author | Natanael Copa <ncopa@alpinelinux.org> | 2010-03-16 08:40:44 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2010-03-16 08:40:44 +0000 |
commit | be4d4c98b2df0055462259f1d56987efeaee5194 (patch) | |
tree | 021f4df70e2dec04feb378a4b81011c074e1f2d3 /main/linux-grsec/net-2.6.git-87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9.patch | |
parent | ae99c382f78b1582b1528c2ce03570605c845503 (diff) | |
main/linux-grsec: grsec 2.1.14-2.6.32.9-201003112025 + fixes for ipsec and gre
Diffstat (limited to 'main/linux-grsec/net-2.6.git-87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9.patch')
-rw-r--r-- | main/linux-grsec/net-2.6.git-87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9.patch | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/main/linux-grsec/net-2.6.git-87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9.patch b/main/linux-grsec/net-2.6.git-87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9.patch
new file mode 100644
index 0000000000..7cc9bf7896
--- /dev/null
+++ b/main/linux-grsec/net-2.6.git-87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9.patch
@@ -0,0 +1,109 @@
+From 87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 2 Mar 2010 02:51:56 +0000
+Subject: [PATCH] ipsec: Fix bogus bundle flowi
+
+When I merged the bundle creation code, I introduced a bogus
+flowi value in the bundle. Instead of getting from the caller,
+it was instead set to the flow in the route object, which is
+totally different.
+
+The end result is that the bundles we created never match, and
+we instead end up with an ever growing bundle list.
+
+Thanks to Jamal for find this problem.
+
+Reported-by: Jamal Hadi Salim <hadi@cyberus.ca>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/xfrm.h | 3 ++-
+ net/ipv4/xfrm4_policy.c | 5 +++--
+ net/ipv6/xfrm6_policy.c | 3 ++-
+ net/xfrm/xfrm_policy.c | 7 ++++---
+ 4 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index a7df327..d74e080 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -275,7 +275,8 @@ struct xfrm_policy_afinfo {
+ struct dst_entry *dst,
+ int nfheader_len);
+ int (*fill_dst)(struct xfrm_dst *xdst,
+- struct net_device *dev);
++ struct net_device *dev,
++ struct flowi *fl);
+ };
+
+ extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
+diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
+index 67107d6..e4a1483 100644
+--- a/net/ipv4/xfrm4_policy.c
++++ b/net/ipv4/xfrm4_policy.c
+@@ -91,11 +91,12 @@ static int xfrm4_init_path(struct xfrm_dst *path, struct dst_entry *dst,
+ return 0;
+ }
+
+-static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev)
++static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
++ struct flowi *fl)
+ {
+ struct rtable *rt = (struct rtable *)xdst->route;
+
+- xdst->u.rt.fl = rt->fl;
++ xdst->u.rt.fl = *fl;
+
+ xdst->u.dst.dev = dev;
+ dev_hold(dev);
+diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
+index dbdc696..ae18165 100644
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -116,7 +116,8 @@ static int xfrm6_init_path(struct xfrm_dst *path, struct dst_entry *dst,
+ return 0;
+ }
+
+-static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev)
++static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
++ struct flowi *fl)
+ {
+ struct rt6_info *rt = (struct rt6_info*)xdst->route;
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 34a5ef8..843e066 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1372,7 +1372,8 @@ static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
+ return err;
+ }
+
+-static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev)
++static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
++ struct flowi *fl)
+ {
+ struct xfrm_policy_afinfo *afinfo =
+ xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
+@@ -1381,7 +1382,7 @@ static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev)
+ if (!afinfo)
+ return -EINVAL;
+
+- err = afinfo->fill_dst(xdst, dev);
++ err = afinfo->fill_dst(xdst, dev, fl);
+
+ xfrm_policy_put_afinfo(afinfo);
+
+@@ -1486,7 +1487,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
+ for (dst_prev = dst0; dst_prev != dst; dst_prev = dst_prev->child) {
+ struct xfrm_dst *xdst = (struct xfrm_dst *)dst_prev;
+
+- err = xfrm_fill_dst(xdst, dev);
++ err = xfrm_fill_dst(xdst, dev, fl);
+ if (err)
+ goto free_dst;
+
+--
+1.7.0.2
+ |
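Review bot: In the embedded net/ipv6/xfrm6_policy.c hunk, `xfrm6_fill_dst` gains the `struct flowi *fl` parameter but no visible line uses it, whereas the IPv4 counterpart now stores the caller's flow with `xdst->u.rt.fl = *fl;`. The IPv6 function body continues outside the hunk, so it is worth confirming that IPv6 bundle lookup does not compare against a flow stored in the bundle; otherwise the ever-growing bundle list described in the message (an unbounded memory cost on a gateway) could remain on that path. The new argument is only read, so `const struct flowi *fl` in the `fill_dst` prototype and its three implementations would state that. Because this file is a verbatim upstream backport (the filename carries the commit id from its `From` line), that change belongs upstream rather than in a local edit. This page shows only the patch file, so the build-recipe entry that applies it cannot be checked here.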