[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Saturday, May 9, 2020 @ 19:59:26 Author: heftig Revision: 382975 5.6.11.a-3: more GCC 10 fixes Added: linux-hardened/trunk/0003-Makefile-disallow-data-races-on-gcc-10-as-well.patch linux-hardened/trunk/0004-x86-Fix-early-boot-crash-on-gcc-10-next-try.patch Modified: linux-hardened/trunk/0001-gcc-plugins-drop-support-for-GCC-4.7.patch linux-hardened/trunk/0002-gcc-common.h-Update-for-GCC-10.patch linux-hardened/trunk/PKGBUILD ---+ 0001-gcc-plugins-drop-support-for-GCC-4.7.patch |2 0002-gcc-common.h-Update-for-GCC-10.patch |2 0003-Makefile-disallow-data-races-on-gcc-10-as-well.patch | 32 ++ 0004-x86-Fix-early-boot-crash-on-gcc-10-next-try.patch| 131 PKGBUILD | 10 5 files changed, 172 insertions(+), 5 deletions(-) Modified: 0001-gcc-plugins-drop-support-for-GCC-4.7.patch === --- 0001-gcc-plugins-drop-support-for-GCC-4.7.patch 2020-05-09 19:59:23 UTC (rev 382974) +++ 0001-gcc-plugins-drop-support-for-GCC-4.7.patch 2020-05-09 19:59:26 UTC (rev 382975) @@ -1,7 +1,7 @@ From dba68a9d4df76d49d32245e4236713a43fb321da Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Sun, 29 Mar 2020 20:08:32 +0900 -Subject: [PATCH 1/2] gcc-plugins: drop support for GCC <= 4.7 +Subject: [PATCH 1/4] gcc-plugins: drop support for GCC <= 4.7 Nobody was opposed to raising minimum GCC version to 4.8 [1] So, we will drop GCC <= 4.7 support sooner or later. Modified: 0002-gcc-common.h-Update-for-GCC-10.patch === --- 0002-gcc-common.h-Update-for-GCC-10.patch 2020-05-09 19:59:23 UTC (rev 382974) +++ 0002-gcc-common.h-Update-for-GCC-10.patch 2020-05-09 19:59:26 UTC (rev 382975) @@ -2,7 +2,7 @@ From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Tue, 7 Apr 2020 13:32:59 +0200 -Subject: [PATCH 2/2] gcc-common.h: Update for GCC 10 +Subject: [PATCH 2/4] gcc-common.h: Update for GCC 10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added: 0003-Makefile-disallow-data-races-on-gcc-10-as-well.patch === --- 0003-Makefile-disallow-data-races-on-gcc-10-as-well.patch (rev 0) +++ 0003-Makefile-disallow-data-races-on-gcc-10-as-well.patch 2020-05-09 19:59:26 UTC (rev 382975) @@ -0,0 +1,32 @@ +From af805f5f1d2e61dd2cf907d9635f0abc66fe1197 Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich +Date: Tue, 17 Mar 2020 00:07:18 + +Subject: [PATCH 3/4] Makefile: disallow data races on gcc-10 as well + +gcc-10 will rename --param=allow-store-data-races=0 +to -fno-allow-store-data-races. + +The flag change happened at https://gcc.gnu.org/PR92046. + +Signed-off-by: Sergei Trofimovich +Acked-by: Jiri Kosina +Signed-off-by: Masahiro Yamada +--- + Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Makefile b/Makefile +index 5dedd6f9ad75..6899bfc9dc7b 100644 +--- a/Makefile b/Makefile +@@ -714,6 +714,7 @@ endif + + # Tell gcc to never replace conditional load with a non-conditional one + KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0) ++KBUILD_CFLAGS += $(call cc-option,-fno-allow-store-data-races) + + include scripts/Makefile.kcov + include scripts/Makefile.gcc-plugins +-- +2.26.2 + Added: 0004-x86-Fix-early-boot-crash-on-gcc-10-next-try.patch === --- 0004-x86-Fix-early-boot-crash-on-gcc-10-next-try.patch (rev 0) +++ 0004-x86-Fix-early-boot-crash-on-gcc-10-next-try.patch 2020-05-09 19:59:26 UTC (rev 382975) @@ -0,0 +1,131 @@ +From 309b6eca2e2605accf7a3b02b47b5c2732dbe543 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Wed, 22 Apr 2020 18:11:30 +0200 +Subject: [PATCH 4/4] x86: Fix early boot crash on gcc-10, next try +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... or the odyssey of trying to disable the stack protector for the +function which generates the stack canary value. + +The whole story started with Sergei reporting a boot crash with a kernel +built with gcc-10: + + Kernel panic — not syncing: stack-protector: Kernel stack is corrupted in: start_secondary + CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5—00235—gfffb08b37df9 #139 + Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M—D3H, BIOS F12 11/14/2013 + Call Trace: +dump_stack +panic +? start_secondary +__stack_chk_fail +start_secondary +secondary_startup_64 + -—-[ end Kernel panic — not syncing: stack—protector: Kernel stack is corrupted in: start_secondary + +This happens because gcc-10 tail-call optimizes the last function call +in start_sec
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Tuesday, October 29, 2019 @ 15:13:18
Author: heftig
Revision: 365999
5.3.7.b-3: Changes for new kmod and mkinitcpio hooks
Modified:
linux-hardened/trunk/PKGBUILD
Deleted:
linux-hardened/trunk/60-linux.hook
linux-hardened/trunk/90-linux.hook
linux-hardened/trunk/linux.install
linux-hardened/trunk/linux.preset
---+
60-linux.hook | 11 --
90-linux.hook | 11 --
PKGBUILD | 61 +++-
linux.install | 12 ---
linux.preset | 14
5 files changed, 13 insertions(+), 96 deletions(-)
Deleted: 60-linux.hook
===
--- 60-linux.hook 2019-10-29 15:13:11 UTC (rev 365998)
+++ 60-linux.hook 2019-10-29 15:13:18 UTC (rev 365999)
@@ -1,11 +0,0 @@
-[Trigger]
-Type = File
-Operation = Install
-Operation = Upgrade
-Operation = Remove
-Target = usr/lib/modules/%KERNVER%/*
-
-[Action]
-Description = Updating %PKGBASE% module dependencies...
