From 4a89733319663d22a1890930bc0c7881c9afa2a1 Mon Sep 17 00:00:00 2001
From: Chris Wright
Date: Mon, 25 Jul 2005 12:13:35 -0700
Subject: [PATCH] Add three netfilter patches from Patrick.
---
 queue/netfilter-NAT-memory-corruption.patch | 50 +++++++++++++++++++
 queue/netfilter-deadlock-ip6_queue.patch | 33 ++++++++++++
 ...lter-ip_conntrack_untracked-refcount.patch | 34 +++++++++++++
 queue/series | 3 ++
 4 files changed, 120 insertions(+)
 create mode 100644 queue/netfilter-NAT-memory-corruption.patch
 create mode 100644 queue/netfilter-deadlock-ip6_queue.patch
 create mode 100644 queue/netfilter-ip_conntrack_untracked-refcount.patch
diff --git a/queue/netfilter-NAT-memory-corruption.patch b/queue/netfilter-NAT-memory-corruption.patch
new file mode 100644
index 00000000000..c6aa7a6c75f
--- /dev/null
+++ b/queue/netfilter-NAT-memory-corruption.patch
@@ -0,0 +1,50 @@
+From stable-bounces@linux.kernel.org Fri Jul 22 00:35:55 2005
+Date: Fri, 22 Jul 2005 09:35:43 +0200
+From: Patrick McHardy
+To: "David S. Miller"
+Cc: Netfilter Development Mailinglist ,
+ stable@kernel.org
+Subject: [PATCH][NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
+
+[NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
+
+The portptr pointing to the port in the conntrack tuple is declared static,
+which could result in memory corruption when two packets of the same
+protocol are NATed at the same time and one conntrack goes away.
+
+Signed-off-by: Patrick McHardy
+Signed-off-by: Chris Wright
+---
+
+ net/ipv4/netfilter/ip_nat_proto_tcp.c | 3 ++-
+ net/ipv4/netfilter/ip_nat_proto_udp.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.12.y/net/ipv4/netfilter/ip_nat_proto_tcp.c
+===================================================================
+--- linux-2.6.12.y.orig/net/ipv4/netfilter/ip_nat_proto_tcp.c
++++ linux-2.6.12.y/net/ipv4/netfilter/ip_nat_proto_tcp.c
+@@ -40,7 +40,8 @@ tcp_unique_tuple(struct ip_conntrack_tup
+ enum ip_nat_manip_type maniptype,
+ const struct ip_conntrack *conntrack)
+ {
+- static u_int16_t port, *portptr;
++ static u_int16_t port;
++ u_int16_t *portptr;
+ unsigned int range_size, min, i;
+
+ if (maniptype == IP_NAT_MANIP_SRC)
+Index: linux-2.6.12.y/net/ipv4/netfilter/ip_nat_proto_udp.c
+===================================================================
+--- linux-2.6.12.y.orig/net/ipv4/netfilter/ip_nat_proto_udp.c
++++ linux-2.6.12.y/net/ipv4/netfilter/ip_nat_proto_udp.c
+@@ -41,7 +41,8 @@ udp_unique_tuple(struct ip_conntrack_tup
+ enum ip_nat_manip_type maniptype,
+ const struct ip_conntrack *conntrack)
+ {
+- static u_int16_t port, *portptr;
++ static u_int16_t port;
++ u_int16_t *portptr;
+ unsigned int range_size, min, i;
+
+ if (maniptype == IP_NAT_MANIP_SRC)
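Review bot: In tcp_unique_tuple, and identically in udp_unique_tuple in the second inner hunk, `port` is still declared `static` after the fix, so concurrent callers keep sharing and updating it with no synchronization visible here. That looks deliberate, as a rolling starting point for the port search where a stale value would presumably only move the starting position, but the code that uses it lies outside the hunk, so this needs confirming against the full function. A comment on the declaration would stop a later reader from assuming it is lock-protected or from "fixing" it the same way as `portptr`, for example `/* static on purpose: shared search start, a race only shifts the first port tried */`.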
diff --git a/queue/netfilter-deadlock-ip6_queue.patch b/queue/netfilter-deadlock-ip6_queue.patch
new file mode 100644
index 00000000000..26529e8911a
--- /dev/null
+++ b/queue/netfilter-deadlock-ip6_queue.patch
@@ -0,0 +1,33 @@
+From stable-bounces@linux.kernel.org Fri Jul 22 00:35:49 2005
+Date: Fri, 22 Jul 2005 09:35:34 +0200
+From: Patrick McHardy
+To: "David S. Miller"
+Cc: Netfilter Development Mailinglist ,
+ stable@kernel.org
+Subject: [PATCH] [NETFILTER]: Fix deadlock in ip6_queue
+
+[NETFILTER]: Fix deadlock in ip6_queue
+
+Already fixed in ip_queue, ip6_queue was missed.
+
+Signed-off-by: Patrick McHardy
+Signed-off-by: Chris Wright
+---
+
+ net/ipv6/netfilter/ip6_queue.c | 2 ++
+ 1 files changed, 2 insertions(+)
+
+Index: linux-2.6.12.y/net/ipv6/netfilter/ip6_queue.c
+===================================================================
+--- linux-2.6.12.y.orig/net/ipv6/netfilter/ip6_queue.c
++++ linux-2.6.12.y/net/ipv6/netfilter/ip6_queue.c
+@@ -76,7 +76,9 @@ static DECLARE_MUTEX(ipqnl_sem);
+ static void
+ ipq_issue_verdict(struct ipq_queue_entry *entry, int verdict)
+ {
++ local_bh_disable();
+ nf_reinject(entry->skb, entry->info, verdict);
++ local_bh_enable();
+ kfree(entry);
+ }
+
diff --git a/queue/netfilter-ip_conntrack_untracked-refcount.patch b/queue/netfilter-ip_conntrack_untracked-refcount.patch
new file mode 100644
index 00000000000..49d6ebe822c
--- /dev/null
+++ b/queue/netfilter-ip_conntrack_untracked-refcount.patch
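Review bot: The two calls added to ipq_issue_verdict in netfilter-deadlock-ip6_queue.patch carry no comment, and the changelog only says the same fix already went into ip_queue, so nothing on the page names the lock or context that deadlocks when nf_reinject() runs with bottom halves enabled. For a stable backport that makes the change hard to audit, and easy to undo later as apparently redundant. A one-line comment above `local_bh_disable();` would record the constraint, for example `/* nf_reinject() must be called with BHs disabled, same as ip_queue */`, ideally also naming the lock once that is confirmed from the ip_queue fix.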
@@ -0,0 +1,34 @@
+From stable-bounces@linux.kernel.org Fri Jul 22 00:35:58 2005
+Date: Fri, 22 Jul 2005 09:35:51 +0200
+From: Patrick McHardy
+User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050602)
+To: "David S. Miller"
+Cc: Netfilter Development Mailinglist ,
+ stable@kernel.org
+Subject: [PATCH][NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload
+
+[NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload
+
+Fixes a crash when unloading ip_conntrack.
+
+Signed-off-by: Patrick McHardy
+Signed-off-by: Chris Wright
+---
+
+ net/ipv4/netfilter/ip_conntrack_core.c | 3 +++
+ 1 files changed, 3 insertions(+)
+
+Index: linux-2.6.12.y/net/ipv4/netfilter/ip_conntrack_core.c
+===================================================================
+--- linux-2.6.12.y.orig/net/ipv4/netfilter/ip_conntrack_core.c
++++ linux-2.6.12.y/net/ipv4/netfilter/ip_conntrack_core.c
+@@ -1124,6 +1124,9 @@ void ip_conntrack_cleanup(void)
+ schedule();
+ goto i_see_dead_people;
+ }
++ /* wait until all references to ip_conntrack_untracked are dropped */
++ while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1)
++ schedule();
+
+ kmem_cache_destroy(ip_conntrack_cachep);
+ kmem_cache_destroy(ip_conntrack_expect_cachep);
diff --git a/queue/series b/queue/series
index b64d8bf8e37..6adb897d3cf 100644
--- a/queue/series
+++ b/queue/series
@@ -3,3 +3,6 @@ qla2xxx-fc_remote_port_add-failure-fix.patch
 rocket_c-fix-ldisc-ref-count.patch
 x86_64-32bit-memleak.patch
 skb-signedness-fix.patch
+netfilter-deadlock-ip6_queue.patch
+netfilter-NAT-memory-corruption.patch
+netfilter-ip_conntrack_untracked-refcount.patch
--
2.47.3
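Review bot: The wait added to ip_conntrack_cleanup in netfilter-ip_conntrack_untracked-refcount.patch is unbounded: `while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1) schedule();` loops until every other holder drops its reference, so a single leaked reference turns the crash on unload into a silent hang on unload. It also depends on nothing taking a new reference while the loop runs; whatever guarantees that (presumably the hooks are already unregistered) is outside the hunk and should be confirmed. The existing comment should at least say why the threshold is 1 and what ends the wait, for example `/* use == 1 is the object's own reference; hooks are gone, so the count can only fall */`, if that reading holds.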