Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org, car...@debian.org
Hi,
an API change in the Linux kernel 4.19.194-1 uploaded with the Buster
10.10 stable minor update caused a regression in
iptables-netflow-dkms/2.3-5 built from the iptables-netflow source
package. The upstream API change happened in 4.19.191:
- modules: mark ref_module static
Relevant bug reports:
* Debian: https://bugs.debian.org/990123
* Upstream: https://github.com/aabc/ipt-netflow/issues/177
I would like to upload an updated package of iptables-netflow to
buster-proposed-updates which cherry-picks two upstream patches (see
below under [Changes] for details) which fix the issue initially and
then also for updated stable kernel lines like those in Buster.
[ Reason ]
Linux upstream has been backporting a change from kernel 5.9 to stable
kernel releases which makes sure that kernel modules which claim to be
GPL licensed and use _GPL exports can no longer depend on symbols from
non-GPL modules. This has been solved by marking a function static,
i.e. no longer being usable by kernel modules.
The Debian kernel team stated in that it's unlikely that Linux kernel
upstream will revert the patches and they also stated that it's
unlikely that Debian's linux kernel will divert from upstream at this
point.
Context about this issue:
https://lore.kernel.org/lkml/20200730061027.29472-1-...@lst.de/
https://lore.kernel.org/stable/ymxnxqzcp0g1f...@kroah.com/
(Thanks to Salvatore Bonaccorso of the Debian kernel team for these
links and further reviews and suggestions on this issue!)
[ Impact ]
The package is currently no longer working after a reboot into a current
Buster 10.10 kernel as the DKMS kernel module fails to build with
current kernel headers (see #990123). It is currently still usable
with kernels before 4.19.194-1.
It will also no longer compile with non-Debian kernels of the stable
kernel lines 4.14 (version 4.14.233 and above) and 5.4 (version 5.4.11
and above). (Compilation of kernels above 5.9rc1 never worked with the
version in Buster.)
[ Tests ]
The .deb as generated when applying the debdiff below has been running in
production for about 1.5 weeks on two of my netflow generating
servers, first with kernel version 4.19.194-1, later with kernel
version 4.19.194-2, both with ABI 4.19.0-17-amd64.
I also tried installing it (aka compiling the DKMS module) on a box
which was still running linux-image-4.19.0-12-amd64 (package version
4.19.152-1 + headers) from October 2020. Since further Debian
kernels were also installed, I also successfully tested its compilation
against linux-{image,headers}-4.19.0-14-amd64 (package version
4.19.171-2).
No issues have been observed so far. Functionality is as expected.
[ Risks and Expected Regressions ]
The upstream patch https://github.com/aabc/ipt-netflow/commit/352cdb28
mostly removes CPP "#if LINUX_VERSION_CODE >= KERNEL_VERSION(…)"
blocks containing legacy code not needed for more modern kernels and
enables the modern code also for older releases.
As I read that upstream commit, this kernel module will now no longer
compile with (vanilla) kernels before 2.6.35 which seems to have
introduced the functionality which is now used instead of the function
made static in 5.9.0, 4.19.191 and other recent stable kernel
releases. (I didn't test any kernels other than those in Debian
Buster, though. For older kernels than 4.19.194-1 I just tested if the DKMS
module still compiles, not if it still works as before.)
Since upstream's approach also compiled against older stable kernels
than those affected by #990123 I took upstream's approach instead of
making those "#if LINUX_VERSION_CODE >= KERNEL_VERSION(…)" checks even
more complex by adding further constraints to list all the updated
stable kernels mentioned above.
[ Checklist ]
[√] *all* changes are documented in the d/changelog
[√] I reviewed all changes and I approve them
[√] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
Footnotes: * = Patch 1 (cherry-picked adfc6318) is already included in
Debian Unstable and Bullseye as a cherry-picked patch
from the currently most recent upstream 2.6 release. It
fixes the same issue for kernels 5.9 and above since
Debian package version 2.5.1-1, but its CPP
conditionals were not prepared for that "mark
ref_module static" change being backported to stable
kernel lines.
Patch 2 (cherry-picked 352cdb28) is not included in
Debian Unstable and Bullseye as it is only necessary
for kernels older than those in Unstable/Bullseye which
got that change from 5.9 backported.
[ Changes ]
The proposed package fixes #990123 by cherry-picking two upstream
commits in the same part of the code (I didn't want