kernel: fix grsecurity patch.
authorArne Fitzenreiter <arne_f@ipfire.org>
Sun, 21 Aug 2016 20:40:12 +0000 (22:40 +0200)
committerArne Fitzenreiter <arne_f@ipfire.org>
Sun, 21 Aug 2016 20:40:12 +0000 (22:40 +0200)
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
lfs/linux
src/patches/linux-3.14.77-gsrec_tcp_input_access_once_rw.patch [new file with mode: 0644]

index 5c37a4b59c0e53cfa7e0aae7d2cb347da735cb38..e365be6afd5d5aa832999cfbcbbc307c729ab7f4 100644 (file)
--- a/lfs/linux
+++ b/lfs/linux
@@ -132,6 +132,7 @@ ifneq "$(KCFG)" "-headers"
        cd $(DIR_APP) && xz -c -d $(DIR_DL)/$(GRS_PATCHES) | patch -Np1
        cd $(DIR_APP) && rm localversion-grsec
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.7-disable-compat_vdso.patch
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.14.77-gsrec_tcp_input_access_once_rw.patch
 endif
 
        # DVB Patches
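Review bot: The patch file name on the added line misspells grsecurity as `gsrec`, and since that name is the only handle the build has on this fix it is worth renaming to `linux-3.14.77-grsec_tcp_input_access_once_rw.patch` (in both this Makefile line and src/patches) so it sorts and greps next to the grsec patch set it corrects. The patch itself only changes the two stores to `challenge_count` in tcp_input.c from `ACCESS_ONCE` to `ACCESS_ONCE_RW`, which presumably is the form grsecurity's constification needs for a write; a one-line comment above the new `patch` line, e.g. `# grsec: stores to challenge_count must use ACCESS_ONCE_RW (tcp_input.c)`, would tell the next kernel bump what to re-check when the hunk stops applying. The enclosing `ifneq "$(KCFG)" "-headers"` block begins before this hunk.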
diff --git a/src/patches/linux-3.14.77-gsrec_tcp_input_access_once_rw.patch b/src/patches/linux-3.14.77-gsrec_tcp_input_access_once_rw.patch
new file mode 100644 (file)
index 0000000..19d0448
--- /dev/null
@@ -0,0 +1,18 @@
+diff -Naur linux-3.14.77.org/net/ipv4/tcp_input.c linux-3.14.77/net/ipv4/tcp_input.c
+--- linux-3.14.77.org/net/ipv4/tcp_input.c     2016-08-21 19:58:45.000000000 +0200
++++ linux-3.14.77/net/ipv4/tcp_input.c 2016-08-21 21:11:24.336757369 +0200
+@@ -3299,12 +3299,12 @@
+               u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
+               challenge_timestamp = now;
+-              ACCESS_ONCE(challenge_count) = half +
++              ACCESS_ONCE_RW(challenge_count) = half +
+                                 prandom_u32_max(sysctl_tcp_challenge_ack_limit);
+       }
+       count = ACCESS_ONCE(challenge_count);
+       if (count > 0) {
+-              ACCESS_ONCE(challenge_count) = count - 1;
++              ACCESS_ONCE_RW(challenge_count) = count - 1;
+               NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+               tcp_send_ack(sk);
+       }