main/linux-grsec: fix ip_gre regression and enable xfrm statistics

4 files changed, 63 insertions, 9 deletions

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index b489b05761..342447a8c6 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=3.8.2
 _kernver=3.8
-pkgrel=1
+pkgrel=3
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -18,6 +18,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 
 	0004-arp-flush-arp-cache-on-device-change.patch
 	usb-ehci-revert-remove-ass-pss-polling-timeout.patch
+	Revert-ip_gre-make-ipgre_tunnel_xmit-not-parse-network-header-as-IP-unconditionally.patch
 
 	kernelconfig.x86
 	kernelconfig.x86_64
@@ -146,19 +147,22 @@ e282fcff76e975e121e0636018e31a56  patch-3.8.2.xz
 1bd92bea4325cafd07daa470810f1ea3  grsecurity-2.9.1-3.8.2-201303111845.patch
 776adeeb5272093574f8836c5037dd7d  0004-arp-flush-arp-cache-on-device-change.patch
 eb332f6769f785a1c6b54b1f49ffd01a  usb-ehci-revert-remove-ass-pss-polling-timeout.patch
-3bcafb0c6230e2279930027e48162d0a  kernelconfig.x86
-653949f92e603ec35e072fbdc58a414b  kernelconfig.x86_64"
+dc52c70012b707fa8ebbfe9222960b1f  Revert-ip_gre-make-ipgre_tunnel_xmit-not-parse-network-header-as-IP-unconditionally.patch
+2ae3dad7ae18b1d6aca01c433be78bf7  kernelconfig.x86
+d9ae40bc906e3ab1968ce784d879419e  kernelconfig.x86_64"
 sha256sums="e070d1bdfbded5676a4f374721c63565f1c969466c5a3e214004a136b583184b  linux-3.8.tar.xz
 2bd1a39db4608a03250bfef11d3b7894ab1f0ebcb5316bafeeed23535822fd9c  patch-3.8.2.xz
 c969b85daf641db52925344b66527d92395b50011c17b889cea36ce753e0f7a0  grsecurity-2.9.1-3.8.2-201303111845.patch
 e2d2d1503f53572c6a2e21da729a13a430dd01f510405ffb3a33b29208860bde  0004-arp-flush-arp-cache-on-device-change.patch
 949393b84740cfe8a0d72d391ca2a89d24aa425df27c031f121fec7f7f331eed  usb-ehci-revert-remove-ass-pss-polling-timeout.patch
-f4f752af87b802ddfa201392906c4b7ec14a2239e994abd3fb08068824477cb4  kernelconfig.x86
-07e8251d7348414ee534d822fdf6561545309be87821032115d0161c443ad000  kernelconfig.x86_64"
+82687b6a369370359bab20fcd00e7e6ca55221d9777843d6df857f7e808d9916  Revert-ip_gre-make-ipgre_tunnel_xmit-not-parse-network-header-as-IP-unconditionally.patch
+07357ba122b72516fa8add2e549bc65fddb10df85a91a6f1a1f7db2f62eb4b98  kernelconfig.x86
+ce5b69db73b452985d41aab188f1f5bf73c6b1ab633c264d72ba9289fe5e91cd  kernelconfig.x86_64"
 sha512sums="10a7983391af907d8aec72bdb096d1cabd4911985715e9ea13d35ff09095c035db15d4ab08b92eda7c10026cc27348cb9728c212335f7fcdcda7c610856ec30f  linux-3.8.tar.xz
 752a122646261461da9238feeacc61ab787bea9999f066b056226387ce718da57592e536eb1c6aa28b949f0a7ad1fa97cc97204fdc3e8f3939d9b0d3b9517d03  patch-3.8.2.xz
 faff701455d4985cc7c54e4b41cb87a44382b567c5adaa0ffa5182c0e4a629660b08715205f982d668f12697550da8ce6ea07da4636d60789e8fc1833cce084a  grsecurity-2.9.1-3.8.2-201303111845.patch
 b6fdf376009f0f0f3fa194cb11be97343e4d394cf5d3547de6cfca8ad619c5bd3f60719331fd8cfadc47f09d22be8376ba5f871b46b24887ea73fe47e233a54e  0004-arp-flush-arp-cache-on-device-change.patch
 bb4576df6b5e029747975f5ed9d04c807d1bfd5e73f5418375f164a03342c15b2ca918e68bb6ff5bd0dc2fa8364e022aee18b254528210d2e24f8e06e6521609  usb-ehci-revert-remove-ass-pss-polling-timeout.patch
-9a37f22bbab39e7a2a35258a5004ad52e7ec40d1cb7e0e61df3e7c278fd1e0163f196fbb0110ef34b1984c5fae409c57b870e689f955c8520c2b27aa0afe8247  kernelconfig.x86
-e77717d46bdbb4bdf7d59a8ee9a9cf62f08b50f0e0b6dc3bf78cf007fce355b19a824205d1341bbb730708f5651f0b244d90d3b771b968b16af7ba4ca7ae8d58  kernelconfig.x86_64"
+86658aab1274eb7b273dc13473e3bd21d2c8cc8253002adf175dd0e0fd3b407c0ec85546f018597bbf5ad1b47b426a03c3be7b7a5d19991c46c7bd5afddf9929  Revert-ip_gre-make-ipgre_tunnel_xmit-not-parse-network-header-as-IP-unconditionally.patch
