From: Greg Kroah-Hartman Date: Fri, 22 Feb 2008 21:28:30 +0000 (-0800) Subject: .23 patches X-Git-Tag: v2.6.22.19~16 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=69407d0c6cefd6c7984aa0486f083393c5189ff7;p=thirdparty%2Fkernel%2Fstable-queue.git .23 patches --- diff --git a/queue-2.6.23/netfilter-nf_conntrack_tcp-conntrack-reopening-fix.patch b/queue-2.6.23/netfilter-nf_conntrack_tcp-conntrack-reopening-fix.patch new file mode 100644 index 00000000000..effaed7fff9 --- /dev/null +++ b/queue-2.6.23/netfilter-nf_conntrack_tcp-conntrack-reopening-fix.patch @@ -0,0 +1,111 @@ +From stable-bounces@linux.kernel.org Tue Feb 19 07:43:54 2008 +From: Jozsef Kadlecsik +From: Patrick McHardy +Date: Tue, 19 Feb 2008 16:24:01 +0100 +Subject: NETFILTER: nf_conntrack_tcp: conntrack reopening fix +To: stable@kernel.org +Cc: Netfilter Development Mailinglist , "David S. Miller" +Message-ID: <47BAF491.6060601@trash.net> + +From: Jozsef Kadlecsik + +[NETFILTER]: nf_conntrack_tcp: conntrack reopening fix + +[Upstream commits b2155e7f + d0c1fd7a] + +TCP connection tracking in netfilter did not handle TCP reopening +properly: active close was taken into account for one side only and +not for any side, which is fixed now. The patch includes more comments +to explain the logic how the different cases are handled. +The bug was discovered by Jeff Chua. + +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_proto_tcp.c | 35 +++++++++++++++++++++++++-------- + 1 file changed, 27 insertions(+), 8 deletions(-) + +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -135,7 +135,7 @@ enum tcp_bit_set { + * CLOSE_WAIT: ACK seen (after FIN) + * LAST_ACK: FIN seen (after FIN) + * TIME_WAIT: last ACK seen +- * CLOSE: closed connection ++ * CLOSE: closed connection (RST) + * + * LISTEN state is not used. + * +@@ -834,8 +834,21 @@ static int tcp_packet(struct nf_conn *co + case TCP_CONNTRACK_SYN_SENT: + if (old_state < TCP_CONNTRACK_TIME_WAIT) + break; +- if ((conntrack->proto.tcp.seen[!dir].flags & +- IP_CT_TCP_FLAG_CLOSE_INIT) ++ /* RFC 1122: "When a connection is closed actively, ++ * it MUST linger in TIME-WAIT state for a time 2xMSL ++ * (Maximum Segment Lifetime). However, it MAY accept ++ * a new SYN from the remote TCP to reopen the connection ++ * directly from TIME-WAIT state, if..." ++ * We ignore the conditions because we are in the ++ * TIME-WAIT state anyway. ++ * ++ * Handle aborted connections: we and the server ++ * think there is an existing connection but the client ++ * aborts it and starts a new one. ++ */ ++ if (((conntrack->proto.tcp.seen[dir].flags ++ | conntrack->proto.tcp.seen[!dir].flags) ++ & IP_CT_TCP_FLAG_CLOSE_INIT) + || (conntrack->proto.tcp.last_dir == dir + && conntrack->proto.tcp.last_index == TCP_RST_SET)) { + /* Attempt to reopen a closed/aborted connection. +@@ -848,18 +861,25 @@ static int tcp_packet(struct nf_conn *co + } + /* Fall through */ + case TCP_CONNTRACK_IGNORE: +- /* Ignored packets: ++ /* Ignored packets: ++ * ++ * Our connection entry may be out of sync, so ignore ++ * packets which may signal the real connection between ++ * the client and the server. + * + * a) SYN in ORIGINAL + * b) SYN/ACK in REPLY + * c) ACK in reply direction after initial SYN in original. ++ * ++ * If the ignored packet is invalid, the receiver will send ++ * a RST we'll catch below. + */ + if (index == TCP_SYNACK_SET + && conntrack->proto.tcp.last_index == TCP_SYN_SET + && conntrack->proto.tcp.last_dir != dir + && ntohl(th->ack_seq) == + conntrack->proto.tcp.last_end) { +- /* This SYN/ACK acknowledges a SYN that we earlier ++ /* b) This SYN/ACK acknowledges a SYN that we earlier + * ignored as invalid. This