50a9ff6df4
The kernel is moved ahead to version 3.10.0-693.21.1.el7 To summarize: CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1' This is fixed by load fences and is "baked in" and cannot be turned off. CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' This is fixed by a combination of retpolines and IBPB, or IBRS+IBPB if on skylake. This requires a microcode change in the processors. This feature, if on, has a significant performance impact. It is assumed on unless turned off via the "nospectre_v2" bootarg. CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3' This is fixed by page table isolation using the Kaiser patches. This feature is assumed on unless turned off via the "nopti" bootarg. As of the commit date, we have changed the installer kickstarts to issue both "nopti nospectre_v2" bootargs to minimize realtime impacts by default. The customer will be able to optionally sacrifice performance for extra security at datafill time. Change-Id: Id7c99923f2ee2ee91f77c7bd9940e684eff8b476 Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
59 lines
2.6 KiB
Diff
59 lines
2.6 KiB
Diff
From f35323a9d7fa1d6975a4e6455479266b98ea5cd4 Mon Sep 17 00:00:00 2001
|
|
Message-Id: <f35323a9d7fa1d6975a4e6455479266b98ea5cd4.1522097754.git.Jim.Somerville@windriver.com>
|
|
In-Reply-To: <f4706beaf86081b0890ea616082913f8f51823ff.1522097754.git.Jim.Somerville@windriver.com>
|
|
References: <f4706beaf86081b0890ea616082913f8f51823ff.1522097754.git.Jim.Somerville@windriver.com>
|
|
From: Allain Legacy <allain.legacy@windriver.com>
|
|
Date: Fri, 29 Jan 2016 12:13:40 -0500
|
|
Subject: [PATCH 03/27] CGTS-3744: route: do not cache fib route info on local
|
|
routes with oif
|
|
|
|
For local routes that require a particular output interface we do not want to
|
|
cache the result. Caching the result causes incorrect behaviour when there are
|
|
multiple source addresses on the interface. The end result being that if the
|
|
intended recipient is waiting on that interface for the packet he won't receive
|
|
it because it will be delivered on the loopback interface and the IP_PKTINFO
|
|
ipi_ifindex will be set to the loopback interface as well.
|
|
|
|
This can be tested by running a program such as "dhcp_release" which attempts
|
|
to inject a packet on a particular interface so that it is received by another
|
|
program on the same board. The receiving process should see an IP_PKTINFO
|
|
ipi_ifndex value of the source interface (e.g., eth1) instead of the loopback
|
|
interface (e.g., lo). The packet will still appear on the loopback interface
|
|
in tcpdump but the important aspect is that the CMSG info is correct.
|
|
|
|
Sample dhcp_release command line:
|
|
|
|
dhcp_release eth1 192.168.204.222 02:11:33:22:44:66
|
|
|
|
Signed-off-by: Allain Legacy <allain.legacy@windriver.com>
|
|
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
|
|
---
|
|
net/ipv4/route.c | 11 +++++++++++
|
|
1 file changed, 11 insertions(+)
|
|
|
|
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
|
|
index def37c6..b554914 100644
|
|
--- a/net/ipv4/route.c
|
|
+++ b/net/ipv4/route.c
|
|
@@ -2050,6 +2050,17 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
|
|
*/
|
|
if (fi && res->prefixlen < 4)
|
|
fi = NULL;
|
|
+ } else if ((type == RTN_LOCAL) && (orig_oif != 0)) {
|
|
+ /*
|
|
+ * For local routes that require a particular output interface we do
|
|
+ * not want to cache the result. Caching the result causes incorrect
|
|
+ * behaviour when there are multiple source addresses on the interface.
|
|
+ * The end result being that if the intended recipient is waiting on
|
|
+ * that interface for the packet he won't receive it because it will be
|
|
+ * delivered on the loopback interface and the IP_PKTINFO ipi_ifindex
|
|
+ * will be set to the loopback interface as well.
|
|
+ */
|
|
+ fi = NULL;
|
|
}
|
|
|
|
fnhe = NULL;
|
|
--
|
|
1.8.3.1
|
|
|