commit 0a2b7ca35e997c101965c518f649f7205c6365aa
Author: Arkadiusz MiĆkiewicz <[email protected]>
Date: Tue Sep 6 23:05:05 2016 +0200
- up to 4.1.32
kernel-small_fixes.patch | 80 ------------------------------------------------
kernel.spec | 4 +--
2 files changed, 2 insertions(+), 82 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index fde2de5..6446cab 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -70,7 +70,7 @@
%define rel 1
%define basever 4.1
-%define postver .30
+%define postver .32
# define this to '-%{basever}' for longterm branch
%define versuffix -%{basever}
@@ -119,7 +119,7 @@ Source0:
http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{basever}.tar.xz
# Source0-md5: fe9dc0f6729f36400ea81aa41d614c37
%if "%{postver}" != ".0"
Patch0:
http://www.kernel.org/pub/linux/kernel/v4.x/patch-%{version}.xz
-# Patch0-md5: c24bf5095a53863c5c28e33d0d606f95
+# Patch0-md5: bc9ad9c3602cee0223d4a3b23f4ce44a
%endif
Source1: kernel.sysconfig
diff --git a/kernel-small_fixes.patch b/kernel-small_fixes.patch
index f785fa9..83a0b12 100644
--- a/kernel-small_fixes.patch
+++ b/kernel-small_fixes.patch
@@ -114,84 +114,4 @@ index 29531ec..65fbfb7 100644
goto out_destroy_log;
-From 75ff39ccc1bd5d3c455b6822ab09e533c551f758 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <[email protected]>
-Date: Sun, 10 Jul 2016 10:04:02 +0200
-Subject: tcp: make challenge acks less predictable
-
-Yue Cao claims that current host rate limiting of challenge ACKS
-(RFC 5961) could leak enough information to allow a patient attacker
-to hijack TCP sessions. He will soon provide details in an academic
-paper.
-
-This patch increases the default limit from 100 to 1000, and adds
-some randomization so that the attacker can no longer hijack
-sessions without spending a considerable amount of probes.
-
-Based on initial analysis and patch from Linus.
-
-Note that we also have per socket rate limiting, so it is tempting
-to remove the host limit in the future.
-
-v2: randomize the count of challenge acks per second, not the period.
-
-Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
-Reported-by: Yue Cao <[email protected]>
-Signed-off-by: Eric Dumazet <[email protected]>
-Suggested-by: Linus Torvalds <[email protected]>
-Cc: Yuchung Cheng <[email protected]>
-Cc: Neal Cardwell <[email protected]>
-Acked-by: Neal Cardwell <[email protected]>
-Acked-by: Yuchung Cheng <[email protected]>
-Signed-off-by: David S. Miller <[email protected]>
----
- net/ipv4/tcp_input.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index d6c8f4cd0..91868bb 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
- EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
-
- /* rfc5961 challenge ack rate limiting */
--int sysctl_tcp_challenge_ack_limit = 100;
-+int sysctl_tcp_challenge_ack_limit = 1000;
-
- int sysctl_tcp_stdurg __read_mostly;
- int sysctl_tcp_rfc1337 __read_mostly;
-@@ -3458,7 +3458,7 @@ static void tcp_send_challenge_ack(struct sock *sk,
const struct sk_buff *skb)
- static u32 challenge_timestamp;
- static unsigned int challenge_count;
- struct tcp_sock *tp = tcp_sk(sk);
-- u32 now;
-+ u32 count, now;
-
- /* First check our per-socket dupack rate limit. */
- if (tcp_oow_rate_limited(sock_net(sk), skb,
-@@ -3466,13 +3466,18 @@ static void tcp_send_challenge_ack(struct sock *sk,
const struct sk_buff *skb)
- &tp->last_oow_ack_time))
- return;
-
-- /* Then check the check host-wide RFC 5961 rate limit. */
-+ /* Then check host-wide RFC 5961 rate limit. */
- now = jiffies / HZ;
- if (now != challenge_timestamp) {
-+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
-+
- challenge_timestamp = now;
-- challenge_count = 0;
-+ WRITE_ONCE(challenge_count, half +
-+ prandom_u32_max(sysctl_tcp_challenge_ack_limit));
- }
-- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
-+ count = READ_ONCE(challenge_count);
-+ if (count > 0) {
-+ WRITE_ONCE(challenge_count, count - 1);
- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- tcp_send_ack(sk);
- }
---
-cgit v1.0-17-g0c1e3
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/0a2b7ca35e997c101965c518f649f7205c6365aa
_______________________________________________
pld-cvs-commit mailing list
[email protected]
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
