From 49d23722dfbdeca9a8cb66ba87104e31bb98e62f Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Nov 20 2010 13:28:57 +0000 Subject: fix BUG when using xt_SECMARK --- diff --git a/kernel.spec b/kernel.spec index d85d380..3fb5865 100644 --- a/kernel.spec +++ b/kernel.spec @@ -724,6 +724,8 @@ Patch12303: dmar-disable-when-ricoh-multifunction.patch Patch12305: xhci_hcd-suspend-resume.patch +Patch12306: secmark-do-not-return-early-if-there-was-no-error.patch + %endif BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root @@ -1342,6 +1344,8 @@ ApplyPatch dmar-disable-when-ricoh-multifunction.patch ApplyPatch xhci_hcd-suspend-resume.patch +ApplyPatch secmark-do-not-return-early-if-there-was-no-error.patch + # END OF PATCH APPLICATIONS %endif @@ -1955,6 +1959,10 @@ fi # || || %changelog +* Sat Nov 20 2010 Kyle McMartin +- secmark-do-not-return-early-if-there-was-no-error.patch: requested + by eparis@. (Fixes a BUG when using secmark.) + * Wed Nov 17 2010 Kyle McMartin 2.6.36-5 - Disable drm/intel rebase until it can be fixed. diff --git a/secmark-do-not-return-early-if-there-was-no-error.patch b/secmark-do-not-return-early-if-there-was-no-error.patch new file mode 100644 index 0000000..6515bd0 --- /dev/null +++ b/secmark-do-not-return-early-if-there-was-no-error.patch 
@@ -0,0 +1,33 @@ +From 15714f7b58011cf3948cab2988abea560240c74f Mon Sep 17 00:00:00 2001 +From: Eric Paris +Date: Tue, 12 Oct 2010 11:40:08 -0400 +Subject: [PATCH] secmark: do not return early if there was no error + +Commit 4a5a5c73 attempted to pass decent error messages back to userspace for +netfilter errors. In xt_SECMARK.c however the patch screwed up and returned +on 0 (aka no error) early and didn't finish setting up secmark. This results +in a kernel BUG if you use SECMARK. + +Signed-off-by: Eric Paris +Acked-by: Paul Moore +Signed-off-by: James Morris +--- + net/netfilter/xt_SECMARK.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c +index 23b2d6c..364ad16 100644 +--- a/net/netfilter/xt_SECMARK.c ++++ b/net/netfilter/xt_SECMARK.c +@@ -101,7 +101,7 @@ static int secmark_tg_check(const struct xt_tgchk_param *par) + switch (info->mode) { + case SECMARK_MODE_SEL: + err = checkentry_selinux(info); +- if (err <= 0) ++ if (err) + return err; + break; + +-- +1.7.3.2 +
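Review bot: in the %changelog hunk of kernel.spec the new entry header `* Sat Nov 20 2010 Kyle McMartin` carries no version-release after the author, while the entry directly beneath it reads `* Wed Nov 17 2010 Kyle McMartin 2.6.36-5`; add the version-release this build will ship as so the changelog stays parseable and consistent with the existing entries. The diff also shows no hunk touching the spec's Release value, so confirm the build number is bumped elsewhere (or by the build system) before this goes out, otherwise the rebuilt package would collide with the previous one.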
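Review bot: in the xt_SECMARK.c hunk the old test `if (err <= 0) return err;` returned from secmark_tg_check as soon as checkentry_selinux reported success (err == 0), so whatever follows the switch in secmark_tg_check never ran and the target was accepted with its setup unfinished, which matches the kernel BUG the subject describes; changing it to `if (err) return err;` returns only on a real error, so the fix is correct as far as the visible lines show. Two things worth checking before merging: that checkentry_selinux has no positive non-error return the old `<= 0` comparison was meant to let through (the hunk gives no context for that), and that a rule using the SECMARK target is loaded and exercised on a patched kernel as a regression test, since the failure mode here is a crash triggered by ordinary rule configuration rather than a refused rule.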