-When = PostTransaction
-Exec = /usr/bin/depmod %KERNVER%
Deleted: 90-linux.hook
===
--- 90-linux.hook 2019-10-29 15:13:11 UTC (rev 365998)
+++ 90-linux.hook 2019-10-29 15:13:18 UTC (rev 365999)
@@ -1,11 +0,0 @@
-[Trigger]
-Type = File
-Operation = Install
-Operation = Upgrade
-Target = usr/lib/modules/%KERNVER%/vmlinuz
-Target = usr/lib/initcpio/*
-
-[Action]
-Description = Updating %PKGBASE% initcpios...
-When = PostTransaction
-Exec = /usr/bin/mkinitcpio -p %PKGBASE%
Modified: PKGBUILD
===
--- PKGBUILD2019-10-29 15:13:11 UTC (rev 365998)
+++ PKGBUILD2019-10-29 15:13:18 UTC (rev 365999)
@@ -1,30 +1,21 @@
# Maintainer: Levente Polyak
-# Contributor: Daniel Micay
-# Contributor: Tobias Powalowski
-# Contributor: Thomas Baechler
pkgbase=linux-hardened
-_pkgver=5.3.7
-_hardenedver=b
-pkgver=${_pkgver}.${_hardenedver}
-pkgrel=2
+pkgver=5.3.7.b
+pkgrel=3
url='https://github.com/anthraxx/linux-hardened'
-arch=('x86_64')
-license=('GPL2')
+arch=(x86_64)
+license=(GPL2)
makedepends=(
- xmlto kmod inetutils bc libelf python-sphinx python-sphinx_rtd_theme
- graphviz imagemagick
+ xmlto kmod inetutils bc libelf
+ python-sphinx python-sphinx_rtd_theme graphviz imagemagick
)
-replaces=('linux-grsec')
options=('!strip')
-_srcname=linux-${_pkgver}
+_srcname=linux-${pkgver%.*}
source=(
-
https://www.kernel.org/pub/linux/kernel/v${_pkgver%%.*}.x/${_srcname}.tar.{xz,sign}
+
https://www.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/${_srcname}.tar.{xz,sign}
https://github.com/anthraxx/${pkgbase}/releases/download/${pkgver}/${pkgbase}-${pkgver}.patch{,.sig}
config # the main kernel config file
- 60-linux.hook # pacman hook for depmod
- 90-linux.hook # pacman hook for initramfs regeneration
- linux.preset # standard config files for mkinitcpio ramdisk
)
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -32,18 +23,13 @@
'65EEFE022108E2B708CBFCF7F9E712E59AF5F22A' # Daniel Micay
'E240B57E2C4630BA768E2F26FC1B547C8D8172C8' # Levente Polyak
)
+# https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
sha256sums=('c6c9714e21531c825c306b107bc6f6c7bfa2d5270a14bad170f8de5a73d34802'
'SKIP'
'0dd90897d1857bf7b3f373c86174056a447774930c419fbc27db599da30dd51e'
'SKIP'
-'514512ab1ffbb69367e20787b4ae7cc3a4df903aa6e8eb0a2c7e6ed4356c43c4'
-'452b8d4d71e1565ca91b1bebb280693549222ef51c47ba8964e411b2d461699c'
-'c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636'
-'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65')
+'514512ab1ffbb69367e20787b4ae7cc3a4df903aa6e8eb0a2c7e6ed4356c43c4')
-_kernelname=${pkgbase#linux}
-: ${_kernelname:=-ARCH}
-
export KBUILD_BUILD_HOST=archlinux
export KBUILD_BUILD_USER=$pkgbase
export KBUILD_BUILD_TIMESTAMP="@${SOURCE_DATE_EPOCH:-$(date +%s)}"
@@ -52,10 +38,10 @@
cd $_srcname
msg2 "Setting version..."
