From: Chris Wright Date: Fri, 6 Jun 2008 17:30:42 +0000 (-0700) Subject: added netfilter patches to 2.6.25 queue X-Git-Tag: v2.6.25.5~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eb39a45de0fd1a1d3ba14583cb19ea401278e21a;p=thirdparty%2Fkernel%2Fstable-queue.git added netfilter patches to 2.6.25 queue --- diff --git a/queue-2.6.25/netfilter-nf_conntrack_expect-fix-error-path-unwind-in-nf_conntrack_expect_init.patch b/queue-2.6.25/netfilter-nf_conntrack_expect-fix-error-path-unwind-in-nf_conntrack_expect_init.patch new file mode 100644 index 00000000000..b943ec9abd4 --- /dev/null +++ b/queue-2.6.25/netfilter-nf_conntrack_expect-fix-error-path-unwind-in-nf_conntrack_expect_init.patch @@ -0,0 +1,34 @@ +From stable-bounces@linux.kernel.org Fri Jun 6 10:20:18 2008 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20080606171602.28057.10402.sendpatchset@localhost.localdomain> +Date: Fri, 6 Jun 2008 19:16:04 +0200 (MEST) +Cc: netfilter-devel@vger.kernel.org, Patrick McHardy , davem@davemloft.net +Subject: netfilter: nf_conntrack_expect: fix error path unwind in nf_conntrack_expect_init() + +upstream commit: 12293bf91126ad253a25e2840b307fdc7c2754c3 + +Signed-off-by: Alexey Dobriyan +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + + net/netfilter/nf_conntrack_expect.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nf_conntrack_expect.c ++++ b/net/netfilter/nf_conntrack_expect.c +@@ -550,10 +550,10 @@ int __init nf_conntrack_expect_init(void + return 0; + + err3: ++ kmem_cache_destroy(nf_ct_expect_cachep); ++err2: + nf_ct_free_hashtable(nf_ct_expect_hash, nf_ct_expect_vmalloc, + nf_ct_expect_hsize); +-err2: +- kmem_cache_destroy(nf_ct_expect_cachep); + err1: + return err; + } diff --git a/queue-2.6.25/netfilter-nf_conntrack_ipv6-fix-inconsistent-lock-state-in-nf_ct_frag6_gather.patch b/queue-2.6.25/netfilter-nf_conntrack_ipv6-fix-inconsistent-lock-state-in-nf_ct_frag6_gather.patch new file mode 100644 index 00000000000..b8a2e87a466 --- /dev/null +++ b/queue-2.6.25/netfilter-nf_conntrack_ipv6-fix-inconsistent-lock-state-in-nf_ct_frag6_gather.patch @@ -0,0 +1,72 @@ +From stable-bounces@linux.kernel.org Fri Jun 6 10:21:53 2008 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20080606171605.28057.8694.sendpatchset@localhost.localdomain> +Date: Fri, 6 Jun 2008 19:16:07 +0200 (MEST) +Cc: netfilter-devel@vger.kernel.org, Patrick McHardy , davem@davemloft.net +Subject: netfilter: nf_conntrack_ipv6: fix inconsistent lock state in nf_ct_frag6_gather() + +upstream commit: b9c698964614f71b9c8afeca163a945b4c2e2d20 + +[ 63.531438] ================================= +[ 63.531520] [ INFO: inconsistent lock state ] +[ 63.531520] 2.6.26-rc4 #7 +[ 63.531520] --------------------------------- +[ 63.531520] inconsistent {softirq-on-W} -> {in-softirq-W} usage. +[ 63.531520] tcpsic6/3864 [HC0[0]:SC1[1]:HE1:SE0] takes: +[ 63.531520] (&q->lock#2){-+..}, at: [] ipv6_frag_rcv+0xd0/0xbd0 +[ 63.531520] {softirq-on-W} state was registered at: +[ 63.531520] [] __lock_acquire+0x3aa/0x1080 +[ 63.531520] [] lock_acquire+0x76/0xa0 +[ 63.531520] [] _spin_lock+0x2b/0x40 +[ 63.531520] [] nf_ct_frag6_gather+0x3f6/0x910 + ... + +According to this and another similar lockdep report inet_fragment +locks are taken from nf_ct_frag6_gather() with softirqs enabled, but +these locks are mainly used in softirq context, so disabling BHs is +necessary. + +Reported-and-tested-by: Eric Sesterhenn +Signed-off-by: Jarek Poplawski +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright +--- + + net/ipv6/netfilter/nf_conntrack_reasm.