--- /dev/null
+From e4f61adea32e4323bf91103f1995d561e778b44d Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 15 Feb 2008 01:32:40 -0800
+Subject: AUDIT: Increase skb->truesize in audit_expand
+
+Upstream commit: 406a1d868001423c85a3165288e566e65f424fe6
+
+The recent UDP patch exposed this bug in the audit code. It
+was calling pskb_expand_head without increasing skb->truesize.
+The caller of pskb_expand_head needs to do so because that function
+is designed to be called in places where truesize is already fixed
+and therefore it doesn't update its value.
+
+Because the audit system is using it in a place where the truesize
+has not yet been fixed, it needs to update its value manually.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: James Morris <jmorris@namei.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/audit.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1200,13 +1200,17 @@ struct audit_buffer *audit_log_start(str
+ static inline int audit_expand(struct audit_buffer *ab, int extra)
+ {
+ struct sk_buff *skb = ab->skb;
+- int ret = pskb_expand_head(skb, skb_headroom(skb), extra,
+- ab->gfp_mask);
++ int oldtail = skb_tailroom(skb);
++ int ret = pskb_expand_head(skb, 0, extra, ab->gfp_mask);
++ int newtail = skb_tailroom(skb);
++
+ if (ret < 0) {
+ audit_log_lost("out of memory in audit_expand");
+ return 0;
+ }
+- return skb_tailroom(skb);
++
++ skb->truesize += newtail - oldtail;
++ return newtail;
+ }
+
+ /*
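Review bot: `newtail` is read with `skb_tailroom(skb)` before `ret` is checked, so on the failure path the value is computed and then discarded. Moving `int newtail = skb_tailroom(skb);` below the `if (ret < 0)` block keeps the success-only accounting next to `skb->truesize += newtail - oldtail;`. A comment above that line would also help, for example `/* pskb_expand_head() leaves truesize alone; charge the added tailroom here */`, because the commit message is currently the only place that explains why the caller does the accounting. All of audit_expand is inside this hunk.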
--- /dev/null
+From 897b8f3e9ea50bb586fc3bf2d37457a7922ec558 Mon Sep 17 00:00:00 2001
+From: Dave Young <hidave.darkstar@gmail.com>
+Date: Fri, 15 Feb 2008 01:34:03 -0800
+Subject: BLUETOOTH: Add conn add/del workqueues to avoid connection fail.
+
+Upstream commit: b6c0632105f7d7548f1d642ba830088478d4f2b0
+
+The bluetooth hci_conn sysfs add/del executed in the default
+workqueue. If the del_conn is executed after the new add_conn with
+same target, add_conn will failed with warning of "same kobject name".
+
+Here add btaddconn & btdelconn workqueues, flush the btdelconn
+workqueue in the add_conn function to avoid the issue.
+
+Signed-off-by: Dave Young <hidave.darkstar@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bluetooth/hci_sysfs.c | 48 +++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 37 insertions(+), 11 deletions(-)
+
+--- a/net/bluetooth/hci_sysfs.c
++++ b/net/bluetooth/hci_sysfs.c
+@@ -12,6 +12,8 @@
+ #undef BT_DBG
+ #define BT_DBG(D...)
+ #endif
++static struct workqueue_struct *btaddconn;
++static struct workqueue_struct *btdelconn;
+
+ static inline char *typetostr(int type)
+ {
+@@ -279,6 +281,7 @@ static void add_conn(struct work_struct
+ struct hci_conn *conn = container_of(work, struct hci_conn, work);
+ int i;
+
++ flush_workqueue(btdelconn);
+ if (device_add(&conn->dev) < 0) {
+ BT_ERR("Failed to register connection device");
+ return;
+@@ -313,6 +316,7 @@ void hci_conn_add_sysfs(struct hci_conn
+
+ INIT_WORK(&conn->work, add_conn);
+
++ queue_work(btaddconn, &conn->work);
+ schedule_work(&conn->work);
+ }
+
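Review bot: `conn->work` is now submitted twice in hci_conn_add_sysfs, because the added `queue_work(btaddconn, &conn->work);` is followed by the unchanged `schedule_work(&conn->work);` that the hunk keeps as context. The same pairing appears in hci_conn_del_sysfs with `btdelconn`. If the second submission is not rejected as already pending, add_conn or del_conn can still run on the default workqueue, which is the ordering problem the commit message sets out to remove, and `flush_workqueue(btdelconn)` in add_conn would not wait for it. Dropping the `schedule_work(&conn->work);` line in both functions leaves each work item on its dedicated queue only. Both function bodies start outside their hunks.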
+@@ -349,6 +353,7 @@ void hci_conn_del_sysfs(struct hci_conn
+
+ INIT_WORK(&conn->work, del_conn);
+
++ queue_work(btdelconn, &conn->work);
+ schedule_work(&conn->work);
+ }
+
+@@ -398,31 +403,52 @@ int __init bt_sysfs_init(void)
+ {
+ int err;
+
++ btaddconn = create_singlethread_workqueue("btaddconn");
++ if (!btaddconn) {
++ err = -ENOMEM;
++ goto out;
++ }
++ btdelconn = create_singlethread_workqueue("btdelconn");
++ if (!btdelconn) {
++ err = -ENOMEM;
++ goto out_del;
++ }
++
+ bt_platform = platform_device_register_simple("bluetooth", -1, NULL, 0);
+- if (IS_ERR(bt_platform))
+- return PTR_ERR(bt_platform);
++ if (IS_ERR(bt_platform)) {
++ err = PTR_ERR(bt_platform);
++ goto out_platform;
++ }
+
+ err = bus_register(&bt_bus);
+- if (err < 0) {
+- platform_device_unregister(bt_platform);
+- return err;
+- }
++ if (err < 0)
++ goto out_bus;
+
+ bt_class = class_create(THIS_MODULE, "bluetooth");
+ if (IS_ERR(bt_class)) {
+- bus_unregister(&bt_bus);
+- platform_device_unregister(bt_platform);
+- return PTR_ERR(bt_class);
++ err = PTR_ERR(bt_class);
++ goto out_class;
+ }
+
+ return 0;
++
++out_class:
++ bus_unregister(&bt_bus);
++out_bus:
++ platform_device_unregister(bt_platform);
++out_platform:
++ destroy_workqueue(btdelconn);
++out_del:
++ destroy_workqueue(btaddconn);
++out:
++ return err;
+ }
+
+ void bt_sysfs_cleanup(void)
+ {
++ destroy_workqueue(btaddconn);
++ destroy_workqueue(btdelconn);
+ class_destroy(bt_class);
+-
+ bus_unregister(&bt_bus);
+-
+ platform_device_unregister(bt_platform);
+ }
--- /dev/null
+From 102f413356dda01aeb0625e46e73b984e7d433ff Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 15 Feb 2008 01:55:06 -0800
+Subject: INET: Prevent out-of-sync truesize on ip_fragment slow path
+
+Upstream commit: 29ffe1a5c52dae13b6efead97aab9b058f38fce4
+
+When ip_fragment has to hit the slow path the value of skb->truesize
+may go out of sync because we would have updated it without changing
+the packet length. This violates the constraints on truesize.
+
+This patch postpones the update of skb->truesize to prevent this.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ip_output.c | 4 +++-
+ net/ipv6/ip6_output.c | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -462,6 +462,7 @@ int ip_fragment(struct sk_buff *skb, int
+ if (skb_shinfo(skb)->frag_list) {
+ struct sk_buff *frag;
+ int first_len = skb_pagelen(skb);
++ int truesizes = 0;
+
+ if (first_len - hlen > mtu ||
+ ((first_len - hlen) & 7) ||
+@@ -485,7 +486,7 @@ int ip_fragment(struct sk_buff *skb, int
+ sock_hold(skb->sk);
+ frag->sk = skb->sk;
+ frag->destructor = sock_wfree;
+- skb->truesize -= frag->truesize;
++ truesizes += frag->truesize;
+ }
+ }
+
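Review bot: Deferring only the truesize subtraction leaves this loop's other per-fragment side effects in place when it bails out to the slow path: `sock_hold(skb->sk)`, `frag->sk = skb->sk` and `frag->destructor = sock_wfree` have already been applied to the fragments visited so far. The exit to the slow path is outside the hunk, so this is inferred from the commit message; if it holds, those fragments keep a socket reference and a destructor while their truesize is still counted in the parent skb. Either undo the three assignments on the slow-path exit, or apply them in a second pass next to `skb->truesize -= truesizes;` once every fragment has passed the geometry checks. The matching loop in ip6_fragment in net/ipv6/ip6_output.c has the same shape.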
+@@ -496,6 +497,7 @@ int ip_fragment(struct sk_buff *skb, int
+ frag = skb_shinfo(skb)->frag_list;
+ skb_shinfo(skb)->frag_list = NULL;
+ skb->data_len = first_len - skb_headlen(skb);
++ skb->truesize -= truesizes;
+ skb->len = first_len;
+ iph->tot_len = htons(first_len);
+ iph->frag_off = htons(IP_MF);
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -609,6 +609,7 @@ static int ip6_fragment(struct sk_buff *
+
+ if (skb_shinfo(skb)->frag_list) {
+ int first_len = skb_pagelen(skb);
++ int truesizes = 0;
+
+ if (first_len - hlen > mtu ||
+ ((first_len - hlen) & 7) ||
+@@ -631,7 +632,7 @@ static int ip6_fragment(struct sk_buff *
+ sock_hold(skb->sk);
+ frag->sk = skb->sk;
+ frag->destructor = sock_wfree;
+- skb->truesize -= frag->truesize;
++ truesizes += frag->truesize;
+ }
+ }
+
+@@ -662,6 +663,7 @@ static int ip6_fragment(struct sk_buff *
+
+ first_len = skb_pagelen(skb);
+ skb->data_len = first_len - skb_headlen(skb);
++ skb->truesize -= truesizes;
+ skb->len = first_len;
+ ipv6_hdr(skb)->payload_len = htons(first_len -
+ sizeof(struct ipv6hdr));
--- /dev/null
+From 24aad444738ff34ce203cea20c6de04cd597ac5e Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Fri, 15 Feb 2008 01:41:34 -0800
+Subject: INET_DIAG: Fix inet_diag_lock_handler error path.
+
+Upstream commit: 8cf8e5a67fb07f583aac94482ba51a7930dab493
+
+Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=9825
+
+The inet_diag_lock_handler function uses ERR_PTR to encode errors but
+its callers were testing against NULL.
+
+This only happens when the only inet_diag modular user, DCCP, is not
+built into the kernel or available as a module.
+
+Also there was a problem with not dropping the mutex lock when a handler
+was not found, also fixed in this patch.
+
+This caused an OOPS and ss would then hang on subsequent calls, as
+&inet_diag_table_mutex was being left locked.
+
+Thanks to spike at ml.yaroslavl.ru for report it after trying 'ss -d'
+on a kernel that doesn't have DCCP available.
+
+This bug was introduced in cset
+d523a328fb0271e1a763e985a21f2488fd816e7e ("Fix inet_diag dead-lock
+regression"), after 2.6.24-rc3, so just 2.6.24 seems to be affected.
+
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/inet_diag.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -259,8 +259,10 @@ static int inet_diag_get_exact(struct sk
+ const struct inet_diag_handler *handler;
+
+ handler = inet_diag_lock_handler(nlh->nlmsg_type);
+- if (!handler)
+- return -ENOENT;
++ if (IS_ERR(handler)) {
++ err = PTR_ERR(handler);
++ goto unlock;
++ }
+
+ hashinfo = handler->idiag_hashinfo;
+ err = -EINVAL;
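Review bot: On the new error path `handler` holds an ERR_PTR value when control reaches the `unlock` label, and that label (visible in inet_diag_dump as `inet_diag_unlock_handler(handler);`) passes it on. This is only safe while the unlock helper never dereferences its argument; a comment at the `goto unlock`, such as `/* handler is an ERR_PTR here; unlock only drops the table mutex */`, would record that dependency, assuming the helper does ignore the pointer. In inet_diag_dump the error code is also dropped, since the function still returns `skb->len`; if that is intended, a one-line comment saying so would help. The `unlock` label of inet_diag_get_exact is outside this hunk.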
+@@ -708,8 +710,8 @@ static int inet_diag_dump(struct sk_buff
+ struct inet_hashinfo *hashinfo;
+
+ handler = inet_diag_lock_handler(cb->nlh->nlmsg_type);
+- if (!handler)
+- goto no_handler;
++ if (IS_ERR(handler))
++ goto unlock;
+
+ hashinfo = handler->idiag_hashinfo;
+
+@@ -838,7 +840,6 @@ done:
+ cb->args[2] = num;
+ unlock:
+ inet_diag_unlock_handler(handler);
+-no_handler:
+ return skb->len;
+ }
+
--- /dev/null
+From d2c668b640154180650bf32e14ccd6bd89048448 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 15 Feb 2008 01:44:03 -0800
+Subject: IPCOMP: Fetch nexthdr before ipch is destroyed
+
+Upstream commit: 2614fa59fa805cd488083c5602eb48533cdbc018
+
+When I moved the nexthdr setting out of IPComp I accidently moved
+the reading of ipch->nexthdr after the decompression. Unfortunately
+this means that we'd be reading from a stale ipch pointer which
+doesn't work very well.
+
+This patch moves the reading up so that we get the correct nexthdr
+value.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ipcomp.c | 5 ++++-
+ net/ipv6/ipcomp6.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ipcomp.c
++++ b/net/ipv4/ipcomp.c
+@@ -74,6 +74,7 @@ out:
+
+ static int ipcomp_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
++ int nexthdr;
+ int err = -ENOMEM;
+ struct ip_comp_hdr *ipch;
+
+@@ -84,13 +85,15 @@ static int ipcomp_input(struct xfrm_stat
+
+ /* Remove ipcomp header and decompress original payload */
+ ipch = (void *)skb->data;
++ nexthdr = ipch->nexthdr;
++
+ skb->transport_header = skb->network_header + sizeof(*ipch);
+ __skb_pull(skb, sizeof(*ipch));
+ err = ipcomp_decompress(x, skb);
+ if (err)
+ goto out;
+
+- err = ipch->nexthdr;
++ err = nexthdr;
+
+ out:
+ return err;
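Review bot: The reason `nexthdr` is copied out early is not recorded in the code, so a later cleanup could fold it back into `err = ipch->nexthdr;`. I would add a comment above the new assignment, `/* read before ipcomp_decompress(): ipch can be stale afterwards */`, and the same in ipcomp6_input in net/ipv6/ipcomp6.c. Once `nexthdr` is saved, `ipch` is only needed for `sizeof(*ipch)`; writing that as `sizeof(struct ip_comp_hdr)` would make it clear the pointer is never read after decompression. The start of ipcomp_input is in the previous hunk.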
+--- a/net/ipv6/ipcomp6.c
++++ b/net/ipv6/ipcomp6.c
+@@ -64,6 +64,7 @@ static LIST_HEAD(ipcomp6_tfms_list);
+
+ static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
++ int nexthdr;
+ int err = -ENOMEM;
+ struct ip_comp_hdr *ipch;
+ int plen, dlen;
+@@ -79,6 +80,8 @@ static int ipcomp6_input(struct xfrm_sta
+
+ /* Remove ipcomp header and decompress original payload */
+ ipch = (void *)skb->data;
++ nexthdr = ipch->nexthdr;
++
+ skb->transport_header = skb->network_header + sizeof(*ipch);
+ __skb_pull(skb, sizeof(*ipch));
+
+@@ -108,7 +111,7 @@ static int ipcomp6_input(struct xfrm_sta
+ skb->truesize += dlen - plen;
+ __skb_put(skb, dlen - plen);
+ skb_copy_to_linear_data(skb, scratch, dlen);
+- err = ipch->nexthdr;
++ err = nexthdr;
+
+ out_put_cpu:
+ put_cpu();
--- /dev/null
+From 1bbc52a93dd7023d82f1d831a6bd2bd86ea71264 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 15 Feb 2008 01:42:57 -0800
+Subject: IPCOMP: Fix reception of incompressible packets
+
+Upstream commit: b1641064a3f4a58644bc2e8edf40c025c58473b4
+
+I made a silly typo by entering IPPROTO_IP (== 0) instead of
+IPPROTO_IPIP (== 4). This broke the reception of incompressible
+packets.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/xfrm4_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/xfrm4_tunnel.c
++++ b/net/ipv4/xfrm4_tunnel.c
+@@ -50,7 +50,7 @@ static struct xfrm_type ipip_type = {
+
+ static int xfrm_tunnel_rcv(struct sk_buff *skb)
+ {
+- return xfrm4_rcv_spi(skb, IPPROTO_IP, ip_hdr(skb)->saddr);
++ return xfrm4_rcv_spi(skb, IPPROTO_IPIP, ip_hdr(skb)->saddr);
+ }
+
+ static int xfrm_tunnel_err(struct sk_buff *skb, u32 info)
--- /dev/null
+From 79d10b62ca6e194298db9d09c3dc375c8a109e45 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Fri, 15 Feb 2008 01:38:53 -0800
+Subject: IPV4: fib: fix route replacement, fib_info is shared
+
+Upstream commit: c18865f39276435abb9286f9a816cb5b66c99a00
+
+fib_info can be shared by many route prefixes but we don't want
+duplicate alternative routes for a prefix+tos+priority. Last change
+was not correct to check fib_treeref because it accounts usage from
+other prefixes. Additionally, avoid replacement without error if new
+route is same, as Joonwoo Park suggests.
+
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/fib_hash.c | 47 +++++++++++++++++++++++++++++++----------------
+ 1 file changed, 31 insertions(+), 16 deletions(-)
+
+--- a/net/ipv4/fib_hash.c
++++ b/net/ipv4/fib_hash.c
+@@ -434,19 +434,43 @@ static int fn_hash_insert(struct fib_tab
+
+ if (fa && fa->fa_tos == tos &&
+ fa->fa_info->fib_priority == fi->fib_priority) {
+- struct fib_alias *fa_orig;
++ struct fib_alias *fa_first, *fa_match;
+
+ err = -EEXIST;
+ if (cfg->fc_nlflags & NLM_F_EXCL)
+ goto out;
+
++ /* We have 2 goals:
++ * 1. Find exact match for type, scope, fib_info to avoid
++ * duplicate routes
++ * 2. Find next 'fa' (or head), NLM_F_APPEND inserts before it
++ */
++ fa_match = NULL;
++ fa_first = fa;
++ fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
++ list_for_each_entry_continue(fa, &f->fn_alias, fa_list) {
++ if (fa->fa_tos != tos)
++ break;
++ if (fa->fa_info->fib_priority != fi->fib_priority)
++ break;
++ if (fa->fa_type == cfg->fc_type &&
++ fa->fa_scope == cfg->fc_scope &&
++ fa->fa_info == fi) {
++ fa_match = fa;
++ break;
++ }
++ }
++
+ if (cfg->fc_nlflags & NLM_F_REPLACE) {
+ struct fib_info *fi_drop;
+ u8 state;
+
+- if (fi->fib_treeref > 1)
++ fa = fa_first;
++ if (fa_match) {
++ if (fa == fa_match)
++ err = 0;
+ goto out;
+-
++ }
+ write_lock_bh(&fib_hash_lock);
+ fi_drop = fa->fa_info;
+ fa->fa_info = fi;
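Review bot: `fa` serves as the loop cursor for the duplicate scan and is then reset with `fa = fa_first;` inside the NLM_F_REPLACE branch, which is easy to miss when reading the replace code that follows. A comment there, e.g. `/* replace always targets the first alias for this tos+priority */`, would make the intent explicit. The nested test `if (fa == fa_match) err = 0;` also deserves one line saying that replacing a route with itself succeeds without touching the table, while a match further down the list still returns -EEXIST. fn_trie_insert in net/ipv4/fib_trie.c receives the same code and would take the same comments. The enclosing function continues outside the hunk.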
+@@ -469,20 +493,11 @@ static int fn_hash_insert(struct fib_tab
+ * uses the same scope, type, and nexthop
+ * information.
+ */
+- fa_orig = fa;
+- fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
+- list_for_each_entry_continue(fa, &f->fn_alias, fa_list) {
+- if (fa->fa_tos != tos)
+- break;
+- if (fa->fa_info->fib_priority != fi->fib_priority)
+- break;
+- if (fa->fa_type == cfg->fc_type &&
+- fa->fa_scope == cfg->fc_scope &&
+- fa->fa_info == fi)
+- goto out;
+- }
++ if (fa_match)
++ goto out;
++
+ if (!(cfg->fc_nlflags & NLM_F_APPEND))
+- fa = fa_orig;
++ fa = fa_first;
+ }
+
+ err = -ENOENT;
--- /dev/null
+From 598f593dc34868629e9f1abae6ae5e4c16195b70 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Fri, 15 Feb 2008 01:39:42 -0800
+Subject: IPV4: fib_trie: apply fixes from fib_hash
+
+Upstream commit: 936f6f8e1bc46834bbb3e3fa3ac13ab44f1e7ba6
+
+ Update fib_trie with some fib_hash fixes:
+- check for duplicate alternative routes for prefix+tos+priority when
+replacing route
+- properly insert by matching tos together with priority
+- fix alias walking to use list_for_each_entry_continue for insertion
+and deletion when fa_head is not NULL
+- copy state from fa to new_fa on replace (not a problem for now)
+- additionally, avoid replacement without error if new route is same,
+as Joonwoo Park suggests.
+
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/fib_trie.c | 57 ++++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 36 insertions(+), 21 deletions(-)
+
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -1203,20 +1203,45 @@ static int fn_trie_insert(struct fib_tab
+ * and we need to allocate a new one of those as well.
+ */
+
+- if (fa && fa->fa_info->fib_priority == fi->fib_priority) {
+- struct fib_alias *fa_orig;
++ if (fa && fa->fa_tos == tos &&
++ fa->fa_info->fib_priority == fi->fib_priority) {
++ struct fib_alias *fa_first, *fa_match;
+
+ err = -EEXIST;
+ if (cfg->fc_nlflags & NLM_F_EXCL)
+ goto out;
+
++ /* We have 2 goals:
++ * 1. Find exact match for type, scope, fib_info to avoid
++ * duplicate routes
++ * 2. Find next 'fa' (or head), NLM_F_APPEND inserts before it
++ */
++ fa_match = NULL;
++ fa_first = fa;
++ fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
++ list_for_each_entry_continue(fa, fa_head, fa_list) {
++ if (fa->fa_tos != tos)
++ break;
++ if (fa->fa_info->fib_priority != fi->fib_priority)
++ break;
++ if (fa->fa_type == cfg->fc_type &&
++ fa->fa_scope == cfg->fc_scope &&
++ fa->fa_info == fi) {
++ fa_match = fa;
++ break;
++ }
++ }
++
+ if (cfg->fc_nlflags & NLM_F_REPLACE) {
+ struct fib_info *fi_drop;
+ u8 state;
+
+- if (fi->fib_treeref > 1)
++ fa = fa_first;
++ if (fa_match) {
++ if (fa == fa_match)
++ err = 0;
+ goto out;
+-
++ }
+ err = -ENOBUFS;
+ new_fa = kmem_cache_alloc(fn_alias_kmem, GFP_KERNEL);
+ if (new_fa == NULL)
+@@ -1228,7 +1253,7 @@ static int fn_trie_insert(struct fib_tab
+ new_fa->fa_type = cfg->fc_type;
+ new_fa->fa_scope = cfg->fc_scope;
+ state = fa->fa_state;
+- new_fa->fa_state &= ~FA_S_ACCESSED;
++ new_fa->fa_state = state & ~FA_S_ACCESSED;
+
+ list_replace_rcu(&fa->fa_list, &new_fa->fa_list);
+ alias_free_mem_rcu(fa);
+@@ -1245,20 +1270,11 @@ static int fn_trie_insert(struct fib_tab
+ * uses the same scope, type, and nexthop
+ * information.
+ */
+- fa_orig = fa;
+- list_for_each_entry(fa, fa_orig->fa_list.prev, fa_list) {
+- if (fa->fa_tos != tos)
+- break;
+- if (fa->fa_info->fib_priority != fi->fib_priority)
+- break;
+- if (fa->fa_type == cfg->fc_type &&
+- fa->fa_scope == cfg->fc_scope &&
+- fa->fa_info == fi) {
+- goto out;
+- }
+- }
++ if (fa_match)
++ goto out;
++
+ if (!(cfg->fc_nlflags & NLM_F_APPEND))
+- fa = fa_orig;
++ fa = fa_first;
+ }
+ err = -ENOENT;
+ if (!(cfg->fc_nlflags & NLM_F_CREATE))
+@@ -1614,9 +1630,8 @@ static int fn_trie_delete(struct fib_tab
+ pr_debug("Deleting %08x/%d tos=%d t=%p\n", key, plen, tos, t);
+
+ fa_to_delete = NULL;
+- fa_head = fa->fa_list.prev;
+-
+- list_for_each_entry(fa, fa_head, fa_list) {
++ fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
++ list_for_each_entry_continue(fa, fa_head, fa_list) {
+ struct fib_info *fi = fa->fa_info;
+
+ if (fa->fa_tos != tos)
--- /dev/null
+From ad89bc65f887c6fe6034a080f26755b2f4702aa9 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen.hemminger@vyatta.com>
+Date: Fri, 15 Feb 2008 01:31:32 -0800
+Subject: NET: Add if_addrlabel.h to sanitized headers.
+
+Upstream commit: dded91611a728d65721cdab3dd41d801a356fa15
+
+if_addrlabel.h is needed for iproute2 usage.
+
+Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/Kbuild | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/Kbuild
++++ b/include/linux/Kbuild
+@@ -217,6 +217,7 @@ unifdef-y += i2o-dev.h
+ unifdef-y += icmp.h
+ unifdef-y += icmpv6.h
+ unifdef-y += if_addr.h
++unifdef-y += if_addrlabel.h
+ unifdef-y += if_arp.h
+ unifdef-y += if_bridge.h
+ unifdef-y += if_ec.h
--- /dev/null
+From bc664f3434bff6bcaaa8b7247311fcfb9ff86b86 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <shemminger@vyatta.com>
+Date: Fri, 15 Feb 2008 01:36:36 -0800
+Subject: PKT_SCHED: ematch: oops from uninitialized variable (resend)
+
+Upstream commit: 268bcca1e7b0d244afd07ea89cda672e61b0fc4a
+
+Setting up a meta match causes a kernel OOPS because of uninitialized
+elements in tree.
+
+[ 37.322381] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+[ 37.322381] IP: [<ffffffff883fc717>] :em_meta:em_meta_destroy+0x17/0x80
+
+[ 37.322381] Call Trace:
+[ 37.322381] [<ffffffff803ec83d>] tcf_em_tree_destroy+0x2d/0xa0
+[ 37.322381] [<ffffffff803ecc8c>] tcf_em_tree_validate+0x2dc/0x4a0
+[ 37.322381] [<ffffffff803f06d2>] nla_parse+0x92/0xe0
+[ 37.322381] [<ffffffff883f9672>] :cls_basic:basic_change+0x202/0x3c0
+[ 37.322381] [<ffffffff802a3917>] kmem_cache_alloc+0x67/0xa0
+[ 37.322381] [<ffffffff803ea221>] tc_ctl_tfilter+0x3b1/0x580
+[ 37.322381] [<ffffffff803dffd0>] rtnetlink_rcv_msg+0x0/0x260
+[ 37.322381] [<ffffffff803ee944>] netlink_rcv_skb+0x74/0xa0
+[ 37.322381] [<ffffffff803dffc8>] rtnetlink_rcv+0x18/0x20
+[ 37.322381] [<ffffffff803ee6c3>] netlink_unicast+0x263/0x290
+[ 37.322381] [<ffffffff803cf276>] __alloc_skb+0x96/0x160
+[ 37.322381] [<ffffffff803ef014>] netlink_sendmsg+0x274/0x340
+[ 37.322381] [<ffffffff803c7c3b>] sock_sendmsg+0x12b/0x140
+[ 37.322381] [<ffffffff8024de90>] autoremove_wake_function+0x0/0x30
+[ 37.322381] [<ffffffff8024de90>] autoremove_wake_function+0x0/0x30
+[ 37.322381] [<ffffffff803c7c3b>] sock_sendmsg+0x12b/0x140
+[ 37.322381] [<ffffffff80288611>] zone_statistics+0xb1/0xc0
+[ 37.322381] [<ffffffff803c7e5e>] sys_sendmsg+0x20e/0x360
+[ 37.322381] [<ffffffff803c7411>] sockfd_lookup_light+0x41/0x80
+[ 37.322381] [<ffffffff8028d04b>] handle_mm_fault+0x3eb/0x7f0
+[ 37.322381] [<ffffffff8020c2fb>] system_call_after_swapgs+0x7b/0x80
+
+Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sched/ematch.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/sched/ematch.c
++++ b/net/sched/ematch.c
+@@ -305,10 +305,9 @@ int tcf_em_tree_validate(struct tcf_prot
+ struct tcf_ematch_tree_hdr *tree_hdr;
+ struct tcf_ematch *em;
+
+- if (!rta) {
+- memset(tree, 0, sizeof(*tree));
++ memset(tree, 0, sizeof(*tree));
++ if (!rta)
+ return 0;
+- }
+
+ if (rtattr_parse_nested(tb, TCA_EMATCH_TREE_MAX, rta) < 0)
+ goto errout;
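Review bot: The now unconditional `memset(tree, 0, sizeof(*tree));` is what makes the `goto errout` paths safe, but nothing in the code says so. The trace in the commit message shows the error path reaching tcf_em_tree_destroy(), so I would add `/* zero the tree first: errout tears it down and must not see uninitialised fields */` above the memset. The rest of tcf_em_tree_validate, including the errout label, is outside the hunk.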
--- /dev/null
+From 7d24c57e75b93bd3324d2337bd603bdd3ef5ac1d Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul.moore@hp.com>
+Date: Fri, 15 Feb 2008 01:46:10 -0800
+Subject: SELinux: Fix double free in selinux_netlbl_sock_setsid()
+
+Upstream commit: e1770d97a730ff4c3aa1775d98f4d0558390607f
+
+As pointed out by Adrian Bunk, commit
+45c950e0f839fded922ebc0bfd59b1081cc71b70 ("fix memory leak in netlabel
+code") caused a double-free when security_netlbl_sid_to_secattr()
+fails. This patch fixes this by removing the netlbl_secattr_destroy()
+call from that function since we are already releasing the secattr
+memory in selinux_netlbl_sock_setsid().
+
+Signed-off-by: Paul Moore <paul.moore@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/selinux/ss/services.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -2629,7 +2629,6 @@ int security_netlbl_sid_to_secattr(u32 s
+
+ netlbl_sid_to_secattr_failure:
+ POLICY_RDUNLOCK;
+- netlbl_secattr_destroy(secattr);
+ return rc;
+ }
+ #endif /* CONFIG_NETLABEL */
+sparc-sparc64-fix-usage-of-.section-.sched.text-in-assembler-code.patch
netfilter-nf_conntrack_tcp-conntrack-reopening-fix.patch
nfs-fix-a-potential-file-corruption-issue-when-writing.patch
inotify-fix-check-for-one-shot-watches-before-destroying-them.patch
xfs-fix-oops-in-xfs_file_readdir.patch
fix-dl2k-constants.patch
scsi-sd-handle-bad-lba-in-sense-information.patch
+tcp-fix-a-bug-in-strategy_allowed_congestion_control.patch
+tc-oops-in-em_meta.patch
+selinux-fix-double-free-in-selinux_netlbl_sock_setsid.patch
+pkt_sched-ematch-oops-from-uninitialized-variable.patch
+net-add-if_addrlabel.h-to-sanitized-headers.patch
+ipv4-fib_trie-apply-fixes-from-fib_hash.patch
+ipv4-fib-fix-route-replacement-fib_info-is-shared.patch
+ipcomp-fix-reception-of-incompressible-packets.patch
+ipcomp-fetch-nexthdr-before-ipch-is-destroyed.patch
+inet_diag-fix-inet_diag_lock_handler-error-path.patch
+inet-prevent-out-of-sync-truesize-on-ip_fragment-slow-path.patch
+bluetooth-add-conn-add-del-workqueues-to-avoid-connection-fail.patch
+audit-increase-skb-truesize-in-audit_expand.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Feb 15 02:05:43 2008
+From: David Miller <davem@davemloft.net>
+Date: Fri, 15 Feb 2008 02:05:53 -0800 (PST)
+Subject: SPARC/SPARC64: Fix usage of .section .sched.text in assembler code.
+To: stable@kernel.org
+Message-ID: <20080215.020553.10103536.davem@davemloft.net>
+
+[SPARC/SPARC64]: Fix usage of .section .sched.text in assembler code.
+
+Upstream commit: c6d64c16bb193c8ca2ccc0b3c556a4574a02408b
+
+ld will generate an unique named section when assembler do not use
+"ax" but gcc does. Add the missing annotation.
+
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc/lib/rwsem.S | 2 +-
+ arch/sparc64/lib/rwsem.S | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/sparc/lib/rwsem.S
++++ b/arch/sparc/lib/rwsem.S
+@@ -7,7 +7,7 @@
+ #include <asm/ptrace.h>
+ #include <asm/psr.h>
+
+- .section .sched.text
++ .section .sched.text, "ax"
+ .align 4
+
+ .globl ___down_read
+--- a/arch/sparc64/lib/rwsem.S
++++ b/arch/sparc64/lib/rwsem.S
+@@ -6,7 +6,7 @@
+
+ #include <asm/rwsem-const.h>
+
+- .section .sched.text
++ .section .sched.text, "ax"
+
+ .globl __down_read
+ __down_read:
--- /dev/null
+From 9efbf453d7ad3253a8ac4d928eb399fd4c7c1141 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <shemminger@vyatta.com>
+Date: Fri, 15 Feb 2008 01:37:49 -0800
+Subject: TC: oops in em_meta
+
+Upstream commit: 04f217aca4d803fe72c2c54fe460d68f5233ce52
+
+If userspace passes a unknown match index into em_meta, then
+em_meta_change will return an error and the data for the match will
+not be set. This then causes an null pointer dereference when the
+cleanup is done in the error path via tcf_em_tree_destroy. Since the
+tree structure comes kzalloc, it is initialized to NULL.
+
+Discovered when testing a new version of tc command against an
+accidental older kernel.
+
+Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sched/em_meta.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/sched/em_meta.c
++++ b/net/sched/em_meta.c
+@@ -719,11 +719,13 @@ static int em_meta_match(struct sk_buff
+
+ static inline void meta_delete(struct meta_match *meta)
+ {
+- struct meta_type_ops *ops = meta_type_ops(&meta->lvalue);
++ if (meta) {
++ struct meta_type_ops *ops = meta_type_ops(&meta->lvalue);
+
+- if (ops && ops->destroy) {
+- ops->destroy(&meta->lvalue);
+- ops->destroy(&meta->rvalue);
++ if (ops && ops->destroy) {
++ ops->destroy(&meta->lvalue);
++ ops->destroy(&meta->rvalue);
++ }
+ }
+
+ kfree(meta);
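Review bot: Wrapping the body in `if (meta) { ... }` adds a nesting level only to fall through to `kfree(meta)`, which is already a no-op for NULL. A guard clause reads more directly: put `if (!meta) return;` at the top and leave the original three-line body at its previous indentation. The closing brace of meta_delete is outside the hunk.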
--- /dev/null
+From e2c36f4ee195839f8c90a650ff78756d8b3bed4b Mon Sep 17 00:00:00 2001
+From: Shan Wei <shanwei@cn.fujitsu.com>
+Date: Fri, 15 Feb 2008 01:48:20 -0800
+Subject: TCP: Fix a bug in strategy_allowed_congestion_control
+
+Upstream commit: 16ca3f913001efdb6171a2781ef41c77474e3895
+
+In strategy_allowed_congestion_control of the 2.6.24 kernel, when
+sysctl_string return 1 on success,it should call
+tcp_set_allowed_congestion_control to set the allowed congestion
+control.But, it don't. the sysctl_string return 1 on success,
+otherwise return negative, never return 0.The patch fix the problem.
+
+Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
+Acked-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/sysctl_net_ipv4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -248,7 +248,7 @@ static int strategy_allowed_congestion_c
+
+ tcp_get_available_congestion_control(tbl.data, tbl.maxlen);
+ ret = sysctl_string(&tbl, name, nlen, oldval, oldlenp, newval, newlen);
+- if (ret == 0 && newval && newlen)
++ if (ret == 1 && newval && newlen)
+ ret = tcp_set_allowed_congestion_control(tbl.data);
+ kfree(tbl.data);
+
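Review bot: The test `ret == 1` hard-codes the success value of sysctl_string() with no explanation, which makes the same kind of mistake as the earlier `ret == 0` easy to repeat. According to the commit message the helper returns 1 on success and a negative value otherwise, so `if (ret > 0 && newval && newlen)` with a comment `/* sysctl_string(): >0 on success, <0 on error */` states the contract and tolerates any positive return. The function body starts and ends outside the hunk.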