Commit 2d674ead authored by Natanael Copa's avatar Natanael Copa

main/linux-grsec: backport flow patch from upstream

fixes performance regression
parent ef4265d5
......@@ -3,7 +3,7 @@
_flavor=grsec
_kver=3.0.8
_kpkgrel=2
_kpkgrel=3
# verify the kernel version before entering chroot
if [ -f ../linux-${_flavor}/APKBUILD ]; then
......
......@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.0.8
_kernver=3.0
pkgrel=2
pkgrel=3
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
......@@ -20,6 +20,7 @@ source="ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2
0001-ip_gre-dont-increase-dev-needed_headroom-on-a-live-d.patch
0001-ipv4-fix-ipsec-forward-performance-regression.patch
0004-arp-flush-arp-cache-on-device-change.patch
net-handle-different-key-sizes-between-address-families-in-flow-cache.patch
kernelconfig.x86
kernelconfig.x86_64
......@@ -146,5 +147,6 @@ c41cf0ee9794f393423c6b2093072260 grsec-timblogiw-noconst.patch
ebb99ef6ad8cd2d9fd8f49d5c5849057 0001-ip_gre-dont-increase-dev-needed_headroom-on-a-live-d.patch
b27bc150f7a3932de28fcb8803809cbc 0001-ipv4-fix-ipsec-forward-performance-regression.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
2b71de1af5539744e2d9f1c37c0ff520 net-handle-different-key-sizes-between-address-families-in-flow-cache.patch
464e2356a1983e1ffe261904a1d76338 kernelconfig.x86
d97d1808eebdfb97734dccfbcaea35f2 kernelconfig.x86_64"
From aa1c366e4febc7f5c2b84958a2dd7cd70e28f9d0 Mon Sep 17 00:00:00 2001
From: dpward <david.ward@ll.mit.edu>
Date: Mon, 5 Sep 2011 16:47:24 +0000
Subject: net: Handle different key sizes between address families in flow cache
From: dpward <david.ward@ll.mit.edu>
commit aa1c366e4febc7f5c2b84958a2dd7cd70e28f9d0 upstream.
With the conversion of struct flowi to a union of AF-specific structs, some
operations on the flow cache need to account for the exact size of the key.
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Kim Phillips <kim.phillips@freescale.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
include/net/flow.h | 19 +++++++++++++++++++
net/core/flow.c | 31 +++++++++++++++++--------------
2 files changed, 36 insertions(+), 14 deletions(-)
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -7,6 +7,7 @@
#ifndef _NET_FLOW_H
#define _NET_FLOW_H
+#include <linux/socket.h>
#include <linux/in6.h>
#include <asm/atomic.h>
@@ -161,6 +162,24 @@ static inline struct flowi *flowidn_to_f
return container_of(fldn, struct flowi, u.dn);
}
+typedef unsigned long flow_compare_t;
+
+static inline size_t flow_key_size(u16 family)
+{
+ switch (family) {
+ case AF_INET:
+ BUILD_BUG_ON(sizeof(struct flowi4) % sizeof(flow_compare_t));
+ return sizeof(struct flowi4) / sizeof(flow_compare_t);
+ case AF_INET6:
+ BUILD_BUG_ON(sizeof(struct flowi6) % sizeof(flow_compare_t));
+ return sizeof(struct flowi6) / sizeof(flow_compare_t);
+ case AF_DECnet:
+ BUILD_BUG_ON(sizeof(struct flowidn) % sizeof(flow_compare_t));
+ return sizeof(struct flowidn) / sizeof(flow_compare_t);
+ }
+ return 0;
+}
+
#define FLOW_DIR_IN 0
#define FLOW_DIR_OUT 1
#define FLOW_DIR_FWD 2
--- a/net/core/flow.c
+++ b/net/core/flow.c
@@ -172,29 +172,26 @@ static void flow_new_hash_rnd(struct flo
static u32 flow_hash_code(struct flow_cache *fc,
struct flow_cache_percpu *fcp,
- const struct flowi *key)
+ const struct flowi *key,
+ size_t keysize)
{
const u32 *k = (const u32 *) key;
+ const u32 length = keysize * sizeof(flow_compare_t) / sizeof(u32);
- return jhash2(k, (sizeof(*key) / sizeof(u32)), fcp->hash_rnd)
+ return jhash2(k, length, fcp->hash_rnd)
& (flow_cache_hash_size(fc) - 1);
}
-typedef unsigned long flow_compare_t;
-
/* I hear what you're saying, use memcmp. But memcmp cannot make
- * important assumptions that we can here, such as alignment and
- * constant size.