means that the client and + * the server are both in sync, while the firewall is + * not. We kill this session and block the SYN/ACK so +@@ -884,7 +904,7 @@ static int tcp_packet(struct nf_conn *co + write_unlock_bh(&tcp_lock); + if (LOG_INVALID(IPPROTO_TCP)) + nf_log_packet(pf, 0, skb, NULL, NULL, NULL, +- "nf_ct_tcp: invalid packed ignored "); ++ "nf_ct_tcp: invalid packet ignored "); + return NF_ACCEPT; + case TCP_CONNTRACK_MAX: + /* Invalid packet */ +@@ -938,8 +958,7 @@ static int tcp_packet(struct nf_conn *co + + conntrack->proto.tcp.state = new_state; + if (old_state != new_state +- && (new_state == TCP_CONNTRACK_FIN_WAIT +- || new_state == TCP_CONNTRACK_CLOSE)) ++ && new_state == TCP_CONNTRACK_FIN_WAIT) + conntrack->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT; + timeout = conntrack->proto.tcp.retrans >= nf_ct_tcp_max_retrans + && *tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans diff --git a/queue-2.6.23/scsi-sd-handle-bad-lba-in-sense-information.patch b/queue-2.6.23/scsi-sd-handle-bad-lba-in-sense-information.patch new file mode 100644 index 00000000000..de309e4ad79 --- /dev/null +++ b/queue-2.6.23/scsi-sd-handle-bad-lba-in-sense-information.patch @@ -0,0 +1,76 @@ +From 366c246de9cec909c5eba4f784c92d1e75b4dc38 Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Sat, 2 Feb 2008 16:06:23 -0600 +Subject: SCSI: sd: handle bad lba in sense information + +From: James Bottomley + +patch 366c246de9cec909c5eba4f784c92d1e75b4dc38 in mainline. + +Some devices report medium error locations incorrectly. Add guards to +make sure the reported bad lba is actually in the request that caused +it. Additionally remove the large case statment for sector sizes and +replace it with the proper u64 divisions. + +Tested-by: Mike Snitzer +Cc: Stable Tree +Cc: Tony Battersby +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 34 ++++++++++++++++------------------ + 1 file changed, 16 insertions(+), 18 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -901,6 +901,7 @@ static void sd_rw_intr(struct scsi_cmnd + unsigned int xfer_size = SCpnt->request_bufflen; + unsigned int good_bytes = result ? 0 : xfer_size; + u64 start_lba = SCpnt->request->sector; ++ u64 end_lba = SCpnt->request->sector + (xfer_size / 512); + u64 bad_lba; + struct scsi_sense_hdr sshdr; + int sense_valid = 0; +@@ -939,26 +940,23 @@ static void sd_rw_intr(struct scsi_cmnd + goto out; + if (xfer_size <= SCpnt->device->sector_size) + goto out; +- switch (SCpnt->device->sector_size) { +- case 256: ++ if (SCpnt->device->sector_size < 512) { ++ /* only legitimate sector_size here is 256 */ + start_lba <<= 1; +- break; +- case 512: +- break; +- case 1024: +- start_lba >>= 1; +- break; +- case 2048: +- start_lba >>= 2; +- break; +- case 4096: +- start_lba >>= 3; +- break; +- default: +- /* Print something here with limiting frequency. */ +- goto out; +- break; ++ end_lba <<= 1; ++ } else { ++ /* be careful ... don't want any overflows */ ++ u64 factor = SCpnt->device->sector_size / 512; ++ do_div(start_lba, factor); ++ do_div(end_lba, factor); + } ++ ++ if (bad_lba < start_lba || bad_lba >= end_lba) ++ /* the bad lba was reported incorrectly, we have ++ * no idea where the error is ++ */ ++ goto out; ++ + /* This computation should always be done in terms of + * the resolution of the device's medium. + */ diff --git a/queue-2.6.23/series b/queue-2.6.23/series index b5c0061e8c9..208cf470b63 100644 --- a/queue-2.6.23/series +++ b/queue-2.6.23/series @@ -1 +1,3 @@ +scsi-sd-handle-bad-lba-in-sense-information.patch nfs-fix-a-potential-file-corruption-issue-when-writing.patch +netfilter-nf_conntrack_tcp-conntrack-reopening-fix.patch