From a53f69f2f8ef7f5cba7e295d6c727a6545c7e05b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 17 Oct 2015 12:48:36 -0700
Subject: [PATCH] 3.10-stable patches added patches: netfilter-nf_conntrack-support-expectations-in-different-zones.patch
---
 ...port-expectations-in-different-zones.patch | 36 +++++++++++++++++++
 queue-3.10/series | 1 +
 2 files changed, 37 insertions(+)
 create mode 100644 queue-3.10/netfilter-nf_conntrack-support-expectations-in-different-zones.patch
diff --git a/queue-3.10/netfilter-nf_conntrack-support-expectations-in-different-zones.patch b/queue-3.10/netfilter-nf_conntrack-support-expectations-in-different-zones.patch
new file mode 100644
index 00000000000..83943c592d2
--- /dev/null
+++ b/queue-3.10/netfilter-nf_conntrack-support-expectations-in-different-zones.patch
@@ -0,0 +1,36 @@
+From 4b31814d20cbe5cd4ccf18089751e77a04afe4f2 Mon Sep 17 00:00:00 2001
+From: Joe Stringer
+Date: Tue, 21 Jul 2015 21:37:31 -0700
+Subject: netfilter: nf_conntrack: Support expectations in different zones
+
+From: Joe Stringer
+
+commit 4b31814d20cbe5cd4ccf18089751e77a04afe4f2 upstream.
+
+When zones were originally introduced, the expectation functions were
+all extended to perform lookup using the zone. However, insertion was
+not modified to check the zone. This means that two expectations which
+are intended to apply for different connections that have the same tuple
+but exist in different zones cannot both be tracked.
+
+Fixes: 5d0aa2ccd4 (netfilter: nf_conntrack: add support for "conntrack zones")
+Signed-off-by: Joe Stringer
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_expect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_expect.c
++++ b/net/netfilter/nf_conntrack_expect.c
+@@ -202,7 +202,8 @@ static inline int expect_clash(const str
+ a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
+ }
+
+- return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
++ return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask) &&
++ nf_ct_zone(a->master) == nf_ct_zone(b->master);
+ }
+
+ static inline int expect_matches(const struct nf_conntrack_expect *a,
diff --git a/queue-3.10/series b/queue-3.10/series
index 8f0dc13842f..440afb75b93 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -18,3 +18,4 @@ staging-comedi-adl_pci7x3x-fix-digital-output-on-pci-7230.patch
 dm-btree-add-ref-counting-ops-for-the-leaves-of-top-level-btrees.patch
 usb-option-add-zte-pids.patch
 dm-raid-fix-round-up-of-default-region-size.patch
+netfilter-nf_conntrack-support-expectations-in-different-zones.patch
-- 2.47.3
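Review bot: In the queued netfilter patch, the new return expression in expect_clash() now carries the zone-isolation rule, but no comment in the visible lines says so. A one-line comment above the return, e.g. `/* Expectations in different conntrack zones never clash, even if their tuples overlap under the intersected mask. */`, would make it harder for a later refactor to drop the zone test and bring back the cross-zone collision the commit message describes. The comparison also dereferences `a->master` and `b->master` through nf_ct_zone(); presumably both are always set by the time expect_clash() runs, but the start of the function and its callers are outside the hunk, so this should be confirmed against the 3.10 tree rather than inferred from upstream. Since a stable backport should stay identical to the upstream commit, the comment is better proposed upstream than added only here.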