rpms/kernel/F-11 fix-conntrack-bug-with-namespaces.patch, 1.1, 1.2 prevent-runtime-conntrack-changes.patch, 1.1, 1.2 kernel.spec, 1.1805, 1.1806 linux-2.6-utrace.patch, 1.114, 1.115
Chuck Ebbert
cebbert at fedoraproject.org
Thu Feb 4 21:06:35 UTC 2010
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7049
Modified Files:
kernel.spec linux-2.6-utrace.patch
Added Files:
fix-conntrack-bug-with-namespaces.patch
prevent-runtime-conntrack-changes.patch
Log Message:
Fix utrace header. (rhbz#561536)
fix-conntrack-bug-with-namespaces.patch: Fix for issue identified by jcm,
http://lkml.org/lkml/2010/2/3/112
Fix another conntrack issue pointed out by jcm.
fix-conntrack-bug-with-namespaces.patch:
nf_conntrack_core.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
Index: fix-conntrack-bug-with-namespaces.patch
===================================================================
RCS file: fix-conntrack-bug-with-namespaces.patch
diff -N fix-conntrack-bug-with-namespaces.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fix-conntrack-bug-with-namespaces.patch 4 Feb 2010 21:06:33 -0000 1.2
@@ -0,0 +1,58 @@
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 0e98c32..37e2b88 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1113,6 +1113,10 @@ static void nf_ct_release_dying_list(struct net *net)
+
+ static void nf_conntrack_cleanup_init_net(void)
+ {
++ /* wait until all references to nf_conntrack_untracked are dropped */
++ while (atomic_read(&nf_conntrack_untracked.ct_general.use) > 1)
++ schedule();
++
+ nf_conntrack_helper_fini();
+ nf_conntrack_proto_fini();
+ kmem_cache_destroy(nf_conntrack_cachep);
+@@ -1127,9 +1131,6 @@ static void nf_conntrack_cleanup_net(struct net *net)
+ schedule();
+ goto i_see_dead_people;
+ }
+- /* wait until all references to nf_conntrack_untracked are dropped */
+- while (atomic_read(&nf_conntrack_untracked.ct_general.use) > 1)
+- schedule();
+
+ nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc,
+ nf_conntrack_htable_size);
+@@ -1288,6 +1289,14 @@ static int nf_conntrack_init_init_net(void)
+ if (ret < 0)
+ goto err_helper;
+
++ /* Set up fake conntrack: to never be deleted, not in any hashes */
++#ifdef CONFIG_NET_NS
++ nf_conntrack_untracked.ct_net = &init_net;
++#endif
++ atomic_set(&nf_conntrack_untracked.ct_general.use, 1);
++ /* - and look it like as a confirmed connection */
++ set_bit(IPS_CONFIRMED_BIT, &nf_conntrack_untracked.status);
++
+ return 0;
+
+ err_helper:
+@@ -1333,15 +1342,6 @@ static int nf_conntrack_init_net(struct net *net)
+ if (ret < 0)
+ goto err_ecache;
+
+- /* Set up fake conntrack:
+- - to never be deleted, not in any hashes */
+-#ifdef CONFIG_NET_NS
+- nf_conntrack_untracked.ct_net = &init_net;
+-#endif
+- atomic_set(&nf_conntrack_untracked.ct_general.use, 1);
+- /* - and look it like as a confirmed connection */
+- set_bit(IPS_CONFIRMED_BIT, &nf_conntrack_untracked.status);
+-
+ return 0;
+
+ err_ecache:
+
+
\ No newline at end of file
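Review bot: The `atomic_set(&nf_conntrack_untracked.ct_general.use, 1);` that the patch adds to nf_conntrack_init_init_net should carry a comment saying why it must run exactly once, since the code it replaces in nf_conntrack_init_net ran on every namespace creation and presumably reset a reference count that other live namespaces still relied on. Suggested comment above the added `#ifdef CONFIG_NET_NS` line: `/* nf_conntrack_untracked is a single global object, not per-netns: set it up once for init_net only, as re-initialising it per namespace would reset a refcount shared by all namespaces */`. The wait loop moved into nf_conntrack_cleanup_init_net is the mirror of this and its existing one-line comment could point at the same reason; note it is an unbounded `while (...) schedule();` spin that simply trusts every reference to be released during module teardown. Both enclosing functions extend beyond the hunk.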
prevent-runtime-conntrack-changes.patch:
nf_conntrack_core.c | 15 +++++++++++++++
nf_conntrack_expect.c | 2 +-
2 files changed, 16 insertions(+), 1 deletion(-)
Index: prevent-runtime-conntrack-changes.patch
===================================================================
RCS file: prevent-runtime-conntrack-changes.patch
diff -N prevent-runtime-conntrack-changes.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ prevent-runtime-conntrack-changes.patch 4 Feb 2010 21:06:35 -0000 1.2
@@ -0,0 +1,74 @@
+Jon Masters correctly points out that conntrack hash sizes
+(nf_conntrack_htable_size) are global (not per-netns) and
+modifiable at runtime via /sys/module/nf_conntrack/hashsize .
+
+Steps to reproduce:
+ clone(CLONE_NEWNET)
+ [grow /sys/module/nf_conntrack/hashsize]
+ exit()
+
+At netns exit we are going to scan random memory for conntracks to be killed.
+
+Apparently there is a code which deals with hashtable resize for
+init_net (and it was there befode netns conntrack code), so prohibit
+hashsize modification if there is more than one netns exists.
+
+To change hashtable sizes, you need to reload module.
+
+Expectation hashtable size was simply glued to a variable with no code
+to rehash expectations, so it was a bug to allow writing to it.
+Make "expect_hashsize" readonly.
+
+This is temporarily until we figure out what to do.
+
+Signed-off-by: Alexey Dobriyan <adobriyan at gmail.com>
+Cc: stable at kernel.org
+---
+
+ net/netfilter/nf_conntrack_core.c | 15 +++++++++++++++
+ net/netfilter/nf_conntrack_expect.c | 2 +-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -21,6 +21,7 @@
+ #include <linux/stddef.h>
+ #include <linux/slab.h>
+ #include <linux/random.h>
++#include <linux/rtnetlink.h>
+ #include <linux/jhash.h>
+ #include <linux/err.h>
+ #include <linux/percpu.h>
+@@ -1198,6 +1199,20 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
+ if (!nf_conntrack_htable_size)
+ return param_set_uint(val, kp);
+
++ {
++ struct net *net;
++ unsigned int nr;
++
++ nr = 0;
++ rtnl_lock();
++ for_each_net(net)
++ nr++;
++ rtnl_unlock();
++ /* init_net always exists */
++ if (nr != 1)
++ return -EINVAL;
++ }
++
+ hashsize = simple_strtoul(val, NULL, 0);
+ if (!hashsize)
+ return -EINVAL;
+--- a/net/netfilter/nf_conntrack_expect.c
++++ b/net/netfilter/nf_conntrack_expect.c
+@@ -569,7 +569,7 @@ static void exp_proc_remove(struct net *net)
+ #endif /* CONFIG_PROC_FS */
+ }
+
+-module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0600);
++module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
+
+ int nf_conntrack_expect_init(struct net *net)
+ {
+
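Review bot: The namespace count added to nf_conntrack_set_hashsize is only a snapshot: `rtnl_unlock()` is called before the function continues to parse `val` and, presumably later outside the hunk, replace the hash table, so a namespace created between the unlock and the resize is not excluded by the `nr != 1` check. If holding rtnl_lock across the resize is not practical here, the limitation should at least be recorded next to the check, e.g. `/* snapshot only: a netns created after rtnl_unlock() is not excluded */`, so the remaining window is known to whoever revisits the "temporary" restriction the description mentions. Declaring `net` and `nr` in their own `{ }` block mid-function is a stylistic workaround for the kernel's top-of-function declaration rule; moving them to the top of the function would read more conventionally. The body of nf_conntrack_set_hashsize continues outside the hunk.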
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1805
retrieving revision 1.1806
diff -u -p -r1.1805 -r1.1806
--- kernel.spec 4 Feb 2010 18:12:45 -0000 1.1805
+++ kernel.spec 4 Feb 2010 21:06:33 -0000 1.1806
@@ -747,6 +747,10 @@ Patch12013: linux-2.6-rfkill-all.patch
Patch12101: wmi-free-the-allocated-acpi-objects.patch
Patch12102: wmi-check-wmi-get-event-data-return-value.patch
+Patch12301: fix-conntrack-bug-with-namespaces.patch
+Patch12302: prevent-runtime-conntrack-changes.patch
+
+#===============================================================================
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1364,7 +1368,10 @@ ApplyPatch linux-2.6-rfkill-all.patch
ApplyPatch wmi-free-the-allocated-acpi-objects.patch
ApplyPatch wmi-check-wmi-get-event-data-return-value.patch
-# END OF PATCH APPLICATIONS
+ApplyPatch fix-conntrack-bug-with-namespaces.patch
+ApplyPatch prevent-runtime-conntrack-changes.patch
+
+# END OF PATCH APPLICATIONS ====================================================
%endif
@@ -2019,6 +2026,12 @@ fi
# and build.
%changelog
+* Wed Feb 03 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.32.8-21.rc1
+- Fix utrace header. (rhbz#561536)
+- fix-conntrack-bug-with-namespaces.patch: Fix for issue identified by jcm,
+ http://lkml.org/lkml/2010/2/3/112
+- Fix another conntrack issue pointed out by jcm.
+
* Wed Feb 03 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.32.8-20.rc1
- Linux 2.6.32.8-rc1
- Drop patches merged in -stable:
linux-2.6-utrace.patch:
Documentation/DocBook/Makefile | 2
Documentation/DocBook/utrace.tmpl | 590 +++++++++
fs/proc/array.c | 3
include/linux/sched.h | 5
include/linux/tracehook.h | 87 +
include/linux/utrace.h | 692 ++++++++++
init/Kconfig | 9
kernel/Makefile | 1
kernel/fork.c | 3
kernel/ptrace.c | 14
kernel/utrace.c | 2427 ++++++++++++++++++++++++++++++++++++++
11 files changed, 3831 insertions(+), 2 deletions(-)
Index: linux-2.6-utrace.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/linux-2.6-utrace.patch,v
retrieving revision 1.114
retrieving revision 1.115
diff -u -p -r1.114 -r1.115
--- linux-2.6-utrace.patch 4 Jan 2010 15:25:49 -0000 1.114
+++ linux-2.6-utrace.patch 4 Feb 2010 21:06:34 -0000 1.115
@@ -927,7 +927,7 @@ new file mode 100644
index ...c3036c8 100644
--- /dev/null
+++ b/include/linux/utrace.h
-@@ -0,0 +1,694 @@
+@@ -0,0 +1,692 @@
+/*
+ * utrace infrastructure interface for debugging user processes
+ *
@@ -1053,8 +1053,6 @@ index ...c3036c8 100644
+static inline void utrace_init_task(struct task_struct *child)
+{
+}
-+{
-+}
+
+static inline void task_utrace_proc_status(struct seq_file *m,
+ struct task_struct *p)