testing/linux-grsec: upgrade to 2.6.30.10

testing/linux-grsec/APKBUILD

+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+
+_flavor=grsec
+pkgname=linux-${_flavor}
+pkgver=2.6.30.10
+_kernver=2.6.30
+pkgrel=0
+pkgdesc="Linux kernel with grsecurity"
+url=http://grsecurity.net
+depends="mkinitfs linux-firmware"
+makedepends="perl installkernel"
+_config=${config:-kernelconfig}
+install=
+source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
+	ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
+	grsecurity-2.1.14-2.6.30.8-200909262311.patch
+	net-next-2.6.git-5ef12d98a19254ee5dc851bd83e214b43ec1f725.patch
+	$_config
+	"
+subpackages="$pkgname-dev linux-firmware:firmware"
+license="GPL-2"
+
+_abi_release=${pkgver}-${_flavor}
+
+_prepare() {
+	cd "$srcdir"/linux-$_kernver
+	if [ "$_kernver" != "$pkgver" ]; then
+		bunzip2 -c < ../patch-$pkgver.bz2 | patch -p1 -N || return 1
+	fi
+
+	for i in ../*.diff ../*.patch; do
+		[ -f $i ] || continue
+		msg "Applying $i..."
+		patch -p1 -N < $i || return 1
+	done
+
+	mkdir -p "$srcdir"/build
+	cp "$srcdir"/$_config "$srcdir"/build/.config
+	make -C "$srcdir"/linux-$_kernver O="$srcdir"/build HOSTCC="$CC" \
+		silentoldconfig
+}
+
+# this is so we can do: 'abuild menuconfig' to reconfigure kernel
+menuconfig() {
+	_prepare
+	cd "$srcdir"/build
+	make menuconfig
+	cp .config "$startdir"/$_config
+}
+
+build() {
+	_prepare || return 1
+	cd "$srcdir"/build
+	make CC="$CC" || return 1
+
+	mkdir -p "$pkgdir"/boot "$pkgdir"/lib/modules
+	make modules_install install \
+		INSTALL_MOD_PATH="$pkgdir" \
+		INSTALL_PATH="$pkgdir"/boot
+
+#	ln -s vmlinuz-${_abi_release} "${pkgdir}"/boot/$_flavor
+
+	rm -f "$pkgdir"/lib/modules/${_abi_release}/build \
+		"$pkgdir"/lib/modules/${_abi_release}/source
+	install -D include/config/kernel.release \
+		"$pkgdir"/usr/share/kernel/$_flavor/kernel.release
+}
+
+dev() {
+	# copy the only the parts that we really need for build 3rd party
+	# kernel modules and install those as /usr/src/linux-headers,
+	# simlar to what ubuntu does
+	#
+	# this way you dont need to install the 300-400 kernel sources to 
+	# build a tiny kernel module
+	#
+	pkgdesc="Headers and script for third party modules for grsec kernel"
+	local dir="$subpkgdir"/usr/src/linux-headers-${_abi_release}
+
+	# first we import config, run prepare to set up for building 
+	# external modules, and create the scripts
+	mkdir -p "$dir"
+	cp "$srcdir"/kernelconfig "$dir"/.config
+	make -j1 -C "$srcdir"/linux-$_kernver O="$dir" HOSTCC="$CC" \
+		silentoldconfig prepare scripts
+
+	# remove the stuff that poits to real sources. we want 3rd party
+	# modules to believe this is the soruces
+	rm "$dir"/Makefile "$dir"/source
+
+	# copy the needed stuff from real sources
+	#
+	# this is taken from ubuntu kernel build script
+	# http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-jaunty.git;a=blob;f=debian/rules.d/3-binary-indep.mk;hb=HEAD
+	cd "$srcdir"/linux-$_kernver
+	find . -path './include/*' -prune -o -path './scripts/*' -prune \
+		-o -type f \( -name 'Makefile*' -o -name 'Kconfig*' \
+		-o -name 'Kbuild*' -o -name '*.sh' -o -name '*.pl' \
+		-o -name '*.lds' \) | cpio -pdm "$dir"
+	cp -a drivers/media/dvb/dvb-core/*.h "$dir"/drivers/media/dvb/dvb-core
+	cp -a drivers/media/video/*.h "$dir"/drivers/media/video
+	cp -a drivers/media/dvb/frontends/*.h "$dir"/drivers/media/dvb/frontends
+	cp -a scripts include "$dir"
+	find $(find arch -name include -type d -print) -type f \
+		| cpio -pdm "$dir"
+
+	install -Dm644 "$srcdir"/build/Module.symvers \
+		"$dir"/Module.symvers
+
+	mkdir -p "$subpkgdir"/lib/modules/${_abi_release}
+	ln -sf /usr/src/linux-headers-${_abi_release} \
+		"$subpkgdir"/lib/modules/${_abi_release}/build
+}
+
+firmware() {
+	pkgdesc="Firmware for linux kernel"
+	replaces="linux-grsec linux-vserver"
+	mkdir -p "$subpkgdir"/lib
+	mv "$pkgdir"/lib/firmware "$subpkgdir"/lib/
+}
+
+md5sums="7a80058a6382e5108cdb5554d1609615  linux-2.6.30.tar.bz2
+6485fe0cf0f0220493647505bfd2f7b0  patch-2.6.30.10.bz2
+287a382cfb72043867d8092996875f5d  grsecurity-2.1.14-2.6.30.8-200909262311.patch
+ca05fd252783b82e01610e775cf56498  net-next-2.6.git-5ef12d98a19254ee5dc851bd83e214b43ec1f725.patch
+9f41d910914f5a516072f0aa500fa117  kernelconfig"