+cd55284606d7d6e4e643a35638e3f4db547c9eb23e5e030d7c722df24910e57749a21af245f9eee82f08daf3b3563ed6b366759cffd42e7d8926ca14a4f60b4e  kernelconfig.x86
+88cce5dc8ec880b8ff48ea6f6dc5d41957717c4057e13bbfed75c921ad7a6061591ce23cce69f4c9816f56cafa59114bb8454a3d7d552fccd8eb3ddb81fe3e2c  kernelconfig.x86_64"
diff --git a/main/linux-grsec/Revert-ip_gre-make-ipgre_tunnel_xmit-not-parse-network-header-as-IP-unconditionally.patch b/main/linux-grsec/Revert-ip_gre-make-ipgre_tunnel_xmit-not-parse-network-header-as-IP-unconditionally.patch
new file mode 100644
index 0000000000..39277d52c8
--- /dev/null
+++ b/main/linux-grsec/Revert-ip_gre-make-ipgre_tunnel_xmit-not-parse-network-header-as-IP-unconditionally.patch
@@ -0,0 +1,49 @@
+From patchwork Wed Mar 13 12:37:49 2013
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Subject: Revert "ip_gre: make ipgre_tunnel_xmit() not parse network header as
+ IP unconditionally"
+Date: Wed, 13 Mar 2013 02:37:49 -0000
+From: =?utf-8?b?VGltbyBUZXLDpHMgPHRpbW8udGVyYXNAaWtpLmZpPg==?=
+X-Patchwork-Id: 227266
+Message-Id: <1363178269-27553-1-git-send-email-timo.teras@iki.fi>
+To: netdev@vger.kernel.org, Isaku Yamahata <yamahata@valinux.co.jp>,
+ Eric Dumazet <edumazet@google.com>, "David S. Miller" <davem@davemloft.net>
+Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+
+This reverts commit 412ed94744d16806fbec3bd250fd94e71cde5a1f.
+
+The commit is wrong as tiph points to the outer IPv4 header which is
+installed at ipgre_header() and not the inner one which is protocol dependant.
+
+This commit broke succesfully opennhrp which use PF_PACKET socket with
+ETH_P_NHRP protocol. Additionally ssl_addr is set to the link-layer
+IPv4 address. This address is written by ipgre_header() to the skb
+earlier, and this is the IPv4 header tiph should point to - regardless
+of the inner protocol payload.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+
+---
+net/ipv4/ip_gre.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+ 
+This commit appeared in 3.8.x. So should go to 3.8.x-stable.
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index d0ef0e6..91d66db 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -798,10 +798,7 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
+ 
+ 	if (dev->header_ops && dev->type == ARPHRD_IPGRE) {
+ 		gre_hlen = 0;
+-		if (skb->protocol == htons(ETH_P_IP))
+-			tiph = (const struct iphdr *)skb->data;
+-		else
+-			tiph = &tunnel->parms.iph;
++		tiph = (const struct iphdr *)skb->data;
+ 	} else {
+ 		gre_hlen = tunnel->hlen;
+ 		tiph = &tunnel->parms.iph;
diff --git a/main/linux-grsec/kernelconfig.x86 b/main/linux-grsec/kernelconfig.x86
index cd2cd898e5..d82a3391fc 100644
--- a/main/linux-grsec/kernelconfig.x86
+++ b/main/linux-grsec/kernelconfig.x86
@@ -654,7 +654,7 @@ CONFIG_XFRM_ALGO=m
 CONFIG_XFRM_USER=m
 CONFIG_XFRM_SUB_POLICY=y
 CONFIG_XFRM_MIGRATE=y
-# CONFIG_XFRM_STATISTICS is not set
+CONFIG_XFRM_STATISTICS=y
 CONFIG_XFRM_IPCOMP=m
 CONFIG_NET_KEY=m
 CONFIG_NET_KEY_MIGRATE=y
@@ -3774,6 +3774,7 @@ CONFIG_DVB_S5H1411=m
 # ISDB-T (terrestrial) frontends
 #
 CONFIG_DVB_DIB8000=m
+CONFIG_DVB_MB86A20S=m
 
 #
 # Digital terrestrial only tuners/PLL
diff --git a/main/linux-grsec/kernelconfig.x86_64 b/main/linux-grsec/kernelconfig.x86_64
index 05e9586c7d..6db4607804 100644
--- a/main/linux-grsec/kernelconfig.x86_64
+++ b/main/linux-grsec/kernelconfig.x86_64
@@ -628,7 +628,7 @@ CONFIG_XFRM_ALGO=m
 CONFIG_XFRM_USER=m
 CONFIG_XFRM_SUB_POLICY=y
 CONFIG_XFRM_MIGRATE=y
-# CONFIG_XFRM_STATISTICS is not set
+CONFIG_XFRM_STATISTICS=y
 CONFIG_XFRM_IPCOMP=m
 CONFIG_NET_KEY=m
 CONFIG_NET_KEY_MIGRATE=y