[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Saturday, May 9, 2020 @ 19:59:26 Author: heftig Revision: 382975 5.6.11.a-3: more GCC 10 fixes Added: linux-hardened/trunk/0003-Makefile-disallow-data-races-on-gcc-10-as-well.patch linux-hardened/trunk/0004-x86-Fix-early-boot-crash-on-gcc-10-next-try.patch Modified: linux-hardened/trunk/0001-gcc-plugins-drop-support-for-GCC-4.7.patch linux-hardened/trunk/0002-gcc-common.h-Update-for-GCC-10.patch linux-hardened/trunk/PKGBUILD ---+ 0001-gcc-plugins-drop-support-for-GCC-4.7.patch |2 0002-gcc-common.h-Update-for-GCC-10.patch |2 0003-Makefile-disallow-data-races-on-gcc-10-as-well.patch | 32 ++ 0004-x86-Fix-early-boot-crash-on-gcc-10-next-try.patch| 131 PKGBUILD | 10 5 files changed, 172 insertions(+), 5 deletions(-) Modified: 0001-gcc-plugins-drop-support-for-GCC-4.7.patch === --- 0001-gcc-plugins-drop-support-for-GCC-4.7.patch 2020-05-09 19:59:23 UTC (rev 382974) +++ 0001-gcc-plugins-drop-support-for-GCC-4.7.patch 2020-05-09 19:59:26 UTC (rev 382975) @@ -1,7 +1,7 @@ From dba68a9d4df76d49d32245e4236713a43fb321da Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Sun, 29 Mar 2020 20:08:32 +0900 -Subject: [PATCH 1/2] gcc-plugins: drop support for GCC <= 4.7 +Subject: [PATCH 1/4] gcc-plugins: drop support for GCC <= 4.7 Nobody was opposed to raising minimum GCC version to 4.8 [1] So, we will drop GCC <= 4.7 support sooner or later. Modified: 0002-gcc-common.h-Update-for-GCC-10.patch === --- 0002-gcc-common.h-Update-for-GCC-10.patch 2020-05-09 19:59:23 UTC (rev 382974) +++ 0002-gcc-common.h-Update-for-GCC-10.patch 2020-05-09 19:59:26 UTC (rev 382975) @@ -2,7 +2,7 @@ 
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Tue, 7 Apr 2020 13:32:59 +0200 -Subject: [PATCH 2/2] gcc-common.h: Update for GCC 10 +Subject: [PATCH 2/4] gcc-common.h: Update for GCC 10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added: 0003-Makefile-disallow-data-races-on-gcc-10-as-well.patch === --- 0003-Makefile-disallow-data-races-on-gcc-10-as-well.patch (rev 0) +++ 0003-Makefile-disallow-data-races-on-gcc-10-as-well.patch 2020-05-09 19:59:26 UTC (rev 382975) @@ -0,0 +1,32 @@ +From af805f5f1d2e61dd2cf907d9635f0abc66fe1197 Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich +Date: Tue, 17 Mar 2020 00:07:18 + +Subject: [PATCH 3/4] Makefile: disallow data races on gcc-10 as well + +gcc-10 will rename --param=allow-store-data-races=0 +to -fno-allow-store-data-races. + +The flag change happened at https://gcc.gnu.org/PR92046. + +Signed-off-by: Sergei Trofimovich +Acked-by: Jiri Kosina +Signed-off-by: Masahiro Yamada +--- + Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Makefile b/Makefile +index 5dedd6f9ad75..6899bfc9dc7b 100644 +--- a/Makefile b/Makefile +@@ -714,6 +714,7 @@ endif + + # Tell gcc to never replace conditional load with a non-conditional one + KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0) ++KBUILD_CFLAGS += $(call cc-option,-fno-allow-store-data-races) + + include scripts/Makefile.kcov + include scripts/Makefile.gcc-plugins +-- +2.26.2 + Added: 0004-x86-Fix-early-boot-crash-on-gcc-10-next-try.patch === --- 0004-x86-Fix-early-boot-crash-on-gcc-10-next-try.patch (rev 0) +++ 0004-x86-Fix-early-boot-crash-on-gcc-10-next-try.patch 2020-05-09 19:59:26 UTC (rev 382975) 
@@ -0,0 +1,131 @@ +From 309b6eca2e2605accf7a3b02b47b5c2732dbe543 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Wed, 22 Apr 2020 18:11:30 +0200 +Subject: [PATCH 4/4] x86: Fix early boot crash on gcc-10, next try +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... or the odyssey of trying to disable the stack protector for the +function which generates the stack canary value. + +The whole story started with Sergei reporting a boot crash with a kernel +built with gcc-10: + + Kernel panic — not syncing: stack-protector: Kernel stack is corrupted in: start_secondary + CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5—00235—gfffb08b37df9 #139 + Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M—D3H, BIOS F12 11/14/2013 + Call Trace: +dump_stack +panic +? start_secondary +__stack_chk_fail +start_secondary +secondary_startup_64 + -—-[ end Kernel panic — not syncing: stack—protector: Kernel stack is corrupted in: start_secondary + +This happens because gcc-10 tail-call optimizes the last function call +in start_sec
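Review bot: the Makefile hunk in 0003 keeps `KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0)` and adds `KBUILD_CFLAGS += $(call cc-option,-fno-allow-store-data-races)` directly below it. Because both go through `cc-option`, each compiler only receives the spelling it accepts, so the pairing is correct; but the existing comment ("Tell gcc to never replace conditional load with a non-conditional one") now sits above two lines that look redundant, and a later cleanup could drop one of them. Suggest extending that comment to say the two lines are the pre- and post-gcc-10 spellings of the same option, with the https://gcc.gnu.org/PR92046 reference from the description, so the hardening flag survives on both compiler generations.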
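Review bot: patch 0004 is cut off in this listing right after its description ("tail-call optimizes the last function call in start_sec"), so the actual code change, which is how the stack protector is kept away from the function that generates the canary, is not visible and cannot be checked here; the quoted panic (`__stack_chk_fail` reached from `start_secondary`) only establishes the symptom. The summary counts 131 lines for this file and the hunk header says `@@ -0,0 +1,131 @@`, so please confirm the committed file is complete and that the description's "next try" wording is updated if this is the final form of the upstream fix.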
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Tuesday, October 29, 2019 @ 15:13:18 Author: heftig Revision: 365999 5.3.7.b-3: Changes for new kmod and mkinitcpio hooks Modified: linux-hardened/trunk/PKGBUILD Deleted: linux-hardened/trunk/60-linux.hook linux-hardened/trunk/90-linux.hook linux-hardened/trunk/linux.install linux-hardened/trunk/linux.preset ---+ 60-linux.hook | 11 -- 90-linux.hook | 11 -- PKGBUILD | 61 +++- linux.install | 12 --- linux.preset | 14 5 files changed, 13 insertions(+), 96 deletions(-) Deleted: 60-linux.hook === --- 60-linux.hook 2019-10-29 15:13:11 UTC (rev 365998) +++ 60-linux.hook 2019-10-29 15:13:18 UTC (rev 365999) @@ -1,11 +0,0 @@ -[Trigger] -Type = File -Operation = Install -Operation = Upgrade -Operation = Remove -Target = usr/lib/modules/%KERNVER%/* - -[Action] -Description = Updating %PKGBASE% module dependencies... -When = PostTransaction -Exec = /usr/bin/depmod %KERNVER% Deleted: 90-linux.hook === --- 90-linux.hook 2019-10-29 15:13:11 UTC (rev 365998) +++ 90-linux.hook 2019-10-29 15:13:18 UTC (rev 365999) @@ -1,11 +0,0 @@ -[Trigger] -Type = File -Operation = Install -Operation = Upgrade -Target = usr/lib/modules/%KERNVER%/vmlinuz -Target = usr/lib/initcpio/* - -[Action] -Description = Updating %PKGBASE% initcpios... -When = PostTransaction -Exec = /usr/bin/mkinitcpio -p %PKGBASE% Modified: PKGBUILD === --- PKGBUILD2019-10-29 15:13:11 UTC (rev 365998) +++ PKGBUILD2019-10-29 15:13:18 UTC (rev 365999) 
@@ -1,30 +1,21 @@ # Maintainer: Levente Polyak -# Contributor: Daniel Micay -# Contributor: Tobias Powalowski -# Contributor: Thomas Baechler pkgbase=linux-hardened -_pkgver=5.3.7 -_hardenedver=b -pkgver=${_pkgver}.${_hardenedver} -pkgrel=2 +pkgver=5.3.7.b +pkgrel=3 url='https://github.com/anthraxx/linux-hardened' -arch=('x86_64') -license=('GPL2') +arch=(x86_64) +license=(GPL2) makedepends=( - xmlto kmod inetutils bc libelf python-sphinx python-sphinx_rtd_theme - graphviz imagemagick + xmlto kmod inetutils bc libelf + python-sphinx python-sphinx_rtd_theme graphviz imagemagick ) -replaces=('linux-grsec') options=('!strip') -_srcname=linux-${_pkgver} +_srcname=linux-${pkgver%.*} source=( - https://www.kernel.org/pub/linux/kernel/v${_pkgver%%.*}.x/${_srcname}.tar.{xz,sign} + https://www.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/${_srcname}.tar.{xz,sign} https://github.com/anthraxx/${pkgbase}/releases/download/${pkgver}/${pkgbase}-${pkgver}.patch{,.sig} config # the main kernel config file - 60-linux.hook # pacman hook for depmod - 90-linux.hook # pacman hook for initramfs regeneration - linux.preset # standard config files for mkinitcpio ramdisk ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds 
@@ -32,18 +23,13 @@ '65EEFE022108E2B708CBFCF7F9E712E59AF5F22A' # Daniel Micay 'E240B57E2C4630BA768E2F26FC1B547C8D8172C8' # Levente Polyak ) +# https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc sha256sums=('c6c9714e21531c825c306b107bc6f6c7bfa2d5270a14bad170f8de5a73d34802' 'SKIP' '0dd90897d1857bf7b3f373c86174056a447774930c419fbc27db599da30dd51e' 'SKIP' -'514512ab1ffbb69367e20787b4ae7cc3a4df903aa6e8eb0a2c7e6ed4356c43c4' -'452b8d4d71e1565ca91b1bebb280693549222ef51c47ba8964e411b2d461699c' -'c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636' -'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65') +'514512ab1ffbb69367e20787b4ae7cc3a4df903aa6e8eb0a2c7e6ed4356c43c4') -_kernelname=${pkgbase#linux} -: ${_kernelname:=-ARCH} - export KBUILD_BUILD_HOST=archlinux export KBUILD_BUILD_USER=$pkgbase export KBUILD_BUILD_TIMESTAMP="@${SOURCE_DATE_EPOCH:-$(date +%s)}" @@ -52,10 +38,10 @@ cd $_srcname msg2 "Setting version..." - sed -e "/^EXTRAVERSION =/s/=.*/= .${_hardenedver}/" -i Makefile + sed -e "/^EXTRAVERSION =/s/=.*/= .${pkgver##*.}/" -i Makefile scripts/setlocalversion --save-scmversion echo "-$pkgrel" > localversion.10-pkgrel - echo "$_kernelname" > localversion.20-pkgname + echo "${pkgbase#linux}" > localversion.20-pkgname local src for src in "${source[@]}"; do @@ -85,8 +71,7 @@ optdepends=('crda: to set the correct wireless channels of your country' 'linux-firmware: firmware images needed for some devices' 'usbctl: deny_new_usb control') - backup=("etc/mkinitcpio.d/$pkgbase.preset") - install=linux.install + replaces=('linux-grsec') cd $_srcname local kernver="$(https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344 install -Dm644 "$(make -s image_
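Review bot: deleting `60-linux.hook` and `90-linux.hook` moves depmod and initramfs generation to hooks shipped by kmod and mkinitcpio (the commit title says "Changes for new kmod and mkinitcpio hooks"), and the PKGBUILD hunk consistently drops `install=linux.install` and the `backup=("etc/mkinitcpio.d/$pkgbase.preset")` line. What the visible hunks do not show is a versioned `depends` on the kmod and mkinitcpio releases that provide those hooks, and the package() hunk is truncated here; please confirm those minimum versions are declared, because on a system whose kmod or mkinitcpio predates the new hooks this kernel would install without depmod running or an initramfs being built.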
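Review bot: the new derivations `_srcname=linux-${pkgver%.*}` and `sed -e "/^EXTRAVERSION =/s/=.*/= .${pkgver##*.}/"` in the first PKGBUILD hunk assume the hardened suffix is always exactly one dotted component after the kernel version (5.3.7.b gives 5.3.7 and b, and `${pkgver%%.*}` gives the 5 used in the download path). That holds for the current tag, but it is an implicit contract with upstream's tag naming, so a one-line comment next to `pkgver=5.3.7.b` stating the expected shape would stop a future bump from silently fetching the wrong tarball. Dropping `_kernelname` together with the `: ${_kernelname:=-ARCH}` fallback is fine: with `pkgbase=linux-hardened`, `${pkgbase#linux}` is always `-hardened`, so the fallback was unreachable.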
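Review bot: the sha256sums hunk removes the four sums that belonged to the deleted hook, preset and install files and keeps the one for `config`, which matches the five-entry source array (tarball, `.sign`, hardened patch, `.sig`, config). The added `# https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc` comment is only useful if the tarball sum is actually compared against that signed file rather than copied from the downloaded archive, so it is worth stating that as the procedure. With the signature files marked `SKIP`, the integrity of the tarball and of the hardened patch rests on the signature check against `validpgpkeys`, which is the stronger control; the sha256 for `config` is the only protection for the repo-local file.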
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Saturday, October 19, 2019 @ 11:48:26 Author: anthraxx Revision: 365213 match vanilla hooks and rename config Added: linux-hardened/trunk/config Modified: linux-hardened/trunk/60-linux.hook linux-hardened/trunk/PKGBUILD linux-hardened/trunk/linux.install Deleted: linux-hardened/trunk/config.x86_64 ---+ 60-linux.hook |1 PKGBUILD |8 config|10515 config.x86_64 |10515 linux.install |1 5 files changed, 10519 insertions(+), 10521 deletions(-) The diff is longer than the limit of 200KB. Use svn diff -r 365212:365213 to see the changes.
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Thursday, September 6, 2018 @ 06:33:32 Author: anthraxx Revision: 333580 upgpkg: linux-hardened 4.18.6.a-1 Added: linux-hardened/trunk/HID-core-fix-grouping-by-application.patch linux-hardened/trunk/drm-i915-Increase-LSPCON-timeout.patch Modified: linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config.x86_64 Deleted: linux-hardened/trunk/increase-timeout-in-lspcon_wait_mode.patch + HID-core-fix-grouping-by-application.patch | 78 +++ PKGBUILD | 14 ++-- config.x86_64 | 14 ++-- drm-i915-Increase-LSPCON-timeout.patch | 54 ++ increase-timeout-in-lspcon_wait_mode.patch | 23 --- 5 files changed, 147 insertions(+), 36 deletions(-) Added: HID-core-fix-grouping-by-application.patch === --- HID-core-fix-grouping-by-application.patch (rev 0) +++ HID-core-fix-grouping-by-application.patch 2018-09-06 06:33:32 UTC (rev 333580) 
@@ -0,0 +1,78 @@ +From 20acb01da9443e3ca814bb5d17f01b3fea754010 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Tue, 4 Sep 2018 15:31:14 +0200 +Subject: [PATCH] HID: core: fix grouping by application + +commit f07b3c1da92d ("HID: generic: create one input report per +application type") was effectively the same as MULTI_INPUT: +hidinput->report was never set, so hidinput_match_application() +always returned null. + +Fix that by testing against the real application. + +Note that this breaks some old eGalax touchscreens that expect MULTI_INPUT +instead of HID_QUIRK_INPUT_PER_APP. Enable this quirk for backward +compatibility on all non-Win8 touchscreens. + +link: https://bugzilla.kernel.org/show_bug.cgi?id=200847 +link: https://bugzilla.kernel.org/show_bug.cgi?id=200849 +link: https://bugs.archlinux.org/task/59699 +link: https://github.com/NixOS/nixpkgs/issues/45165 + +Cc: sta...@vger.kernel.org # v4.18+ +Signed-off-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +--- + drivers/hid/hid-input.c | 4 ++-- + drivers/hid/hid-multitouch.c | 3 +++ + include/linux/hid.h | 1 + + 3 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index ab93dd5927c3a..a137d2835f328 100644 +--- a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +@@ -1579,6 +1579,7 @@ static struct hid_input *hidinput_allocate(struct hid_device *hid, + input_dev->dev.parent = &hid->dev; + + hidinput->input = input_dev; ++ hidinput->application = application; + list_add_tail(&hidinput->list, &hid->inputs); + + INIT_LIST_HEAD(&hidinput->reports); +@@ -1674,8 +1675,7 @@ static struct hid_input *hidinput_match_application(struct hid_report *report) + struct hid_input *hidinput; + + list_for_each_entry(hidinput, &hid->inputs, list) { +- if (hidinput->report && +- hidinput->report->application == report->application) ++ if (hidinput->application == report->application) + return hidinput; + } + +diff --git a/drivers/hid/hid-multitouch.c 
b/drivers/hid/hid-multitouch.c +index 45968f7970f87..1a987345692a6 100644 +--- a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +@@ -1476,6 +1476,9 @@ static int mt_probe(struct hid_device *hdev, const struct hid_device_id *id) +*/ + hdev->quirks |= HID_QUIRK_INPUT_PER_APP; + ++ if (id->group != HID_GROUP_MULTITOUCH_WIN_8) ++ hdev->quirks |= HID_QUIRK_MULTI_INPUT; ++ + timer_setup(&td->release_timer, mt_expired_timeout, 0); + + ret = hid_parse(hdev); +diff --git a/include/linux/hid.h b/include/linux/hid.h +index 773bcb1d4044e..5482dd6ae9efd 100644 +--- a/include/linux/hid.h b/include/linux/hid.h +@@ -520,6 +520,7 @@ struct hid_input { + const char *name; + bool registered; + struct list_head reports; /* the list of reports */ ++ unsigned int application; /* application usage for this input */ + }; + + enum hid_type { Modified: PKGBUILD === --- PKGBUILD2018-09-05 21:24:06 UTC (rev 333579) +++ PKGBUILD2018-09-06 06:33:32 UTC (rev 333580) @@ -4,7 +4,7 @@ # Contributor: Thomas Baechler pkgbase=linux-hardened -_pkgver=4.18.5 +_pkgver=4.18.6 _hardenedver=a _srcname=linux-${_pkgver} pkgver=${_pkgver}.${_hardenedver} @@ -22,18 +22,20 @@ 90-linux.hook # pacman hook for initramfs regeneration linux.preset # standard config files for mkinitcpio ramdisk -increase-timeout-in-lspcon_wait_mode.patch +drm-i915-Increase-LSPCON-timeout.patch +HID-core-fix-grouping-by-application.patch ) replaces=('linux-grsec') -sha256sums=('fb090a3680eddf6f10bf895bc3075bd3f830e3d2429ce469982db5a28df647bd' +sha256sums=('05db
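Review bot: in the hid-input.c hunks, `hidinput_match_application()` now compares `hidinput->application == report->application`, and the new field is initialised only by the added `hidinput->application = application;` line in `hidinput_allocate()`. That is exactly what the description calls for (the old `hidinput->report` test never matched because `report` was never set), but the match now silently depends on every `hid_input` having passed through `hidinput_allocate()`: an instance whose `application` is still 0 would match any report with application usage 0. Please confirm that `hidinput_allocate()` is the only constructor, or initialise the field in the other path. The hid-multitouch.c hunk adds `HID_QUIRK_MULTI_INPUT` for every group other than `HID_GROUP_MULTITOUCH_WIN_8`, which is broader than the eGalax devices the description names first; the description's final sentence does say all non-Win8 touchscreens are intended, so that matches, and the `include/linux/hid.h` hunk carries a comment for the new field, which is good.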
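Review bot: the PKGBUILD hunk replaces `increase-timeout-in-lspcon_wait_mode.patch` with `drm-i915-Increase-LSPCON-timeout.patch` and adds the HID patch, but the commit message, `upgpkg: linux-hardened 4.18.6.a-1`, mentions neither; since the HID patch is a behaviour change for touchscreen input with its own Arch task (https://bugs.archlinux.org/task/59699, from the patch's link lines), please reference it in the message. The sha256sums hunk is cut off after `'05db` here, so the new sums for the two patch files cannot be checked against the committed files from this listing.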
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Tuesday, May 29, 2018 @ 23:14:50 Author: anthraxx Revision: 325134 upgpkg: linux-hardened 4.16.12.a-1 Added: linux-hardened/trunk/ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch linux-hardened/trunk/Revert-drm-i915-edp-Allow-alternate-fixed-mode-for-e.patch Modified: linux-hardened/trunk/PKGBUILD Deleted: linux-hardened/trunk/drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch linux-hardened/trunk/partially-revert-swiotlb-remove-various-exports.patch ---+ ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch | 117 PKGBUILD | 15 Revert-drm-i915-edp-Allow-alternate-fixed-mode-for-e.patch| 242 ++ drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch | 39 - partially-revert-swiotlb-remove-various-exports.patch | 26 - 5 files changed, 367 insertions(+), 72 deletions(-) Added: ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch === --- ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch (rev 0) +++ ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch2018-05-29 23:14:50 UTC (rev 325134) 
@@ -0,0 +1,117 @@ +From a0a37862a4e1844793d39aca9ccb8fecbdcb8659 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Mon, 23 Apr 2018 14:16:03 +0300 +Subject: [PATCH] ACPI / watchdog: Prefer iTCO_wdt on Lenovo Z50-70 + +WDAT table on Lenovo Z50-70 is using RTC SRAM (ports 0x70 and 0x71) to +store state of the timer. This conflicts with Linux RTC driver +(rtc-cmos.c) who fails to reserve those ports for itself preventing RTC +from functioning. In addition the WDAT table seems not to be fully +functional because it does not reset the system when the watchdog times +out. + +On this system iTCO_wdt works just fine so we simply prefer to use it +instead of WDAT. This makes RTC working again and also results working +watchdog via iTCO_wdt. + +Reported-by: Peter Milley +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199033 +Signed-off-by: Mika Westerberg +Signed-off-by: Rafael J. Wysocki +--- + drivers/acpi/acpi_watchdog.c | 59 ++-- + 1 file changed, 49 insertions(+), 10 deletions(-) + +diff --git a/drivers/acpi/acpi_watchdog.c b/drivers/acpi/acpi_watchdog.c +index ebb626ffb5fa..4bde16fb97d8 100644 +--- a/drivers/acpi/acpi_watchdog.c b/drivers/acpi/acpi_watchdog.c +@@ -12,23 +12,64 @@ + #define pr_fmt(fmt) "ACPI: watchdog: " fmt + + #include ++#include + #include + #include + + #include "internal.h" + ++static const struct dmi_system_id acpi_watchdog_skip[] = { ++ { ++ /* ++ * On Lenovo Z50-70 there are two issues with the WDAT ++ * table. First some of the instructions use RTC SRAM ++ * to store persistent information. This does not work well ++ * with Linux RTC driver. Second, more important thing is ++ * that the instructions do not actually reset the system. ++ * ++ * On this particular system iTCO_wdt seems to work just ++ * fine so we prefer that over WDAT for now. ++ * ++ * See also https://bugzilla.kernel.org/show_bug.cgi?id=199033. 
++ */ ++ .ident = "Lenovo Z50-70", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "20354"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Z50-70"), ++ }, ++ }, ++ {} ++}; ++ ++static const struct acpi_table_wdat *acpi_watchdog_get_wdat(void) ++{ ++ const struct acpi_table_wdat *wdat = NULL; ++ acpi_status status; ++ ++ if (acpi_disabled) ++ return NULL; ++ ++ if (dmi_check_system(acpi_watchdog_skip)) ++ return NULL; ++ ++ status = acpi_get_table(ACPI_SIG_WDAT, 0, ++ (struct acpi_table_header **)&wdat); ++ if (ACPI_FAILURE(status)) { ++ /* It is fine if there is no WDAT */ ++ return NULL; ++ } ++ ++ return wdat; ++} ++ + /** + * Returns true if this system should prefer ACPI based watchdog instead of + * the native one (which are typically the same hardware). + */ + bool acpi_has_watchdog(void) + { +- struct acpi_table_header hdr; +- +- if (acpi_disabled) +- return false; +- +- return ACPI_SUCCESS(acpi_get_table_header(ACPI_SIG_WDAT, 0, &hdr)); ++ return !!acpi_watchdog_get_wdat(); + } + EXPORT_SYMBOL_GPL(acpi_has_watchdog); + +@@ -41,12 +82,10 @@ void __init acpi_watchdog_init(void) + struct platform_device *pdev; + struct resource *resources; + size_t nresources = 0; +- acpi_status stat
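Review bot: `acpi_watchdog_get_wdat()` obtains the WDAT table with `acpi_get_table(ACPI_SIG_WDAT, 0, (struct acpi_table_header **)&wdat)` but neither it nor the rewritten `acpi_has_watchdog()` (now just `return !!acpi_watchdog_get_wdat();`) releases that reference with `acpi_put_table()`. The removed code used `acpi_get_table_header()` into a stack `hdr` and had nothing to release, so the rewrite turns every `acpi_has_watchdog()` call into a leaked table reference; suggest either putting the table inside `acpi_has_watchdog()` after the NULL test, or having the helper return a bool and fill a caller-provided pointer only for the caller that keeps the table. The DMI quirk itself looks right: matching `DMI_SYS_VENDOR`, `DMI_PRODUCT_NAME` "20354" and `DMI_PRODUCT_VERSION` "Lenovo Z50-70" together is specific, and `dmi_check_system(acpi_watchdog_skip)` runs before the table lookup, so other machines pay nothing for it.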
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Thursday, April 26, 2018 @ 20:38:08 Author: anthraxx Revision: 323061 upgpkg: linux-hardened 4.16.5.a-1 Added: linux-hardened/trunk/fix-vboxguest-on-guests-with-more-than-4G-RAM.patch linux-hardened/trunk/net-aquantia-Regression-on-reset-with-1.x-firmware.patch linux-hardened/trunk/partially-revert-swiotlb-remove-various-exports.patch Modified: linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config.x86_64 --+ PKGBUILD | 28 config.x86_64| 342 +--- fix-vboxguest-on-guests-with-more-than-4G-RAM.patch | 549 + net-aquantia-Regression-on-reset-with-1.x-firmware.patch | 68 + partially-revert-swiotlb-remove-various-exports.patch| 26 5 files changed, 871 insertions(+), 142 deletions(-) Modified: PKGBUILD === --- PKGBUILD2018-04-26 19:41:19 UTC (rev 323060) +++ PKGBUILD2018-04-26 20:38:08 UTC (rev 323061) @@ -4,11 +4,11 @@ # Contributor: Thomas Baechler pkgbase=linux-hardened -_srcname=linux-4.15 -_pkgver=4.15.18 +_srcname=linux-4.16 +_pkgver=4.16.5 pkgver=${_pkgver}.a pkgrel=1 -url='https://github.com/copperhead/linux-hardened' +url='https://github.com/anthraxx/linux-hardened' arch=('x86_64') license=('GPL2') makedepends=('xmlto' 'kmod' 'inetutils' 'bc' 'libelf') @@ -17,7 +17,7 @@ https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.sign https://www.kernel.org/pub/linux/kernel/v4.x/patch-${_pkgver}.xz https://www.kernel.org/pub/linux/kernel/v4.x/patch-${_pkgver}.sign - https://github.com/thestinger/${pkgbase}/releases/download/${pkgver}/${pkgbase}-${pkgver}.patch{,.sig} + https://github.com/anthraxx/${pkgbase}/releases/download/${pkgver}/${pkgbase}-${pkgver}.patch{,.sig} config.x86_64 # the main kernel config files 60-linux.hook # pacman hook for depmod 90-linux.hook # pacman hook for initramfs regeneration 
@@ -25,23 +25,30 @@ # https://bugs.archlinux.org/task/56711 drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch +net-aquantia-Regression-on-reset-with-1.x-firmware.patch +fix-vboxguest-on-guests-with-more-than-4G-RAM.patch +partially-revert-swiotlb-remove-various-exports.patch ) replaces=('linux-grsec') -sha256sums=('5a26478906d5005f4f809402e981518d2b8844949199f60c4b6e1f986ca2a769' +sha256sums=('63f6dc8e3c9f3a0273d5d6f4dca38a2413ca3a5f689329d05b750e4c87bb21b9' 'SKIP' -'beac2c2aef09ea2aa4b97512071c1364dee14c0fbf291ea85cd4ab8bfb6bc5da' +'8c3bb050d11da6e91d3e169f76ee3ed6937e1ca64264e605ddba8108696ba011' 'SKIP' -'72fee4dbfc40dd33f7c5e4241679e2d663043b0a2f6ecf7c9eb30dafb51555f4' +'65482af87d9bac91d67591bde20ab56162060ea05fad910dbfcb5e5e964c8804' 'SKIP' -'b3208d1b3c215748369909a8448c4db27738edc049c2107ec82a26375ee60eda' +'6f296e865186eb6993e1494b595b56c8e56ec75327c982a846ca3d24686dc163' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' -'c08d12c699398ef88b764be1837b9ee11f2efd3188bd1bf4e8f85dfbeee58148') +'c08d12c699398ef88b764be1837b9ee11f2efd3188bd1bf4e8f85dfbeee58148' +'d7233371fe617895b600ad1939d8b818395276d07b8a7918b955c9590a5d1112' +'b1c1cf770b2baab046d52687ec3dd83c543e3f45b4abeae2686c814673e0a1c5' +'87a0849079db7bf1deefb687bcf43170f1b209d27af9950f98b049cdf233b447') validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman '65EEFE022108E2B708CBFCF7F9E712E59AF5F22A' # Daniel Micay + 'E240B57E2C4630BA768E2F26FC1B547C8D8172C8' # Levente Polyak ) _kernelname=${pkgbase#linux} : ${_kernelname:=-ARCH} 
@@ -184,9 +191,6 @@ install -Dt "${_builddir}/drivers/md" -m644 drivers/md/*.h install -Dt "${_builddir}/net/mac80211" -m644 net/mac80211/*.h - # http://bugs.archlinux.org/task/9912 - install -Dt "${_builddir}/drivers/media/dvb-core" -m644 drivers/media/dvb-core/*.h - # http://bugs.archlinux.org/task/13146 install -Dt "${_builddir}/drivers/media/i2c" -m644 drivers/media/i2c/msp3400-driver.h Modified: config.x86_64 === --- config.x86_64 2018-04-26 19:41:19 UTC (rev 323060) +++ config.x86_64 2018-04-26 20:38:08 UTC (rev 323061) @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.15.16 Kernel Configuration +# Linux/x86 4.16.5 Kernel Configuration # CONFIG_64
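Review bot: the PKGBUILD hunk changes where the hardened patch is fetched from (`https://github.com/thestinger/...` becomes `https://github.com/anthraxx/...`, and `url=` moves from copperhead to anthraxx) and in the same change adds `'E240B57E2C4630BA768E2F26FC1B547C8D8172C8' # Levente Polyak` to `validpgpkeys`, so the `.sig` on that patch is now accepted from either Daniel Micay's or Levente Polyak's key. That is a trust-root change for the package's main security input and deserves more than `upgpkg: linux-hardened 4.16.5.a-1` in the message: why the upstream moved and how the new fingerprint was verified out of band. Keeping the Micay key alongside the new one is reasonable for the transition, but plan to remove it once releases are signed only by the new maintainer so the set of accepted signers stays minimal.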
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Thursday, January 18, 2018 @ 22:26:14 Author: anthraxx Revision: 283998 upgpkg: linux-hardened 4.14.14.a-1 Modified: linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config.x86_64 Deleted: linux-hardened/trunk/CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch linux-hardened/trunk/cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch linux-hardened/trunk/e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch -+ CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch | 161 -- PKGBUILD| 18 - cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch | 132 config.x86_64 |4 e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch | 73 5 files changed, 8 insertions(+), 380 deletions(-) Deleted: CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch === --- CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch 2018-01-18 22:25:01 UTC (rev 283997) +++ CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch 2018-01-18 22:26:14 UTC (rev 283998) 
@@ -1,161 +0,0 @@ -From e39d200fa5bf5b94a0948db0dae44c1b73b84a56 Mon Sep 17 00:00:00 2001 -From: Wanpeng Li -Date: Thu, 14 Dec 2017 17:40:50 -0800 -Subject: [PATCH] KVM: Fix stack-out-of-bounds read in write_mmio -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reported by syzkaller: - - BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm] - Read of size 8 at addr 8803259df7f8 by task syz-executor/32298 - - CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE4.15.0-rc2+ #18 - Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016 - Call Trace: - dump_stack+0xab/0xe1 - print_address_description+0x6b/0x290 - kasan_report+0x28a/0x370 - write_mmio+0x11e/0x270 [kvm] - emulator_read_write_onepage+0x311/0x600 [kvm] - emulator_read_write+0xef/0x240 [kvm] - emulator_fix_hypercall+0x105/0x150 [kvm] - em_hypercall+0x2b/0x80 [kvm] - x86_emulate_insn+0x2b1/0x1640 [kvm] - x86_emulate_instruction+0x39a/0xb90 [kvm] - handle_exception+0x1b4/0x4d0 [kvm_intel] - vcpu_enter_guest+0x15a0/0x2640 [kvm] - kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm] - kvm_vcpu_ioctl+0x479/0x880 [kvm] - do_vfs_ioctl+0x142/0x9a0 - SyS_ioctl+0x74/0x80 - entry_SYSCALL_64_fastpath+0x23/0x9a - -The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall) -to the guest memory, however, write_mmio tracepoint always prints 8 bytes -through *(u64 *)val since kvm splits the mmio access into 8 bytes. This -leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes -it by just accessing the bytes which we operate on. 
- -Before patch: - -syz-executor-5567 [007] 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x110077c1010f - -After patch: - -syz-executor-13416 [002] 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f - -Reported-by: Dmitry Vyukov -Reviewed-by: Darren Kenny -Reviewed-by: Marc Zyngier -Tested-by: Marc Zyngier -Cc: Paolo Bonzini -Cc: Radim Krčmář -Cc: Marc Zyngier -Cc: Christoffer Dall -Signed-off-by: Wanpeng Li -Signed-off-by: Paolo Bonzini - arch/x86/kvm/x86.c | 8 - include/trace/events/kvm.h | 7 +-- - virt/kvm/arm/mmio.c| 6 +++--- - 3 files changed, 12 insertions(+), 9 deletions(-) - -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 3a82f2d4333b..1cec2c62a0b0 100644 a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -4384,7 +4384,7 @@ static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t addr, int len, void *v) -addr, n, v)) - && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v)) - break; -- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v); -+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v); - handled += n; - addr += n; - len -= n; -@@ -4643,7 +4643,7 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes) - { - if (vcpu->mmio_read_completed) { - trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes, -- vcpu->mmio_fragments[0].gpa, *(u64 *)val); -+ vcpu->mmio_fragments[0].gpa, val); - vcpu->mmio_read_completed = 0; - return 1; - } -@@ -4665,14 +4665,14 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa, - - static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val) - { -- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val); -+ trace_kvm
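Review bot: the deleted `CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch` goes away together with the cgroup and e1000e fixes, but the message `upgpkg: linux-hardened 4.14.14.a-1` does not say that 4.14.14 carries all three upstream; please state that (ideally with the stable commit ids) so anyone auditing which CVEs this package covers does not have to diff the stable tree to find out. Dropping the `trace_kvm_mmio(..., *(u64 *)val)` to `trace_kvm_mmio(..., val)` changes visible in the arch/x86/kvm/x86.c hunks is only safe if the backport also includes the `include/trace/events/kvm.h` part the summary lists (7 lines changed), since that is where the tracepoint stops copying 8 bytes regardless of `len`; the listing is cut off before that part of the file.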
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Saturday, January 6, 2018 @ 14:20:03 Author: anthraxx Revision: 279504 upgpkg: linux-hardened 4.14.12.a-1 Added: linux-hardened/trunk/drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch Modified: linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config.x86_64 Deleted: linux-hardened/trunk/Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch linux-hardened/trunk/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch ---+ PKGBUILD | 16 -- Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch | 71 -- config.x86_64 |2 drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch | 39 + x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch | 15 -- 5 files changed, 47 insertions(+), 96 deletions(-) Modified: PKGBUILD === --- PKGBUILD2018-01-06 14:14:27 UTC (rev 279503) +++ PKGBUILD2018-01-06 14:20:03 UTC (rev 279504) @@ -5,7 +5,7 @@ pkgbase=linux-hardened _srcname=linux-4.14 -_pkgver=4.14.11 +_pkgver=4.14.12 pkgver=${_pkgver}.a pkgrel=1 url='https://github.com/copperhead/linux-hardened' @@ -26,13 +26,12 @@ # https://bugs.archlinux.org/task/56575 e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch # https://bugs.archlinux.org/task/56605 -Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch # https://bugs.archlinux.org/task/56846 cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch +# https://bugs.archlinux.org/task/56711 +drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch -x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch - CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch 
@@ -41,19 +40,18 @@ replaces=('linux-grsec') sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7' 'SKIP' -'f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9' +'da5d8db44b0988e4c45346899d3f5a51f8bd6c25f14e729615ca9ff9f17bdefd' 'SKIP' -'7bf093ee625cf97560bb57b01fc7ddb1bfb705377cc6b68994911cceb23126d5' +'199ac6bc8644677dc801dae69c4293d4cef100696f2d1c60a4bc5faaa4d896e8' 'SKIP' -'1dd1c470a8df028cf9c9db13e64263bdcff47f890d629ed9c81321fab7a57a05' +'b7f54d50b34fa19f2847d2ed73fa6d1a631a2181882ac3d0c6311f8f8b6aedde' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' 'c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3' -'f7c86f7aa4c7d671a5ff80bcd92a33db2fa6e95b78188261db0ef260a7d75cd8' '294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45' '721c387db986d883a6df6b0da17941ce6d59811b0647ae6653b978c5ee144f19' -'086f6ab16a6894db5444007d195f779322f3a5792e7ca0e91a61d4e633ad8f26' +'c08d12c699398ef88b764be1837b9ee11f2efd3188bd1bf4e8f85dfbeee58148' '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9' 'b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5' '72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435' Deleted: Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch === --- Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch 2018-01-06 14:14:27 UTC (rev 279503) +++ Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch 2018-01-06 14:20:03 UTC (rev 279504) 
@@ -1,71 +0,0 @@ -From 94802151894d482e82c324edf2c658f8e6b96508 Mon Sep 17 00:00:00 2001 -From: Steffen Klassert -Date: Wed, 15 Nov 2017 06:40:57 +0100 -Subject: [PATCH] Revert "xfrm: Fix stack-out-of-bounds read in - xfrm_state_find." - -This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e. - -This commit breaks transport mode when the policy template -has widlcard addresses configured, so revert it. - -Signed-off-by: Steffen Klassert - net/xfrm/xfrm_policy.c | 29 ++--- - 1 file changed, 18 insertions(+), 11 deletions(-) - -diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c -index 2a6093840e7e..6bc16bb61b55 100644 a/net/xfrm/xfrm_policy.c -+++ b/net/xfrm/xfrm_policy.c -@
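Review bot: this change drops `Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch` and `x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch` and adds the drm-i915 patch for https://bugs.archlinux.org/task/56711, but the message `upgpkg: linux-hardened 4.14.12.a-1` gives no reason for the two removals; presumably both are in 4.14.12, and the message should say so, because one of them governs whether PTI is active on AMD systems and the other affects an IPsec fix. The sha256sums hunk is consistent with the source list (one sum removed, the sum in the PTI patch's position replaced by the drm-i915 one), so the mechanics look right; the deleted revert's own text is truncated here at the first xfrm_policy.c hunk header, so only its description is visible.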
[arch-commits] Commit in linux-hardened/trunk (5 files)
Date: Wednesday, January 3, 2018 @ 19:37:03 Author: anthraxx Revision: 278365 upgpkg: linux-hardened 4.14.11.a-1 (enable PTI) - drop patches added in upstream 4.11 release - add AMD patch for PTI Added: linux-hardened/trunk/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch Modified: linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config.x86_64 Deleted: linux-hardened/trunk/CVE-2017-17449-netlink-Add-netns-check-on-taps.patch linux-hardened/trunk/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch ---+ CVE-2017-17449-netlink-Add-netns-check-on-taps.patch | 43 - CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch | 74 -- PKGBUILD | 19 +- config.x86_64 |3 x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch | 15 ++ 5 files changed, 26 insertions(+), 128 deletions(-) Deleted: CVE-2017-17449-netlink-Add-netns-check-on-taps.patch === --- CVE-2017-17449-netlink-Add-netns-check-on-taps.patch2018-01-03 19:32:54 UTC (rev 278364) +++ CVE-2017-17449-netlink-Add-netns-check-on-taps.patch2018-01-03 19:37:03 UTC (rev 278365) 
@@ -1,43 +0,0 @@ -From 93c647643b48f0131f02e45da3bd367d80443291 Mon Sep 17 00:00:00 2001 -From: Kevin Cernekee -Date: Wed, 6 Dec 2017 12:12:27 -0800 -Subject: [PATCH] netlink: Add netns check on taps - -Currently, a nlmon link inside a child namespace can observe systemwide -netlink activity. Filter the traffic so that nlmon can only sniff -netlink messages from its own netns. - -Test case: - -vpnns -- bash -c "ip link add nlmon0 type nlmon; \ - ip link set nlmon0 up; \ - tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" & -sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \ -spi 0x1 mode transport \ -auth sha1 0x616263313233 \ -enc aes 0x -grep --binary abc123 /tmp/nlmon.pcap - -Signed-off-by: Kevin Cernekee -Signed-off-by: David S. Miller - net/netlink/af_netlink.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index b9e0ee4e22f5..79cc1bf36e4a 100644 a/net/netlink/af_netlink.c -+++ b/net/netlink/af_netlink.c -@@ -253,6 +253,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb, - struct sock *sk = skb->sk; - int ret = -ENOMEM; - -+ if (!net_eq(dev_net(dev), sock_net(sk))) -+ return 0; -+ - dev_hold(dev); - - if (is_vmalloc_addr(skb->head)) --- -2.15.1 - Deleted: CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch === --- CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch 2018-01-03 19:32:54 UTC (rev 278364) +++ CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch 2018-01-03 19:37:03 UTC (rev 278365) 
@@ -1,74 +0,0 @@ -From 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 Mon Sep 17 00:00:00 2001 -From: Mohamed Ghannam -Date: Sun, 10 Dec 2017 03:50:58 + -Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg - -inet->hdrincl is racy, and could lead to uninitialized stack pointer -usage, so its value should be read only once. - -Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt") -Signed-off-by: Mohamed Ghannam -Reviewed-by: Eric Dumazet -Signed-off-by: David S. Miller - net/ipv4/raw.c | 15 ++- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c -index 33b70bfd1122..125c1eab3eaa 100644 a/net/ipv4/raw.c -+++ b/net/ipv4/raw.c -@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) - int err; - struct ip_options_data opt_copy; - struct raw_frag_vec rfv; -+ int hdrincl; - - err = -EMSGSIZE; - if (len > 0x) - goto out; - -+ /* hdrincl should be READ_ONCE(inet->hdrincl) -+ * but READ_ONCE() doesn't work with bit fields -+ */ -+ hdrincl = inet->hdrincl; - /* -* Check the flags. -*/ -@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) - /* Linux does not mangle headers on raw sockets, -* so that IP options + IP_HDRINCL is non-sense. -*/ -- if (inet->hdrincl) -+ if (hdrincl) - goto done; - if (ipc.opt->opt.srr) { - if (!daddr) -@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct
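Review bot: the deleted `CVE-2017-17449-netlink-Add-netns-check-on-taps.patch` is the three-line `if (!net_eq(dev_net(dev), sock_net(sk))) return 0;` guard in `__netlink_deliver_tap_skb()`, and the deleted `CVE-2017-17712` patch is the `hdrincl = inet->hdrincl;` snapshot in `raw_sendmsg()` (its tail is cut off in this listing). The message says these were "added in upstream 4.11 release" while the package moves to 4.14.11.a-1, which reads like a typo for 4.14.11; please fix the message, since it is the only record of why two CVE fixes left the package. For "enable PTI", the summary shows `config.x86_64` changing 3 lines and the added `x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch` (15 lines), but neither appears in this listing, so the actual config toggle and the AMD exclusion cannot be reviewed here.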