diff options
-rw-r--r-- | main/dahdi-linux-grsec/APKBUILD | 2 | ||||
-rw-r--r-- | main/linux-grsec/APKBUILD | 4 | ||||
-rw-r--r-- | main/linux-grsec/net-handle-different-key-sizes-between-address-families-in-flow-cache.patch | 140 | ||||
-rw-r--r-- | main/open-iscsi-grsec/APKBUILD | 2 | ||||
-rw-r--r-- | main/open-vm-tools-grsec/APKBUILD | 6 | ||||
-rw-r--r-- | main/xtables-addons-grsec/APKBUILD | 2 |
6 files changed, 149 insertions, 7 deletions
diff --git a/main/dahdi-linux-grsec/APKBUILD b/main/dahdi-linux-grsec/APKBUILD index e6406173df..679bb74c41 100644 --- a/main/dahdi-linux-grsec/APKBUILD +++ b/main/dahdi-linux-grsec/APKBUILD @@ -3,7 +3,7 @@ _flavor=grsec _kver=3.0.8 -_kpkgrel=2 +_kpkgrel=3 # verify the kernel version before entering chroot if [ -f ../linux-${_flavor}/APKBUILD ]; then diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 92b5737b1d..907caf33ca 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -4,7 +4,7 @@ _flavor=grsec pkgname=linux-${_flavor} pkgver=3.0.8 _kernver=3.0 -pkgrel=2 +pkgrel=3 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -20,6 +20,7 @@ source="ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2 0001-ip_gre-dont-increase-dev-needed_headroom-on-a-live-d.patch 0001-ipv4-fix-ipsec-forward-performance-regression.patch 0004-arp-flush-arp-cache-on-device-change.patch + net-handle-different-key-sizes-between-address-families-in-flow-cache.patch kernelconfig.x86 kernelconfig.x86_64 @@ -146,5 +147,6 @@ c41cf0ee9794f393423c6b2093072260 grsec-timblogiw-noconst.patch ebb99ef6ad8cd2d9fd8f49d5c5849057 0001-ip_gre-dont-increase-dev-needed_headroom-on-a-live-d.patch b27bc150f7a3932de28fcb8803809cbc 0001-ipv4-fix-ipsec-forward-performance-regression.patch 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch +2b71de1af5539744e2d9f1c37c0ff520 net-handle-different-key-sizes-between-address-families-in-flow-cache.patch 464e2356a1983e1ffe261904a1d76338 kernelconfig.x86 d97d1808eebdfb97734dccfbcaea35f2 kernelconfig.x86_64" diff --git a/main/linux-grsec/net-handle-different-key-sizes-between-address-families-in-flow-cache.patch b/main/linux-grsec/net-handle-different-key-sizes-between-address-families-in-flow-cache.patch new file mode 100644 index 0000000000..9fe93a1a6b --- /dev/null +++ b/main/linux-grsec/net-handle-different-key-sizes-between-address-families-in-flow-cache.patch @@ -0,0 +1,140 @@ +From aa1c366e4febc7f5c2b84958a2dd7cd70e28f9d0 Mon Sep 17 00:00:00 2001 +From: dpward <david.ward@ll.mit.edu> +Date: Mon, 5 Sep 2011 16:47:24 +0000 +Subject: net: Handle different key sizes between address families in flow cache + +From: dpward <david.ward@ll.mit.edu> + +commit aa1c366e4febc7f5c2b84958a2dd7cd70e28f9d0 upstream. + +With the conversion of struct flowi to a union of AF-specific structs, some +operations on the flow cache need to account for the exact size of the key. + +Signed-off-by: David Ward <david.ward@ll.mit.edu> +Signed-off-by: David S. Miller <davem@davemloft.net> +Cc: Kim Phillips <kim.phillips@freescale.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + include/net/flow.h | 19 +++++++++++++++++++ + net/core/flow.c | 31 +++++++++++++++++-------------- + 2 files changed, 36 insertions(+), 14 deletions(-) + +--- a/include/net/flow.h ++++ b/include/net/flow.h +@@ -7,6 +7,7 @@ + #ifndef _NET_FLOW_H + #define _NET_FLOW_H + ++#include <linux/socket.h> + #include <linux/in6.h> + #include <asm/atomic.h> + +@@ -161,6 +162,24 @@ static inline struct flowi *flowidn_to_f + return container_of(fldn, struct flowi, u.dn); + } + ++typedef unsigned long flow_compare_t; ++ ++static inline size_t flow_key_size(u16 family) ++{ ++ switch (family) { ++ case AF_INET: ++ BUILD_BUG_ON(sizeof(struct flowi4) % sizeof(flow_compare_t)); ++ return sizeof(struct flowi4) / sizeof(flow_compare_t); ++ case AF_INET6: ++ BUILD_BUG_ON(sizeof(struct flowi6) % sizeof(flow_compare_t)); ++ return sizeof(struct flowi6) / sizeof(flow_compare_t); ++ case AF_DECnet: ++ BUILD_BUG_ON(sizeof(struct flowidn) % sizeof(flow_compare_t)); ++ return sizeof(struct flowidn) / sizeof(flow_compare_t); ++ } ++ return 0; ++} ++ + #define FLOW_DIR_IN 0 + #define FLOW_DIR_OUT 1 + #define FLOW_DIR_FWD 2 +--- a/net/core/flow.c ++++ b/net/core/flow.c +@@ -172,29 +172,26 @@ static void flow_new_hash_rnd(struct flo + + static u32 flow_hash_code(struct flow_cache *fc, + struct flow_cache_percpu *fcp, +- const struct flowi *key) ++ const struct flowi *key, ++ size_t keysize) + { + const u32 *k = (const u32 *) key; ++ const u32 length = keysize * sizeof(flow_compare_t) / sizeof(u32); + +- return jhash2(k, (sizeof(*key) / sizeof(u32)), fcp->hash_rnd) ++ return jhash2(k, length, fcp->hash_rnd) + & (flow_cache_hash_size(fc) - 1); + } + +-typedef unsigned long flow_compare_t; +- + /* I hear what you're saying, use memcmp. But memcmp cannot make +- * important assumptions that we can here, such as alignment and +- * constant size. ++ * important assumptions that we can here, such as alignment. + */ +-static int flow_key_compare(const struct flowi *key1, const struct flowi *key2) ++static int flow_key_compare(const struct flowi *key1, const struct flowi *key2, ++ size_t keysize) + { + const flow_compare_t *k1, *k1_lim, *k2; +- const int n_elem = sizeof(struct flowi) / sizeof(flow_compare_t); +- +- BUILD_BUG_ON(sizeof(struct flowi) % sizeof(flow_compare_t)); + + k1 = (const flow_compare_t *) key1; +- k1_lim = k1 + n_elem; ++ k1_lim = k1 + keysize; + + k2 = (const flow_compare_t *) key2; + +@@ -215,6 +212,7 @@ flow_cache_lookup(struct net *net, const + struct flow_cache_entry *fle, *tfle; + struct hlist_node *entry; + struct flow_cache_object *flo; ++ size_t keysize; + unsigned int hash; + + local_bh_disable(); +@@ -222,6 +220,11 @@ flow_cache_lookup(struct net *net, const + + fle = NULL; + flo = NULL; ++ ++ keysize = flow_key_size(family); ++ if (!keysize) ++ goto nocache; ++ + /* Packet really early in init? Making flow_cache_init a + * pre-smp initcall would solve this. --RR */ + if (!fcp->hash_table) +@@ -230,11 +233,11 @@ flow_cache_lookup(struct net *net, const + if (fcp->hash_rnd_recalc) + flow_new_hash_rnd(fc, fcp); + +- hash = flow_hash_code(fc, fcp, key); ++ hash = flow_hash_code(fc, fcp, key, keysize); + hlist_for_each_entry(tfle, entry, &fcp->hash_table[hash], u.hlist) { + if (tfle->family == family && + tfle->dir == dir && +- flow_key_compare(key, &tfle->key) == 0) { ++ flow_key_compare(key, &tfle->key, keysize) == 0) { + fle = tfle; + break; + } +@@ -248,7 +251,7 @@ flow_cache_lookup(struct net *net, const + if (fle) { + fle->family = family; + fle->dir = dir; +- memcpy(&fle->key, key, sizeof(*key)); ++ memcpy(&fle->key, key, keysize * sizeof(flow_compare_t)); + fle->object = NULL; + hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]); + fcp->hash_count++; diff --git a/main/open-iscsi-grsec/APKBUILD b/main/open-iscsi-grsec/APKBUILD index 9098230d44..ac71b6a694 100644 --- a/main/open-iscsi-grsec/APKBUILD +++ b/main/open-iscsi-grsec/APKBUILD @@ -4,7 +4,7 @@ _flavor=grsec _realname=open-iscsi _realver=2.0-872 _kver=3.0.8 -_kpkgrel=2 +_kpkgrel=3 # verify the kernel version before entering chroot if [ -f ../linux-${_flavor}/APKBUILD ]; then diff --git a/main/open-vm-tools-grsec/APKBUILD b/main/open-vm-tools-grsec/APKBUILD index db20bb650c..57ac16cdac 100644 --- a/main/open-vm-tools-grsec/APKBUILD +++ b/main/open-vm-tools-grsec/APKBUILD @@ -6,6 +6,9 @@ _mypkgrel=0 _realver=2011.09.23 _realsubver=491607 +_kver=3.0.8 +_kpkgrel=3 + # source open-vm-tools version if [ -f ../main/$_realname/APKBUILD ]; then . ../main/$_realname/APKBUILD @@ -14,9 +17,6 @@ if [ -f ../main/$_realname/APKBUILD ]; then && die "please set _realsubver to $_pkgsubver" fi -_kver=3.0.8 -_kpkgrel=2 - # source the kernel version if [ -f ../main/linux-${_flavor}/APKBUILD ]; then . ../main/linux-${_flavor}/APKBUILD diff --git a/main/xtables-addons-grsec/APKBUILD b/main/xtables-addons-grsec/APKBUILD index dd01f1c2e9..5c3c87d031 100644 --- a/main/xtables-addons-grsec/APKBUILD +++ b/main/xtables-addons-grsec/APKBUILD @@ -4,7 +4,7 @@ _realname=xtables-addons _name=$_realname-$_flavor _kver=3.0.8 -_kpkgrel=2 +_kpkgrel=3 # source the kernel version if [ -f ../linux-$_flavor/APKBUILD ]; then |