- sed -e "/^EXTRAVERSION =/s/=.*/= .${_hardenedver}/" -i Makefile
+ sed -e "/^EXTRAVERSION =/s/=.*/= .${pkgver##*.}/" -i Makefile
scripts/setlocalversion --save-scmversion
echo "-$pkgrel" > localversion.10-pkgrel
- echo "$_kernelname" > localversion.20-pkgname
+ echo "${pkgbase#linux}" > localversion.20-pkgname
local src
for src in "${source[@]}"; do
@@ -85,8 +71,7 @@
optdepends=('crda: to set the correct wireless channels of your country'
'linux-firmware: firmware images needed for some devices'
'usbctl: deny_new_usb control')
- backup=("etc/mkinitcpio.d/$pkgbase.preset")
- install=linux.install
+ replaces=('linux-grsec')
cd $_srcname
local kernver="$(https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
install -Dm644 "$(make -s image_
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Saturday, October 19, 2019 @ 11:48:26 Author: anthraxx Revision: 365213 match vanilla hooks and rename config Added: linux-hardened/trunk/config Modified: linux-hardened/trunk/60-linux.hook linux-hardened/trunk/PKGBUILD linux-hardened/trunk/linux.install Deleted: linux-hardened/trunk/config.x86_64 ---+ 60-linux.hook |1 PKGBUILD |8 config|10515 config.x86_64 |10515 linux.install |1 5 files changed, 10519 insertions(+), 10521 deletions(-) The diff is longer than the limit of 200KB. Use svn diff -r 365212:365213 to see the changes.
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Thursday, September 6, 2018 @ 06:33:32
Author: anthraxx
Revision: 333580
upgpkg: linux-hardened 4.18.6.a-1
Added:
linux-hardened/trunk/HID-core-fix-grouping-by-application.patch
linux-hardened/trunk/drm-i915-Increase-LSPCON-timeout.patch
Modified:
linux-hardened/trunk/PKGBUILD
linux-hardened/trunk/config.x86_64
Deleted:
linux-hardened/trunk/increase-timeout-in-lspcon_wait_mode.patch
+
HID-core-fix-grouping-by-application.patch | 78 +++
PKGBUILD | 14 ++--
config.x86_64 | 14 ++--
drm-i915-Increase-LSPCON-timeout.patch | 54 ++
increase-timeout-in-lspcon_wait_mode.patch | 23 ---
5 files changed, 147 insertions(+), 36 deletions(-)
Added: HID-core-fix-grouping-by-application.patch
===
--- HID-core-fix-grouping-by-application.patch (rev 0)
+++ HID-core-fix-grouping-by-application.patch 2018-09-06 06:33:32 UTC (rev
333580)
@@ -0,0 +1,78 @@
+From 20acb01da9443e3ca814bb5d17f01b3fea754010 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires
+Date: Tue, 4 Sep 2018 15:31:14 +0200
+Subject: [PATCH] HID: core: fix grouping by application
+
+commit f07b3c1da92d ("HID: generic: create one input report per
+application type") was effectively the same as MULTI_INPUT:
+hidinput->report was never set, so hidinput_match_application()
+always returned null.
+
+Fix that by testing against the real application.
+
+Note that this breaks some old eGalax touchscreens that expect MULTI_INPUT
+instead of HID_QUIRK_INPUT_PER_APP. Enable this quirk for backward
+compatibility on all non-Win8 touchscreens.
+
+link: https://bugzilla.kernel.org/show_bug.cgi?id=200847
+link: https://bugzilla.kernel.org/show_bug.cgi?id=200849
+link: https://bugs.archlinux.org/task/59699
+link: https://github.com/NixOS/nixpkgs/issues/45165
+
+Cc: sta...@vger.kernel.org # v4.18+
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Jiri Kosina
+---
+ drivers/hid/hid-input.c | 4 ++--
+ drivers/hid/hid-multitouch.c | 3 +++
+ include/linux/hid.h | 1 +
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index ab93dd5927c3a..a137d2835f328 100644
+--- a/drivers/hid/hid-input.c
b/drivers/hid/hid-input.c
+@@ -1579,6 +1579,7 @@ static struct hid_input *hidinput_allocate(struct
hid_device *hid,
+ input_dev->dev.parent = &hid->dev;
+
+ hidinput->input = input_dev;
++ hidinput->application = application;
+ list_add_tail(&hidinput->list, &hid->inputs);
+
+ INIT_LIST_HEAD(&hidinput->reports);
+@@ -1674,8 +1675,7 @@ static struct hid_input
*hidinput_match_application(struct hid_report *report)
+ struct hid_input *hidinput;
+
+ list_for_each_entry(hidinput, &hid->inputs, list) {
+- if (hidinput->report &&
+- hidinput->report->application == report->application)
++ if (hidinput->application == report->application)
+ return hidinput;
+ }
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index 45968f7970f87..1a987345692a6 100644
+--- a/drivers/hid/hid-multitouch.c
b/drivers/hid/hid-multitouch.c
+@@ -1476,6 +1476,9 @@ static int mt_probe(struct hid_device *hdev, const
struct hid_device_id *id)
+*/
+ hdev->quirks |= HID_QUIRK_INPUT_PER_APP;
+
++ if (id->group != HID_GROUP_MULTITOUCH_WIN_8)
++ hdev->quirks |= HID_QUIRK_MULTI_INPUT;
++
+ timer_setup(&td->release_timer, mt_expired_timeout, 0);
+
+ ret = hid_parse(hdev);
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index 773bcb1d4044e..5482dd6ae9efd 100644
+--- a/include/linux/hid.h
b/include/linux/hid.h
+@@ -520,6 +520,7 @@ struct hid_input {
+ const char *name;
+ bool registered;
+ struct list_head reports; /* the list of reports */
++ unsigned int application; /* application usage for this input */
+ };
+
+ enum hid_type {
Modified: PKGBUILD
===
--- PKGBUILD2018-09-05 21:24:06 UTC (rev 333579)
+++ PKGBUILD2018-09-06 06:33:32 UTC (rev 333580)
@@ -4,7 +4,7 @@
# Contributor: Thomas Baechler
pkgbase=linux-hardened
-_pkgver=4.18.5
+_pkgver=4.18.6
_hardenedver=a
_srcname=linux-${_pkgver}
pkgver=${_pkgver}.${_hardenedver}
@@ -22,18 +22,20 @@
90-linux.hook # pacman hook for initramfs regeneration
linux.preset # standard config files for mkinitcpio ramdisk
-increase-timeout-in-lspcon_wait_mode.patch
+drm-i915-Increase-LSPCON-timeout.patch
+HID-core-fix-grouping-by-application.patch
)
replaces=('linux-grsec')
-sha256sums=('fb090a3680eddf6f10bf895bc3075bd3f830e3d2429ce469982db5a28df647bd'
+sha256sums=('05db
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Tuesday, May 29, 2018 @ 23:14:50
Author: anthraxx
Revision: 325134
upgpkg: linux-hardened 4.16.12.a-1
Added:
linux-hardened/trunk/ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch
linux-hardened/trunk/Revert-drm-i915-edp-Allow-alternate-fixed-mode-for-e.patch
Modified:
linux-hardened/trunk/PKGBUILD
Deleted:
linux-hardened/trunk/drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch
linux-hardened/trunk/partially-revert-swiotlb-remove-various-exports.patch
---+
ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch | 117
PKGBUILD | 15
Revert-drm-i915-edp-Allow-alternate-fixed-mode-for-e.patch| 242
++
drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch | 39 -
partially-revert-swiotlb-remove-various-exports.patch | 26 -
5 files changed, 367 insertions(+), 72 deletions(-)
Added: ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch
===
--- ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch
(rev 0)
+++ ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch2018-05-29
23:14:50 UTC (rev 325134)
@@ -0,0 +1,117 @@
+From a0a37862a4e1844793d39aca9ccb8fecbdcb8659 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg
+Date: Mon, 23 Apr 2018 14:16:03 +0300
+Subject: [PATCH] ACPI / watchdog: Prefer iTCO_wdt on Lenovo Z50-70
+
+WDAT table on Lenovo Z50-70 is using RTC SRAM (ports 0x70 and 0x71) to
+store state of the timer. This conflicts with Linux RTC driver
+(rtc-cmos.c) who fails to reserve those ports for itself preventing RTC
+from functioning. In addition the WDAT table seems not to be fully
+functional because it does not reset the system when the watchdog times
+out.
+
+On this system iTCO_wdt works just fine so we simply prefer to use it
+instead of WDAT. This makes RTC working again and also results working
+watchdog via iTCO_wdt.
+
+Reported-by: Peter Milley
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199033
+Signed-off-by: Mika Westerberg
+Signed-off-by: Rafael J. Wysocki
+---
+ drivers/acpi/acpi_watchdog.c | 59 ++--
+ 1 file changed, 49 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/acpi/acpi_watchdog.c b/drivers/acpi/acpi_watchdog.c
+index ebb626ffb5fa..4bde16fb97d8 100644
+--- a/drivers/acpi/acpi_watchdog.c
b/drivers/acpi/acpi_watchdog.c
+@@ -12,23 +12,64 @@
+ #define pr_fmt(fmt) "ACPI: watchdog: " fmt
+
+ #include
++#include
+ #include
+ #include
+
+ #include "internal.h"
+
++static const struct dmi_system_id acpi_watchdog_skip[] = {
++ {
++ /*
++ * On Lenovo Z50-70 there are two issues with the WDAT
++ * table. First some of the instructions use RTC SRAM
++ * to store persistent information. This does not work well
++ * with Linux RTC driver. Second, more important thing is
++ * that the instructions do not actually reset the system.
++ *
++ * On this particular system iTCO_wdt seems to work just
++ * fine so we prefer that over WDAT for now.
++ *
++ * See also https://bugzilla.kernel.org/show_bug.cgi?id=199033.
++ */
++ .ident = "Lenovo Z50-70",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "20354"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Z50-70"),
++ },
++ },
++ {}
++};
++
++static const struct acpi_table_wdat *acpi_watchdog_get_wdat(void)
++{
++ const struct acpi_table_wdat *wdat = NULL;
++ acpi_status status;
++
++ if (acpi_disabled)
++ return NULL;
++
++ if (dmi_check_system(acpi_watchdog_skip))
++ return NULL;
++
++ status = acpi_get_table(ACPI_SIG_WDAT, 0,
++ (struct acpi_table_header **)&wdat);
++ if (ACPI_FAILURE(status)) {
++ /* It is fine if there is no WDAT */
++ return NULL;
++ }
++
++ return wdat;
++}
++
+ /**
+ * Returns true if this system should prefer ACPI based watchdog instead of
+ * the native one (which are typically the same hardware).
+ */
+ bool acpi_has_watchdog(void)
+ {
+- struct acpi_table_header hdr;
+-
+- if (acpi_disabled)
+- return false;
+-
+- return ACPI_SUCCESS(acpi_get_table_header(ACPI_SIG_WDAT, 0, &hdr));
++ return !!acpi_watchdog_get_wdat();
+ }
+ EXPORT_SYMBOL_GPL(acpi_has_watchdog);
+
+@@ -41,12 +82,10 @@ void __init acpi_watchdog_init(void)
+ struct platform_device *pdev;
+ struct resource *resources;
+ size_t nresources = 0;
+- acpi_status stat
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Thursday, April 26, 2018 @ 20:38:08
Author: anthraxx
Revision: 323061
upgpkg: linux-hardened 4.16.5.a-1
Added:
linux-hardened/trunk/fix-vboxguest-on-guests-with-more-than-4G-RAM.patch
linux-hardened/trunk/net-aquantia-Regression-on-reset-with-1.x-firmware.patch
linux-hardened/trunk/partially-revert-swiotlb-remove-various-exports.patch
Modified:
linux-hardened/trunk/PKGBUILD
linux-hardened/trunk/config.x86_64
--+
PKGBUILD | 28
config.x86_64| 342 +---
fix-vboxguest-on-guests-with-more-than-4G-RAM.patch | 549 +
net-aquantia-Regression-on-reset-with-1.x-firmware.patch | 68 +
partially-revert-swiotlb-remove-various-exports.patch| 26
5 files changed, 871 insertions(+), 142 deletions(-)
Modified: PKGBUILD
===
--- PKGBUILD2018-04-26 19:41:19 UTC (rev 323060)
+++ PKGBUILD2018-04-26 20:38:08 UTC (rev 323061)
@@ -4,11 +4,11 @@
# Contributor: Thomas Baechler
pkgbase=linux-hardened
-_srcname=linux-4.15
-_pkgver=4.15.18
+_srcname=linux-4.16
+_pkgver=4.16.5
pkgver=${_pkgver}.a
pkgrel=1
-url='https://github.com/copperhead/linux-hardened'
+url='https://github.com/anthraxx/linux-hardened'
arch=('x86_64')
license=('GPL2')
makedepends=('xmlto' 'kmod' 'inetutils' 'bc' 'libelf')
@@ -17,7 +17,7 @@
https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.sign
https://www.kernel.org/pub/linux/kernel/v4.x/patch-${_pkgver}.xz
https://www.kernel.org/pub/linux/kernel/v4.x/patch-${_pkgver}.sign
-
https://github.com/thestinger/${pkgbase}/releases/download/${pkgver}/${pkgbase}-${pkgver}.patch{,.sig}
+
https://github.com/anthraxx/${pkgbase}/releases/download/${pkgver}/${pkgbase}-${pkgver}.patch{,.sig}
config.x86_64 # the main kernel config files
60-linux.hook # pacman hook for depmod
90-linux.hook # pacman hook for initramfs regeneration
@@ -25,23 +25,30 @@
# https://bugs.archlinux.org/task/56711
drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch
+net-aquantia-Regression-on-reset-with-1.x-firmware.patch
+fix-vboxguest-on-guests-with-more-than-4G-RAM.patch
+partially-revert-swiotlb-remove-various-exports.patch
)
replaces=('linux-grsec')
-sha256sums=('5a26478906d5005f4f809402e981518d2b8844949199f60c4b6e1f986ca2a769'
+sha256sums=('63f6dc8e3c9f3a0273d5d6f4dca38a2413ca3a5f689329d05b750e4c87bb21b9'
'SKIP'
-'beac2c2aef09ea2aa4b97512071c1364dee14c0fbf291ea85cd4ab8bfb6bc5da'
+'8c3bb050d11da6e91d3e169f76ee3ed6937e1ca64264e605ddba8108696ba011'
'SKIP'
-'72fee4dbfc40dd33f7c5e4241679e2d663043b0a2f6ecf7c9eb30dafb51555f4'
+'65482af87d9bac91d67591bde20ab56162060ea05fad910dbfcb5e5e964c8804'
'SKIP'
-'b3208d1b3c215748369909a8448c4db27738edc049c2107ec82a26375ee60eda'
+'6f296e865186eb6993e1494b595b56c8e56ec75327c982a846ca3d24686dc163'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
-'c08d12c699398ef88b764be1837b9ee11f2efd3188bd1bf4e8f85dfbeee58148')
+'c08d12c699398ef88b764be1837b9ee11f2efd3188bd1bf4e8f85dfbeee58148'
+'d7233371fe617895b600ad1939d8b818395276d07b8a7918b955c9590a5d1112'
+'b1c1cf770b2baab046d52687ec3dd83c543e3f45b4abeae2686c814673e0a1c5'
+'87a0849079db7bf1deefb687bcf43170f1b209d27af9950f98b049cdf233b447')
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
'65EEFE022108E2B708CBFCF7F9E712E59AF5F22A' # Daniel Micay
+ 'E240B57E2C4630BA768E2F26FC1B547C8D8172C8' # Levente Polyak
)
_kernelname=${pkgbase#linux}
: ${_kernelname:=-ARCH}
@@ -184,9 +191,6 @@
install -Dt "${_builddir}/drivers/md" -m644 drivers/md/*.h
install -Dt "${_builddir}/net/mac80211" -m644 net/mac80211/*.h
- # http://bugs.archlinux.org/task/9912
- install -Dt "${_builddir}/drivers/media/dvb-core" -m644
drivers/media/dvb-core/*.h
-
# http://bugs.archlinux.org/task/13146
install -Dt "${_builddir}/drivers/media/i2c" -m644
drivers/media/i2c/msp3400-driver.h
Modified: config.x86_64
===
--- config.x86_64 2018-04-26 19:41:19 UTC (rev 323060)
+++ config.x86_64 2018-04-26 20:38:08 UTC (rev 323061)
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.15.16 Kernel Configuration
+# Linux/x86 4.16.5 Kernel Configuration
#
CONFIG_64
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Thursday, January 18, 2018 @ 22:26:14
Author: anthraxx
Revision: 283998
upgpkg: linux-hardened 4.14.14.a-1
Modified:
linux-hardened/trunk/PKGBUILD
linux-hardened/trunk/config.x86_64
Deleted:
linux-hardened/trunk/CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
linux-hardened/trunk/cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
linux-hardened/trunk/e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
-+
CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch | 161
--
PKGBUILD| 18 -
cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch | 132
config.x86_64 |4
e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch | 73
5 files changed, 8 insertions(+), 380 deletions(-)
Deleted: CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
===
--- CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
2018-01-18 22:25:01 UTC (rev 283997)
+++ CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
2018-01-18 22:26:14 UTC (rev 283998)
@@ -1,161 +0,0 @@
-From e39d200fa5bf5b94a0948db0dae44c1b73b84a56 Mon Sep 17 00:00:00 2001
-From: Wanpeng Li
-Date: Thu, 14 Dec 2017 17:40:50 -0800
-Subject: [PATCH] KVM: Fix stack-out-of-bounds read in write_mmio
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reported by syzkaller:
-
- BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
- Read of size 8 at addr 8803259df7f8 by task syz-executor/32298
-
- CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE4.15.0-rc2+
#18
- Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS
02/16/2016
- Call Trace:
- dump_stack+0xab/0xe1
- print_address_description+0x6b/0x290
- kasan_report+0x28a/0x370
- write_mmio+0x11e/0x270 [kvm]
- emulator_read_write_onepage+0x311/0x600 [kvm]
- emulator_read_write+0xef/0x240 [kvm]
- emulator_fix_hypercall+0x105/0x150 [kvm]
- em_hypercall+0x2b/0x80 [kvm]
- x86_emulate_insn+0x2b1/0x1640 [kvm]
- x86_emulate_instruction+0x39a/0xb90 [kvm]
- handle_exception+0x1b4/0x4d0 [kvm_intel]
- vcpu_enter_guest+0x15a0/0x2640 [kvm]
- kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
- kvm_vcpu_ioctl+0x479/0x880 [kvm]
- do_vfs_ioctl+0x142/0x9a0
- SyS_ioctl+0x74/0x80
- entry_SYSCALL_64_fastpath+0x23/0x9a
-
-The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
-to the guest memory, however, write_mmio tracepoint always prints 8 bytes
-through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
-leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes
-it by just accessing the bytes which we operate on.
-
-Before patch:
-
-syz-executor-5567 [007] 51370.561696: kvm_mmio: mmio write len 3 gpa
0x10 val 0x110077c1010f
-
-After patch:
-
-syz-executor-13416 [002] 51302.299573: kvm_mmio: mmio write len 3 gpa
0x10 val 0xc1010f
-
-Reported-by: Dmitry Vyukov
-Reviewed-by: Darren Kenny
-Reviewed-by: Marc Zyngier
-Tested-by: Marc Zyngier
-Cc: Paolo Bonzini
-Cc: Radim Krčmář
-Cc: Marc Zyngier
-Cc: Christoffer Dall
-Signed-off-by: Wanpeng Li
-Signed-off-by: Paolo Bonzini
- arch/x86/kvm/x86.c | 8
- include/trace/events/kvm.h | 7 +--
- virt/kvm/arm/mmio.c| 6 +++---
- 3 files changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 3a82f2d4333b..1cec2c62a0b0 100644
a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -4384,7 +4384,7 @@ static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t
addr, int len, void *v)
-addr, n, v))
- && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
- break;
-- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
-+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
- handled += n;
- addr += n;
- len -= n;
-@@ -4643,7 +4643,7 @@ static int read_prepare(struct kvm_vcpu *vcpu, void
*val, int bytes)
- {
- if (vcpu->mmio_read_completed) {
- trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
-- vcpu->mmio_fragments[0].gpa, *(u64 *)val);
-+ vcpu->mmio_fragments[0].gpa, val);
- vcpu->mmio_read_completed = 0;
- return 1;
- }
-@@ -4665,14 +4665,14 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t
gpa,
-
- static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
- {
-- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
-+ trace_kvm
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Saturday, January 6, 2018 @ 14:20:03
Author: anthraxx
Revision: 279504
upgpkg: linux-hardened 4.14.12.a-1
Added:
linux-hardened/trunk/drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch
Modified:
linux-hardened/trunk/PKGBUILD
linux-hardened/trunk/config.x86_64
Deleted:
linux-hardened/trunk/Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch
linux-hardened/trunk/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
---+
PKGBUILD | 16 --
Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch | 71
--
config.x86_64 |2
drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch | 39
+
x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch | 15 --
5 files changed, 47 insertions(+), 96 deletions(-)
Modified: PKGBUILD
===
--- PKGBUILD2018-01-06 14:14:27 UTC (rev 279503)
+++ PKGBUILD2018-01-06 14:20:03 UTC (rev 279504)
@@ -5,7 +5,7 @@
pkgbase=linux-hardened
_srcname=linux-4.14
-_pkgver=4.14.11
+_pkgver=4.14.12
pkgver=${_pkgver}.a
pkgrel=1
url='https://github.com/copperhead/linux-hardened'
@@ -26,13 +26,12 @@
# https://bugs.archlinux.org/task/56575
e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
# https://bugs.archlinux.org/task/56605
-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch
xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch
# https://bugs.archlinux.org/task/56846
cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+# https://bugs.archlinux.org/task/56711
+drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch
-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
-
CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
@@ -41,19 +40,18 @@
replaces=('linux-grsec')
sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'SKIP'
-'f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9'
+'da5d8db44b0988e4c45346899d3f5a51f8bd6c25f14e729615ca9ff9f17bdefd'
'SKIP'
-'7bf093ee625cf97560bb57b01fc7ddb1bfb705377cc6b68994911cceb23126d5'
+'199ac6bc8644677dc801dae69c4293d4cef100696f2d1c60a4bc5faaa4d896e8'
'SKIP'
-'1dd1c470a8df028cf9c9db13e64263bdcff47f890d629ed9c81321fab7a57a05'
+'b7f54d50b34fa19f2847d2ed73fa6d1a631a2181882ac3d0c6311f8f8b6aedde'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
'c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3'
-'f7c86f7aa4c7d671a5ff80bcd92a33db2fa6e95b78188261db0ef260a7d75cd8'
'294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45'
'721c387db986d883a6df6b0da17941ce6d59811b0647ae6653b978c5ee144f19'
-'086f6ab16a6894db5444007d195f779322f3a5792e7ca0e91a61d4e633ad8f26'
+'c08d12c699398ef88b764be1837b9ee11f2efd3188bd1bf4e8f85dfbeee58148'
'6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9'
'b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5'
'72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435'
Deleted: Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch
===
--- Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch
2018-01-06 14:14:27 UTC (rev 279503)
+++ Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch
2018-01-06 14:20:03 UTC (rev 279504)
@@ -1,71 +0,0 @@
-From 94802151894d482e82c324edf2c658f8e6b96508 Mon Sep 17 00:00:00 2001
-From: Steffen Klassert
-Date: Wed, 15 Nov 2017 06:40:57 +0100
-Subject: [PATCH] Revert "xfrm: Fix stack-out-of-bounds read in
- xfrm_state_find."
-
-This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
-
-This commit breaks transport mode when the policy template
-has widlcard addresses configured, so revert it.
-
-Signed-off-by: Steffen Klassert
- net/xfrm/xfrm_policy.c | 29 ++---
- 1 file changed, 18 insertions(+), 11 deletions(-)
-
-diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index 2a6093840e7e..6bc16bb61b55 100644
a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Wednesday, January 3, 2018 @ 19:37:03
Author: anthraxx
Revision: 278365
upgpkg: linux-hardened 4.14.11.a-1 (enable PTI)
- drop patches added in upstream 4.11 release
- add AMD patch for PTI
Added:
linux-hardened/trunk/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
Modified:
linux-hardened/trunk/PKGBUILD
linux-hardened/trunk/config.x86_64
Deleted:
linux-hardened/trunk/CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
linux-hardened/trunk/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
---+
CVE-2017-17449-netlink-Add-netns-check-on-taps.patch | 43
-
CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch | 74
--
PKGBUILD | 19 +-
config.x86_64 |3
x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch | 15 ++
5 files changed, 26 insertions(+), 128 deletions(-)
Deleted: CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
===
--- CVE-2017-17449-netlink-Add-netns-check-on-taps.patch2018-01-03
19:32:54 UTC (rev 278364)
+++ CVE-2017-17449-netlink-Add-netns-check-on-taps.patch2018-01-03
19:37:03 UTC (rev 278365)
@@ -1,43 +0,0 @@
-From 93c647643b48f0131f02e45da3bd367d80443291 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee
-Date: Wed, 6 Dec 2017 12:12:27 -0800
-Subject: [PATCH] netlink: Add netns check on taps
-
-Currently, a nlmon link inside a child namespace can observe systemwide
-netlink activity. Filter the traffic so that nlmon can only sniff
-netlink messages from its own netns.
-
-Test case:
-
-vpnns -- bash -c "ip link add nlmon0 type nlmon; \
- ip link set nlmon0 up; \
- tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
-sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
-spi 0x1 mode transport \
-auth sha1 0x616263313233 \
-enc aes 0x
-grep --binary abc123 /tmp/nlmon.pcap
-
-Signed-off-by: Kevin Cernekee
-Signed-off-by: David S. Miller
- net/netlink/af_netlink.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index b9e0ee4e22f5..79cc1bf36e4a 100644
a/net/netlink/af_netlink.c
-+++ b/net/netlink/af_netlink.c
-@@ -253,6 +253,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
- struct sock *sk = skb->sk;
- int ret = -ENOMEM;
-
-+ if (!net_eq(dev_net(dev), sock_net(sk)))
-+ return 0;
-+
- dev_hold(dev);
-
- if (is_vmalloc_addr(skb->head))
---
-2.15.1
-
Deleted: CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
===
--- CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
2018-01-03 19:32:54 UTC (rev 278364)
+++ CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
2018-01-03 19:37:03 UTC (rev 278365)
@@ -1,74 +0,0 @@
-From 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 Mon Sep 17 00:00:00 2001
-From: Mohamed Ghannam
-Date: Sun, 10 Dec 2017 03:50:58 +
-Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg
-
-inet->hdrincl is racy, and could lead to uninitialized stack pointer
-usage, so its value should be read only once.
-
-Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after
raw_probe_proto_opt")
-Signed-off-by: Mohamed Ghannam
-Reviewed-by: Eric Dumazet
-Signed-off-by: David S. Miller
- net/ipv4/raw.c | 15 ++-
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
-index 33b70bfd1122..125c1eab3eaa 100644
a/net/ipv4/raw.c
-+++ b/net/ipv4/raw.c
-@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr
*msg, size_t len)
- int err;
- struct ip_options_data opt_copy;
- struct raw_frag_vec rfv;
-+ int hdrincl;
-
- err = -EMSGSIZE;
- if (len > 0x)
- goto out;
-
-+ /* hdrincl should be READ_ONCE(inet->hdrincl)
-+ * but READ_ONCE() doesn't work with bit fields
-+ */
-+ hdrincl = inet->hdrincl;
- /*
-* Check the flags.
-*/
-@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr
*msg, size_t len)
- /* Linux does not mangle headers on raw sockets,
-* so that IP options + IP_HDRINCL is non-sense.
-*/
-- if (inet->hdrincl)
-+ if (hdrincl)
- goto done;
- if (ipc.opt->opt.srr) {
- if (!daddr)
-@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct
