rpms/kernel/F-11 fix-conntrack-bug-with-namespaces.patch, 1.1, 1.2 prevent-runtime-conntrack-changes.patch, 1.1, 1.2 kernel.spec, 1.1805, 1.1806 linux-2.6-utrace.patch, 1.114, 1.115

Chuck Ebbert cebbert at fedoraproject.org
Thu Feb 4 21:06:35 UTC 2010


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7049

Modified Files:
	kernel.spec linux-2.6-utrace.patch 
Added Files:
	fix-conntrack-bug-with-namespaces.patch 
	prevent-runtime-conntrack-changes.patch 
Log Message:
Fix utrace header. (rhbz#561536)
fix-conntrack-bug-with-namespaces.patch: Fix for issue identified by jcm,
  http://lkml.org/lkml/2010/2/3/112
Fix another conntrack issue pointed out by jcm.

fix-conntrack-bug-with-namespaces.patch:
 nf_conntrack_core.c |   24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

Index: fix-conntrack-bug-with-namespaces.patch
===================================================================
RCS file: fix-conntrack-bug-with-namespaces.patch
diff -N fix-conntrack-bug-with-namespaces.patch
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ fix-conntrack-bug-with-namespaces.patch	4 Feb 2010 21:06:33 -0000	1.2
@@ -0,0 +1,58 @@
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 0e98c32..37e2b88 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1113,6 +1113,10 @@ static void nf_ct_release_dying_list(struct net *net)
+ 
+ static void nf_conntrack_cleanup_init_net(void)
+ {
++	/* wait until all references to nf_conntrack_untracked are dropped */
++	while (atomic_read(&nf_conntrack_untracked.ct_general.use) > 1)
++		schedule();
++
+ 	nf_conntrack_helper_fini();
+ 	nf_conntrack_proto_fini();
+ 	kmem_cache_destroy(nf_conntrack_cachep);
+@@ -1127,9 +1131,6 @@ static void nf_conntrack_cleanup_net(struct net *net)
+ 		schedule();
+ 		goto i_see_dead_people;
+ 	}
+-	/* wait until all references to nf_conntrack_untracked are dropped */
+-	while (atomic_read(&nf_conntrack_untracked.ct_general.use) > 1)
+-		schedule();
+ 
+ 	nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc,
+ 			     nf_conntrack_htable_size);
+@@ -1288,6 +1289,14 @@ static int nf_conntrack_init_init_net(void)
+ 	if (ret < 0)
+ 		goto err_helper;
+ 
++	/* Set up fake conntrack: to never be deleted, not in any hashes */
++#ifdef CONFIG_NET_NS
++	nf_conntrack_untracked.ct_net = &init_net;
++#endif
++	atomic_set(&nf_conntrack_untracked.ct_general.use, 1);
++	/*  - and look it like as a confirmed connection */
++	set_bit(IPS_CONFIRMED_BIT, &nf_conntrack_untracked.status);
++
+ 	return 0;
+ 
+ err_helper:
+@@ -1333,15 +1342,6 @@ static int nf_conntrack_init_net(struct net *net)
+ 	if (ret < 0)
+ 		goto err_ecache;
+ 
+-	/* Set up fake conntrack:
+-	    - to never be deleted, not in any hashes */
+-#ifdef CONFIG_NET_NS
+-	nf_conntrack_untracked.ct_net = &init_net;
+-#endif
+-	atomic_set(&nf_conntrack_untracked.ct_general.use, 1);
+-	/*  - and look it like as a confirmed connection */
+-	set_bit(IPS_CONFIRMED_BIT, &nf_conntrack_untracked.status);
+-
+ 	return 0;
+ 
+ err_ecache:
+
+  
\ No newline at end of file
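Review bot: The new patch file carries no description, no Signed-off-by and no reference to the upstream commit it is taken from, unlike prevent-runtime-conntrack-changes.patch in the same commit, which makes provenance review of this kernel build harder; a header above the `diff --git` line along the lines of `netfilter: nf_conntrack: set up nf_conntrack_untracked once in init_net instead of re-initialising its refcount in every namespace` plus the lkml reference already in the log message and the author's Signed-off-by would fix that. The file also ends with a stray whitespace-only line after the last hunk's context and no trailing newline (`\ No newline at end of file`), which GNU patch tolerates as trailing garbage but which should be trimmed. On the code, the `while (atomic_read(&nf_conntrack_untracked.ct_general.use) > 1) schedule();` loop moved into nf_conntrack_cleanup_init_net is unbounded, which it already was in its old location; since the untracked entry is now shared by all namespaces rather than reset per namespace, a comment noting that a leaked reference from any namespace will stall module unload here would help the next reader. The bodies of both cleanup functions extend outside the hunk.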

prevent-runtime-conntrack-changes.patch:
 nf_conntrack_core.c   |   15 +++++++++++++++
 nf_conntrack_expect.c |    2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)

Index: prevent-runtime-conntrack-changes.patch
===================================================================
RCS file: prevent-runtime-conntrack-changes.patch
diff -N prevent-runtime-conntrack-changes.patch
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ prevent-runtime-conntrack-changes.patch	4 Feb 2010 21:06:35 -0000	1.2
@@ -0,0 +1,74 @@
+Jon Masters correctly points out that conntrack hash sizes
+(nf_conntrack_htable_size) are global (not per-netns) and
+modifiable at runtime via /sys/module/nf_conntrack/hashsize .
+
+Steps to reproduce:
+	clone(CLONE_NEWNET)
+	[grow /sys/module/nf_conntrack/hashsize]
+	exit()
+
+At netns exit we are going to scan random memory for conntracks to be killed.
+
+Apparently there is a code which deals with hashtable resize for
+init_net (and it was there befode netns conntrack code), so prohibit
+hashsize modification if there is more than one netns exists.
+
+To change hashtable sizes, you need to reload module.
+
+Expectation hashtable size was simply glued to a variable with no code
+to rehash expectations, so it was a bug to allow writing to it.
+Make "expect_hashsize" readonly.
+
+This is temporarily until we figure out what to do.
+
+Signed-off-by: Alexey Dobriyan <adobriyan at gmail.com>
+Cc: stable at kernel.org
+---
+
+ net/netfilter/nf_conntrack_core.c   |   15 +++++++++++++++
+ net/netfilter/nf_conntrack_expect.c |    2 +-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -21,6 +21,7 @@
+ #include <linux/stddef.h>
+ #include <linux/slab.h>
+ #include <linux/random.h>
++#include <linux/rtnetlink.h>
+ #include <linux/jhash.h>
+ #include <linux/err.h>
+ #include <linux/percpu.h>
+@@ -1198,6 +1199,20 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
+ 	if (!nf_conntrack_htable_size)
+ 		return param_set_uint(val, kp);
+ 
++	{
++		struct net *net;
++		unsigned int nr;
++
++		nr = 0;
++		rtnl_lock();
++		for_each_net(net)
++			nr++;
++		rtnl_unlock();
++		/* init_net always exists */
++		if (nr != 1)
++			return -EINVAL;
++	}
++
+ 	hashsize = simple_strtoul(val, NULL, 0);
+ 	if (!hashsize)
+ 		return -EINVAL;
+--- a/net/netfilter/nf_conntrack_expect.c
++++ b/net/netfilter/nf_conntrack_expect.c
+@@ -569,7 +569,7 @@ static void exp_proc_remove(struct net *net)
+ #endif /* CONFIG_PROC_FS */
+ }
+ 
+-module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0600);
++module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
+ 
+ int nf_conntrack_expect_init(struct net *net)
+ {
+
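Review bot: The namespace count in nf_conntrack_set_hashsize is taken under rtnl_lock() but released at `rtnl_unlock();` before the function goes on to parse the value and resize the table (the resize code follows below the hunk, outside this view), so a `clone(CLONE_NEWNET)` that lands between the unlock and the rehash still produces a namespace exposed to the exit-time over-scan the patch description warns about. Holding rtnl_lock across the whole resize, or re-checking the count after the rehash under the conntrack lock and undoing on mismatch, would close the window; given the description calls this temporary, at minimum a comment on the check such as `/* FIXME: racy against netns creation after rtnl_unlock(); the resize itself must run under rtnl_lock */` should record the limitation for whoever backports further. Separately, returning `-EINVAL` here conflates "other namespaces exist" with a malformed value; `-EBUSY` would let a writer to /sys/module/nf_conntrack/hashsize tell the two apart. The `0600` to `0400` change on expect_hashsize is correct given no rehash code exists for expectations.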


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1805
retrieving revision 1.1806
diff -u -p -r1.1805 -r1.1806
--- kernel.spec	4 Feb 2010 18:12:45 -0000	1.1805
+++ kernel.spec	4 Feb 2010 21:06:33 -0000	1.1806
@@ -747,6 +747,10 @@ Patch12013: linux-2.6-rfkill-all.patch
 Patch12101: wmi-free-the-allocated-acpi-objects.patch
 Patch12102: wmi-check-wmi-get-event-data-return-value.patch
 
+Patch12301: fix-conntrack-bug-with-namespaces.patch
+Patch12302: prevent-runtime-conntrack-changes.patch
+
+#===============================================================================
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1364,7 +1368,10 @@ ApplyPatch linux-2.6-rfkill-all.patch
 ApplyPatch wmi-free-the-allocated-acpi-objects.patch
 ApplyPatch wmi-check-wmi-get-event-data-return-value.patch
 
-# END OF PATCH APPLICATIONS
+ApplyPatch fix-conntrack-bug-with-namespaces.patch
+ApplyPatch prevent-runtime-conntrack-changes.patch
+
+# END OF PATCH APPLICATIONS ====================================================
 
 %endif
 
@@ -2019,6 +2026,12 @@ fi
 # and build.
 
 %changelog
+* Wed Feb 03 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.32.8-21.rc1
+- Fix utrace header. (rhbz#561536)
+- fix-conntrack-bug-with-namespaces.patch: Fix for issue identified by jcm,
+  http://lkml.org/lkml/2010/2/3/112
+- Fix another conntrack issue pointed out by jcm.
+
 * Wed Feb 03 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.32.8-20.rc1
 - Linux 2.6.32.8-rc1
 - Drop patches merged in -stable:

linux-2.6-utrace.patch:
 Documentation/DocBook/Makefile    |    2 
 Documentation/DocBook/utrace.tmpl |  590 +++++++++
 fs/proc/array.c                   |    3 
 include/linux/sched.h             |    5 
 include/linux/tracehook.h         |   87 +
 include/linux/utrace.h            |  692 ++++++++++
 init/Kconfig                      |    9 
 kernel/Makefile                   |    1 
 kernel/fork.c                     |    3 
 kernel/ptrace.c                   |   14 
 kernel/utrace.c                   | 2427 ++++++++++++++++++++++++++++++++++++++
 11 files changed, 3831 insertions(+), 2 deletions(-)

Index: linux-2.6-utrace.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/linux-2.6-utrace.patch,v
retrieving revision 1.114
retrieving revision 1.115
diff -u -p -r1.114 -r1.115
--- linux-2.6-utrace.patch	4 Jan 2010 15:25:49 -0000	1.114
+++ linux-2.6-utrace.patch	4 Feb 2010 21:06:34 -0000	1.115
@@ -927,7 +927,7 @@ new file mode 100644
 index ...c3036c8 100644  
 --- /dev/null
 +++ b/include/linux/utrace.h
-@@ -0,0 +1,694 @@
+@@ -0,0 +1,692 @@
 +/*
 + * utrace infrastructure interface for debugging user processes
 + *
@@ -1053,8 +1053,6 @@ index ...c3036c8 100644  
 +static inline void utrace_init_task(struct task_struct *child)
 +{
 +}
-+{
-+}
 +
 +static inline void task_utrace_proc_status(struct seq_file *m,
 +					   struct task_struct *p)