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -209,7 +209,9 @@ fq_find(__be32 id, struct in6_addr *src, + arg.dst = dst; + hash = ip6qhashfn(id, src, dst); + ++ local_bh_disable(); + q = inet_frag_find(&nf_init_frags, &nf_frags, &arg, hash); ++ local_bh_enable(); + if (q == NULL) + goto oom; + +@@ -638,10 +640,10 @@ struct sk_buff *nf_ct_frag6_gather(struc + goto ret_orig; + } + +- spin_lock(&fq->q.lock); ++ spin_lock_bh(&fq->q.lock); + + if (nf_ct_frag6_queue(fq, clone, fhdr, nhoff) < 0) { +- spin_unlock(&fq->q.lock); ++ spin_unlock_bh(&fq->q.lock); + pr_debug("Can't insert skb to queue\n"); + fq_put(fq); + goto ret_orig; +@@ -652,7 +654,7 @@ struct sk_buff *nf_ct_frag6_gather(struc + if (ret_skb == NULL) + pr_debug("Can't reassemble fragmented packets\n"); + } +- spin_unlock(&fq->q.lock); ++ spin_unlock_bh(&fq->q.lock); + + fq_put(fq); + return ret_skb; diff --git a/queue-2.6.25/netfilter-xt_connlimit-fix-accouning-when-receive-rst-packet-in-established-state.patch b/queue-2.6.25/netfilter-xt_connlimit-fix-accouning-when-receive-rst-packet-in-established-state.patch new file mode 100644 index 00000000000..2dd657a5f53 --- /dev/null +++ b/queue-2.6.25/netfilter-xt_connlimit-fix-accouning-when-receive-rst-packet-in-established-state.patch @@ -0,0 +1,38 @@ +From stable-bounces@linux.kernel.org Fri Jun 6 10:21:20 2008 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20080606171604.28057.17617.sendpatchset@localhost.localdomain> +Date: Fri, 6 Jun 2008 19:16:05 +0200 (MEST) +Cc: netfilter-devel@vger.kernel.org, Patrick McHardy , davem@davemloft.net +Subject: netfilter: xt_connlimit: fix accouning when receive RST packet in ESTABLISHED state + +upstream commit: d2ee3f2c4b1db1320c1efb4dcaceeaf6c7e6c2d3 + +In xt_connlimit match module, the counter of an IP is decreased when +the TCP packet is go through the chain with ip_conntrack state TW. +Well, it's very natural that the server and client close the socket +with FIN packet. But when the client/server close the socket with RST +packet(using so_linger), the counter for this connection still exsit. +The following patch can fix it which is based on linux-2.6.25.4 + +Signed-off-by: Dong Wei +Acked-by: Jan Engelhardt +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright +--- + + net/netfilter/xt_connlimit.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netfilter/xt_connlimit.c ++++ b/net/netfilter/xt_connlimit.c +@@ -75,7 +75,8 @@ static inline bool already_closed(const + u_int16_t proto = conn->tuplehash[0].tuple.dst.protonum; + + if (proto == IPPROTO_TCP) +- return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT; ++ return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT || ++ conn->proto.tcp.state == TCP_CONNTRACK_CLOSE; + else + return 0; + } diff --git a/queue-2.6.25/series b/queue-2.6.25/series index 3ad3a9c8153..3e9052cbee4 100644 --- a/queue-2.6.25/series +++ b/queue-2.6.25/series @@ -34,3 +34,6 @@ netfilter-xt_iprange-module-aliases-for-xt_iprange.patch hid-split-numlock-emulation-quirk-from-hid_quirk_apple_has_fn.patch make-acpi-cpufreq-more-robust-against-bios-freq-changes-behind-our-back.patch x86-fpu-fix-config_preempt-y-corruption-of-application-s-fpu-stack.patch +netfilter-nf_conntrack_expect-fix-error-path-unwind-in-nf_conntrack_expect_init.patch +netfilter-xt_connlimit-fix-accouning-when-receive-rst-packet-in-established-state.patch +netfilter-nf_conntrack_ipv6-fix-inconsistent-lock-state-in-nf_ct_frag6_gather.patch