
Bug#754294: Debian kernel fix for routing regression in 3.2.60



On 13/07/14 19:55, Ben Hutchings wrote:
Sorry about the regression in the latest security update.  This is
apparently the result of an incomplete fix for a longstanding bug in
routing between interfaces with differing MTU.  The first part of the
fix went into 3.2.57, and the second part in 3.2.60.  It appears that
several more changes would need to be applied to complete the fix and
avoid this regression.

So, what I'm intending to do is to revert both those changes.  That will
leave the original bug present, but this will not be a regression from
the earlier Debian 7 'wheezy' kernel versions.

I have rebuilt the kernel for amd64 with these changes and uploaded to
<http://people.debian.org/~benh/packages/wheezy-security/>.  The changes
file is signed with my GPG key and there are also detached GPG
signatures for the linux-image binary packages.  You can verify these
using:

     gpg --keyring /usr/share/keyrings/debian-keyring.gpg --verify <sig-file>

If you need packages for another architecture or you're not sure about
the signature checking, you can build packages using the instructions at
<http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official>
and the attached patches
(revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch followed by
revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch).

After applying the above two patches all is good. Here's how I tested:

apt-get update
apt-get build-dep linux

mkdir linux-deb
cd linux-deb
apt-get source linux=3.2.60-1+deb7u1
wget --no-check-certificate "https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=50;filename=revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch;att=1;bug=754294" -O revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch
wget --no-check-certificate "https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=50;filename=revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch;att=2;bug=754294" -O revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch

cd linux-3.2.60

bash debian/bin/test-patches -f amd64 -j 8 ../revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch ../revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch

dpkg -i linux-image-3.2.0-4-amd64_3.2.60-1+deb7u1a~test_i386.deb

And then tried my usual download-from-windows-host test, which worked fine.


Best regards,
Teodor Milkov
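
Added example, not part of the original messages: a stricter form of the detached-signature check quoted above, which restricts gpg to the Debian keyring and requires the signature to come from one expected key before any package is installed. The `.sig` suffix, the function names and the fingerprint argument are assumptions; the page gives neither the signature file names nor a fingerprint, so the caller must supply the signer's fingerprint obtained out of band.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: detached signatures are
# named <package>.deb.sig, and the caller passes the signer's fingerprint.

KEYRING=/usr/share/keyrings/debian-keyring.gpg
SIG_SUFFIX=${SIG_SUFFIX:-.sig}

# Read "gpg --status-fd" output on stdin. Succeed only if a VALIDSIG line
# names the expected fingerprint, either as the signing key (field 3) or
# as the primary key (last field). BADSIG/ERRSIG never produce VALIDSIG.
status_signed_by() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        END { exit !ok }'
}

# verify_detached SIG FILE FINGERPRINT
# --no-default-keyring stops keys in the user's own keyring from counting.
verify_detached() {
    gpg --no-default-keyring --keyring "$KEYRING" --status-fd 1 \
        --verify "$1" "$2" 2>/dev/null | status_signed_by "$3"
}

# verify_all DIR FINGERPRINT
# Fail closed: no packages, a missing signature, or one bad signature
# rejects the whole directory. VERIFY can name another checker for testing.
verify_all() {
    for deb in "$1"/*.deb; do
        [ -e "$deb" ] || { echo "no .deb files in $1" >&2; return 1; }
        sig="$deb$SIG_SUFFIX"
        [ -f "$sig" ] || { echo "missing signature: $deb" >&2; return 1; }
        "${VERIFY:-verify_detached}" "$sig" "$deb" "$2" ||
            { echo "signature check failed: $deb" >&2; return 1; }
    done
    return 0
}

# Usage: verify_all ./downloads "<signer fingerprint>" && dpkg -i ./downloads/*.deb
```

A plain `--verify` succeeds for a good signature from any key in the keyring; comparing the `VALIDSIG` fingerprint is what ties the packages to one signer.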

