
+tcp-cookie-transactions-setsockopt-memory-leak.patch
+bridge-fix-skb-leak-when-multicast-parsing-fails-on-tx.patch
+act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch
+can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch
+net-dev_forward_skb-should-call-nf_reset.patch
+isdn-fix-information-leak.patch
+net-fix-napi_gro_frags-vs-netpoll-path.patch
+net-fix-a-memmove-bug-in-dev_gro_receive.patch
+pkt_sched-fix-sch_sfq-vs-tcf_bind_filter-oops.patch
+pkt_sched-fix-sch_sfq-vs-tc_modify_qdisc-oops.patch
diff --git a/queue-2.6.34/tcp-cookie-transactions-setsockopt-memory-leak.patch b/queue-2.6.34/tcp-cookie-transactions-setsockopt-memory-leak.patch
new file mode 100644
index 00000000000..275a22ca106
--- /dev/null
+++ b/queue-2.6.34/tcp-cookie-transactions-setsockopt-memory-leak.patch
@@ -0,0 +1,57 @@
+From 0a704e7e728720f51c66957653eef0dd4cc858c6 Mon Sep 17 00:00:00 2001
+From: Dmitry Popov
+Date: Thu, 29 Jul 2010 01:59:36 +0000
+Subject: tcp: cookie transactions setsockopt memory leak
+
+
+From: Dmitry Popov
+
+[ Upstream commit a3bdb549e30e7a263f7a589747c40e9c50110315 ]
+
+There is a bug in do_tcp_setsockopt(net/ipv4/tcp.c),
+TCP_COOKIE_TRANSACTIONS case.
+In some cases (when tp->cookie_values == NULL) new tcp_cookie_values
+structure can be allocated (at cvp), but not bound to
+tp->cookie_values. So a memory leak occurs.
+
+Signed-off-by: Dmitry Popov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2175,6 +2175,8 @@ static int do_tcp_setsockopt(struct sock
+ GFP_KERNEL);
+ if (cvp == NULL)
+ return -ENOMEM;
++
++ kref_init(&cvp->kref);
+ }
+ lock_sock(sk);
+ tp->rx_opt.cookie_in_always =
+@@ -2189,12 +2191,11 @@ static int do_tcp_setsockopt(struct sock
+ */
+ kref_put(&tp->cookie_values->kref,
+ tcp_cookie_values_release);
+- kref_init(&cvp->kref);
+- tp->cookie_values = cvp;
+ } else {
+ cvp = tp->cookie_values;
+ }
+ }
++
+ if (cvp != NULL) {
+ cvp->cookie_desired = ctd.tcpct_cookie_desired;
+
+@@ -2208,6 +2209,8 @@ static int do_tcp_setsockopt(struct sock
+ cvp->s_data_desired = ctd.tcpct_s_data_desired;
+ cvp->s_data_constant = 0; /* false */
+ }
++
++ tp->cookie_values = cvp;
+ }
+ release_sock(sk);
+ return err;
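Review bot: In tcp-cookie-transactions-setsockopt-memory-leak.patch, moving `tp->cookie_values = cvp;` to the end of the `if (cvp != NULL)` block leaves `tp->cookie_values` pointing at the old object for a while after `kref_put(&tp->cookie_values->kref, tcp_cookie_values_release);` may already have released it. That window is harmless only if every reader of `tp->cookie_values` holds the socket lock taken by `lock_sock(sk)`; the code between the hunks is not visible, so this cannot be confirmed here. Publishing the new pointer before dropping the old reference closes the window: keep the old pointer in a local, assign `tp->cookie_values = cvp;`, then call `kref_put()` on the local.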