Commit 4ba20c01 authored by Natanael Copa's avatar Natanael Copa

main/*-grsec: upgrade kernel to 3.0.9-201111121310

parent 9c0f229c
......@@ -2,8 +2,9 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
_flavor=grsec
_kver=3.0.8
_kpkgrel=4
_kver=3.0.9
_kpkgrel=0
_mypkgrel=0
# verify the kernel version before entering chroot
if [ -f ../linux-${_flavor}/APKBUILD ]; then
......@@ -20,7 +21,6 @@ pkgname=${_realname}-${_flavor}
pkgver=$_kver
# when chaning _dahdiver we *must* bump _mypkgrel
_dahdiver=2.5.0.2
_mypkgrel=0
pkgrel=$(( $_kpkgrel + $_mypkgrel ))
pkgdesc="Digium Asterisk Hardware Device Interface drivers $_dahdiver"
url="http://www.asterisk.org"
......
From b73233960a59ee66e09d642f13d0592b13651e94 Mon Sep 17 00:00:00 2001
From: "Yan, Zheng" <zheng.z.yan@intel.com>
Date: Sat, 22 Oct 2011 21:58:20 +0000
Subject: [PATCH] ipv4: fix ipsec forward performance regression
There is bug in commit 5e2b61f(ipv4: Remove flowi from struct rtable).
It makes xfrm4_fill_dst() modify wrong data structure.
Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
Reported-by: Kim Phillips <kim.phillips@freescale.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/ipv4/xfrm4_policy.c | 14 +++++++-------
1 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index fc5368a..a0b4c5d 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -79,13 +79,13 @@ static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
struct rtable *rt = (struct rtable *)xdst->route;
const struct flowi4 *fl4 = &fl->u.ip4;
- rt->rt_key_dst = fl4->daddr;
- rt->rt_key_src = fl4->saddr;
- rt->rt_key_tos = fl4->flowi4_tos;
- rt->rt_route_iif = fl4->flowi4_iif;
- rt->rt_iif = fl4->flowi4_iif;
- rt->rt_oif = fl4->flowi4_oif;
- rt->rt_mark = fl4->flowi4_mark;
+ xdst->u.rt.rt_key_dst = fl4->daddr;
+ xdst->u.rt.rt_key_src = fl4->saddr;
+ xdst->u.rt.rt_key_tos = fl4->flowi4_tos;
+ xdst->u.rt.rt_route_iif = fl4->flowi4_iif;
+ xdst->u.rt.rt_iif = fl4->flowi4_iif;
+ xdst->u.rt.rt_oif = fl4->flowi4_oif;
+ xdst->u.rt.rt_mark = fl4->flowi4_mark;
xdst->u.dst.dev = dev;
dev_hold(dev);
--
1.7.7
......@@ -2,9 +2,9 @@
_flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.0.8
pkgver=3.0.9
_kernver=3.0
pkgrel=4
pkgrel=0
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
......@@ -14,14 +14,11 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2
ftp://ftp.kernel.org/pub/linux/kernel/v3.0/patch-$pkgver.bz2
grsecurity-2.2.2-3.0.8-201110250925.patch
grsecurity-2.2.2-3.0.9-201111121310.patch
grsec-timblogiw-noconst.patch
0001-ip_gre-dont-increase-dev-needed_headroom-on-a-live-d.patch
0001-ipv4-fix-ipsec-forward-performance-regression.patch
0004-arp-flush-arp-cache-on-device-change.patch
net-handle-different-key-sizes-between-address-families-in-flow-cache.patch
net-align-af-specific-flowi-structs-to-long.patch
kernelconfig.x86
kernelconfig.x86_64
......@@ -142,13 +139,10 @@ dev() {
}
md5sums="398e95866794def22b12dfbc15ce89c0 linux-3.0.tar.bz2
49618d8c7a71549c8870eb709c7d3f81 patch-3.0.8.bz2
5015a2afce7d3665bf74e0896529fb90 grsecurity-2.2.2-3.0.8-201110250925.patch
0154d21e63d3f14fc1084cdb130fab2d patch-3.0.9.bz2
32508aac1ff87cdc72227c86141ed549 grsecurity-2.2.2-3.0.9-201111121310.patch
c41cf0ee9794f393423c6b2093072260 grsec-timblogiw-noconst.patch
ebb99ef6ad8cd2d9fd8f49d5c5849057 0001-ip_gre-dont-increase-dev-needed_headroom-on-a-live-d.patch
b27bc150f7a3932de28fcb8803809cbc 0001-ipv4-fix-ipsec-forward-performance-regression.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
2b71de1af5539744e2d9f1c37c0ff520 net-handle-different-key-sizes-between-address-families-in-flow-cache.patch
b41bd511f527e360643453de796376a8 net-align-af-specific-flowi-structs-to-long.patch
464e2356a1983e1ffe261904a1d76338 kernelconfig.x86
d97d1808eebdfb97734dccfbcaea35f2 kernelconfig.x86_64"
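Review bot: The two new `md5sums` entries (`patch-3.0.9.bz2` and `grsecurity-2.2.2-3.0.9-201111121310.patch`) are pinned with MD5 only, and `patch-$pkgver.bz2` is still fetched through the `ftp://` URL in `source`. The only thing authenticating that download is therefore a collision-prone digest over an unauthenticated channel. If the abuild version in use accepts a stronger checksum array, add one alongside `md5sums` for these files. Otherwise record how the new digest was obtained, for example `# patch-3.0.9.bz2: checked against the upstream signature before updating md5sums`, assuming upstream publishes one for this file. The unchanged `linux-3.0.tar.bz2` entry has the same exposure, although this commit does not touch it.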
From 728871bc05afc8ff310b17dba3e57a2472792b13 Mon Sep 17 00:00:00 2001
From: David Ward <david.ward@ll.mit.edu>
Date: Mon, 5 Sep 2011 16:47:23 +0000
Subject: net: Align AF-specific flowi structs to long
From: David Ward <david.ward@ll.mit.edu>
commit 728871bc05afc8ff310b17dba3e57a2472792b13 upstream.
AF-specific flowi structs are now passed to flow_key_compare, which must
also be aligned to a long.
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Kim Phillips <kim.phillips@freescale.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
include/net/flow.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -68,7 +68,7 @@ struct flowi4 {
#define fl4_ipsec_spi uli.spi
#define fl4_mh_type uli.mht.type
#define fl4_gre_key uli.gre_key
-};
+} __attribute__((__aligned__(BITS_PER_LONG/8)));
static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
__u32 mark, __u8 tos, __u8 scope,
@@ -112,7 +112,7 @@ struct flowi6 {
#define fl6_ipsec_spi uli.spi
#define fl6_mh_type uli.mht.type
#define fl6_gre_key uli.gre_key
-};
+} __attribute__((__aligned__(BITS_PER_LONG/8)));
struct flowidn {
struct flowi_common __fl_common;
@@ -127,7 +127,7 @@ struct flowidn {
union flowi_uli uli;
#define fld_sport uli.ports.sport
#define fld_dport uli.ports.dport
-};
+} __attribute__((__aligned__(BITS_PER_LONG/8)));
struct flowi {
union {
From aa1c366e4febc7f5c2b84958a2dd7cd70e28f9d0 Mon Sep 17 00:00:00 2001
From: dpward <david.ward@ll.mit.edu>
Date: Mon, 5 Sep 2011 16:47:24 +0000
Subject: net: Handle different key sizes between address families in flow cache
From: dpward <david.ward@ll.mit.edu>
commit aa1c366e4febc7f5c2b84958a2dd7cd70e28f9d0 upstream.
With the conversion of struct flowi to a union of AF-specific structs, some
operations on the flow cache need to account for the exact size of the key.
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Kim Phillips <kim.phillips@freescale.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
include/net/flow.h | 19 +++++++++++++++++++
net/core/flow.c | 31 +++++++++++++++++--------------
2 files changed, 36 insertions(+), 14 deletions(-)
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -7,6 +7,7 @@
#ifndef _NET_FLOW_H
#define _NET_FLOW_H
+#include <linux/socket.h>
#include <linux/in6.h>
#include <asm/atomic.h>
@@ -161,6 +162,24 @@ static inline struct flowi *flowidn_to_f
return container_of(fldn, struct flowi, u.dn);
}
+typedef unsigned long flow_compare_t;
+
+static inline size_t flow_key_size(u16 family)
+{
+ switch (family) {
+ case AF_INET:
+ BUILD_BUG_ON(sizeof(struct flowi4) % sizeof(flow_compare_t));
+ return sizeof(struct flowi4) / sizeof(flow_compare_t);
+ case AF_INET6:
+ BUILD_BUG_ON(sizeof(struct flowi6) % sizeof(flow_compare_t));
+ return sizeof(struct flowi6) / sizeof(flow_compare_t);
+ case AF_DECnet:
+ BUILD_BUG_ON(sizeof(struct flowidn) % sizeof(flow_compare_t));
+ return sizeof(struct flowidn) / sizeof(flow_compare_t);
+ }
+ return 0;
+}
+
#define FLOW_DIR_IN 0
#define FLOW_DIR_OUT 1
#define FLOW_DIR_FWD 2
--- a/net/core/flow.c
+++ b/net/core/flow.c
@@ -172,29 +172,26 @@ static void flow_new_hash_rnd(struct flo
static u32 flow_hash_code(struct flow_cache *fc,
struct flow_cache_percpu *fcp,
- const struct flowi *key)
+ const struct flowi *key,
+ size_t keysize)
{
const u32 *k = (const u32 *) key;
+ const u32 length = keysize * sizeof(flow_compare_t) / sizeof(u32);
- return jhash2(k, (sizeof(*key) / sizeof(u32)), fcp->hash_rnd)
+ return jhash2(k, length, fcp->hash_rnd)
& (flow_cache_hash_size(fc) - 1);
}
-typedef unsigned long flow_compare_t;
-
/* I hear what you're saying, use memcmp. But memcmp cannot make
- * important assumptions that we can here, such as alignment and
- * constant size.
+ * important assumptions that we can here, such as alignment.
*/
-static int flow_key_compare(const struct flowi *key1, const struct flowi *key2)
+static int flow_key_compare(const struct flowi *key1, const struct flowi *key2,
+ size_t keysize)
{
const flow_compare_t *k1, *k1_lim, *k2;
- const int n_elem = sizeof(struct flowi) / sizeof(flow_compare_t);
-
- BUILD_BUG_ON(sizeof(struct flowi) % sizeof(flow_compare_t));
k1 = (const flow_compare_t *) key1;
- k1_lim = k1 + n_elem;
+ k1_lim = k1 + keysize;
k2 = (const flow_compare_t *) key2;
@@ -215,6 +212,7 @@ flow_cache_lookup(struct net *net, const
struct flow_cache_entry *fle, *tfle;
struct hlist_node *entry;
struct flow_cache_object *flo;
+ size_t keysize;
unsigned int hash;
local_bh_disable();
@@ -222,6 +220,11 @@ flow_cache_lookup(struct net *net, const
fle = NULL;
flo = NULL;
+
+ keysize = flow_key_size(family);
+ if (!keysize)
+ goto nocache;
+
/* Packet really early in init? Making flow_cache_init a
* pre-smp initcall would solve this. --RR */
if (!fcp->hash_table)
@@ -230,11 +233,11 @@ flow_cache_lookup(struct net *net, const
if (fcp->hash_rnd_recalc)
flow_new_hash_rnd(fc, fcp);
- hash = flow_hash_code(fc, fcp, key);
+ hash = flow_hash_code(fc, fcp, key, keysize);
hlist_for_each_entry(tfle, entry, &fcp->hash_table[hash], u.hlist) {
if (tfle->family == family &&
tfle->dir == dir &&
- flow_key_compare(key, &tfle->key) == 0) {
+ flow_key_compare(key, &tfle->key, keysize) == 0) {
fle = tfle;
break;
}
@@ -248,7 +251,7 @@ flow_cache_lookup(struct net *net, const
if (fle) {
fle->family = family;
fle->dir = dir;
- memcpy(&fle->key, key, sizeof(*key));
+ memcpy(&fle->key, key, keysize * sizeof(flow_compare_t));
fle->object = NULL;
hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
fcp->hash_count++;
......@@ -3,8 +3,8 @@
_flavor=grsec
_realname=open-iscsi
_realver=2.0-872
_kver=3.0.8
_kpkgrel=4
_kver=3.0.9
_kpkgrel=0
# verify the kernel version before entering chroot
if [ -f ../linux-${_flavor}/APKBUILD ]; then
......@@ -56,4 +56,4 @@ package() {
}
md5sums="b4df94f08c241352bb964043b3e44779 open-iscsi-2.0-872.tar.gz
3d0806dc1c3c61b40a1e10eef63a1007 Makefile-Alpine-kernels-support.patch"
e6c2588a1b1e9ed6a946e87c153b60dd Makefile-Alpine-kernels-support.patch"
......@@ -26,7 +26,7 @@
linux_2_6_35: $(unpatch_code)
+
+linux_3_0_8: $(unpatch_code)
+linux_3_0_9: $(unpatch_code)
do_unpatch_code:
echo "Un-patching source code for use with linux-2.6.14 and up ..."
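Review bot: The per-version target appears to be swapped here rather than extended: the hunk counts suggest `linux_3_0_8: $(unpatch_code)` is dropped and `linux_3_0_9: $(unpatch_code)` takes its place. If so, this patch matches exactly one kernel release, and it must be hand-edited and its md5sum in the APKBUILD refreshed on every kernel bump. A short comment above the target would make that coupling visible, for example `# must match _kver in ../open-iscsi-grsec/APKBUILD` with the path adjusted to the real layout. The rest of the Makefile is outside the hunk, so whether a version-independent target is possible cannot be judged from here.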
......
......@@ -6,8 +6,8 @@ _mypkgrel=0
_realver=2011.09.23
_realsubver=491607
_kver=3.0.8
_kpkgrel=4
_kver=3.0.9
_kpkgrel=0
# source open-vm-tools version
if [ -f ../main/$_realname/APKBUILD ]; then
......
......@@ -3,8 +3,8 @@ _flavor=${FLAVOR:-grsec}
_realname=xtables-addons
_name=$_realname-$_flavor
_kver=3.0.8
_kpkgrel=4
_kver=3.0.9
_kpkgrel=0
# source the kernel version
if [ -f ../linux-$_flavor/APKBUILD ]; then
......