Commit: 589114a53db7565044809c9cf279f3732cd1f36e
Author: Adrian Bunk
Sat, 24 Mar 2007 21:54:43 +0100

Linux 2.6.16.45-rc1

Commit: 33ef46f5c96de664a20fec7b4525735549371ef6
Author: Patrick McHardy
Sat, 24 Mar 2007 21:36:52 +0100

[NETFILTER]: tcp conntrack: accept SYN|URG as valid

Some stacks apparently send packets with SYN|URG set. Linux accepts these packets, so TCP conntrack should too.

Pointed out by Martijn Posthuma.

Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: 95a917c1d7f83b89995651cd753008c20bed3302
Author: Michał Mirosław
Sat, 24 Mar 2007 21:36:24 +0100

[NETFILTER]: nfnetlink_log: fix use after free

Paranoia: instance_put() might have freed the inst pointer when we spin_unlock_bh().

Signed-off-by: Michał Mirosław
Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: 3c927506670aabede5d65e0085384d9108d8d96d
Author: Michał Mirosław
Sat, 24 Mar 2007 21:34:37 +0100

[NETFILTER]: nfnetlink_log: fix reference leak

Stop reference leaking in nfulnl_log_packet(). If we start a timer we are already taking another reference.

Signed-off-by: Michał Mirosław
Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: 4ed30ae44614fce21c5917fda7c513990915f363
Author: Michał Mirosław
Sat, 24 Mar 2007 21:33:56 +0100

[NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference

Eliminate possible NULL pointer dereference in nfulnl_recv_config().

Signed-off-by: Michał Mirosław
Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: 27e24517f7de0fc20335295ebe1b83e7ce5bee20
Author: Michał Mirosław
Sat, 24 Mar 2007 21:32:13 +0100

[NETFILTER]: nfnetlink_log: fix NULL pointer dereference

Fix the nasty NULL dereference on multiple packets per netlink message.
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000004
printing eip:
f8a4b3bf
*pde = 00000000
Oops: 0002 [#1]
SMP
Modules linked in: nfnetlink_log ipt_ttl ipt_REDIRECT xt_tcpudp iptable_nat nf_nat nf_conntrack_ipv4 xt_state ipt_ipp2p xt_NFLOG xt_hashlimit ip6_tables iptable_filter xt_multiport xt_mark ipt_set iptable_raw xt_MARK iptable_mangle ip_tables cls_fw cls_u32 sch_esfq sch_htb ip_set_ipmap ip_set ipt_ULOG x_tables dm_snapshot dm_mirror loop e1000 parport_pc parport e100 floppy ide_cd cdrom
CPU:    0
EIP:    0060:[]    Not tainted VLI
EFLAGS: 00010206   (2.6.20 #5)
EIP is at __nfulnl_send+0x24/0x51 [nfnetlink_log]
eax: 00000000   ebx: f2b5cbc0   ecx: c03f5f54   edx: c03f4000
esi: f2b5cbc8   edi: c03f5f54   ebp: f8a4b3ec   esp: c03f5f30
ds: 007b   es: 007b   ss: 0068
Process swapper (pid: 0, ti=c03f4000 task=c03bece0 task.ti=c03f4000)
Stack: f2b5cbc0 f8a4b401 00000100 c0444080 c012af49 00000000 f6f19100 f6f19000
       c1707800 c03f5f54 c03f5f54 00000123 00000021 c03e8d08 c0426380 00000009
       c0126932 00000000 00000046 c03e9980 c03e6000 0047b007 c01269bd 00000000
Call Trace:
 [] nfulnl_timer+0x15/0x25 [nfnetlink_log]
 [] run_timer_softirq+0x10a/0x164
 [] __do_softirq+0x60/0xba
 [] do_softirq+0x31/0x35
 [] do_IRQ+0x62/0x74
 [] common_interrupt+0x23/0x28
 [] default_idle+0x0/0x3f
 [] default_idle+0x2d/0x3f
 [] cpu_idle+0xa0/0xb9
 [] start_kernel+0x1a8/0x1ac
 [] unknown_bootoption+0x0/0x181
 =======================
Code: 5e 5f 5b 5e 5f 5d c3 53 89 c3 8d 40 1c 83 7b 1c 00 74 05 e8 2c ee 6d c7 83 7b 14 00 75 04 31 c0 eb 34 83 7b 10 01 76 09 8b 43 18 <66> c7 40 04 03 00 8b 53 34 8b 43 14 b9 40 00 00 00 e8 08 9a 84
EIP: [] __nfulnl_send+0x24/0x51 [nfnetlink_log] SS:ESP 0068:c03f5f30
<0>Kernel panic - not syncing: Fatal exception in interrupt
<0>Rebooting in 5 seconds..

Panic no more!
Signed-off-by: Michał Mirosław
Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: f5590ccb7b19261f33fe915feb816e37788c273b
Author: Patrick McHardy
Sat, 24 Mar 2007 21:30:53 +0100

[NETFILTER]: nfnetlink_log: fix crash on bridged packet

physoutdev is only set on purely bridged packets; when nfnetlink_log is used in the OUTPUT/FORWARD/POSTROUTING hooks on packets forwarded from or to a bridge it crashes when trying to dereference skb->nf_bridge->physoutdev.

Reported by Holger Eitzenberger

Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: 72d9f2d497cbd34b77cd47ce3c79d846a63fc9fc
Author: Patrick McHardy
Sat, 24 Mar 2007 21:30:06 +0100

[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED

The individual fragments of a packet reassembled by conntrack have the conntrack reference from the reassembled packet attached, but nfctinfo is not copied. This leaves it initialized to 0, which unfortunately is the value of IP_CT_ESTABLISHED.

The result is that all IPv6 fragments are tracked as ESTABLISHED, allowing them to bypass a usual ruleset which accepts ESTABLISHED packets early.

Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: b7dc23da852c9507c138f46911e504e0943a5661
Author: Michał Mirosław
Sat, 24 Mar 2007 21:27:27 +0100

Fix reference counting (memory leak) problem in __nfulnl_send() and callers related to packet queueing.

Signed-off-by: Michał Mirosław
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Adrian Bunk

Commit: 18adb12b78b7c4d4a04401bd42c23b3f157c7ac1
Author: Patrick McHardy
Sat, 24 Mar 2007 21:26:20 +0100

NETFILTER: xt_connbytes: fix division by zero

When the packet counter of a connection is zero a division by zero occurs in div64_64(). Fix that by using zero as average value, which is correct as long as the packet counter didn't overflow, at which point we have lost anyway.

Based on patch from Jonas Berlin, with suggestions from KOVACS Krisztian.
Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: 0fbd895ff3731da9b7d7e2f1d182354297747b7b
Author: Patrick McHardy
Sat, 24 Mar 2007 21:22:57 +0100

NETFILTER: tcp conntrack: fix IP_CT_TCP_FLAG_CLOSE_INIT value

IP_CT_TCP_FLAG_CLOSE_INIT is a flag and should have a value of 0x4 instead of 0x3, which is IP_CT_TCP_FLAG_WINDOW_SCALE | IP_CT_TCP_FLAG_SACK_PERM.

Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: fbe2454a0d10bdbf27680d4bfc93cf0293bc6a6e
Author: Patrick McHardy
Sat, 24 Mar 2007 21:22:33 +0100

NETFILTER: nf_conntrack_ipv6: fix crash when handling fragments

When IPv6 connection tracking splits up a defragmented packet into its original fragments, the packets are taken from a list and are passed to the network stack with skb->next still set. This causes dev_hard_start_xmit to treat them as GSO fragments, resulting in a use after free when connection tracking handles the next fragment.

Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: ae686b6a075bc8a95e8b4cda3f3eb4e8d5ac270c
Author: Patrick McHardy
Sat, 24 Mar 2007 21:22:09 +0100

NETFILTER: Fix iptables ABI breakage on (at least) CRIS

With the introduction of x_tables we accidentally broke compatibility by defining IPT_TABLE_MAXNAMELEN to XT_FUNCTION_MAXNAMELEN instead of XT_TABLE_MAXNAMELEN, which is two bytes larger. On most architectures it doesn't really matter since we don't have any tables with names that long in the kernel and the structure layout didn't change because of alignment requirements of following members. On CRIS however (and other architectures that don't align data) this changed the structure layout and thus broke compatibility with old iptables binaries.

Changing it back will break compatibility with binaries compiled against recent kernels again, but since the breakage has only been there for three releases this seems like the better choice.

Spotted by Jonas Berlin.
Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: 3a52770aa9ebaf59e6ae8da8f718e169ecfe61ec
Author: Bart De Schuymer
Sat, 24 Mar 2007 21:19:35 +0100

NETFILTER: arp_tables: fix userspace compilation

The included patch translates arpt_counters to xt_counters, making userspace arptables compile against recent kernels.

Signed-off-by: Bart De Schuymer
Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: 9003d12b0a6ae9b19e5f60296c2dec37ff84f73b
Author: Pablo Neira Ayuso
Sat, 24 Mar 2007 21:18:36 +0100

NETFILTER: ctnetlink: check for status attribute existence on conntrack creation

Check that status flags are available in the netlink message received to create a new conntrack. Fixes a crash in ctnetlink_create_conntrack when the CTA_STATUS attribute is not present.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: 1bed543f180803523b5baa5b10e9432ea2de5afb
Author: Patrick McHardy
Sat, 24 Mar 2007 21:18:01 +0100

NETFILTER: Kconfig: fix xt_physdev dependencies

xt_physdev depends on bridge netfilter, which is a boolean, but can still be built modular because of special handling in the bridge makefile. Add a dependency on BRIDGE to prevent XT_MATCH_PHYSDEV=y, BRIDGE=m.

Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: de37843b235a600c2402a44ab235d0d1634f82ca
Author: Ed Swierk
Wed, 21 Mar 2007 00:28:30 +0100

load_module: no BUG if module_subsys uninitialized

Invoking load_module() before param_sysfs_init() is called crashes in mod_sysfs_setup(), since the kset in module_subsys is not initialized yet.

In my case, net-pf-1 is getting modprobed as a result of hotplug trying to create a UNIX socket. Calls to hotplug begin after the topology_init initcall.

Another patch for the same symptom (module_subsys-initialize-earlier.patch) moves param_sysfs_init() to the subsys initcalls, but this is still not early enough in the boot process in some cases.
In particular, topology_init() causes /sbin/hotplug to run, which requests net-pf-1 (the UNIX socket protocol) which can be compiled as a module. Moving param_sysfs_init() to the postcore initcalls fixes this particular race, but there might well be other cases where a usermodehelper causes a module to load earlier still.

The patch makes load_module() return an error rather than crashing the kernel if invoked before module_subsys is initialized.

Signed-off-by: Adrian Bunk

Commit: 799a734f0342670020fd446532a22ddf4c0f3c08
Author: Keith Mannthey
Wed, 21 Mar 2007 00:21:48 +0100

i386 bootioremap / kexec fix

With CONFIG_PHYSICAL_START set to a non-default value the i386 boot_ioremap code calculated its pte index wrong and users of boot_ioremap have their areas incorrectly mapped (for me SRAT table not mapped during early boot). This patch removes the addr < BOOT_PTE_PTRS constraint.

Signed-off-by: Keith Mannthey
Signed-off-by: Adrian Bunk

Commit: 521c8225cc9cb09c7cfe626ee12afe8cc76e9ed5
Author: David S. Miller
Tue, 20 Mar 2007 23:26:06 +0100

[SPARC64]: Add missing HPAGE_MASK masks on address parameters.

These pte loops all assume the passed in address is HPAGE aligned, make sure that is actually true.

[ This also includes other hugepage bug fixes for sparc64 that occurred between 2.6.16 to 2.6.20 ]

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: f2654bc1df0c27d3be0167fddae403515e80dc9b
Author: Alexey Dobriyan
Tue, 20 Mar 2007 23:24:20 +0100

[NET]: Copy mac_len in skb_clone() as well

ANK says: "It is rarely used, that's why it was not noticed. But in the places, where it is used, it should be disaster."

Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 202e363b00807107da624289eb2257ea32b29420
Author: Masayuki Nakagawa
Tue, 20 Mar 2007 23:23:13 +0100

[IPV6]: ipv6_fl_socklist is inadvertently shared.

The ipv6_fl_socklist from listening socket is inadvertently shared with new socket created for connection.
This leads to a variety of interesting, but fatal, bugs. For example, removing one of the sockets may lead to the other socket's encountering a page fault when the now freed list is referenced.

The fix is to not share the flow label list with the new socket.

Signed-off-by: Masayuki Nakagawa
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 7f1b44d7f0758a6e46280969880435c91b60b5cc
Author: Robert Olsson
Tue, 20 Mar 2007 23:21:39 +0100

[IPV4]: Do not disable preemption in trie_leaf_remove().

Hello,

Just discussed this Patrick... We have two users of trie_leaf_remove, fn_trie_flush and fn_trie_delete; both are holding RTNL. So there shouldn't be need for this preempt stuff. This is assumed to be a leftover from an older RCU-take.

> Mhh .. I think I just remembered something - me incorrectly suggesting
> to add it there while we were talking about this at OLS :) IIRC the
> idea was to make sure tnode_free (which at that time didn't use
> call_rcu) wouldn't free memory while still in use in a rcu read-side
> critical section. It should have been synchronize_rcu of course,
> but with tnode_free using call_rcu it seems to be completely
> unnecessary.

So I guess we can simply remove it.

Signed-off-by: Robert Olsson
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: cf2c008865ae7d62d28e3d63f14935f19a4cb6f5
Author: Joy Latten
Tue, 20 Mar 2007 23:19:34 +0100

[XFRM]: Fix missing protocol comparison of larval SAs.

I noticed that in xfrm_state_add we look for the larval SA in a few places without checking for protocol match. So when using both AH and ESP, whichever one gets added first, deletes the larval SA. It seems AH always gets added first and ESP is always the larval SA's protocol since the xfrm->tmpl has it first. Thus causing the additional km_query().

Adding the check eliminates accidental double SA creation.

Signed-off-by: Joy Latten
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk
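The IP_CT_TCP_FLAG_CLOSE_INIT fix (commit 0fbd895f above) is a small example of a flag value that is not a single bit: 0x3 is the OR of the two option flags, so any `flags & IP_CT_TCP_FLAG_CLOSE_INIT` test also fires on a connection that merely negotiated window scaling or SACK. The C program below is an added illustration, not code from the kernel or the commit; it assumes WINDOW_SCALE and SACK_PERM are 0x1 and 0x2 (the text only states that their OR is 0x3) and models the per-direction flag byte as a plain uint8_t. The `flags_are_distinct_bits` check is the kind of compile-time-style sanity test that would have caught the overlap.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bits named as in the commit. WINDOW_SCALE and SACK_PERM values are
 * an assumption consistent with the text (their OR is 0x3); the two
 * CLOSE_INIT values are the before/after of the fix. */
#define IP_CT_TCP_FLAG_WINDOW_SCALE 0x01
#define IP_CT_TCP_FLAG_SACK_PERM    0x02
#define CLOSE_INIT_BEFORE_FIX       0x03   /* == WINDOW_SCALE | SACK_PERM */
#define CLOSE_INIT_AFTER_FIX        0x04

/* Does a per-direction flag byte report "close initiated" under the given
 * CLOSE_INIT bit? Mirrors the usual `flags & FLAG` test: true if any bit hits. */
int close_init_seen(uint8_t dir_flags, uint8_t close_init_bit)
{
    return (dir_flags & close_init_bit) != 0;
}

/* Sanity-check a flag set: every value must be exactly one bit and no two
 * values may share a bit. Returns 1 for a valid bitmask, 0 otherwise. */
int flags_are_distinct_bits(const uint8_t *flags, int n)
{
    uint8_t seen = 0;
    for (int i = 0; i < n; i++) {
        uint8_t f = flags[i];
        if (f == 0 || (f & (f - 1)) != 0)   /* zero, or more than one bit set */
            return 0;
        if (seen & f)                        /* overlaps an earlier flag */
            return 0;
        seen |= f;
    }
    return 1;
}

int main(void)
{
    /* Constructed state: peer negotiated window scaling and SACK, no FIN yet. */
    uint8_t negotiated = IP_CT_TCP_FLAG_WINDOW_SCALE | IP_CT_TCP_FLAG_SACK_PERM;
    const uint8_t before[] = { IP_CT_TCP_FLAG_WINDOW_SCALE, IP_CT_TCP_FLAG_SACK_PERM, CLOSE_INIT_BEFORE_FIX };
    const uint8_t after[]  = { IP_CT_TCP_FLAG_WINDOW_SCALE, IP_CT_TCP_FLAG_SACK_PERM, CLOSE_INIT_AFTER_FIX };

    printf("before fix: close seen on options-only flags? %d  (valid bitmask: %d)\n",
           close_init_seen(negotiated, CLOSE_INIT_BEFORE_FIX), flags_are_distinct_bits(before, 3));
    printf("after fix:  close seen on options-only flags? %d  (valid bitmask: %d)\n",
           close_init_seen(negotiated, CLOSE_INIT_AFTER_FIX), flags_are_distinct_bits(after, 3));
    return 0;
}
```

With the old value even a connection that only set WINDOW_SCALE (0x1) satisfies the close test, since 0x1 & 0x3 is non-zero; with 0x4 the test only fires when the close bit itself is set.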
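The CRIS ABI commit (ae686b6a above) says the two-byte change to the name length was invisible on most architectures because the following member's alignment padded the structure to the same layout either way. The program below is an added demonstration of that claim, not the kernel's code: it uses a simplified name-then-unsigned-int structure (assumed stand-in, not the real ioctl struct) and emulates a non-aligning architecture with GCC's packed attribute. The lengths 30 and 32 are the kernel's XT_FUNCTION_MAXNAMELEN and XT_TABLE_MAXNAMELEN; the page only states that they differ by two bytes, so treat the exact numbers as an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed values: the commit only says the table length is two bytes larger. */
#define NAMELEN_FUNCTION 30   /* XT_FUNCTION_MAXNAMELEN */
#define NAMELEN_TABLE    32   /* XT_TABLE_MAXNAMELEN */

/* Simplified stand-in for a name-then-integer structure exchanged with the
 * kernel (not the kernel's own definition), with natural alignment. */
struct info_function_len { char name[NAMELEN_FUNCTION]; unsigned int valid_hooks; };
struct info_table_len    { char name[NAMELEN_TABLE];    unsigned int valid_hooks; };

/* The same two layouts with padding removed, emulating an architecture such
 * as CRIS that does not align data members. */
struct info_function_len_packed { char name[NAMELEN_FUNCTION]; unsigned int valid_hooks; } __attribute__((packed));
struct info_table_len_packed    { char name[NAMELEN_TABLE];    unsigned int valid_hooks; } __attribute__((packed));

/* 1 if a binary built with one name length can exchange the structure with a
 * kernel built with the other: same offset of the next member and same size. */
int abi_compatible_aligned(void)
{
    return offsetof(struct info_function_len, valid_hooks) == offsetof(struct info_table_len, valid_hooks)
        && sizeof(struct info_function_len) == sizeof(struct info_table_len);
}

int abi_compatible_packed(void)
{
    return offsetof(struct info_function_len_packed, valid_hooks) == offsetof(struct info_table_len_packed, valid_hooks)
        && sizeof(struct info_function_len_packed) == sizeof(struct info_table_len_packed);
}

/* Where the integer lands after a 30-byte name, with and without padding. */
size_t hooks_offset_aligned_function_len(void) { return offsetof(struct info_function_len, valid_hooks); }
size_t hooks_offset_packed_function_len(void)  { return offsetof(struct info_function_len_packed, valid_hooks); }

int main(void)
{
    printf("aligned: valid_hooks at %zu (30-byte name) vs %zu (32-byte name), compatible=%d\n",
           hooks_offset_aligned_function_len(), offsetof(struct info_table_len, valid_hooks),
           abi_compatible_aligned());
    printf("packed:  valid_hooks at %zu (30-byte name) vs %zu (32-byte name), compatible=%d\n",
           hooks_offset_packed_function_len(), offsetof(struct info_table_len_packed, valid_hooks),
           abi_compatible_packed());
    return 0;
}
```

On an aligning target the integer sits at offset 32 in both variants (the 30-byte name is padded up to a 4-byte boundary), so the two definitions are interchangeable; with padding removed the offsets are 30 and 32, which is exactly the silent ABI mismatch the commit describes for old iptables binaries.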