testing/linux-grsec/net-next-2.6.git-5ef12d98a19254ee5dc851bd83e214b43ec1f725.patch

+From: Timo Teras <timo.teras@iki.fi>
+Date: Thu, 11 Jun 2009 11:16:28 +0000 (-0700)
+Subject: neigh: fix state transition INCOMPLETE->FAILED via Netlink request
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-next-2.6.git;a=commitdiff_plain;h=5ef12d98a19254ee5dc851bd83e214b43ec1f725;hp=2b85a34e911bf483c27cfdd124aeb1605145dc80
+
+neigh: fix state transition INCOMPLETE->FAILED via Netlink request
+
+The current code errors out the INCOMPLETE neigh entry skb queue only from
+the timer if maximum probes have been attempted and there has been no reply.
+This also causes the transtion to FAILED state.
+
+However, the neigh entry can be also updated via Netlink to inform that the
+address is unavailable.  Currently, neigh_update() just stops the timers and
+leaves the pending skb's unreleased. This results that the clean up code in
+the timer callback is never called, preventing also proper garbage collection.
+
+This fixes neigh_update() to process the pending skb queue immediately if
+INCOMPLETE -> FAILED state transtion occurs due to a Netlink request.
+
+Signed-off-by: Timo Teras <timo.teras@iki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index c54229b..163b4f5 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -771,6 +771,28 @@ static __inline__ int neigh_max_probes(struct neighbour *n)
+ 		p->ucast_probes + p->app_probes + p->mcast_probes);
+ }
+ 
++static void neigh_invalidate(struct neighbour *neigh)
++{
++	struct sk_buff *skb;
++
++	NEIGH_CACHE_STAT_INC(neigh->tbl, res_failed);
++	NEIGH_PRINTK2("neigh %p is failed.\n", neigh);
++	neigh->updated = jiffies;
++
++	/* It is very thin place. report_unreachable is very complicated
++	   routine. Particularly, it can hit the same neighbour entry!
++
++	   So that, we try to be accurate and avoid dead loop. --ANK
++	 */
++	while (neigh->nud_state == NUD_FAILED &&
++	       (skb = __skb_dequeue(&neigh->arp_queue)) != NULL) {
++		write_unlock(&neigh->lock);
++		neigh->ops->error_report(neigh, skb);
++		write_lock(&neigh->lock);
++	}
++	skb_queue_purge(&neigh->arp_queue);
++}
++
+ /* Called when a timer expires for a neighbour entry. */
+ 
+ static void neigh_timer_handler(unsigned long arg)
+@@ -835,26 +857,9 @@ static void neigh_timer_handler(unsigned long arg)
+ 
+ 	if ((neigh->nud_state & (NUD_INCOMPLETE | NUD_PROBE)) &&
+ 	    atomic_read(&neigh->probes) >= neigh_max_probes(neigh)) {
+-		struct sk_buff *skb;
+-
+ 		neigh->nud_state = NUD_FAILED;
+-		neigh->updated = jiffies;
+ 		notify = 1;
+-		NEIGH_CACHE_STAT_INC(neigh->tbl, res_failed);
+-		NEIGH_PRINTK2("neigh %p is failed.\n", neigh);
+-
+-		/* It is very thin place. report_unreachable is very complicated
+-		   routine. Particularly, it can hit the same neighbour entry!
+-
+-		   So that, we try to be accurate and avoid dead loop. --ANK
+-		 */
+-		while (neigh->nud_state == NUD_FAILED &&
+-		       (skb = __skb_dequeue(&neigh->arp_queue)) != NULL) {
+-			write_unlock(&neigh->lock);
+-			neigh->ops->error_report(neigh, skb);
+-			write_lock(&neigh->lock);
+-		}
+-		skb_queue_purge(&neigh->arp_queue);
++		neigh_invalidate(neigh);
+ 	}
+ 
+ 	if (neigh->nud_state & NUD_IN_TIMER) {
+@@ -1001,6 +1006,11 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
+ 		neigh->nud_state = new;
+ 		err = 0;
+ 		notify = old & NUD_VALID;
++		if ((old & (NUD_INCOMPLETE | NUD_PROBE)) &&
++		    (new & NUD_FAILED)) {
++			neigh_invalidate(neigh);
++			notify = 1;
++		}
+ 		goto out;
+ 	}
+