aboutsummaryrefslogtreecommitdiffstats
path: root/main/linux-grsec
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2011-11-10 15:38:14 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2011-11-10 15:38:14 +0000
commit2d674ead26a228e6ae79d0ecf1d1bcf8748e5b7e (patch)
tree72790b7cf261c3cb6429902a6b519a6d60772443 /main/linux-grsec
parentef4265d5191940fb1bf13ce91110488fc1fda219 (diff)
downloadaports-2d674ead26a228e6ae79d0ecf1d1bcf8748e5b7e.tar.bz2
aports-2d674ead26a228e6ae79d0ecf1d1bcf8748e5b7e.tar.xz
main/linux-grsec: backport flow patch from upstream
fixes performance regression
Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/APKBUILD4
-rw-r--r--main/linux-grsec/net-handle-different-key-sizes-between-address-families-in-flow-cache.patch140
2 files changed, 143 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 92b5737b1d..907caf33ca 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.0.8
_kernver=3.0
-pkgrel=2
+pkgrel=3
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -20,6 +20,7 @@ source="ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2
0001-ip_gre-dont-increase-dev-needed_headroom-on-a-live-d.patch
0001-ipv4-fix-ipsec-forward-performance-regression.patch
0004-arp-flush-arp-cache-on-device-change.patch
+ net-handle-different-key-sizes-between-address-families-in-flow-cache.patch
kernelconfig.x86
kernelconfig.x86_64
@@ -146,5 +147,6 @@ c41cf0ee9794f393423c6b2093072260 grsec-timblogiw-noconst.patch
ebb99ef6ad8cd2d9fd8f49d5c5849057 0001-ip_gre-dont-increase-dev-needed_headroom-on-a-live-d.patch
b27bc150f7a3932de28fcb8803809cbc 0001-ipv4-fix-ipsec-forward-performance-regression.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
+2b71de1af5539744e2d9f1c37c0ff520 net-handle-different-key-sizes-between-address-families-in-flow-cache.patch
464e2356a1983e1ffe261904a1d76338 kernelconfig.x86
d97d1808eebdfb97734dccfbcaea35f2 kernelconfig.x86_64"
diff --git a/main/linux-grsec/net-handle-different-key-sizes-between-address-families-in-flow-cache.patch b/main/linux-grsec/net-handle-different-key-sizes-between-address-families-in-flow-cache.patch
new file mode 100644
index 0000000000..9fe93a1a6b
--- /dev/null
+++ b/main/linux-grsec/net-handle-different-key-sizes-between-address-families-in-flow-cache.patch
@@ -0,0 +1,140 @@
+From aa1c366e4febc7f5c2b84958a2dd7cd70e28f9d0 Mon Sep 17 00:00:00 2001
+From: dpward <david.ward@ll.mit.edu>
+Date: Mon, 5 Sep 2011 16:47:24 +0000
+Subject: net: Handle different key sizes between address families in flow cache
+
+From: dpward <david.ward@ll.mit.edu>
+
+commit aa1c366e4febc7f5c2b84958a2dd7cd70e28f9d0 upstream.
+
+With the conversion of struct flowi to a union of AF-specific structs, some
+operations on the flow cache need to account for the exact size of the key.
