From 2258117c811aa525ec995c601c5f4649553e9490 Mon Sep 17 00:00:00 2001

From: Joe Lawrence <joe.lawrence@redhat.com>

Date: Mon, 6 Jun 2022 09:30:32 -0400

Subject: [KPATCH CVE-2022-1012] kpatch fixes for CVE-2022-1012

Content-type: text/plain

Changes since last build:

arches: x86_64 ppc64le

inet6_hashtables.o: changed function: inet6_hash_connect

inet_hashtables.o: changed function: inet_hash_connect

inet_hashtables.o: new function: klp__inet_hash_connect

inet_hashtables.o: new function: klp_cve_2022_1012_pre_patch_callback

inet_hashtables.o: new function: klp_table_perturb_ctor

secure_seq.o: new function: klp_secure_ipv4_port_ephemeral

secure_seq.o: new function: klp_secure_ipv6_port_ephemeral

---------------------------

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/2

Kernels:

5.14.0-70.13.1.el9_0

Modifications:

- Avoid header file changes, move prototypes into .c files

- secure_ipv4_port_ephemeral() and secure_ipv6_port_ephemeral() are

  exported symbols, create "klp_" variants that change return type

  from u32 -> u64

- inet_sk_port_offset() and inet6_sk_port_offset() have only one caller each,

  which we can kpatch, so it's safe to update their return values from

  u32 -> u64

- __inet_hash_connect() is prototyped in a header file, which we don't want to

  touch, so create a "klp" variant updating the interface for port_offset

  u32 -> u64

- Create larger klp_table_perturb for kpatch functions, leaving

  smaller table_perturb intact for unpatched code

- Use a shadow variable for the larger klp_table_perturb so it may

  persist across kpatch upgrades

- Get or allocate klp_table_perturb shadow variable in prepatch callback

  rather than inet_hashinfo2_init()

- Use a shadow variable constructor to initialize klp_table_perturb with

  net_get_random_once() on its allocation

- Use KLP_INET_TABLE_PERTURB_{SHIFT,SIZE} for larger size so we don't

  modify existing (smaller) table_perturb

- Add -fno-optimize-sibling-calls attribute for inet_hash_connect()

commit 2f0029a0cd4a60d087882790b8f2e4b3b7a34fc9

Author: Guillaume Nault <gnault@redhat.com>

Date:   Tue May 10 21:26:43 2022 +0200

    secure_seq: use the 64 bits of the siphash for port offset calculation

    Bugzilla: https://bugzilla.redhat.com/2087128

    CVE: CVE-2022-1012

    Y-Commit: cca87d73827e2be4da6de677da5fbbf05ee1efe7

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2064868

    Upstream Status: linux.git

    O-CVE: CVE-2022-1012

    commit b2d057560b8107c633b39aabe517ff9d93f285e3

    Author: Willy Tarreau <w@1wt.eu>

    Date:   Mon May 2 10:46:08 2022 +0200

        secure_seq: use the 64 bits of the siphash for port offset calculation

        SipHash replaced MD5 in secure_ipv{4,6}_port_ephemeral() via commit

        7cd23e5300c1 ("secure_seq: use SipHash in place of MD5"), but the output

        remained truncated to 32-bit only. In order to exploit more bits from the

        hash, let's make the functions return the full 64-bit of siphash_3u32().

        We also make sure the port offset calculation in __inet_hash_connect()

        remains done on 32-bit to avoid the need for div_u64_rem() and an extra

        cost on 32-bit systems.

        Cc: Jason A. Donenfeld <Jason@zx2c4.com>

        Cc: Moshe Kol <moshe.kol@mail.huji.ac.il>

        Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il>

        Cc: Amit Klein <aksecurity@gmail.com>

        Reviewed-by: Eric Dumazet <edumazet@google.com>

        Signed-off-by: Willy Tarreau <w@1wt.eu>

        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Guillaume Nault <gnault@redhat.com>

    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>

commit 12d013e32960f7de65bf6d48b5d1b34f035db485

Author: Guillaume Nault <gnault@redhat.com>

Date:   Tue May 10 21:29:59 2022 +0200

    tcp: use different parts of the port_offset for index and offset

    Bugzilla: https://bugzilla.redhat.com/2087128

    CVE: CVE-2022-1012

    Y-Commit: cf01c418b12c3f395134654725aee76ba8ead14f

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2064868

    Upstream Status: linux.git

    O-CVE: CVE-2022-1012

    commit 9e9b70ae923baf2b5e8a0ea4fd0c8451801ac526

    Author: Willy Tarreau <w@1wt.eu>

    Date:   Mon May 2 10:46:09 2022 +0200

        tcp: use different parts of the port_offset for index and offset

        Amit Klein suggests that we use different parts of port_offset for the

        table's index and the port offset so that there is no direct relation

        between them.

        Cc: Jason A. Donenfeld <Jason@zx2c4.com>

        Cc: Moshe Kol <moshe.kol@mail.huji.ac.il>

        Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il>

        Cc: Amit Klein <aksecurity@gmail.com>

        Reviewed-by: Eric Dumazet <edumazet@google.com>

        Signed-off-by: Willy Tarreau <w@1wt.eu>

        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Guillaume Nault <gnault@redhat.com>

    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>

commit a35aa2ee80eba52053d4857f03aaec487e124938

Author: Guillaume Nault <gnault@redhat.com>

Date:   Tue May 10 21:30:49 2022 +0200

    tcp: resalt the secret every 10 seconds

    Bugzilla: https://bugzilla.redhat.com/2087128

    CVE: CVE-2022-1012

    Y-Commit: 76a5e5ab10aa3a222b10ea44aae87b61de99de76

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2064868

    Upstream Status: linux.git

    O-CVE: CVE-2022-1012

    Conflicts:

      (context) Missing upstream commit 49ecc2e9c3ab ("net: align static

      siphash keys"):

        RHEL 9 still declares net_secret and ts_secret as siphash_key_t,

        while upstream uses the new siphash_aligned_key_t.

    commit 4dfa9b438ee34caca4e6a4e5e961641807367f6f

    Author: Eric Dumazet <edumazet@google.com>

    Date:   Mon May 2 10:46:10 2022 +0200

        tcp: resalt the secret every 10 seconds

        In order to limit the ability for an observer to recognize the source

        ports sequence used to contact a set of destinations, we should

        periodically shuffle the secret. 10 seconds looks effective enough

        without causing particular issues.

        Cc: Moshe Kol <moshe.kol@mail.huji.ac.il>

        Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il>

        Cc: Amit Klein <aksecurity@gmail.com>

        Cc: Jason A. Donenfeld <Jason@zx2c4.com>

        Tested-by: Willy Tarreau <w@1wt.eu>

        Signed-off-by: Eric Dumazet <edumazet@google.com>

        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Guillaume Nault <gnault@redhat.com>

    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>

commit 2e7decde85e1d99aba7cfc25489136757e5e5e4d

Author: Guillaume Nault <gnault@redhat.com>

Date:   Tue May 10 21:37:42 2022 +0200

    tcp: add small random increments to the source port

    Bugzilla: https://bugzilla.redhat.com/2087128

    CVE: CVE-2022-1012

    Y-Commit: c36cc7ecaeb895c5ec73085d925208ead5a9f285

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2064868

    Upstream Status: linux.git

    O-CVE: CVE-2022-1012

    commit ca7af0402550f9a0b3316d5f1c30904e42ed257d

    Author: Willy Tarreau <w@1wt.eu>

    Date:   Mon May 2 10:46:11 2022 +0200

        tcp: add small random increments to the source port

        Here we're randomly adding between 0 and 7 random increments to the

        selected source port in order to add some noise in the source port

        selection that will make the next port less predictable.

        With the default port range of 32768-60999 this means a worst case

        reuse scenario of 14116/8=1764 connections between two consecutive

        uses of the same port, with an average of 14116/4.5=3137. This code

        was stressed at more than 800000 connections per second to a fixed

        target with all connections closed by the client using RSTs (worst

        condition) and only 2 connections failed among 13 billion, despite

        the hash being reseeded every 10 seconds, indicating a perfectly

        safe situation.

        Cc: Moshe Kol <moshe.kol@mail.huji.ac.il>

        Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il>

        Cc: Amit Klein <aksecurity@gmail.com>

        Reviewed-by: Eric Dumazet <edumazet@google.com>

        Signed-off-by: Willy Tarreau <w@1wt.eu>

        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Guillaume Nault <gnault@redhat.com>

    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>

commit 11b7585327e4558856beea1b60c2b56a89109034

Author: Guillaume Nault <gnault@redhat.com>

Date:   Tue May 10 21:38:33 2022 +0200

    tcp: dynamically allocate the perturb table used by source ports

    Bugzilla: https://bugzilla.redhat.com/2087128

    CVE: CVE-2022-1012

    Y-Commit: 2a8821f71c0f00f5169888c9e21df0e033306ae8

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2064868

    Upstream Status: linux.git

    O-CVE: CVE-2022-1012

    commit e9261476184be1abd486c9434164b2acbe0ed6c2

    Author: Willy Tarreau <w@1wt.eu>

    Date:   Mon May 2 10:46:12 2022 +0200

        tcp: dynamically allocate the perturb table used by source ports

        We'll need to further increase the size of this table and it's likely

        that at some point its size will not be suitable anymore for a static

        table. Let's allocate it on boot from inet_hashinfo2_init(), which is

        called from tcp_init().

        Cc: Moshe Kol <moshe.kol@mail.huji.ac.il>

        Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il>

        Cc: Amit Klein <aksecurity@gmail.com>

        Reviewed-by: Eric Dumazet <edumazet@google.com>

        Signed-off-by: Willy Tarreau <w@1wt.eu>

        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Guillaume Nault <gnault@redhat.com>

    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>

commit ffec79df2cf078ae8efda94fa1644a2f3d249629

Author: Guillaume Nault <gnault@redhat.com>

Date:   Tue May 10 21:39:49 2022 +0200

    tcp: increase source port perturb table to 2^16

    Bugzilla: https://bugzilla.redhat.com/2087128

    CVE: CVE-2022-1012

    Y-Commit: cb2b7f66f852709725a5fc3798b8cf60eee4cfcd

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2064868

    Upstream Status: linux.git

    O-CVE: CVE-2022-1012

    commit 4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5

    Author: Willy Tarreau <w@1wt.eu>

    Date:   Mon May 2 10:46:13 2022 +0200

        tcp: increase source port perturb table to 2^16

        Moshe Kol, Amit Klein, and Yossi Gilad reported being able to accurately

        identify a client by forcing it to emit only 40 times more connections

        than there are entries in the table_perturb[] table. The previous two

        improvements consisting in resalting the secret every 10s and adding

        randomness to each port selection only slightly improved the situation,

        and the current value of 2^8 was too small as it's not very difficult

        to make a client emit 10k connections in less than 10 seconds.

        Thus we're increasing the perturb table from 2^8 to 2^16 so that the

        same precision now requires 2.6M connections, which is more difficult in

        this time frame and harder to hide as a background activity. The impact

        is that the table now uses 256 kB instead of 1 kB, which could mostly

        affect devices making frequent outgoing connections. However such

        components usually target a small set of destinations (load balancers,

        database clients, perf assessment tools), and in practice only a few

        entries will be visited, like before.

        A live test at 1 million connections per second showed no performance

        difference from the previous value.

        Reported-by: Moshe Kol <moshe.kol@mail.huji.ac.il>

        Reported-by: Yossi Gilad <yossi.gilad@mail.huji.ac.il>

        Reported-by: Amit Klein <aksecurity@gmail.com>

        Reviewed-by: Eric Dumazet <edumazet@google.com>

        Signed-off-by: Willy Tarreau <w@1wt.eu>

        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Guillaume Nault <gnault@redhat.com>

    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>

commit 8b63da5c1514e473907b074eae7ce5acc0ea739e

Author: Guillaume Nault <gnault@redhat.com>

Date:   Tue May 10 21:40:34 2022 +0200

    tcp: drop the hash_32() part from the index calculation

    Bugzilla: https://bugzilla.redhat.com/2087128

    CVE: CVE-2022-1012

    Y-Commit: f8b7b8321dd6b55062382fc343422f3926ffa04c

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2064868

    Upstream Status: linux.git

    O-CVE: CVE-2022-1012

    commit e8161345ddbb66e449abde10d2fdce93f867eba9

    Author: Willy Tarreau <w@1wt.eu>

    Date:   Mon May 2 10:46:14 2022 +0200

        tcp: drop the hash_32() part from the index calculation

        In commit 190cc82489f4 ("tcp: change source port randomizarion at

        connect() time"), the table_perturb[] array was introduced and an

        index was taken from the port_offset via hash_32(). But it turns

        out that hash_32() performs a multiplication while the input here

        comes from the output of SipHash in secure_seq, that is well

        distributed enough to avoid the need for yet another hash.

        Suggested-by: Amit Klein <aksecurity@gmail.com>

        Reviewed-by: Eric Dumazet <edumazet@google.com>

        Signed-off-by: Willy Tarreau <w@1wt.eu>

        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Guillaume Nault <gnault@redhat.com>

    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>

---

 net/core/secure_seq.c       |  30 +++++++

 net/ipv4/inet_hashtables.c  | 175 ++++++++++++++++++++++++++++++++++--

 net/ipv6/inet6_hashtables.c |  20 +++--

 3 files changed, 211 insertions(+), 14 deletions(-)

diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c

index b5bc680d4755..f18f8176d69e 100644

--- a/net/core/secure_seq.c

+++ b/net/core/secure_seq.c

@@ -22,6 +22,8 @@

 static siphash_key_t net_secret __read_mostly;

 static siphash_key_t ts_secret __read_mostly;

+#define EPHEMERAL_PORT_SHUFFLE_PERIOD (10 * HZ)

+

 static __always_inline void net_secret_init(void)

 {

 	net_get_random_once(&net_secret, sizeof(net_secret));

@@ -111,6 +113,25 @@ u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,

 		       &net_secret);

 }

 EXPORT_SYMBOL(secure_ipv6_port_ephemeral);

+

+u64 klp_secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,

+				   __be16 dport)

+{

+	const struct {

+		struct in6_addr saddr;

+		struct in6_addr daddr;

+		unsigned int timeseed;

+		__be16 dport;

+	} __aligned(SIPHASH_ALIGNMENT) combined = {

+		.saddr = *(struct in6_addr *)saddr,

+		.daddr = *(struct in6_addr *)daddr,

+		.timeseed = jiffies / EPHEMERAL_PORT_SHUFFLE_PERIOD,

+		.dport = dport,

+	};

+	net_secret_init();

+	return siphash(&combined, offsetofend(typeof(combined), dport),

+		       &net_secret);

+}

 #endif

 #ifdef CONFIG_INET

@@ -149,6 +170,15 @@ u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)

 			    (__force u16)dport, &net_secret);

 }

 EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);

+

+u64 klp_secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)

+{

+	net_secret_init();

+	return siphash_4u32((__force u32)saddr, (__force u32)daddr,

+			    (__force u16)dport,

+			    jiffies / EPHEMERAL_PORT_SHUFFLE_PERIOD,

+			    &net_secret);

+}

 #endif

 #if IS_ENABLED(CONFIG_IP_DCCP)

diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c

index bfb522e51346..7f982eb04e3f 100644

--- a/net/ipv4/inet_hashtables.c

+++ b/net/ipv4/inet_hashtables.c

@@ -504,13 +504,14 @@ static int __inet_check_established(struct inet_timewait_death_row *death_row,

 	return -EADDRNOTAVAIL;

 }

-static u32 inet_sk_port_offset(const struct sock *sk)

+u64 klp_secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);

+static u64 inet_sk_port_offset(const struct sock *sk)

 {

 	const struct inet_sock *inet = inet_sk(sk);

-	return secure_ipv4_port_ephemeral(inet->inet_rcv_saddr,

-					  inet->inet_daddr,

-					  inet->inet_dport);

+	return klp_secure_ipv4_port_ephemeral(inet->inet_rcv_saddr,

+					      inet->inet_daddr,

+					      inet->inet_dport);

 }

 /* Searches for an exsiting socket in the ehash bucket list.