+ * important assumptions that we can here, such as alignment.
*/
-static int flow_key_compare(const struct flowi *key1, const struct flowi *key2)
+static int flow_key_compare(const struct flowi *key1, const struct flowi *key2,
+ size_t keysize)
{
const flow_compare_t *k1, *k1_lim, *k2;
- const int n_elem = sizeof(struct flowi) / sizeof(flow_compare_t);
-
- BUILD_BUG_ON(sizeof(struct flowi) % sizeof(flow_compare_t));
k1 = (const flow_compare_t *) key1;
- k1_lim = k1 + n_elem;
+ k1_lim = k1 + keysize;
k2 = (const flow_compare_t *) key2;
@@ -215,6 +212,7 @@ flow_cache_lookup(struct net *net, const
struct flow_cache_entry *fle, *tfle;
struct hlist_node *entry;
struct flow_cache_object *flo;
+ size_t keysize;
unsigned int hash;
local_bh_disable();
@@ -222,6 +220,11 @@ flow_cache_lookup(struct net *net, const
fle = NULL;
flo = NULL;
+
+ keysize = flow_key_size(family);
+ if (!keysize)
+ goto nocache;
+
/* Packet really early in init? Making flow_cache_init a
* pre-smp initcall would solve this. --RR */
if (!fcp->hash_table)
@@ -230,11 +233,11 @@ flow_cache_lookup(struct net *net, const
if (fcp->hash_rnd_recalc)
flow_new_hash_rnd(fc, fcp);
- hash = flow_hash_code(fc, fcp, key);
+ hash = flow_hash_code(fc, fcp, key, keysize);
hlist_for_each_entry(tfle, entry, &fcp->hash_table[hash], u.hlist) {
if (tfle->family == family &&
tfle->dir == dir &&
- flow_key_compare(key, &tfle->key) == 0) {
+ flow_key_compare(key, &tfle->key, keysize) == 0) {
fle = tfle;
break;
}
@@ -248,7 +251,7 @@ flow_cache_lookup(struct net *net, const
if (fle) {
fle->family = family;
fle->dir = dir;
- memcpy(&fle->key, key, sizeof(*key));
+ memcpy(&fle->key, key, keysize * sizeof(flow_compare_t));
fle->object = NULL;
hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
fcp->hash_count++;
......@@ -4,7 +4,7 @@ _flavor=grsec
_realname=open-iscsi
_realver=2.0-872
_kver=3.0.8
_kpkgrel=2
_kpkgrel=3
# verify the kernel version before entering chroot
if [ -f ../linux-${_flavor}/APKBUILD ]; then
......
......@@ -6,6 +6,9 @@ _mypkgrel=0
_realver=2011.09.23
_realsubver=491607
_kver=3.0.8
_kpkgrel=3
# source open-vm-tools version
if [ -f ../main/$_realname/APKBUILD ]; then
. ../main/$_realname/APKBUILD
......@@ -14,9 +17,6 @@ if [ -f ../main/$_realname/APKBUILD ]; then
&& die "please set _realsubver to $_pkgsubver"
fi
_kver=3.0.8
_kpkgrel=2
# source the kernel version
if [ -f ../main/linux-${_flavor}/APKBUILD ]; then
. ../main/linux-${_flavor}/APKBUILD
......
......@@ -4,7 +4,7 @@ _realname=xtables-addons
_name=$_realname-$_flavor
_kver=3.0.8
_kpkgrel=2
_kpkgrel=3
# source the kernel version
if [ -f ../linux-$_flavor/APKBUILD ]; then
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment