[kernel] r13180 - in dists/lenny/linux-2.6/debian: . patches/features/all/openvz patches/series
Maximilian Attems
maks at alioth.debian.org
Fri Mar 20 12:33:59 UTC 2009
Author: maks
Date: Fri Mar 20 12:33:57 2009
New Revision: 13180
Log:
openvz add several stable proposed patches
this first series are selected non-ABI breakers from 0014-0039
Reported-by: Kir Kolyshkin <kir at openvz.org>
Tested-by: Ola Lundqvist <ola at inguza.com>
Added:
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0015--UB-Double-free-for-UDP-socket.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0021-autofs-fix-default-pgrp-vnr.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0022-conntrack-prevent-double-allocate-free-of-protos.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0023-conntrack-prevent-call-register_pernet_subsys-fro.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0024-conntrack-prevent-call-nf_register_hooks-from-VE.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0027-Fix-erratum-that-causes-memory-corruption.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0029-conntrack-adjust-context-during-freeing.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0033-netfilter-NAT-assign-nf_nat_seq_adjust_hook-from-V.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0034-netfilter-call-nf_register_hooks-from-VE0-context-o.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/14-extra
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog (original)
+++ dists/lenny/linux-2.6/debian/changelog Fri Mar 20 12:33:57 2009
@@ -47,6 +47,20 @@
[ Aurelien Jarno ]
* [mips/mipsel] Fix errno on inexistent syscalls. (Closes: #520034).
+ [ maximilian attems ]
+ * [openvz] 849af42 [UB]: Double free for UDP socket.
+ * [openvz] 7ebcbe3 autofs: fix default pgrp vnr.
+ * [openvz] 17b09e1 conntrack: prevent double allocate/free of protos.
+ * [openvz] 7d3f10f conntrack: prevent call register_pernet_subsys() from VE
+ context.
+ * [openvz] 482dd20 conntrack: prevent call nf_register_hooks() from VE
+ context.
+ * [openvz] ff3483a Fix erratum that causes memory corruption.
+ * [openvz] 5fff3eb conntrack: adjust context during freeing.
+ * [openvz] 3cb8bc3 netfilter: NAT: assign nf_nat_seq_adjust_hook from VE0
+ context only
+ * [openvz] 4909102 netfilter: call nf_register_hooks from VE0 context only.
+
-- dann frazier <dannf at debian.org> Tue, 17 Mar 2009 01:50:17 -0600
linux-2.6 (2.6.26-13lenny2) stable-security; urgency=high
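Review bot: the entry "ff3483a Fix erratum that causes memory corruption." names no subsystem, so a reader of the changelog cannot tell what was corrupted. The patch it refers to touches devices_fini() in drivers/base/core.c, so something like "drivers/base: unregister ve_devices_kset in devices_fini()" would be more useful here. The 3cb8bc3 entry is also the only one in the list without a closing full stop.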
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0015--UB-Double-free-for-UDP-socket.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0015--UB-Double-free-for-UDP-socket.patch Fri Mar 20 12:33:57 2009
@@ -0,0 +1,32 @@
+From 849af42466bed078e6953a4eeeff28c81f64a983 Mon Sep 17 00:00:00 2001
+From: Denis Lunev <den at openvz.org>
+Date: Tue, 9 Sep 2008 17:55:51 +0400
+Subject: [PATCH] [UB]: Double free for UDP socket
+
+The socket resided in UB space waiting queue could be released. In this
+case ub_snd_wakeup running on the another CPU could hold/release that
+socket effectively hitting 0 refcounter second time.
+
+Signed-off-by: Denis V. Lunev <den at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ net/socket.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index 58a9495..09d8fc5 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -518,6 +518,9 @@ const struct file_operations bad_sock_fops = {
+
+ void sock_release(struct socket *sock)
+ {
++ if (sock->sk)
++ ub_sock_sndqueuedel(sock->sk);
++
+ if (sock->ops) {
+ struct module *owner = sock->ops->owner;
+
+--
+1.6.0.6
+
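Review bot: the call added at the top of sock_release() has no comment tying it to the race described in the commit message, and the visible lines do not show what serialises ub_sock_sndqueuedel() against ub_snd_wakeup() running on another CPU. The fix only holds if both take the same lock, so a short comment above `if (sock->sk)` naming that lock and stating that the socket must leave the UB wait queue before its last reference can be dropped would make the ordering requirement checkable in review.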
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0021-autofs-fix-default-pgrp-vnr.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0021-autofs-fix-default-pgrp-vnr.patch Fri Mar 20 12:33:57 2009
@@ -0,0 +1,30 @@
+From 7ebcbe3c7ad977f1a9bfb03a6d7f7dca9f883b83 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov at openvz.org>
+Date: Mon, 22 Sep 2008 13:21:20 +0400
+Subject: [PATCH] autofs: fix default pgrp vnr
+
+Default pgrp should be virtual-nr,
+because autofs lookup pid struct via find_get_pid.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ fs/autofs/inode.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
+index dda510d..1f6e222 100644
+--- a/fs/autofs/inode.c
++++ b/fs/autofs/inode.c
+@@ -78,7 +78,7 @@ static int parse_options(char *options, int *pipefd, uid_t *uid, gid_t *gid,
+
+ *uid = current->uid;
+ *gid = current->gid;
+- *pgrp = task_pgrp_nr(current);
++ *pgrp = task_pgrp_vnr(current);
+
+ *minproto = *maxproto = AUTOFS_PROTO_VERSION;
+
+--
+1.6.0.6
+
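Review bot: the changed line in parse_options() carries no comment, and the commit message gives the reason (the lookup goes through find_get_pid) but not the symptom seen inside a container. A one-line comment at `*pgrp = task_pgrp_vnr(current);` saying that the default has to be in the numbering find_get_pid expects would stop a later cleanup from switching it back to task_pgrp_nr().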
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0022-conntrack-prevent-double-allocate-free-of-protos.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0022-conntrack-prevent-double-allocate-free-of-protos.patch Fri Mar 20 12:33:57 2009
@@ -0,0 +1,132 @@
+From 17b09e1de42db77743ea9ae3dfd3a910ac57ee71 Mon Sep 17 00:00:00 2001
+From: Vitaliy Gusev <vgusev at openvz.org>
+Date: Mon, 22 Sep 2008 13:53:27 +0400
+Subject: [PATCH] conntrack: prevent double allocate/free of protos
+
+Call nf_ct_proto_tcp_sysctl_xxx()/nf_ct_proto_tcp_sysctl_cleanup() from
+nf_conntrack_init_ve()/nf_conntrack_cleanup_ve() to prevent to be called twice
+from functions:
+
+ - init_nf_ct_l3proto_ipv4()
+ - init_nf_ct_l3proto_ipv6()
+ - fini_nf_ct_l3proto_ipv4()
+ - fini_nf_ct_l3proto_ipv6()
+
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 12 ------------
+ net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 12 ------------
+ net/netfilter/nf_conntrack_standalone.c | 13 +++++++++++++
+ 3 files changed, 13 insertions(+), 24 deletions(-)
+
+diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+index dca8da7..b4bb436 100644
+--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
++++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+@@ -512,12 +512,6 @@ int init_nf_ct_l3proto_ipv4(void)
+ ret = nf_ct_proto_ipv4_sysctl_init();
+ if (ret < 0)
+ goto no_mem_ipv4;
+- ret = nf_ct_proto_tcp_sysctl_init();
+- if (ret < 0)
+- goto no_mem_tcp;
+- ret = nf_ct_proto_udp_sysctl_init();
+- if (ret < 0)
+- goto no_mem_udp;
+ ret = nf_ct_proto_icmp_sysctl_init();
+ if (ret < 0)
+ goto no_mem_icmp;
+@@ -575,10 +569,6 @@ unreg_tcp:
+ cleanup_sys:
+ #ifdef CONFIG_VE_IPTABLES
+ no_mem_icmp:
+- nf_ct_proto_udp_sysctl_cleanup();
+-no_mem_udp:
+- nf_ct_proto_tcp_sysctl_cleanup();
+-no_mem_tcp:
+ nf_ct_proto_ipv4_sysctl_cleanup();
+ no_mem_ipv4:
+ nf_ct_proto_ipv4_fini();
+@@ -606,8 +596,6 @@ void fini_nf_ct_l3proto_ipv4(void)
+
+ #ifdef CONFIG_VE_IPTABLES
+ nf_ct_proto_icmp_sysctl_cleanup();
+- nf_ct_proto_udp_sysctl_cleanup();
+- nf_ct_proto_tcp_sysctl_cleanup();
+ nf_ct_proto_ipv4_sysctl_cleanup();
+ nf_ct_proto_ipv4_fini();
+ if (!ve_is_super(get_exec_env()))
+diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+index e6f8f7d..cbfe1a2 100644
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -368,12 +368,6 @@ int init_nf_ct_l3proto_ipv6(void)
+ if (!ve_is_super(get_exec_env()))
+ __module_get(THIS_MODULE);
+
+- ret = nf_ct_proto_tcp_sysctl_init();
+- if (ret < 0)
+- goto no_mem_tcp;
+- ret = nf_ct_proto_udp_sysctl_init();
+- if (ret < 0)
+- goto no_mem_udp;
+ ret = nf_ct_proto_icmpv6_sysctl_init();
+ if (ret < 0)
+ goto no_mem_icmp;
+@@ -430,10 +424,6 @@ cleanup_frag6:
+ cleanup_sys:
+ #ifdef CONFIG_VE_IPTABLES
+ no_mem_icmp:
+- nf_ct_proto_udp_sysctl_cleanup();
+-no_mem_udp:
+- nf_ct_proto_tcp_sysctl_cleanup();
+-no_mem_tcp:
+ if (!ve_is_super(get_exec_env()))
+ module_put(THIS_MODULE);
+ #endif /* CONFIG_VE_IPTABLES */
+@@ -452,8 +442,6 @@ void fini_nf_ct_l3proto_ipv6(void)
+
+ #ifdef CONFIG_VE_IPTABLES
+ nf_ct_proto_icmpv6_sysctl_cleanup();
+- nf_ct_proto_udp_sysctl_cleanup();
+- nf_ct_proto_tcp_sysctl_cleanup();
+ if (!ve_is_super(get_exec_env()))
+ module_put(THIS_MODULE);
+ #endif /* CONFIG_VE_IPTABLES */
+diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
+index c4d8ef2..0439df6 100644
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -510,8 +510,19 @@ static int nf_conntrack_init_ve(void)
+ ret = nf_conntrack_standalone_init_sysctl();
+ if (ret < 0)
+ goto out_sysctl;
++ ret = nf_ct_proto_tcp_sysctl_init();
++ if (ret < 0)
++ goto out_tcp_sysctl;
++ ret = nf_ct_proto_udp_sysctl_init();
++ if (ret < 0)
++ goto out_udp_sysctl;
++
+ return 0;
+
++out_udp_sysctl:
++ nf_ct_proto_tcp_sysctl_cleanup();
++out_tcp_sysctl:
++ nf_conntrack_standalone_fini_sysctl();
+ out_sysctl:
+ nf_conntrack_standalone_fini_proc();
+ out_proc:
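Review bot: the tcp/udp sysctl calls added to nf_conntrack_init_ve() sit under no visible #ifdef, while the unwind labels removed from init_nf_ct_l3proto_ipv4() and init_nf_ct_l3proto_ipv6() were inside `#ifdef CONFIG_VE_IPTABLES`. Please confirm that nf_conntrack_init_ve() is itself only built with CONFIG_VE_IPTABLES, or that nf_ct_proto_tcp_sysctl_init() and nf_ct_proto_udp_sysctl_init() have stubs otherwise. The unwind order of the new out_udp_sysctl/out_tcp_sysctl labels is correct. The l3proto init functions now rely on these tables having been set up here first, which deserves a comment at the call site.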
+@@ -522,6 +533,8 @@ out:
+
+ static void nf_conntrack_cleanup_ve(void)
+ {
++ nf_ct_proto_udp_sysctl_cleanup();
++ nf_ct_proto_tcp_sysctl_cleanup();
+ nf_conntrack_standalone_fini_sysctl();
+ nf_conntrack_standalone_fini_proc();
+ nf_conntrack_cleanup();
+--
+1.6.0.6
+
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0023-conntrack-prevent-call-register_pernet_subsys-fro.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0023-conntrack-prevent-call-register_pernet_subsys-fro.patch Fri Mar 20 12:33:57 2009
@@ -0,0 +1,91 @@
+From 7d3f10fc5d8e268f7572cfdd2287c049bce3af7c Mon Sep 17 00:00:00 2001
+From: Vitaliy Gusev <vgusev at openvz.org>
+Date: Mon, 22 Sep 2008 14:04:45 +0400
+Subject: [PATCH] conntrack: prevent call register_pernet_subsys() from VE context
+
+nf_ct_frag6_init calls register_pernet_subsys. So move nf_ct_frag6_init to
+nf_conntrack_l3proto_ipv6_init() to prevent call from VE context.
+
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 24 +++++++++++++-----------
+ 1 files changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+index cbfe1a2..b97914e 100644
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -372,16 +372,10 @@ int init_nf_ct_l3proto_ipv6(void)
+ if (ret < 0)
+ goto no_mem_icmp;
+ #endif /* CONFIG_VE_IPTABLES */
+- ret = nf_ct_frag6_init();
+- if (ret < 0) {
+- printk("nf_conntrack_ipv6: can't initialize frag6.\n");
+- goto cleanup_sys;
+- }
+-
+ ret = nf_conntrack_l4proto_register(ve_nf_conntrack_l4proto_tcp6);
+ if (ret < 0) {
+ printk("nf_conntrack_ipv6: can't register tcp.\n");
+- goto cleanup_frag6;
++ goto cleanup_sys;
+ }
+
+ ret = nf_conntrack_l4proto_register(ve_nf_conntrack_l4proto_udp6);
+@@ -419,8 +413,6 @@ unreg_udp:
+ nf_conntrack_l4proto_unregister(ve_nf_conntrack_l4proto_udp6);
+ unreg_tcp:
+ nf_conntrack_l4proto_unregister(ve_nf_conntrack_l4proto_tcp6);
+-cleanup_frag6:
+- nf_ct_frag6_cleanup();
+ cleanup_sys:
+ #ifdef CONFIG_VE_IPTABLES
+ no_mem_icmp:
+@@ -438,7 +430,6 @@ void fini_nf_ct_l3proto_ipv6(void)
+ nf_conntrack_l4proto_unregister(ve_nf_conntrack_l4proto_icmpv6);
+ nf_conntrack_l4proto_unregister(ve_nf_conntrack_l4proto_udp6);
+ nf_conntrack_l4proto_unregister(ve_nf_conntrack_l4proto_tcp6);
+- nf_ct_frag6_cleanup();
+
+ #ifdef CONFIG_VE_IPTABLES
+ nf_ct_proto_icmpv6_sysctl_cleanup();
+@@ -454,15 +445,25 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
+
+ need_conntrack();
+
++ ret = nf_ct_frag6_init();
++ if (ret < 0) {
++ printk("nf_conntrack_ipv6: can't initialize frag6.\n");
++ return ret;
++ }
++
+ ret = init_nf_ct_l3proto_ipv6();
+ if (ret < 0) {
+ printk(KERN_ERR "Unable to initialize netfilter protocols\n");
+- return ret;
++ goto cleanup_frag6;
+ }
+ KSYMRESOLVE(init_nf_ct_l3proto_ipv6);
+ KSYMRESOLVE(fini_nf_ct_l3proto_ipv6);
+ KSYMMODRESOLVE(nf_conntrack_ipv6);
+ return 0;
++
++cleanup_frag6:
++ nf_ct_frag6_cleanup();
++ return ret;
+ }
+
+ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
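Review bot: the frag6 failure message re-added in nf_conntrack_l3proto_ipv6_init() is a bare printk() with no log level, while the message directly below it uses KERN_ERR. Since the lines are being moved anyway, give it KERN_ERR so both init failures are logged at the same severity. The error path itself (return before init_nf_ct_l3proto_ipv6(), `goto cleanup_frag6` after it) unwinds correctly.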
+@@ -472,6 +473,7 @@ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
+ KSYMUNRESOLVE(init_nf_ct_l3proto_ipv6);
+ KSYMUNRESOLVE(fini_nf_ct_l3proto_ipv6);
+ fini_nf_ct_l3proto_ipv6();
++ nf_ct_frag6_cleanup();
+ }
+
+ module_init(nf_conntrack_l3proto_ipv6_init);
+--
+1.6.0.6
+
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0024-conntrack-prevent-call-nf_register_hooks-from-VE.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0024-conntrack-prevent-call-nf_register_hooks-from-VE.patch Fri Mar 20 12:33:57 2009
@@ -0,0 +1,71 @@
+From 482dd20be37f61b2f94e6b3f3de1c1b9b4f9e6f1 Mon Sep 17 00:00:00 2001
+From: Vitaliy Gusev <vgusev at openvz.org>
+Date: Mon, 22 Sep 2008 14:05:54 +0400
+Subject: [PATCH] conntrack: prevent call nf_register_hooks() from VE context
+
+Move nf_register_hooks from init_nf_ct_l3proto_ipv6() to
+nf_conntrack_l3proto_ipv6_init() to prevent call from VE
+context.
+
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 19 +++++++++----------
+ 1 files changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+index b97914e..71b15ab 100644
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -396,17 +396,8 @@ int init_nf_ct_l3proto_ipv6(void)
+ goto unreg_icmpv6;
+ }
+
+- ret = nf_register_hooks(ipv6_conntrack_ops,
+- ARRAY_SIZE(ipv6_conntrack_ops));
+- if (ret < 0) {
+- printk("nf_conntrack_ipv6: can't register pre-routing defrag "
+- "hook.\n");
+- goto unreg_ipv6;
+- }
+ return 0;
+
+-unreg_ipv6:
+- nf_conntrack_l3proto_unregister(ve_nf_conntrack_l3proto_ipv6);
+ unreg_icmpv6:
+ nf_conntrack_l4proto_unregister(ve_nf_conntrack_l4proto_icmpv6);
+ unreg_udp:
+@@ -425,7 +416,6 @@ EXPORT_SYMBOL(init_nf_ct_l3proto_ipv6);
+
+ void fini_nf_ct_l3proto_ipv6(void)
+ {
+- nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
+ nf_conntrack_l3proto_unregister(ve_nf_conntrack_l3proto_ipv6);
+ nf_conntrack_l4proto_unregister(ve_nf_conntrack_l4proto_icmpv6);
+ nf_conntrack_l4proto_unregister(ve_nf_conntrack_l4proto_udp6);
+@@ -456,6 +446,14 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
+ printk(KERN_ERR "Unable to initialize netfilter protocols\n");
+ goto cleanup_frag6;
+ }
++
++ ret = nf_register_hooks(ipv6_conntrack_ops,
++ ARRAY_SIZE(ipv6_conntrack_ops));
++ if (ret < 0) {
++ printk(KERN_ERR "nf_conntrack_ipv6: can't register pre-routing "
++ "defrag hook.\n");
++ return ret;
++ }
+ KSYMRESOLVE(init_nf_ct_l3proto_ipv6);
+ KSYMRESOLVE(fini_nf_ct_l3proto_ipv6);
+ KSYMMODRESOLVE(nf_conntrack_ipv6);
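Review bot: the failure branch of the nf_register_hooks() call added to nf_conntrack_l3proto_ipv6_init() does `return ret;`, which skips the cleanup_frag6 label used by the check just above it and does not undo the init_nf_ct_l3proto_ipv6() call that has already succeeded. The code removed from init_nf_ct_l3proto_ipv6() used `goto unreg_ipv6` and unwound every registration, so this is a regression in the error path: module load fails while the l3/l4 protocols stay registered and frag6 stays initialised. Call fini_nf_ct_l3proto_ipv6() and then `goto cleanup_frag6` instead of returning directly.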
+@@ -472,6 +470,7 @@ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
+ KSYMMODUNRESOLVE(nf_conntrack_ipv6);
+ KSYMUNRESOLVE(init_nf_ct_l3proto_ipv6);
+ KSYMUNRESOLVE(fini_nf_ct_l3proto_ipv6);
++ nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
+ fini_nf_ct_l3proto_ipv6();
+ nf_ct_frag6_cleanup();
+ }
+--
+1.6.0.6
+
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0027-Fix-erratum-that-causes-memory-corruption.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0027-Fix-erratum-that-causes-memory-corruption.patch Fri Mar 20 12:33:57 2009
@@ -0,0 +1,27 @@
+From ff3483aef4dbbddf6ee5ca483555c0ef8f8a047f Mon Sep 17 00:00:00 2001
+From: Vitaliy Gusev <vgusev at openvz.org>
+Date: Thu, 25 Sep 2008 13:03:45 +0400
+Subject: [PATCH] Fix erratum that causes memory corruption.
+
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ drivers/base/core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/base/core.c b/drivers/base/core.c
+index 660ecc0..47d5db2 100644
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -1089,7 +1089,7 @@ EXPORT_SYMBOL_GPL(devices_init);
+
+ void devices_fini(void)
+ {
+- kset_unregister(devices_kset);
++ kset_unregister(ve_devices_kset);
+ }
+ EXPORT_SYMBOL_GPL(devices_fini);
+
+--
+1.6.0.6
+
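Review bot: the subject line is the only description of a memory corruption fix, and it does not say which object was corrupted or how. The change in devices_fini() replaces devices_kset with ve_devices_kset in the kset_unregister() call; the message should state which of the two devices_init() registers for the context being torn down, so that anyone backporting or auditing can see that init and fini are now symmetric.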
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0029-conntrack-adjust-context-during-freeing.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0029-conntrack-adjust-context-during-freeing.patch Fri Mar 20 12:33:57 2009
@@ -0,0 +1,38 @@
+From 5fff3eb60f78acaadcae8562de5d3e6504f4d4f9 Mon Sep 17 00:00:00 2001
+From: Vitaliy Gusev <vgusev at openvz.org>
+Date: Fri, 26 Sep 2008 19:06:41 +0400
+Subject: [PATCH] conntrack: adjust context during freeing
+
+rcu callback are called from VE0 context, so we must specify
+context when accessing to virtualized variables (ve_nf_conntrack_count)
+
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ net/netfilter/nf_conntrack_core.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index b4050b0..b38699c 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -539,10 +539,16 @@ EXPORT_SYMBOL_GPL(nf_conntrack_alloc);
+ static void nf_conntrack_free_rcu(struct rcu_head *head)
+ {
+ struct nf_conn *ct = container_of(head, struct nf_conn, rcu);
++#ifdef CONFIG_VE_IPTABLES
++ struct ve_struct *ve = set_exec_env(ct->ct_owner_env);
++#endif
+
+ nf_ct_ext_free(ct);
+ kmem_cache_free(nf_conntrack_cachep, ct);
+ atomic_dec(&ve_nf_conntrack_count);
++#ifdef CONFIG_VE_IPTABLES
++ set_exec_env(ve);
++#endif
+ }
+
+ void nf_conntrack_free(struct nf_conn *ct)
+--
+1.6.0.6
+
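Review bot: nf_conntrack_free_rcu() now switches to ct->ct_owner_env, but nothing in the hunk shows that the owning VE is still alive when this deferred callback runs, and the added lines take no reference on it. Please confirm that VE teardown waits for outstanding conntrack RCU callbacks, or pin the ve_struct until the callback has finished, and say which in a comment next to `set_exec_env(ct->ct_owner_env)`. Reading ct_owner_env in the declaration, before kmem_cache_free(), is correct and should stay that way.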
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0033-netfilter-NAT-assign-nf_nat_seq_adjust_hook-from-V.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0033-netfilter-NAT-assign-nf_nat_seq_adjust_hook-from-V.patch Fri Mar 20 12:33:57 2009
@@ -0,0 +1,46 @@
+From 3cb8bc3781889ade74c02840b2eb8ddafb6d39c5 Mon Sep 17 00:00:00 2001
+From: Vitaliy Gusev <vgusev at openvz.org>
+Date: Wed, 1 Oct 2008 12:10:51 +0400
+Subject: [PATCH] netfilter: NAT: assign nf_nat_seq_adjust_hook from VE0 context only
+
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ net/ipv4/netfilter/nf_nat_core.c | 9 +++++----
+ 1 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
+index f7f832b..ac9319d 100644
+--- a/net/ipv4/netfilter/nf_nat_core.c
++++ b/net/ipv4/netfilter/nf_nat_core.c
+@@ -645,12 +645,12 @@ int nf_nat_init(void)
+ if (ve_is_super(get_exec_env())) {
+ /* Initialize fake conntrack so that NAT will skip it */
+ nf_conntrack_untracked.status |= IPS_NAT_DONE_MASK;
++ BUG_ON(nf_nat_seq_adjust_hook != NULL);
++ rcu_assign_pointer(nf_nat_seq_adjust_hook, nf_nat_seq_adjust);
+ }
+
+ ve_nf_nat_l3proto = nf_ct_l3proto_find_get((u_int16_t)AF_INET);
+
+- BUG_ON(nf_nat_seq_adjust_hook != NULL);
+- rcu_assign_pointer(nf_nat_seq_adjust_hook, nf_nat_seq_adjust);
+ return 0;
+
+ #ifdef CONFIG_VE_IPTABLES
+@@ -683,9 +683,10 @@ void nf_nat_cleanup(void)
+ #ifdef CONFIG_VE_IPTABLES
+ kfree(ve_nf_nat_protos);
+ #endif
+- if (ve_is_super(get_exec_env()))
++ if (ve_is_super(get_exec_env())) {
+ nf_ct_extend_unregister(&nat_extend);
+- rcu_assign_pointer(nf_nat_seq_adjust_hook, NULL);
++ rcu_assign_pointer(nf_nat_seq_adjust_hook, NULL);
++ }
+ synchronize_net();
+ }
+
+--
+1.6.0.6
+
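Review bot: the commit has no body, and the nf_nat_cleanup() hunk fixes more than the subject says. In the old code only nf_ct_extend_unregister() was under the `if`, so `rcu_assign_pointer(nf_nat_seq_adjust_hook, NULL);` ran in every context despite its indentation, and the BUG_ON in nf_nat_init() likewise ran in every context. The message should record both effects (the global hook was cleared on non-VE0 cleanup, and the BUG_ON was reachable from non-VE0 init), since the added braces are otherwise easy to mistake for a style change.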
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0034-netfilter-call-nf_register_hooks-from-VE0-context-o.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0034-netfilter-call-nf_register_hooks-from-VE0-context-o.patch Fri Mar 20 12:33:57 2009
@@ -0,0 +1,46 @@
+From 490910232ebe61f65e5e5c03b7286f11291b6092 Mon Sep 17 00:00:00 2001
+From: Vitaliy Gusev <vgusev at openvz.org>
+Date: Wed, 1 Oct 2008 12:12:36 +0400
+Subject: [PATCH] netfilter: call nf_register_hooks from VE0 context only
+
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ net/ipv4/netfilter/nf_nat_standalone.c | 14 +++++++++-----
+ 1 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
+index 9aec464..72f45db 100644
+--- a/net/ipv4/netfilter/nf_nat_standalone.c
++++ b/net/ipv4/netfilter/nf_nat_standalone.c
+@@ -295,10 +295,13 @@ int init_nftable_nat(void)
+ printk("nf_nat_init: can't setup rules.\n");
+ goto out_modput;
+ }
+- ret = nf_register_hooks(nf_nat_ops, ARRAY_SIZE(nf_nat_ops));
+- if (ret < 0) {
+- printk("nf_nat_init: can't register hooks.\n");
+- goto cleanup_rule_init;
++
++ if (ve_is_super(get_exec_env())) {
++ ret = nf_register_hooks(nf_nat_ops, ARRAY_SIZE(nf_nat_ops));
++ if (ret < 0) {
++ printk("nf_nat_init: can't register hooks.\n");
++ goto cleanup_rule_init;
++ }
+ }
+ return 0;
+
+@@ -312,7 +315,8 @@ out_modput:
+
+ void fini_nftable_nat(void)
+ {
+- nf_unregister_hooks(nf_nat_ops, ARRAY_SIZE(nf_nat_ops));
++ if (ve_is_super(get_exec_env()))
++ nf_unregister_hooks(nf_nat_ops, ARRAY_SIZE(nf_nat_ops));
+ nf_nat_rule_cleanup();
+ if (!ve_is_super(get_exec_env()))
+ module_put(THIS_MODULE);
+--
+1.6.0.6
+
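Review bot: fini_nftable_nat() now evaluates ve_is_super(get_exec_env()) twice with opposite sense, once for nf_unregister_hooks() and once for module_put(). Restructure it as a single if/else around nf_nat_rule_cleanup(), or cache the result in a local, so the VE0 and non-VE0 paths are visibly paired. In init_nftable_nat() the re-indented "can't register hooks" printk still has no log level, and the commit message has no body explaining why hooks must be registered once from VE0.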
Modified: dists/lenny/linux-2.6/debian/patches/series/14-extra
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/14-extra (original)
+++ dists/lenny/linux-2.6/debian/patches/series/14-extra Fri Mar 20 12:33:57 2009
@@ -1,3 +1,12 @@
+ features/all/openvz/fix-wrong-size-of-ub0_percpu.patch featureset=openvz
+ features/all/openvz/netlink-fix-conntrack-oops.patch featureset=openvz
+ features/all/openvz/cpt-revert-check-on-sk_reuse-gt-one.patch featureset=openvz
++ features/all/openvz/0015--UB-Double-free-for-UDP-socket.patch featureset=openvz
++ features/all/openvz/0021-autofs-fix-default-pgrp-vnr.patch featureset=openvz
++ features/all/openvz/0022-conntrack-prevent-double-allocate-free-of-protos.patch featureset=openvz
++ features/all/openvz/0023-conntrack-prevent-call-register_pernet_subsys-fro.patch featureset=openvz
++ features/all/openvz/0024-conntrack-prevent-call-nf_register_hooks-from-VE.patch featureset=openvz
++ features/all/openvz/0027-Fix-erratum-that-causes-memory-corruption.patch featureset=openvz
++ features/all/openvz/0029-conntrack-adjust-context-during-freeing.patch featureset=openvz
++ features/all/openvz/0033-netfilter-NAT-assign-nf_nat_seq_adjust_hook-from-V.patch featureset=openvz
++ features/all/openvz/0034-netfilter-call-nf_register_hooks-from-VE0-context-o.patch featureset=openvz
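Review bot: the added entries are not independent of each other, and the series file does not show that. The index lines of the patches chain on nf_conntrack_l3proto_ipv6.c: 0022 produces blob cbfe1a2, 0023 starts from cbfe1a2 and produces b97914e, and 0024 starts from b97914e. These three must stay together and in this order; since the log says the set was selected from 0014-0039, note the dependency (and which numbers were left out) in the changelog or commit log so a later partial revert does not break the stack.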