author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-23 14:00:13 +0000 |
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-23 14:11:32 +0000 |
commit | d0149d1c8a6f773c34c018f6af4c6ba8177e5648 (patch) | |
tree | 4dd850a8b0bf7a84b6195d62cb2e5f94491e2d45 /main | |
parent | 3d1a1e68fdce015d921e87cbc4f409b46b6e89f7 (diff) | |
main/linux-grsec: fix for fragmentation issue on tunnel devices
ref #1782
Diffstat (limited to 'main')
-rw-r--r-- | main/linux-grsec/APKBUILD | 6 | ||||
-rw-r--r-- | main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch | 178 |
2 files changed, 183 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 215678fa53..c6a209d9df 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
 *.*.*) _kernver=${pkgver%.*};;
 *.*) _kernver=${pkgver};;
 esac
-pkgrel=1
+pkgrel=2
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -22,6 +22,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 leds-leds-gpio-reserve-gpio-before-using-it.patch
 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+ RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
 kernelconfig.x86
 kernelconfig.x86_64
@@ -151,6 +152,7 @@ e881cf0db639205660f237ceea58f708 grsecurity-2.9.1-3.9.3-201305201732.patch
 699e92148cc9a55b6fc4d7d81e476717 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 83db7136608d8101ae130728539dc376 leds-leds-gpio-reserve-gpio-before-using-it.patch
 ac9a50bdbe91ba6e5205e83f7e734ff5 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+12d3647755bebcd3b114f50de2729455 RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
 fd6fd35309c0e8c1f05cb725df958f22 kernelconfig.x86
 fd61ff58d25155997c0d6f73e7ca7a7d kernelconfig.x86_64"
 sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz
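Review bot: Nothing in the APKBUILD records that the patch added to `source=` in the `@@ -22,6 +22,7 @@` hunk is an RFC (its file name and its `Subject:` line both say so) rather than a merged upstream fix, so a later maintainer has no cue for when it should be swapped for the final upstream version or dropped on a kernel update. A one-line comment next to the `source=` entry would carry that, e.g. `# RFC patch from netdev (patchwork 245949), ref #1782; replace with the final upstream commit once merged`. The patch's own cover text says it had only basic testing, which is worth keeping visible for the same reason. The checksum hunks on this line and the following two are the expected consequence of the addition and need nothing further.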
@@ -159,6 +161,7 @@ c1b4310085ff07200131dc841a0a22f84a7f166c3b25464e27dd2694584bc72c grsecurity-2.9
 8e2f41605937eecd47cefe62daefd372dbf1e63cf956ab3ced3213ac2b508ee3 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4 leds-leds-gpio-reserve-gpio-before-using-it.patch
 ab0dcb52342990ad05af5ce21acd1e95fb65cc7e76ec98e45c7ece7433bc9f23 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+667babfafe4dc3449cd04853f532712188af557cbac41c461cf8236c4238f5a3 RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
 b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a kernelconfig.x86
 7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79 kernelconfig.x86_64"
 sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz
@@ -167,5 +170,6 @@ d6aa751d1fac8c4d758f9479bc6b08f70d8725c6c74b63446def044f42260a8beb1f540ae4473ec5
 772c847cd74b12ed22266042c0902d8a3cf09c897b6e1c01148dfcd2f01aed331f292e82c34bb718090dc0898e1ef364196272bff885a32378f7fbc8bfc06a9b v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d leds-leds-gpio-reserve-gpio-before-using-it.patch
 769291e92f2f5ae5375d98b80bf8790b089c87437f1660cf8d5e9d45d7221280b6824bcb1d2564cbe12310a88df48443c56ecc9ce5468858829088221aa80327 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+d35c939967d5696e477e2c5181f96e9cb92e1db88477576615f36209d276e0a2a866111d43e4abe076c455e32b063d6a97d42e5bc9ca04702d78b13826bf3afb RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
 2516c47145f53cfa5624a9a8839b3590fd16a980aa4c8c48af4db025960d33abe855a5c698ee701a0d3704a96a9a3f93cd6c3cc8c9b8fdf73f230c15ad2f7611 kernelconfig.x86
 0a3739e5e1fe29fcce8c686d8ac223316467a2efaaa18cb3d1abf6c7a66dc86be12c26755dff1aef6d0f5a028ce4f6dfc5664ab42b484046949f401f3b9198f9 kernelconfig.x86_64"
diff --git a/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch b/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
new file mode 100644
index 0000000000..2310927e81
--- /dev/null
+++ b/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
@@ -0,0 +1,178 @@
+From patchwork Thu May 23 13:15:46 2013
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Subject: [RFC] net/ipv4: Use next hop exceptions also for input routes
+Date: Thu, 23 May 2013 03:15:46 -0000
+From: =?utf-8?q?Timo_Ter=C3=A4s?= <timo.teras@iki.fi>
+X-Patchwork-Id: 245949
+Message-Id: <1369314946-12692-1-git-send-email-timo.teras@iki.fi>
+To: netdev@vger.kernel.org
+Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+
+Commit d2d68ba9 (ipv4: Cache input routes in fib_info nexthops)
+assmued that "locally destined, and routed packets, never trigger
+PMTU events or redirects that will be processed by us".
+
+However, it seems that tunnel devices do trigger PMTU events in certain
+cases. At least ip_gre, ip6_gre, sit, and ipip do use the inner flow's
+skb_dst(skb)->ops->update_pmtu to propage mtu information from the
+outer flows. These can cause the inner flow mtu to be decreased. If
+next hop exceptions are not consulted for pmtu, IP fragmentation will
+not be done properly for these routes.
+
+It also seems that we really need to have the PMTU information always
+for netfilter TCPMSS' clamp-to-pmtu feature to work properly.
+
+So for the time being, cache separate copies of input routes for
+each next hop exception.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+
+---
+I had ideas to make optimizations where pmtu information would not
+be needed. This includes:
+- Target devices with IFF_XMIT_DST_RELEASE set (practically all devices
+ except tunnels). If skb_dst() is early freed the target device cannot
+ generate PMTU events
+- Add flag for input route generation if pmtu info is needed for
+ fragmentation. Basically a flag saying if DF bit was set in ip_hdr.
+
+However, TCPMSS clamp-to-pmtu prevents both optimizations.
+
+I'm not yet all familiar with the recent changes in routing caching,
+so there might be caveats that I missed.
Basic testing shows this fixes
+the fragmentation issues I'm seeing, and I have not yet found any ill
+side effects either.
+
+ include/net/ip_fib.h | 3 ++-
+ net/ipv4/fib_semantics.c | 3 ++-
+ net/ipv4/route.c | 41 +++++++++++++++++++++++++++++++----------
+ 3 files changed, 35 insertions(+), 12 deletions(-)
+
+diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
+index e49db91..20529a6 100644
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -55,7 +55,8 @@ struct fib_nh_exception {
+ u32 fnhe_pmtu;
+ __be32 fnhe_gw;
+ unsigned long fnhe_expires;
+- struct rtable __rcu *fnhe_rth;
++ struct rtable __rcu *fnhe_rth_input;
++ struct rtable __rcu *fnhe_rth_output;
+ unsigned long fnhe_stamp;
+ };
+
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index 8f6cb7a..d5dbca5 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -169,7 +169,8 @@ static void free_nh_exceptions(struct fib_nh *nh)
+
+ next = rcu_dereference_protected(fnhe->fnhe_next, 1);
+
+- rt_fibinfo_free(&fnhe->fnhe_rth);
++ rt_fibinfo_free(&fnhe->fnhe_rth_input);
++ rt_fibinfo_free(&fnhe->fnhe_rth_output);
+
+ kfree(fnhe);
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 550781a..073df96 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -576,9 +576,14 @@ static struct fib_nh_exception *fnhe_oldest(struct fnhe_hash_bucket *hash)
+ if (time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp))
+ oldest = fnhe;
+ }
+- orig = rcu_dereference(oldest->fnhe_rth);
++ orig = rcu_dereference(oldest->fnhe_rth_input);
+ if (orig) {
+- RCU_INIT_POINTER(oldest->fnhe_rth, NULL);
++ RCU_INIT_POINTER(oldest->fnhe_rth_input, NULL);
++ rt_free(orig);
++ }
++ orig = rcu_dereference(oldest->fnhe_rth_output);
++ if (orig) {
++ RCU_INIT_POINTER(oldest->fnhe_rth_output, NULL);
+ rt_free(orig);
+ }
+ return oldest;
+@@ -1209,7 +1214,15 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
+ spin_lock_bh(&fnhe_lock);
+
+ if (daddr == 
fnhe->fnhe_daddr) {
+- struct rtable *orig = rcu_dereference(fnhe->fnhe_rth);
++ struct rtable __rcu **porig;
++ struct rtable *orig;
++
++ if (rt_is_input_route(rt))
++ porig = &fnhe->fnhe_rth_input;
++ else
++ porig = &fnhe->fnhe_rth_output;
++
++ orig = rcu_dereference(*porig);
+ if (orig && rt_is_expired(orig)) {
+ fnhe->fnhe_gw = 0;
+ fnhe->fnhe_pmtu = 0;
+@@ -1231,12 +1244,14 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
+ } else if (!rt->rt_gateway)
+ rt->rt_gateway = daddr;
+
+- rcu_assign_pointer(fnhe->fnhe_rth, rt);
+- if (orig)
+- rt_free(orig);
++ if (!(rt->dst.flags & DST_NOCACHE)) {
++ rcu_assign_pointer(*porig, rt);
++ if (orig)
++ rt_free(orig);
++ ret = true;
++ }
+
+ fnhe->fnhe_stamp = jiffies;
+- ret = true;
+ }
+ spin_unlock_bh(&fnhe_lock);
+
+@@ -1468,6 +1483,7 @@ static int __mkroute_input(struct sk_buff *skb,
+ struct in_device *in_dev,
+ __be32 daddr, __be32 saddr, u32 tos)
+ {
++ struct fib_nh_exception *fnhe;
+ struct rtable *rth;
+ int err;
+ struct in_device *out_dev;
+@@ -1514,8 +1530,13 @@ static int __mkroute_input(struct sk_buff *skb,
+ }
+ }
+
++ fnhe = find_exception(&FIB_RES_NH(*res), daddr);
+ if (do_cache) {
+- rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input);
++ if (fnhe != NULL)
++ rth = rcu_dereference(fnhe->fnhe_rth_input);
++ else
++ rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input);
++
+ if (rt_cache_valid(rth)) {
+ skb_dst_set_noref(skb, &rth->dst);
+ goto out;
+@@ -1543,7 +1564,7 @@ static int __mkroute_input(struct sk_buff *skb,
+ rth->dst.input = ip_forward;
+ rth->dst.output = ip_output;
+
+- rt_set_nexthop(rth, daddr, res, NULL, res->fi, res->type, itag);
++ rt_set_nexthop(rth, daddr, res, fnhe, res->fi, res->type, itag);
+ skb_dst_set(skb, &rth->dst);
+ out:
+ err = 0;
+@@ -1858,7 +1879,7 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
+
+ fnhe = find_exception(nh, fl4->daddr);
+ if (fnhe)
+- prth = &fnhe->fnhe_rth;
++ prth = &fnhe->fnhe_rth_output;
+ else { + if (unlikely(fl4->flowi4_flags & + FLOWI_FLAG_KNOWN_NH && |