Commit 4d0ad813 authored by Natanael Copa's avatar Natanael Copa

main/linux-grsec: update to al5

corresponds to LTS kernel 3.4.35

We also add an IPsec-related MTU fix
parent 2f5fa466
From patchwork Tue Jan 22 09:06:36 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [5/5] xfrm4: Invalidate all ipv4 routes on IPsec pmtu events
Date: Mon, 21 Jan 2013 23:06:36 -0000
From: Steffen Klassert <steffen.klassert@secunet.com>
X-Patchwork-Id: 214475
Message-Id: <1358845596-2066-6-git-send-email-steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>, netdev@vger.kernel.org
On IPsec pmtu events we can't access the transport headers of
the original packet, so we can't find the socket that sent
the packet. The only chance to notify the socket about the
pmtu change is to force a relookup for all routes. This
patch implenents this for the IPsec protocols.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/ipv4/ah4.c | 7 +++++--
net/ipv4/esp4.c | 7 +++++--
net/ipv4/ipcomp.c | 7 +++++--
3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index a154d0a..a69b4e4 100644
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -420,9 +420,12 @@ static void ah4_err(struct sk_buff *skb, u32 info)
if (!x)
return;
- if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
+ if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) {
+ atomic_inc(&flow_cache_genid);
+ rt_genid_bump(net);
+
ipv4_update_pmtu(skb, net, info, 0, 0, IPPROTO_AH, 0);
- else
+ } else
ipv4_redirect(skb, net, 0, 0, IPPROTO_AH, 0);
xfrm_state_put(x);
}
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index fd26ff4..3b4f0cd 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -502,9 +502,12 @@ static void esp4_err(struct sk_buff *skb, u32 info)
if (!x)
return;
- if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
+ if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) {
+ atomic_inc(&flow_cache_genid);
+ rt_genid_bump(net);
+
ipv4_update_pmtu(skb, net, info, 0, 0, IPPROTO_ESP, 0);
- else
+ } else
ipv4_redirect(skb, net, 0, 0, IPPROTO_ESP, 0);
xfrm_state_put(x);
}
diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
index d3ab47e..9a46dae 100644
--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -47,9 +47,12 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info)
if (!x)
return;
- if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
+ if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) {
+ atomic_inc(&flow_cache_genid);
+ rt_genid_bump(net);
+
ipv4_update_pmtu(skb, net, info, 0, 0, IPPROTO_COMP, 0);
- else
+ } else
ipv4_redirect(skb, net, 0, 0, IPPROTO_COMP, 0);
xfrm_state_put(x);
}
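Review bot: In `ah4_err()`, and identically in `esp4_err()` and `ipcomp4_err()`, the added `atomic_inc(&flow_cache_genid); rt_genid_bump(net);` pair runs for every `ICMP_DEST_UNREACH` that resolves to an xfrm state, so a single unauthenticated ICMP error forces a relookup for all routes, as the patch description itself states. The only gate visible in these hunks is `if (!x) return;`; any check of the ICMP code sits above the hunks, outside what is shown, and should be confirmed to limit this path to fragmentation-needed messages. Because the cost is global rather than per destination, I would document it at the call site, e.g. `/* ICMP is unauthenticated: each accepted PMTU event forces a relookup of all routes in this netns */`, and consider rate-limiting the bump. As a style point, kernel coding style wants braces on both branches once one branch needs them, so `} else {` with a closing `}` rather than the bare `} else`.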
......@@ -4,7 +4,8 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.6.11
_kernver=3.6
pkgrel=15
pkgrel=16
_al=5
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
......@@ -14,8 +15,8 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
patch-3.6.11-al4.patch
grsecurity-2.9.1-3.6.11-al4-unofficial-0.patch
patch-3.6.11-al${_al}.patch
grsecurity-2.9.1-3.6.11-al${_al}-unofficial-0.patch
0004-arp-flush-arp-cache-on-device-change.patch
r8169-num-rx-desc.patch
......@@ -23,6 +24,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
r8169-fix-vlan-tag-reordering.patch
xsa43-pvops.patch
5-5-xfrm4-Invalidate-all-ipv4-routes-on-IPsec-pmtu-events.patch
kernelconfig.x86
kernelconfig.x86_64
......@@ -146,34 +148,37 @@ dev() {
md5sums="1a1760420eac802c541a20ab51a093d1 linux-3.6.tar.xz
bd4bba74093405887d521309a74c19e9 patch-3.6.11.xz
fa0ca65fb8e9f9d08c04f06ae5c316ec patch-3.6.11-al4.patch
0245ff3264fb1b046f24623947fb4eb7 grsecurity-2.9.1-3.6.11-al4-unofficial-0.patch
bc5dd29ae16718a7bdf3241313999122 patch-3.6.11-al5.patch
5de38a21b1217b13326a862c7b88f1da grsecurity-2.9.1-3.6.11-al5-unofficial-0.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
daf2cbb558588c49c138fe9ca2482b64 r8169-num-rx-desc.patch
d9b4a528e722d10ba53034ebd440c31b ipv4-remove-output-route-check-in-ipv4_mtu.patch
44a37e1289e1056300574848aea8bd31 r8169-fix-vlan-tag-reordering.patch
2399192c10ba600a086a4c946f1b72f2 xsa43-pvops.patch
3c84d36165b43f0f0f0bdde77c6f68c0 5-5-xfrm4-Invalidate-all-ipv4-routes-on-IPsec-pmtu-events.patch
02ed0c981afbf6a1fc81d5fa9b44e7df kernelconfig.x86
4927251c008b2c2bf5648d732ec63f9d kernelconfig.x86_64"
sha256sums="4ab9a6ef1c1735713f9f659d67f92efa7c1dfbffb2a2ad544005b30f9791784f linux-3.6.tar.xz
4bdc3822571a4a765bf6f347aad8b899730acef549ae4236813fd17f254f4327 patch-3.6.11.xz
897ed38d778dfd76256f065f81ad02f16d126dc2e67631253520b8fe0685b444 patch-3.6.11-al4.patch
d67eb0d4437e1c80e3289ef442d68e0b84235d0971b8b347b6340043b869b3ca grsecurity-2.9.1-3.6.11-al4-unofficial-0.patch
7b06dc536709a68cd03918231a8c9c59d236ab7ae898fd80f042413422e6e210 patch-3.6.11-al5.patch
d44e17a36af283c2cfe2d07dc4e0325a110ccf9d29253f605d7f6793d3166ce4 grsecurity-2.9.1-3.6.11-al5-unofficial-0.patch
e2d2d1503f53572c6a2e21da729a13a430dd01f510405ffb3a33b29208860bde 0004-arp-flush-arp-cache-on-device-change.patch
fdce1143aa10a48582b5bb9cf441b75c6f52701a61f28139970f3110a170fb97 r8169-num-rx-desc.patch
c3673636d7604b7b3df665acc0fc0153a76ac6b7f36bb931d235ea1132ac1852 ipv4-remove-output-route-check-in-ipv4_mtu.patch
7ba9b10b04197d3009ad3facabd0bdb2cab870fabcc841716efb1041412a20cd r8169-fix-vlan-tag-reordering.patch
6efe83c9951dcba20f18095814d19089e19230c6876bbdab32cc2f1165bb07c8 xsa43-pvops.patch
ea006140f59d820c61996290434ca6a16f66e6b175e33488b36b650af3592787 5-5-xfrm4-Invalidate-all-ipv4-routes-on-IPsec-pmtu-events.patch
c4236fa6150c9cba98280aadc2daccd917410148e06d2231cc8c5370d1735577 kernelconfig.x86
3afefde6d92e1c41f6487c2279c5b707ef42ce42e4f7fe9e37d482c3e24ec3b1 kernelconfig.x86_64"
sha512sums="6e3354184d1799228a2d33b92e4a6b743cc24352b8ccc1fd487fab07ab97be2aa03ba87b8406a177581692db1fd40674fbd4e213a782cbe0a6a969b10c4c17a1 linux-3.6.tar.xz
08423f145ee7aef49f50d95032595ee79250135b6ecfa72f802502a277f215b63c4dc04ed149fe4ed7cdaa5ef063b8003b7f72f41d8417e45efbe7e30e621387 patch-3.6.11.xz
477ee6c8bdf8884355efafc29e58810c097a4b1e3ecd84890bf582cf513510266d85a26e38d05ae463429ccfe9dd84cedc2fb1ed0a5fcf662a8a489ca30e6495 patch-3.6.11-al4.patch
bc1e60473292f58c2884e016ba2e5f4e3fbacccd8fdc8856bd46c82e2de2811c6022c458ca5307d57bc1a512e5a65dd350cfe8ab28bc820072e9eec716f0e2c1 grsecurity-2.9.1-3.6.11-al4-unofficial-0.patch
1aaae390ee31a77bd4fa8acc4563ed4a438c6143074364853dcf5126d973d6ad5d39713e76086f36cf06c9027df676b30332f02cfc0de607f4b89e1d3f2ed21f patch-3.6.11-al5.patch
5cefb9bf53bf99a0173a6e1037427d75a4d926b3d9c66fff38355007efa48a07ed6be3e6796537c9e068eb3ea09085d3cf86df5833238318d201c95ca3ed9583 grsecurity-2.9.1-3.6.11-al5-unofficial-0.patch
b6fdf376009f0f0f3fa194cb11be97343e4d394cf5d3547de6cfca8ad619c5bd3f60719331fd8cfadc47f09d22be8376ba5f871b46b24887ea73fe47e233a54e 0004-arp-flush-arp-cache-on-device-change.patch
d9c91b57415c7c3c365add35565f72ba6225e48212f55abb209e1f426902206543edefb9fc01715357e445b69222a6fb94c3469d701e465450919bad3c83d874 r8169-num-rx-desc.patch
fbbaa9c940f70823f5672db04b78de71233ecdda83d0cbeaeac941d732b0e3b18be38a0ed85d7bd03818114d00d9fe00935532968bee5b4673e8fadfda8c0281 ipv4-remove-output-route-check-in-ipv4_mtu.patch
958f5dfb57b6760e92d39027e8ec8d0abc2d99f6b40ef3c108fe90acfe00f3d5fdc2ccebddeffbf70794f6d7a394d985adf40808c2d4c8f7d0591c589b88bbbc r8169-fix-vlan-tag-reordering.patch
383c00a2520f0e27a4e51ef4e499cd8dc33f75ef4d3d5eab22944126c41de20dccf563d1d05cd557cae4091167de78f44ec5bfb76e33f503b36b5e3d756fcaed xsa43-pvops.patch
7016cdac82e9969636920e5e8accafcf7b160fb5afa2ce79fc43ee0b0591afe825f047efa18c7e7b0b310085298221a8b751ff1dd51eee940fa262f0b7054813 5-5-xfrm4-Invalidate-all-ipv4-routes-on-IPsec-pmtu-events.patch
065fff74ab7f885a45d98a1cd2bc5aaf6cb9a08d830297aaab54b512b7c90d692e37101810ee36a1f26e757990f763b664788a858b3ab40d0b4821205b9d3995 kernelconfig.x86
ba9a0b035a97089e51e0a0b723c69148866dabb4baf74c870a005350f7bfd789ab47595c7bc7e218de6d7479d16279cb906aee2ffeda9a6b141ad43ecc26dd4f kernelconfig.x86_64"
......@@ -223,10 +223,10 @@ index 39462cf..611a556 100644
+zconf.lex.c
zoffset.h
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index ad7e2e5..199f49e 100644
index 15199ed..6ee9267 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -905,6 +905,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
@@ -910,6 +910,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
gpt [EFI] Forces disk with valid GPT signature but
invalid Protective MBR to be treated as GPT.
......@@ -236,7 +236,7 @@ index ad7e2e5..199f49e 100644
hashdist= [KNL,NUMA] Large hashes allocated during boot
are distributed across NUMA nodes. Defaults on
for 64-bit NUMA, off otherwise.
@@ -2050,6 +2053,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
@@ -2055,6 +2058,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
......@@ -31907,10 +31907,10 @@ index 8a8725c..afed796 100644
marker = list_first_entry(&queue->head,
struct vmw_marker, head);
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 10ef742..9025b12 100644
index 545eab4..b7d5269 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2178,7 +2178,7 @@ static bool hid_ignore(struct hid_device *hdev)
@@ -2179,7 +2179,7 @@ static bool hid_ignore(struct hid_device *hdev)
int hid_add_device(struct hid_device *hdev)
{
......@@ -31919,7 +31919,7 @@ index 10ef742..9025b12 100644
int ret;
if (WARN_ON(hdev->status & HID_STAT_ADDED))
@@ -2213,7 +2213,7 @@ int hid_add_device(struct hid_device *hdev)
@@ -2214,7 +2214,7 @@ int hid_add_device(struct hid_device *hdev)
/* XXX hack, any other cleaner solution after the driver core
* is converted to allow more than 20 bytes as the device name? */
dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
......@@ -36265,7 +36265,7 @@ index 78816b8..1fcdfae 100644
static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads)
diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
index de6968f..29ac4c1 100644
index c59edc7..7818de5 100644
--- a/drivers/net/wireless/ath/ath9k/hw.h
+++ b/drivers/net/wireless/ath/ath9k/hw.h
@@ -656,7 +656,7 @@ struct ath_hw_private_ops {
......@@ -40004,7 +40004,7 @@ index 57c01ab..8a05959 100644
/*
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index ef82a0d..78a026b 100644
index fd38945..78a026b 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -634,7 +634,7 @@ static long vhost_set_memory(struct vhost_dev *d, struct vhost_memory __user *m)
......@@ -40016,15 +40016,6 @@ index ef82a0d..78a026b 100644
{
struct file *eventfp, *filep = NULL,
*pollstart = NULL, *pollstop = NULL;
@@ -1076,7 +1076,7 @@ static int translate_desc(struct vhost_dev *dev, u64 addr, u32 len,
}
_iov = iov + ret;
size = reg->memory_size - addr + reg->guest_phys_addr;
- _iov->iov_len = min((u64)len, size);
+ _iov->iov_len = min((u64)len - s, size);
_iov->iov_base = (void __user *)(unsigned long)
(reg->userspace_addr + addr - reg->guest_phys_addr);
s += size;
diff --git a/drivers/video/aty/aty128fb.c b/drivers/video/aty/aty128fb.c
index 747442d..7c0c434 100644
--- a/drivers/video/aty/aty128fb.c
......@@ -46280,10 +46271,10 @@ index 90d901f..159975f 100644
}
return 1;
diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
index cf18217..8f6b9c3 100644
index 2f2e0da..89b113a 100644
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -498,8 +498,8 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
@@ -505,8 +505,8 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
/* Hm, nope. Are (enough) root reserved clusters available? */
if (uid_eq(sbi->s_resuid, current_fsuid()) ||
(!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) && in_group_p(sbi->s_resgid)) ||
......@@ -46329,7 +46320,7 @@ index b686b43..4b46d01 100644
/* locality groups */
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index b26410c..7383d90 100644
index 24e5c78..a9e7619 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1746,7 +1746,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
......@@ -48100,10 +48091,10 @@ index f4246cf..b4aed1d 100644
if (!ret)
ret = -EPIPE;
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index 324bc08..4fdd56e 100644
index 68cc9ef..ce0f6c0 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1226,7 +1226,7 @@ static char *read_link(struct dentry *dentry)
@@ -1233,7 +1233,7 @@ static char *read_link(struct dentry *dentry)
return link;
}
......@@ -49173,7 +49164,7 @@ index d355e6e..578d905 100644
enum ocfs2_local_alloc_state
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index f169da4..9112253 100644
index b7e74b5..19c6536 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
......@@ -49185,7 +49176,7 @@ index f169da4..9112253 100644
/* You should never ask for this much metadata */
BUG_ON(bits_wanted >
@@ -2008,7 +2008,7 @@ int ocfs2_claim_metadata(handle_t *handle,
@@ -2007,7 +2007,7 @@ int ocfs2_claim_metadata(handle_t *handle,
mlog_errno(status);
goto bail;
}
......@@ -49194,7 +49185,7 @@ index f169da4..9112253 100644
*suballoc_loc = res.sr_bg_blkno;
*suballoc_bit_start = res.sr_bit_offset;
@@ -2172,7 +2172,7 @@ int ocfs2_claim_new_inode_at_loc(handle_t *handle,
@@ -2171,7 +2171,7 @@ int ocfs2_claim_new_inode_at_loc(handle_t *handle,
trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
res->sr_bits);
......@@ -49203,7 +49194,7 @@ index f169da4..9112253 100644
BUG_ON(res->sr_bits != 1);
@@ -2214,7 +2214,7 @@ int ocfs2_claim_new_inode(handle_t *handle,
@@ -2213,7 +2213,7 @@ int ocfs2_claim_new_inode(handle_t *handle,
mlog_errno(status);
goto bail;
}
......@@ -49212,7 +49203,7 @@ index f169da4..9112253 100644
BUG_ON(res.sr_bits != 1);
@@ -2318,7 +2318,7 @@ int __ocfs2_claim_clusters(handle_t *handle,
@@ -2317,7 +2317,7 @@ int __ocfs2_claim_clusters(handle_t *handle,
cluster_start,
num_clusters);
if (!status)
......@@ -49221,7 +49212,7 @@ index f169da4..9112253 100644
} else {
if (min_clusters > (osb->bitmap_cpg - 1)) {
/* The only paths asking for contiguousness
@@ -2344,7 +2344,7 @@ int __ocfs2_claim_clusters(handle_t *handle,
@@ -2343,7 +2343,7 @@ int __ocfs2_claim_clusters(handle_t *handle,
ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
res.sr_bg_blkno,
res.sr_bit_offset);
......@@ -67517,10 +67508,10 @@ index 493d972..ea17248 100644
+ return ns_capable_nolog(ns, cap) && kuid_has_mapping(ns, inode->i_uid);
+}
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 2c0d5d0..1b229f2 100644
index 2cd3492..bda346c 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -5388,7 +5388,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
@@ -5396,7 +5396,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
struct css_set *cg = link->cg;
struct task_struct *task;
int count = 0;
......@@ -69927,7 +69918,7 @@ index acbb79c..8d1adc5 100644
.clock_get = thread_cpu_clock_get,
.timer_create = thread_cpu_timer_create,
diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
index 69185ae..cc2847a 100644
index e885be1..380fe76 100644
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -43,6 +43,7 @@
......@@ -70010,7 +70001,7 @@ index 69185ae..cc2847a 100644
}
static int common_timer_create(struct k_itimer *new_timer)
@@ -959,6 +960,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
@@ -966,6 +967,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
if (copy_from_user(&new_tp, tp, sizeof (*tp)))
return -EFAULT;
......@@ -71480,7 +71471,7 @@ index 87174ef..68cbb82 100644
EXPORT_SYMBOL(proc_doulongvec_minmax);
EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c
index 65bdcf1..21eb831 100644
index c2f6d47..26517d3 100644
--- a/kernel/sysctl_binary.c
+++ b/kernel/sysctl_binary.c
@@ -989,7 +989,7 @@ static ssize_t bin_intvec(struct file *file,
......@@ -71537,7 +71528,7 @@ index 65bdcf1..21eb831 100644
set_fs(old_fs);
if (result < 0)
goto out;
@@ -1233,7 +1233,7 @@ static ssize_t bin_dn_node_address(struct file *file,
@@ -1234,7 +1234,7 @@ static ssize_t bin_dn_node_address(struct file *file,
le16_to_cpu(dnaddr) & 0x3ff);
set_fs(KERNEL_DS);
......@@ -71799,7 +71790,7 @@ index c0bd030..62a1927 100644
ret = -EIO;
bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 7f8a8df..caa26f4 100644
index 384699f..73238cb 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1785,12 +1785,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)