+
+Signed-off-by: David Ward <david.ward@ll.mit.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Kim Phillips <kim.phillips@freescale.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/flow.h | 19 +++++++++++++++++++
+ net/core/flow.c | 31 +++++++++++++++++--------------
+ 2 files changed, 36 insertions(+), 14 deletions(-)
+
+--- a/include/net/flow.h
++++ b/include/net/flow.h
+@@ -7,6 +7,7 @@
+ #ifndef _NET_FLOW_H
+ #define _NET_FLOW_H
+
++#include <linux/socket.h>
+ #include <linux/in6.h>
+ #include <asm/atomic.h>
+
+@@ -161,6 +162,24 @@ static inline struct flowi *flowidn_to_f
+ return container_of(fldn, struct flowi, u.dn);
+ }
+
++typedef unsigned long flow_compare_t;
++
++static inline size_t flow_key_size(u16 family)
++{
++ switch (family) {
++ case AF_INET:
++ BUILD_BUG_ON(sizeof(struct flowi4) % sizeof(flow_compare_t));
++ return sizeof(struct flowi4) / sizeof(flow_compare_t);
++ case AF_INET6:
++ BUILD_BUG_ON(sizeof(struct flowi6) % sizeof(flow_compare_t));
++ return sizeof(struct flowi6) / sizeof(flow_compare_t);
++ case AF_DECnet:
++ BUILD_BUG_ON(sizeof(struct flowidn) % sizeof(flow_compare_t));
++ return sizeof(struct flowidn) / sizeof(flow_compare_t);
++ }
++ return 0;
++}
++
+ #define FLOW_DIR_IN 0
+ #define FLOW_DIR_OUT 1
+ #define FLOW_DIR_FWD 2
+--- a/net/core/flow.c
++++ b/net/core/flow.c
+@@ -172,29 +172,26 @@ static void flow_new_hash_rnd(struct flo
+
+ static u32 flow_hash_code(struct flow_cache *fc,
+ struct flow_cache_percpu *fcp,
+- const struct flowi *key)
++ const struct flowi *key,
++ size_t keysize)
+ {
+ const u32 *k = (const u32 *) key;
++ const u32 length = keysize * sizeof(flow_compare_t) / sizeof(u32);
+
+- return jhash2(k, (sizeof(*key) / sizeof(u32)), fcp->hash_rnd)
++ return jhash2(k, length, fcp->hash_rnd)
+ & (flow_cache_hash_size(fc) - 1);
+ }
+
+-typedef unsigned long flow_compare_t;
+-
+ /* I hear what you're saying, use memcmp. But memcmp cannot make
+- * important assumptions that we can here, such as alignment and
+- * constant size.
++ * important assumptions that we can here, such as alignment.
+ */
+-static int flow_key_compare(const struct flowi *key1, const struct flowi *key2)
++static int flow_key_compare(const struct flowi *key1, const struct flowi *key2,
++ size_t keysize)
+ {
+ const flow_compare_t *k1, *k1_lim, *k2;
+- const int n_elem = sizeof(struct flowi) / sizeof(flow_compare_t);
+-
+- BUILD_BUG_ON(sizeof(struct flowi) % sizeof(flow_compare_t));
+
+ k1 = (const flow_compare_t *) key1;
+- k1_lim = k1 + n_elem;
++ k1_lim = k1 + keysize;
+
+ k2 = (const flow_compare_t *) key2;
+
+@@ -215,6 +212,7 @@ flow_cache_lookup(struct net *net, const
+ struct flow_cache_entry *fle, *tfle;
+ struct hlist_node *entry;
+ struct flow_cache_object *flo;
++ size_t keysize;
+ unsigned int hash;
+
+ local_bh_disable();
+@@ -222,6 +220,11 @@ flow_cache_lookup(struct net *net, const
+
+ fle = NULL;
+ flo = NULL;
++
++ keysize = flow_key_size(family);
++ if (!keysize)
++ goto nocache;
++
+ /* Packet really early in init? Making flow_cache_init a
+ * pre-smp initcall would solve this. --RR */
+ if (!fcp->hash_table)
+@@ -230,11 +233,11 @@ flow_cache_lookup(struct net *net, const
+ if (fcp->hash_rnd_recalc)
+ flow_new_hash_rnd(fc, fcp);
+
+- hash = flow_hash_code(fc, fcp, key);
++ hash = flow_hash_code(fc, fcp, key, keysize);
+ hlist_for_each_entry(tfle, entry, &fcp->hash_table[hash], u.hlist) {
+ if (tfle->family == family &&
+ tfle->dir == dir &&
+- flow_key_compare(key, &tfle->key) == 0) {
++ flow_key_compare(key, &tfle->key, keysize) == 0) {
+ fle = tfle;
+ break;
+ }
+@@ -248,7 +251,7 @@ flow_cache_lookup(struct net *net, const
+ if (fle) {
+ fle->family = family;
+ fle->dir = dir;
+- memcpy(&fle->key, key, sizeof(*key));
++ memcpy(&fle->key, key, keysize * sizeof(flow_compare_t));
+ fle->object = NULL;
+ hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
+ fcp->hash_count++;