@@ -842,18 +843,178 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,

 	return 0;

 }

+#include "kpatch-macros.h"

+#define KLP_CVE_2022_1012_TABLE_PERTURB 0x2022101200000001

+

+#define KLP_INET_TABLE_PERTURB_SHIFT 16

+#define KLP_INET_TABLE_PERTURB_SIZE (1 << KLP_INET_TABLE_PERTURB_SHIFT)

+static u32 *klp_table_perturb;

+

+static int klp_table_perturb_ctor(void *obj, void *shadow_data, void *ctor_data)

+{

+	u32 *klp_tp = shadow_data;

+	if (!net_get_random_once(klp_tp, KLP_INET_TABLE_PERTURB_SIZE * sizeof(*klp_tp))) {

+		pr_err("kpatch assertion: net_get_random_once() on klp_table_perturb");

+		return -1;

+	}

+

+	return 0;

+}

+

+static int klp_cve_2022_1012_pre_patch_callback(struct klp_object *obj)

+{

+	/* this one is used for source ports of outgoing connections */

+	klp_table_perturb = klp_shadow_get_or_alloc(0, KLP_CVE_2022_1012_TABLE_PERTURB,

+						    KLP_INET_TABLE_PERTURB_SIZE * sizeof(*klp_table_perturb),

+						    GFP_KERNEL, klp_table_perturb_ctor, NULL);

+	if (!klp_table_perturb) {

+		pr_err("TCP: failed to alloc / find klp_table_perturb");

+		return -ENOMEM;

+	}

+

+	return 0;

+}

+KPATCH_PRE_PATCH_CALLBACK(klp_cve_2022_1012_pre_patch_callback);

+

+int klp__inet_hash_connect(struct inet_timewait_death_row *death_row,

+			   struct sock *sk, u64 port_offset,

+			   int (*check_established)(struct inet_timewait_death_row *,

+				   struct sock *, __u16, struct inet_timewait_sock **))

+{

+	struct inet_hashinfo *hinfo = death_row->hashinfo;

+	struct inet_timewait_sock *tw = NULL;

+	struct inet_bind_hashbucket *head;

+	int port = inet_sk(sk)->inet_num;

+	struct net *net = sock_net(sk);

+	struct inet_bind_bucket *tb;

+	u32 remaining, offset;

+	int ret, i, low, high;

+	int l3mdev;

+	u32 index;

+

+	if (port) {

+		head = &hinfo->bhash[inet_bhashfn(net, port,

+						  hinfo->bhash_size)];

+		tb = inet_csk(sk)->icsk_bind_hash;

+		spin_lock_bh(&head->lock);

+		if (sk_head(&tb->owners) == sk && !sk->sk_bind_node.next) {

+			inet_ehash_nolisten(sk, NULL, NULL);

+			spin_unlock_bh(&head->lock);

+			return 0;

+		}

+		spin_unlock(&head->lock);

+		/* No definite answer... Walk to established hash table */

+		ret = check_established(death_row, sk, port, NULL);

+		local_bh_enable();

+		return ret;

+	}

+

+	l3mdev = inet_sk_bound_l3mdev(sk);

+

+	inet_get_local_port_range(net, &low, &high);

+	high++; /* [32768, 60999] -> [32768, 61000[ */

+	remaining = high - low;

+	if (likely(remaining > 1))

+		remaining &= ~1U;

+

+	/*

+	 * kpatch: klp_table_perturb_ctor() responsible for calling

+	 * net_get_random_once() for klp_table_perturb

+	 */

+	index = port_offset & (KLP_INET_TABLE_PERTURB_SIZE - 1);

+

+	offset = READ_ONCE(klp_table_perturb[index]) + (port_offset >> 32);

+	offset %= remaining;

+

+	/* In first pass we try ports of @low parity.

+	 * inet_csk_get_port() does the opposite choice.

+	 */

+	offset &= ~1U;

+other_parity_scan:

+	port = low + offset;

+	for (i = 0; i < remaining; i += 2, port += 2) {

+		if (unlikely(port >= high))

+			port -= remaining;

+		if (inet_is_local_reserved_port(net, port))

+			continue;

+		head = &hinfo->bhash[inet_bhashfn(net, port,

+						  hinfo->bhash_size)];

+		spin_lock_bh(&head->lock);

+

+		/* Does not bother with rcv_saddr checks, because

+		 * the established check is already unique enough.

+		 */

+		inet_bind_bucket_for_each(tb, &head->chain) {

+			if (net_eq(ib_net(tb), net) && tb->l3mdev == l3mdev &&

+			    tb->port == port) {

+				if (tb->fastreuse >= 0 ||

+				    tb->fastreuseport >= 0)

+					goto next_port;

+				WARN_ON(hlist_empty(&tb->owners));

+				if (!check_established(death_row, sk,

+						       port, &tw))

+					goto ok;

+				goto next_port;

+			}

+		}

+

+		tb = inet_bind_bucket_create(hinfo->bind_bucket_cachep,

+					     net, head, port, l3mdev);

+		if (!tb) {

+			spin_unlock_bh(&head->lock);

+			return -ENOMEM;

+		}

+		tb->fastreuse = -1;

+		tb->fastreuseport = -1;

+		goto ok;

+next_port:

+		spin_unlock_bh(&head->lock);

+		cond_resched();

+	}

+

+	offset++;

+	if ((offset & 1) && remaining > 1)

+		goto other_parity_scan;

+

+	return -EADDRNOTAVAIL;

+

+ok:

+	/* Here we want to add a little bit of randomness to the next source

+	 * port that will be chosen. We use a max() with a random here so that

+	 * on low contention the randomness is maximal and on high contention

+	 * it may be inexistent.

+	 */

+	i = max_t(int, i, (prandom_u32() & 7) * 2);

+	WRITE_ONCE(klp_table_perturb[index], READ_ONCE(klp_table_perturb[index]) + i + 2);

+

+	/* Head lock still held and bh's disabled */

+	inet_bind_hash(sk, tb, port);

+	if (sk_unhashed(sk)) {

+		inet_sk(sk)->inet_sport = htons(port);

+		inet_ehash_nolisten(sk, (struct sock *)tw, NULL);

+	}

+	if (tw)

+		inet_twsk_bind_unhash(tw, hinfo);

+	spin_unlock(&head->lock);

+	if (tw)

+		inet_twsk_deschedule_put(tw);

+	local_bh_enable();

+	return 0;

+}

+

 /*

  * Bind a port for a connect operation and hash it.

  */

+__attribute__((optimize("-fno-optimize-sibling-calls")))

 int inet_hash_connect(struct inet_timewait_death_row *death_row,

 		      struct sock *sk)

 {

-	u32 port_offset = 0;

+	u64 port_offset = 0;

 	if (!inet_sk(sk)->inet_num)

 		port_offset = inet_sk_port_offset(sk);

-	return __inet_hash_connect(death_row, sk, port_offset,

-				   __inet_check_established);

+	return klp__inet_hash_connect(death_row, sk, port_offset,

+				      __inet_check_established);

 }

 EXPORT_SYMBOL_GPL(inet_hash_connect);

diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c

index 67c9114835c8..fe0c5e5935e7 100644

--- a/net/ipv6/inet6_hashtables.c

+++ b/net/ipv6/inet6_hashtables.c

@@ -308,24 +308,30 @@ static int __inet6_check_established(struct inet_timewait_death_row *death_row,

 	return -EADDRNOTAVAIL;

 }

-static u32 inet6_sk_port_offset(const struct sock *sk)

+u64 klp_secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,

+				   __be16 dport);

+static u64 inet6_sk_port_offset(const struct sock *sk)

 {

 	const struct inet_sock *inet = inet_sk(sk);

-	return secure_ipv6_port_ephemeral(sk->sk_v6_rcv_saddr.s6_addr32,

-					  sk->sk_v6_daddr.s6_addr32,

-					  inet->inet_dport);

+	return klp_secure_ipv6_port_ephemeral(sk->sk_v6_rcv_saddr.s6_addr32,

+					      sk->sk_v6_daddr.s6_addr32,

+					      inet->inet_dport);

 }

+int klp__inet_hash_connect(struct inet_timewait_death_row *death_row,

+			   struct sock *sk, u64 port_offset,

+			   int (*check_established)(struct inet_timewait_death_row *,

+				   struct sock *, __u16, struct inet_timewait_sock **));

 int inet6_hash_connect(struct inet_timewait_death_row *death_row,

 		       struct sock *sk)

 {

-	u32 port_offset = 0;

+	u64 port_offset = 0;

 	if (!inet_sk(sk)->inet_num)

 		port_offset = inet6_sk_port_offset(sk);

-	return __inet_hash_connect(death_row, sk, port_offset,

-				   __inet6_check_established);

+	return klp__inet_hash_connect(death_row, sk, port_offset,

+				      __inet6_check_established);

 }

 EXPORT_SYMBOL_GPL(inet6_hash_connect);

-- 

2.26.3