From: Greg Kroah-Hartman
Date: Wed, 11 Apr 2007 18:53:12 +0000 (-0700)
Subject: network -stable patches added
X-Git-Tag: v2.6.20.7~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3cb6fa72401e33f1973faf281b3f90fa843f4359;p=thirdparty%2Fkernel%2Fstable-queue.git

network -stable patches added
---

diff --git a/queue-2.6.20/8139too-rtnl-and-flush_scheduled_work-deadlock.patch b/queue-2.6.20/8139too-rtnl-and-flush_scheduled_work-deadlock.patch
new file mode 100644
index 00000000000..06dfa6e7e91
--- /dev/null
+++ b/queue-2.6.20/8139too-rtnl-and-flush_scheduled_work-deadlock.patch
@@ -0,0 +1,110 @@ +From greearb@candelatech.com Thu Apr 5 22:52:18 2007 +From: Francois Romieu +Date: Thu, 05 Apr 2007 22:52:12 -0700 +Subject: 8139too: RTNL and flush_scheduled_work deadlock +To: gregkh@suse.de, NetDev +Message-ID: <4615E00C.9070406@candelatech.com> + +From: Francois Romieu + +Your usual dont-flush_scheduled_work-with-RTNL-held stuff. + +It is a bit different here since the thread runs permanently +or is only occasionally kicked for recovery depending on the +hardware revision. + +Signed-off-by: Francois Romieu +Cc: Ben Greear +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/8139too.c | 40 +++++++++++++++++----------------------- + 1 file changed, 17 insertions(+), 23 deletions(-) + +--- a/drivers/net/8139too.c ++++ b/drivers/net/8139too.c +@@ -1109,6 +1109,8 @@ static void __devexit rtl8139_remove_one + + assert (dev != NULL); + ++ flush_scheduled_work(); ++ + unregister_netdev (dev); + + __rtl8139_cleanup_dev (dev); +@@ -1603,18 +1605,21 @@ static void rtl8139_thread (struct work_ + struct net_device *dev = tp->mii.dev; + unsigned long thr_delay = next_tick; + ++ rtnl_lock(); ++ ++ if (!netif_running(dev)) ++ goto out_unlock; ++ + if (tp->watchdog_fired) { + tp->watchdog_fired = 0; + rtl8139_tx_timeout_task(work); +- } else if (rtnl_trylock()) { +- rtl8139_thread_iter (dev, tp, tp->mmio_addr); +- rtnl_unlock (); +- } else { +- /* unlikely race. mitigate with fast poll. 
*/ +- thr_delay = HZ / 2; +- } ++ } else ++ rtl8139_thread_iter(dev, tp, tp->mmio_addr); + +- schedule_delayed_work(&tp->thread, thr_delay); ++ if (tp->have_thread) ++ schedule_delayed_work(&tp->thread, thr_delay); ++out_unlock: ++ rtnl_unlock (); + } + + static void rtl8139_start_thread(struct rtl8139_private *tp) +@@ -1626,19 +1631,11 @@ static void rtl8139_start_thread(struct + return; + + tp->have_thread = 1; ++ tp->watchdog_fired = 0; + + schedule_delayed_work(&tp->thread, next_tick); + } + +-static void rtl8139_stop_thread(struct rtl8139_private *tp) +-{ +- if (tp->have_thread) { +- cancel_rearming_delayed_work(&tp->thread); +- tp->have_thread = 0; +- } else +- flush_scheduled_work(); +-} +- + static inline void rtl8139_tx_clear (struct rtl8139_private *tp) + { + tp->cur_tx = 0; +@@ -1696,12 +1693,11 @@ static void rtl8139_tx_timeout (struct n + { + struct rtl8139_private *tp = netdev_priv(dev); + ++ tp->watchdog_fired = 1; + if (!tp->have_thread) { +- INIT_DELAYED_WORK(&tp->thread, rtl8139_tx_timeout_task); ++ INIT_DELAYED_WORK(&tp->thread, rtl8139_thread); + schedule_delayed_work(&tp->thread, next_tick); +- } else +- tp->watchdog_fired = 1; +- ++ } + } + + static int rtl8139_start_xmit (struct sk_buff *skb, struct net_device *dev) +@@ -2233,8 +2229,6 @@ static int rtl8139_close (struct net_dev + + netif_stop_queue (dev); + +- rtl8139_stop_thread(tp); +- + if (netif_msg_ifdown(tp)) + printk(KERN_DEBUG "%s: Shutting down ethercard, status was 0x%4.4x.\n", + dev->name, RTL_R16 (IntrStatus)); diff --git a/queue-2.6.20/fix-ifb-net-driver-input-device-crashes.patch b/queue-2.6.20/fix-ifb-net-driver-input-device-crashes.patch new file mode 100644 index 00000000000..3c0e88ddf42 --- /dev/null +++ b/queue-2.6.20/fix-ifb-net-driver-input-device-crashes.patch 
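Review bot: The `flush_scheduled_work();` added to `rtl8139_remove_one` runs before `unregister_netdev (dev);` and, as far as I know, waits only for work already queued, not for a `tp->thread` delayed work whose timer is still pending. Since `rtl8139_stop_thread()` is deleted and `rtl8139_close` no longer cancels the work, nothing visible in this patch stops that timer from firing after the device has been unregistered and cleaned up, at which point `rtl8139_thread` would presumably touch freed state. Doing the teardown after the unregister instead, `cancel_delayed_work(&tp->thread); flush_scheduled_work();` following `unregister_netdev (dev);` with `tp` taken from the device's private data, would cover both the pending-timer and the already-queued case without RTNL held. The bodies of `rtl8139_remove_one` and `rtl8139_close` continue outside the hunks, so this should be checked against the full functions.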
@@ -0,0 +1,177 @@ +From stable-bounces@linux.kernel.org Tue Apr 10 13:31:04 2007 +From: Patrick McHardy +Date: Tue, 10 Apr 2007 13:29:44 -0700 (PDT) +Subject: Fix IFB net driver input device crashes +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070410.132944.74388435.davem@davemloft.net> + +From: Patrick McHardy + +[IFB]: Fix crash on input device removal + +The input_device pointer is not refcounted, which means the device may +disappear while packets are queued, causing a crash when ifb passes packets +with a stale skb->dev pointer to netif_rx(). + +Fix by storing the interface index instead and do a lookup where neccessary. + +Signed-off-by: Patrick McHardy +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ifb.c | 35 +++++++++++++---------------------- + include/linux/skbuff.h | 5 +++-- + include/net/pkt_cls.h | 7 +++++-- + net/core/dev.c | 8 ++++---- + net/core/skbuff.c | 2 +- + net/sched/act_mirred.c | 2 +- + 6 files changed, 27 insertions(+), 32 deletions(-) + +--- a/drivers/net/ifb.c ++++ b/drivers/net/ifb.c +@@ -96,17 +96,24 @@ static void ri_tasklet(unsigned long dev + skb->tc_verd = SET_TC_NCLS(skb->tc_verd); + stats->tx_packets++; + stats->tx_bytes +=skb->len; ++ ++ skb->dev = __dev_get_by_index(skb->iif); ++ if (!skb->dev) { ++ dev_kfree_skb(skb); ++ stats->tx_dropped++; ++ break; ++ } ++ skb->iif = _dev->ifindex; ++ + if (from & AT_EGRESS) { + dp->st_rx_frm_egr++; + dev_queue_xmit(skb); + } else if (from & AT_INGRESS) { +- + dp->st_rx_frm_ing++; ++ skb_pull(skb, skb->dev->hard_header_len); + netif_rx(skb); +- } else { +- dev_kfree_skb(skb); +- stats->tx_dropped++; +- } ++ } else ++ BUG(); + } + + if (netif_tx_trylock(_dev)) { +@@ -157,26 +164,10 @@ static int ifb_xmit(struct sk_buff *skb, + stats->rx_packets++; + stats->rx_bytes+=skb->len; + +- if (!from || !skb->input_dev) { +-dropped: ++ if (!(from & (AT_INGRESS|AT_EGRESS)) || !skb->iif) { + dev_kfree_skb(skb); + 
stats->rx_dropped++; + return ret; +- } else { +- /* +- * note we could be going +- * ingress -> egress or +- * egress -> ingress +- */ +- skb->dev = skb->input_dev; +- skb->input_dev = dev; +- if (from & AT_INGRESS) { +- skb_pull(skb, skb->dev->hard_header_len); +- } else { +- if (!(from & AT_EGRESS)) { +- goto dropped; +- } +- } + } + + if (skb_queue_len(&dp->rq) >= dev->tx_queue_len) { +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -188,7 +188,7 @@ enum { + * @sk: Socket we are owned by + * @tstamp: Time we arrived + * @dev: Device we arrived on/are leaving by +- * @input_dev: Device we arrived on ++ * @iif: ifindex of device we arrived on + * @h: Transport layer header + * @nh: Network layer header + * @mac: Link layer header +@@ -235,7 +235,8 @@ struct sk_buff { + struct sock *sk; + struct skb_timeval tstamp; + struct net_device *dev; +- struct net_device *input_dev; ++ int iif; ++ /* 4 byte hole on 64 bit*/ + + union { + struct tcphdr *th; +--- a/include/net/pkt_cls.h ++++ b/include/net/pkt_cls.h +@@ -352,10 +352,13 @@ tcf_change_indev(struct tcf_proto *tp, c + static inline int + tcf_match_indev(struct sk_buff *skb, char *indev) + { ++ struct net_device *dev; ++ + if (indev[0]) { +- if (!skb->input_dev) ++ if (!skb->iif) + return 0; +- if (strcmp(indev, skb->input_dev->name)) ++ dev = __dev_get_by_index(skb->iif); ++ if (!dev || strcmp(indev, dev->name)) + return 0; + } + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1741,8 +1741,8 @@ static int ing_filter(struct sk_buff *sk + if (dev->qdisc_ingress) { + __u32 ttl = (__u32) G_TC_RTTL(skb->tc_verd); + if (MAX_RED_LOOP < ttl++) { +- printk(KERN_WARNING "Redir loop detected Dropping packet (%s->%s)\n", +- skb->input_dev->name, skb->dev->name); ++ printk(KERN_WARNING "Redir loop detected Dropping packet (%d->%d)\n", ++ skb->iif, skb->dev->ifindex); + return TC_ACT_SHOT; + } + +@@ -1775,8 +1775,8 @@ int netif_receive_skb(struct sk_buff *sk + if (!skb->tstamp.off_sec) + net_timestamp(skb); + +- 
if (!skb->input_dev) +- skb->input_dev = skb->dev; ++ if (!skb->iif) ++ skb->iif = skb->dev->ifindex; + + orig_dev = skb_bond(skb); + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -497,7 +497,7 @@ struct sk_buff *skb_clone(struct sk_buff + n->tc_verd = SET_TC_VERD(skb->tc_verd,0); + n->tc_verd = CLR_TC_OK2MUNGE(n->tc_verd); + n->tc_verd = CLR_TC_MUNGED(n->tc_verd); +- C(input_dev); ++ C(iif); + #endif + skb_copy_secmark(n, skb); + #endif +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -199,7 +199,7 @@ bad_mirred: + skb2->tc_verd = SET_TC_FROM(skb2->tc_verd, at); + + skb2->dev = dev; +- skb2->input_dev = skb->dev; ++ skb2->iif = skb->dev->ifindex; + dev_queue_xmit(skb2); + spin_unlock(&m->tcf_lock); + return m->tcf_action; diff --git a/queue-2.6.20/fix-ipsec-replay-window-handling.patch b/queue-2.6.20/fix-ipsec-replay-window-handling.patch new file mode 100644 index 00000000000..a2b207ce868 --- /dev/null +++ b/queue-2.6.20/fix-ipsec-replay-window-handling.patch 
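Review bot: The added `skb->dev = __dev_get_by_index(skb->iif);` in `ri_tasklet`, and the same lookup added to `tcf_match_indev` in pkt_cls.h, returns a device pointer without taking a reference, and neither `dev_base_lock` nor RTNL is visibly held around either call. The lookup removes the long-lived stale pointer the patch targets, but the device can presumably still go away between the lookup and `netif_rx()` / `dev_queue_xmit()` or the `strcmp()` on `dev->name`; wrapping the lookup in `read_lock(&dev_base_lock)` or using `dev_get_by_index()` with a matching `dev_put()` would make the lifetime explicit. Separately, the `break` after a failed lookup leaves the dequeue loop, so packets still queued are not handled in this run; `continue` may be what is intended, though the loop header is outside the hunk. Replacing the counted drop with `BUG()` also turns an unexpected `from` value into a crash on the packet path.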
@@ -0,0 +1,39 @@ +From stable-bounces@linux.kernel.org Tue Apr 10 13:38:39 2007 +From: Herbert Xu +Date: Tue, 10 Apr 2007 13:37:24 -0700 (PDT) +Subject: Fix IPSEC replay window handling +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070410.133724.34759995.davem@davemloft.net> + +From: Herbert Xu + +[IPSEC]: Reject packets within replay window but outside the bit mask + +Up until this point we've accepted replay window settings greater than +32 but our bit mask can only accomodate 32 packets. Thus any packet +with a sequence number within the window but outside the bit mask would +be accepted. + +This patch causes those packets to be rejected instead. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_state.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1220,7 +1220,8 @@ int xfrm_replay_check(struct xfrm_state + return 0; + + diff = x->replay.seq - seq; +- if (diff >= x->props.replay_window) { ++ if (diff >= min_t(unsigned int, x->props.replay_window, ++ sizeof(x->replay.bitmap) * 8)) { + x->stats.replay_window++; + return -EINVAL; + } diff --git a/queue-2.6.20/fix-length-validation-in-rawv6_sendmsg.patch b/queue-2.6.20/fix-length-validation-in-rawv6_sendmsg.patch new file mode 100644 index 00000000000..9b4fa4cd146 --- /dev/null +++ b/queue-2.6.20/fix-length-validation-in-rawv6_sendmsg.patch @@ -0,0 +1,70 @@ +From stable-bounces@linux.kernel.org Tue Apr 10 13:32:37 2007 +From: YOSHIFUJI Hideaki +Date: Tue, 10 Apr 2007 13:31:20 -0700 (PDT) +Subject: Fix length validation in rawv6_sendmsg() +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070410.133120.68040530.davem@davemloft.net> + +From: YOSHIFUJI Hideaki + +[IPv6]: Fix incorrect length check in rawv6_sendmsg() + +In article <20070329.142644.70222545.davem@davemloft.net> (at Thu, 29 Mar 2007 14:26:44 -0700 (PDT)), David Miller says: + +> 
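Review bot: The new bound in `xfrm_replay_check` silently narrows any configured `replay_window` that is larger than the bitmap, and nothing at the check says why. A comment above the `min_t()` such as `/* the bitmap tracks only sizeof(bitmap)*8 sequence numbers; older ones cannot be verified, so reject them */` would record the reasoning. It is also worth confirming that the code which updates the bitmap (outside this hunk) never shifts by a `diff` at or above the bitmap width, and considering rejecting or clamping an oversized `replay_window` when the state is configured, so the effective window is visible to whoever set it. The function starts and ends outside the hunk.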
From: Sridhar Samudrala +> Date: Thu, 29 Mar 2007 14:17:28 -0700 +> +> > The check for length in rawv6_sendmsg() is incorrect. +> > As len is an unsigned int, (len < 0) will never be TRUE. +> > I think checking for IPV6_MAXPLEN(65535) is better. +> > +> > Is it possible to send ipv6 jumbo packets using raw +> > sockets? If so, we can remove this check. +> +> I don't see why such a limitation against jumbo would exist, +> does anyone else? +> +> Thanks for catching this Sridhar. A good compiler should simply +> fail to compile "if (x < 0)" when 'x' is an unsigned type, don't +> you think :-) + +Dave, we use "int" for returning value, +so we should fix this anyway, IMHO; +we should not allow len > INT_MAX. + +Signed-off-by: YOSHIFUJI Hideaki +Acked-by: Sridhar Samudrala +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/raw.c | 4 ++-- + net/ipv6/udp.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -688,9 +688,9 @@ static int rawv6_sendmsg(struct kiocb *i + int err; + + /* Rough check on arithmetic overflow, +- better check is made in ip6_build_xmit ++ better check is made in ip6_append_data(). + */ +- if (len < 0) ++ if (len > INT_MAX) + return -EMSGSIZE; + + /* Mirror BSD error message compatibility */ +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -616,7 +616,7 @@ do_udp_sendmsg: + return udp_sendmsg(iocb, sk, msg, len); + + /* Rough check on arithmetic overflow, +- better check is made in ip6_build_xmit ++ better check is made in ip6_append_data(). + */ + if (len > INT_MAX - sizeof(struct udphdr)) + return -EMSGSIZE; diff --git a/queue-2.6.20/fix-scsi-sense-handling.patch b/queue-2.6.20/fix-scsi-sense-handling.patch new file mode 100644 index 00000000000..c8908e8b176 --- /dev/null +++ b/queue-2.6.20/fix-scsi-sense-handling.patch 
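Review bot: The comment kept above `if (len > INT_MAX)` in `rawv6_sendmsg` still describes the test as a rough arithmetic-overflow check, while the commit message gives a different reason: the length is handed back through an `int` return value. Saying so at the check, e.g. `/* len is returned to the caller as an int, so larger requests cannot be reported */`, would keep a later cleanup from dropping the test as redundant. The udp.c hunk subtracts `sizeof(struct udphdr)` from the limit whereas the raw path compares against bare `INT_MAX`; if that asymmetry is intentional, a word in the comment would help. Both functions continue outside the hunks.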
@@ -0,0 +1,62 @@ +From stable-bounces@linux.kernel.org Tue Apr 10 13:37:04 2007 +From: David Miller +Date: Tue, 10 Apr 2007 13:35:41 -0700 (PDT) +Subject: Fix scsi sense handling +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070410.133541.55725996.davem@davemloft.net> + +From: David Miller + +[SCSI]: Fix scsi_send_eh_cmnd scatterlist handling + +This fixes a regression caused by commit: + +2dc611de5a3fd955cd0298c50691d4c05046db97 + +The sense buffer code in scsi_send_eh_cmnd was changed to use +alloc_page() and a scatter list, but the sense data copy was not +updated to match so what we actually get in the sense buffer is total +grabage starting with the kernel address of the struct page we got. +Basically the stack frame of scsi_send_eh_cmd() is what ends up +in the sense buffer. + +Depending upon how pointers look on a given platform, you can +end up getting sr_ioctl.c errors when you mount a cdrom. If +the CDROM gives a check condition for GPCMD_GET_CONFIGURATION issued +by drivers/cdrom/cdrom.c:cdrom_mmc_profile(), sr_ioctl will +spit out this error message in sr_do_ioctl() with the way pointers +are on sparc64: + + default: + printk(KERN_ERR "%s: CDROM (ioctl) error, command: ", cd->cdi.name); + __scsi_print_command(cgc->cmd); + scsi_print_sense_hdr("sr", &sshdr); + err = -EIO; + +This is the error Tom Callaway reported in: + +http://marc.info/?l=linux-sparc&m=117407453208101&w=2 + +Anyways, fix this by using page_address(sgl.page) which is OK +because we know this is low-mem due to GFP_ATOMIC. + +Signed-off-by: David S. 
Miller +Acked-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_error.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -595,7 +595,7 @@ static int scsi_send_eh_cmnd(struct scsi + */ + if (copy_sense) { + if (!SCSI_SENSE_VALID(scmd)) { +- memcpy(scmd->sense_buffer, scmd->request_buffer, ++ memcpy(scmd->sense_buffer, page_address(sgl.page), + sizeof(scmd->sense_buffer)); + } + __free_page(sgl.page); diff --git a/queue-2.6.20/fix-tcindex-classifier-abi-borkage.patch b/queue-2.6.20/fix-tcindex-classifier-abi-borkage.patch new file mode 100644 index 00000000000..7bd078f8d46 --- /dev/null +++ b/queue-2.6.20/fix-tcindex-classifier-abi-borkage.patch @@ -0,0 +1,40 @@ +From stable-bounces@linux.kernel.org Tue Apr 10 13:39:58 2007 +From: Patrick McHardy +Date: Tue, 10 Apr 2007 13:38:39 -0700 (PDT) +Subject: Fix tcindex classifier ABI borkage... +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070410.133839.02301998.davem@davemloft.net> + +From: Patrick McHardy + +[NET_SCHED]: cls_tcindex: fix compatibility breakage + +Userspace uses an integer for TCA_TCINDEX_SHIFT, the kernel was changed +to expect and use a u16 value in 2.6.11, which broke compatibility on +big endian machines. Change back to use int. + +Reported by Ole Reinartz + +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sched/cls_tcindex.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sched/cls_tcindex.c ++++ b/net/sched/cls_tcindex.c +@@ -245,9 +245,9 @@ tcindex_set_parms(struct tcf_proto *tp, + } + + if (tb[TCA_TCINDEX_SHIFT-1]) { +- if (RTA_PAYLOAD(tb[TCA_TCINDEX_SHIFT-1]) < sizeof(u16)) ++ if (RTA_PAYLOAD(tb[TCA_TCINDEX_SHIFT-1]) < sizeof(int)) + goto errout; +- cp.shift = *(u16 *) RTA_DATA(tb[TCA_TCINDEX_SHIFT-1]); ++ cp.shift = *(int *) RTA_DATA(tb[TCA_TCINDEX_SHIFT-1]); + } + + err = -EBUSY; 
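Review bot: The corrected `memcpy()` in `scsi_send_eh_cmnd` always copies `sizeof(scmd->sense_buffer)` bytes out of the page, regardless of how much sense data the device actually returned. The allocation is outside the hunk, but the commit message describes a plain `alloc_page()` with `GFP_ATOMIC`; if that page is not zeroed, a short transfer would leave stale page contents in the tail of the sense buffer, which may later be reported to callers. Zeroing the page before the command is issued, or allocating it with `__GFP_ZERO`, would keep the copied bytes to defined data.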
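Review bot: `cp.shift` in `tcindex_set_parms` is now read as a signed `int` straight from the netlink attribute, and the hunk validates only the payload size, not the value. With the old `u16` read the value could not be negative; now a negative or oversized shift supplied by userspace would reach whatever shift expressions consume it (outside this hunk), where such a shift count is undefined behaviour in C. A range check right after the read, `if (cp.shift < 0) goto errout;` together with an upper bound matching the bit width of the shifted key, would close that. The function continues outside the hunk, so the value of `err` at that point should be checked too.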
diff --git a/queue-2.6.20/fix-tcp-receiver-side-sws-handling.patch b/queue-2.6.20/fix-tcp-receiver-side-sws-handling.patch new file mode 100644 index 00000000000..425235079a4 --- /dev/null +++ b/queue-2.6.20/fix-tcp-receiver-side-sws-handling.patch @@ -0,0 +1,32 @@ +From stable-bounces@linux.kernel.org Tue Apr 10 13:38:09 2007 +From: John Heffner +Date: Tue, 10 Apr 2007 13:36:40 -0700 (PDT) +Subject: Fix TCP receiver side SWS handling. +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070410.133640.10297825.davem@davemloft.net> + +From: John Heffner + +[TCP]: Do receiver-side SWS avoidance for rcvbuf < MSS. + +Signed-off-by: John Heffner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_output.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1607,6 +1607,9 @@ u32 __tcp_select_window(struct sock *sk) + */ + if (window <= free_space - mss || window > free_space) + window = (free_space/mss)*mss; ++ else if (mss == full_space && ++ free_space > window + full_space/2) ++ window = free_space; + } + + return window; diff --git a/queue-2.6.20/fix-tcp-slow_start_after_idle-sysctl.patch b/queue-2.6.20/fix-tcp-slow_start_after_idle-sysctl.patch new file mode 100644 index 00000000000..b577f9ed21a --- /dev/null +++ b/queue-2.6.20/fix-tcp-slow_start_after_idle-sysctl.patch 
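Review bot: The added `else if (mss == full_space && free_space > window + full_space/2)` branch in `__tcp_select_window` carries no comment, and its two conditions are not self-explanatory. Going by the commit subject it handles a receive buffer smaller than one MSS; a comment such as `/* rcvbuf < MSS: rounding down to an MSS multiple cannot open the window, so advertise all free space once it exceeds the current window by half the buffer */` would say so at the point of use. How `mss` comes to equal `full_space` is decided outside the hunk, so the wording should be checked against that code.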
@@ -0,0 +1,43 @@ +From stable-bounces@linux.kernel.org Tue Apr 10 13:40:54 2007 +From: David Miller +Date: Tue, 10 Apr 2007 13:39:35 -0700 (PDT) +Subject: Fix TCP slow_start_after_idle sysctl +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070410.133935.68157585.davem@davemloft.net> + +From: David Miller + +[TCP]: slow_start_after_idle should influence cwnd validation too + +For the cases that slow_start_after_idle are meant to deal +with, it is almost a certainty that the congestion window +tests will think the connection is application limited and +we'll thus decrease the cwnd there too. This defeats the +whole point of setting slow_start_after_idle to zero. + +So test it there too. + +We do not cancel out the entire tcp_cwnd_validate() function +so that if the sysctl is changed we still have the validation +state maintained. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_output.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -943,7 +943,8 @@ static void tcp_cwnd_validate(struct soc + if (tp->packets_out > tp->snd_cwnd_used) + tp->snd_cwnd_used = tp->packets_out; + +- if ((s32)(tcp_time_stamp - tp->snd_cwnd_stamp) >= inet_csk(sk)->icsk_rto) ++ if (sysctl_tcp_slow_start_after_idle && ++ (s32)(tcp_time_stamp - tp->snd_cwnd_stamp) >= inet_csk(sk)->icsk_rto) + tcp_cwnd_application_limited(sk); + } + } diff --git a/queue-2.6.20/netfilter-ipt_clusterip-fix-oops-in-checkentry-function.patch b/queue-2.6.20/netfilter-ipt_clusterip-fix-oops-in-checkentry-function.patch new file mode 100644 index 00000000000..bf9748edfb7 --- /dev/null +++ b/queue-2.6.20/netfilter-ipt_clusterip-fix-oops-in-checkentry-function.patch 
@@ -0,0 +1,43 @@ +From stable-bounces@linux.kernel.org Tue Apr 10 05:49:18 2007 +From: Patrick McHardy +Date: Tue, 10 Apr 2007 14:47:21 +0200 +Subject: NETFILTER: ipt_CLUSTERIP: fix oops in checkentry function +To: stable@kernel.org +Cc: Netfilter Development Mailinglist , "David S. Miller" +Message-ID: <461B8759.1000507@trash.net> + +From: Patrick McHardy + +[NETFILTER]: ipt_CLUSTERIP: fix oops in checkentry function + +The clusterip_config_find_get() already increases entries reference +counter, so there is no reason to do it twice in checkentry() callback. + +This causes the config to be freed before it is removed from the list, +resulting in a crash when adding the next rule. + +Signed-off-by: Jaroslav Kysela +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + + +--- + net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c +@@ -409,12 +409,10 @@ checkentry(const char *tablename, + "has invalid config pointer!\n"); + return 0; + } +- clusterip_config_entry_get(cipinfo->config); + } else { + /* Case B: This is a new rule referring to an existing + * clusterip config. */ + cipinfo->config = config; +- clusterip_config_entry_get(cipinfo->config); + } + } else { + /* Case C: This is a completely new clusterip config */ diff --git a/queue-2.6.20/series b/queue-2.6.20/series index 38409c9b12e..04200e87c77 100644 --- a/queue-2.6.20/series +++ b/queue-2.6.20/series 
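Review bot: With the extra `clusterip_config_entry_get()` calls removed, the reference taken by `clusterip_config_find_get()` is the only one `checkentry` holds, and the `return 0` after the "has invalid config pointer!" message appears to leave without dropping it. The lookup itself is outside the hunk, so this is inferred from the commit message's statement that the lookup already raises the entries counter. If that holds, releasing it before that return, e.g. `clusterip_config_entry_put(config);` followed by `clusterip_config_put(config);`, would keep the counts balanced on the error path as well.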
@@ -9,3 +9,12 @@ dvb-tda10086-fix-diseqc-message-length.patch
 dvb-pluto2-fix-incorrect-tscr-register-setting.patch
 hid-do-not-discard-truncated-input-reports.patch
 fix-calculation-for-size-of-filemap_attr-array-in-md-bitmap.patch
+8139too-rtnl-and-flush_scheduled_work-deadlock.patch
+netfilter-ipt_clusterip-fix-oops-in-checkentry-function.patch
+fix-ifb-net-driver-input-device-crashes.patch
+fix-length-validation-in-rawv6_sendmsg.patch
+fix-scsi-sense-handling.patch
+fix-tcp-receiver-side-sws-handling.patch
+fix-ipsec-replay-window-handling.patch
+fix-tcindex-classifier-abi-borkage.patch
+fix-tcp-slow_start_after_idle-sysctl.patch