Diffstat (limited to 'libre/linux-libre')
3 files changed, 64 insertions, 202 deletions
diff --git a/libre/linux-libre/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/libre/linux-libre/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch index c6b567471..fced98119 100644 --- a/libre/linux-libre/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch +++ b/libre/linux-libre/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch @@ -1,8 +1,7 @@ -From e71668257d1353a7bd428ec90f0871b038db813b Mon Sep 17 00:00:00 2001 +From 4272e4eff36395bf7e89550111219bede31013e2 Mon Sep 17 00:00:00 2001 From: Serge Hallyn <serge.hallyn@canonical.com> Date: Fri, 31 May 2013 19:12:12 +0100 -Subject: [PATCH 1/2] add sysctl to disallow unprivileged CLONE_NEWUSER by - default +Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> [bwh: Remove unneeded binary sysctl bits] @@ -54,7 +53,7 @@ index b69248e6f0e0..3b1cd11dc6dc 100644 if (err) goto bad_unshare_out; diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index ba4d9e85feb8..e88b93a850df 100644 +index d80bee8ff12e..ce7a1a5794a5 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -106,6 +106,9 @@ extern int core_uses_pid; diff --git a/libre/linux-libre/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch b/libre/linux-libre/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch deleted file mode 100644 index c092a69cb..000000000 --- a/libre/linux-libre/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -From 7a6c88347cc6dd3b0ade3be5e45cb932a07cec82 Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso <pablo@netfilter.org> -Date: Fri, 8 Mar 2019 00:58:53 +0100 -Subject: [PATCH 2/2] netfilter: nf_tables: fix set double-free in abort path - -The abort path can cause a double-free of an anonymous set. -Added-and-to-be-aborted rule looks like this: - -udp dport { 137, 138 } drop - -The to-be-aborted transaction list looks like this: - -newset -newsetelem -newsetelem -rule - -This gets walked in reverse order, so first pass disables the rule, the -set elements, then the set. - -After synchronize_rcu(), we then destroy those in same order: rule, set -element, set element, newset. - -Problem is that the anonymous set has already been bound to the rule, so -the rule (lookup expression destructor) already frees the set, when then -cause use-after-free when trying to delete the elements from this set, -then try to free the set again when handling the newset expression. - -Rule releases the bound set in first place from the abort path, this -causes the use-after-free on set element removal when undoing the new -element transactions. To handle this, skip new element transaction if -set is bound from the abort path. - -This is still causes the use-after-free on set element removal. To -handle this, remove transaction from the list when the set is already -bound. - -Joint work with Florian Westphal. 
- -Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path") -Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325 -Acked-by: Florian Westphal <fw@strlen.de> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - include/net/netfilter/nf_tables.h | 6 ++---- - net/netfilter/nf_tables_api.c | 17 +++++++++++------ - 2 files changed, 13 insertions(+), 10 deletions(-) - -diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h -index b4984bbbe157..3d58acf94dd2 100644 ---- a/include/net/netfilter/nf_tables.h -+++ b/include/net/netfilter/nf_tables.h -@@ -416,7 +416,8 @@ struct nft_set { - unsigned char *udata; - /* runtime data below here */ - const struct nft_set_ops *ops ____cacheline_aligned; -- u16 flags:14, -+ u16 flags:13, -+ bound:1, - genmask:2; - u8 klen; - u8 dlen; -@@ -1329,15 +1330,12 @@ struct nft_trans_rule { - struct nft_trans_set { - struct nft_set *set; - u32 set_id; -- bool bound; - }; - - #define nft_trans_set(trans) \ - (((struct nft_trans_set *)trans->data)->set) - #define nft_trans_set_id(trans) \ - (((struct nft_trans_set *)trans->data)->set_id) --#define nft_trans_set_bound(trans) \ -- (((struct nft_trans_set *)trans->data)->bound) - - struct nft_trans_chain { - bool update; -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index 4893f248dfdc..e1724f9d8b9d 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -127,7 +127,7 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) - list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { - if (trans->msg_type == NFT_MSG_NEWSET && - nft_trans_set(trans) == set) { -- nft_trans_set_bound(trans) = true; -+ set->bound = true; - break; - } - } -@@ -6617,8 +6617,7 @@ static void nf_tables_abort_release(struct nft_trans *trans) - nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); - break; - case NFT_MSG_NEWSET: -- if 
(!nft_trans_set_bound(trans)) -- nft_set_destroy(nft_trans_set(trans)); -+ nft_set_destroy(nft_trans_set(trans)); - break; - case NFT_MSG_NEWSETELEM: - nft_set_elem_destroy(nft_trans_elem_set(trans), -@@ -6691,8 +6690,11 @@ static int __nf_tables_abort(struct net *net) - break; - case NFT_MSG_NEWSET: - trans->ctx.table->use--; -- if (!nft_trans_set_bound(trans)) -- list_del_rcu(&nft_trans_set(trans)->list); -+ if (nft_trans_set(trans)->bound) { -+ nft_trans_destroy(trans); -+ break; -+ } -+ list_del_rcu(&nft_trans_set(trans)->list); - break; - case NFT_MSG_DELSET: - trans->ctx.table->use++; -@@ -6700,8 +6702,11 @@ static int __nf_tables_abort(struct net *net) - nft_trans_destroy(trans); - break; - case NFT_MSG_NEWSETELEM: -+ if (nft_trans_elem_set(trans)->bound) { -+ nft_trans_destroy(trans); -+ break; -+ } - te = (struct nft_trans_elem *)trans->data; -- - te->set->ops->remove(net, te->set, &te->elem); - atomic_dec(&te->set->nelems); - break; --- -2.21.0 - diff --git a/libre/linux-libre/PKGBUILD b/libre/linux-libre/PKGBUILD index b8a1499ef..6f8492b70 100644 --- a/libre/linux-libre/PKGBUILD +++ b/libre/linux-libre/PKGBUILD @@ -12,7 +12,7 @@ pkgbase=linux-libre # Build stock kernel #pkgbase=linux-libre-custom # Build kernel with a different name _srcbasever=5.0-gnu -_srcver=5.0.5-gnu +_srcver=5.0.6-gnu _replacesarchkernel=('linux%') # '%' gets replaced with _kernelname _replacesoldkernels=() # '%' gets replaced with _kernelname @@ -22,7 +22,7 @@ _srcname=linux-${_srcbasever%-*} _archpkgver=${_srcver%-*} pkgver=${_srcver//-/_} pkgrel=1 -rcnrel=armv7-x6 +rcnrel=armv7-x8 arch=(i686 x86_64 armv7h) url='https://linux-libre.fsfla.org/' license=(GPL2) 
@@ -32,18 +32,26 @@ options=('!strip') source=( "https://linux-libre.fsfla.org/pub/linux-libre/releases/$_srcbasever/linux-libre-$_srcbasever.tar.xz"{,.sign} "https://linux-libre.fsfla.org/pub/linux-libre/releases/$_srcver/patch-$_srcbasever-$_srcver.xz"{,.sign} - "https://repo.parabola.nu/other/linux-libre/logos/logo_linux_clut224.ppm"{,.sig} - "https://repo.parabola.nu/other/linux-libre/logos/logo_linux_mono.pbm"{,.sig} - "https://repo.parabola.nu/other/linux-libre/logos/logo_linux_vga16.ppm"{,.sig} - # the main kernel config files - config.i686 config.x86_64 config.armv7h - # pacman hooks for depmod and initramfs regeneration - 60-linux.hook 90-linux.hook - # standard config files for mkinitcpio ramdisk - linux.preset - # files for signing Chromebooks kernels - kernel.its kernel.keyblock kernel_data_key.vbprivk - # armv7h patches + "https://repo.parabola.nu/other/linux-libre/logos/logo_linux_"{clut224.ppm,vga16.ppm,mono.pbm}{,.sig} + config.i686 config.x86_64 config.armv7h # the main kernel config files + 60-linux.hook # pacman hook for depmod + 90-linux.hook # pacman hook for initramfs regeneration + linux.preset # standard config files for mkinitcpio ramdisk + "kernel"{.its,.keyblock,_data_key.vbprivk} # files for signing Chromebooks kernels + + # maintain the TTY over USB disconnects + # http://www.coreboot.org/EHCI_Gadget_Debug + 0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch + # fix Atmel maXTouch touchscreen support + # https://labs.parabola.nu/issues/877 + # http://www.fsfla.org/pipermail/linux-libre/2015-November/003202.html + 0002-fix-Atmel-maXTouch-touchscreen-support.patch + + # Arch's custom linux patches + 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch +) +source_armv7h=( + # armv7h patches, put in the source_armv7h variable just for a more comfortable loop patching "https://repo.parabola.nu/other/rcn-libre/patches/${_srcver%-*}/rcn-libre-${_srcver%-*}-$rcnrel.patch"{,.sig} 
0001-ARM-atags-add-support-for-Marvell-s-u-boot.patch 0002-ARM-atags-fdt-retrieve-MAC-addresses-from-Marvell-bo.patch @@ -54,11 +62,6 @@ source=( 0007-exynos4412-odroid-set-higher-minimum-buck2-regulator.patch 0008-ARM-dove-enable-ethernet-on-D3Plug.patch 0009-media-s5p-mfc-fix-incorrect-bus-assignment-in-virtua.patch - # other patches - 0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch - 0002-fix-Atmel-maXTouch-touchscreen-support.patch - 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch ) validpgpkeys=( '474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva 
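Review bot: Dropping `0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch` from `source` leaves no record of why a fix for a use-after-free/double-free in the nf_tables transaction abort path can go, and the new header `# Arch's custom linux patches` does not say so either. The same commit moves `_srcver` to 5.0.6-gnu, so presumably the 5.0.6 stable base now carries that fix upstream; that is worth confirming against the 5.0.6 changelog rather than assumed, since the page shows no commit message stating it. I would record it where the patch list lives, e.g. `# Arch's custom linux patches (the nf_tables abort-path double-free fix formerly carried here is in the 5.0.6 base)`. The `source_armv7h` comment should also spell out the consequence for prepare(): every entry of either array whose basename ends in `.patch` is applied, in array order, so position and the `.patch` suffix are now load-bearing.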
@@ -66,14 +69,14 @@ validpgpkeys=(
 )
 sha512sums=('56b8e77eb445c92c3e0ec0dc45fa5fb09641cad18003b79991652b83cf1d96cc1651750dfa9eec15652108a1b8aff1781c4f8ec5f92784b8542e59e0605922d9'
 'SKIP'
- '5331dacd07dca625cebb3a05cf9779fd2d9260d78cec072508a360506c2fcc23a8783b3961c8438849d0155ab9f00d2f907fe2329d5734fac9cba637ce06529c'
+ 'c015da00812cfc9cb16e408807338d2e09270e3b33deb85c5cab36e9c2e6155dbc2a3653d744de272032d524bbb59b428984debf1369e42b788b51caf4591526'
 'SKIP'
 '13cb5bc42542e7b8bb104d5f68253f6609e463b6799800418af33eb0272cc269aaa36163c3e6f0aacbdaaa1d05e2827a4a7c4a08a029238439ed08b89c564bb3'
 'SKIP'
- '267295aa0cea65684968420c68b32f1a66a22d018b9d2b2c1ef14267bcf4cb68aaf7099d073cbfefe6c25c8608bdcbbd45f7ac8893fdcecbf1e621abdfe9ecc1'
- 'SKIP'
 '7a3716bfe3b9f546da309c7492f3e08f8f506813afeb1c737a474c83313d5c313cf4582b65215c2cfce3b74d9d1021c96e8badafe8f6e5b01fe28d2b5c61ae78'
 'SKIP'
+ '267295aa0cea65684968420c68b32f1a66a22d018b9d2b2c1ef14267bcf4cb68aaf7099d073cbfefe6c25c8608bdcbbd45f7ac8893fdcecbf1e621abdfe9ecc1'
+ 'SKIP'
 '70776ba8c99c778acd48e22d1396ef5e6419a6f78828776067b32081e345ba82510f05bae2d4cf07a2cb8b00406c607c38097425ff9cad9dabac6ff9c3f7feeb'
 'd676726b536ea6bf255e5fd70ed0dbd97fa24ec29b6a6a36f438705b2be4c842127b2f5bd7b5270d99588fa75e3d3674d28113defcd665f11feb518022f032a3'
 '4b9e98e440426036fd9330b5a2408ceb9a871b14e9686933c43678bc9f55020df48d177bbd1c4333fe84dc95db095cc6043cfe421b4e2ea954d6ffbe2b8c7dda'
@@ -83,21 +86,20 @@ sha512sums=('56b8e77eb445c92c3e0ec0dc45fa5fb09641cad18003b79991652b83cf1d96cc165
 '167bc73c6c1c63931806238905dc44c7d87c5a5c0f6293159f2133dfe717fb44081018d810675716d1605ec7dff5e8333b87b19e09e2de21d0448e447437873b'
 'bb6718984a7357c9b00c37e4788480e5b8b75018c172ecc1441bc3fc5d2d42444eb5d8c7f9d2e3a7d6fed6d03acb565e3c0559486e494c40a7fe6bd0570c9ede'
 '143dea30c6da00e504c99984a98a0eb2411f558fcdd9dfa7f607d6c14e9e7dffff9cb00121d9317044b07e3e210808286598c785ee854084b993ec9cb14d8232'
- '86efeee41eff41928ce2ce8926dc11d34799437d415cf51239ee7e9cf04b82a20cbb6d11b89af2ae7c6c0464afb57369133093653acaf3a0e0ff9d7630d00834'
- 'SKIP'
- '6e2eed5e047d95a825241bf30bd09e3edad7787f1f742ca5cf3cf53f4f1383ca7ede306f12cf522fa1175930b3dde550994ef085bf6d93761babfe976dc94ca2'
- '32a185f7d8b93e8cb70bee0d32eb6876ac0a976abe550ec83de1fc57963b0879872831c671f4aa5281b4def9bf81660c92809047eda9a9ada939bdf5b7d32dbc'
- 'b523cc0978f6426162d8ef82dc44763fca7ca57c8bf3b2b27549d7ed7d873389ba3acf00dfe5576ceef991d31ba39613c3203195cb5a91900330c997c9b0efff'
- 'd85f97025f21c26b438afb599af13939bae3ff769c1d1055bdcf9130a1449703a26ecf04ce715390570c14d6b91b693e7b220e7cff0576f9775990ee2fe75113'
- 'a3b846c5a79afdfc5233ba5020cb8fc91bad0864bd811204f29191f8b2e7dd76cb19d8fa38cac55ad3adbbd4126f3b2102b03016fe9423bd7d0d252ed1b4c460'
- 'd547f6ef7f876690092622c7b7de6995b972e46f25b34fac92b301d90ad7b04f993341346bbc54284e5338e5bbf76ccdfa42485842ed0a0b4a8414cf8a16412a'
- 'b3cc320e6414c6a9a287df405cc6768cbc204bd859189c4c3f6902e55fd425ad7f05743ea6db3996c99a49f6b3a175d83c8fb05fd4314c2b1a3df52e8b1b16f3'
- 'bed58fede674b139e470a2593c3d07f61f7f771d86ce137a5cf7e1b5cc53a8c2127439f7ef2bee9daaf554555f6cb9bb80cf35bbe6a6adf10a04cb5a93d0cc8f'
- '17b09c80b0c235a5395c350c2b1acfda1c549c5bb6017f6a7056a84686fe23d7983a40f416cfc1da075523ad87d39ff4ff7b4057a275705679830db15b621991'
 '02af4dd2a007e41db0c63822c8ab3b80b5d25646af1906dc85d0ad9bb8bbf5236f8e381d7f91cf99ed4b0978c50aee37cb9567cdeef65b7ec3d91b882852b1af'
 'b8fe56e14006ab866970ddbd501c054ae37186ddc065bb869cf7d18db8c0d455118d5bda3255fb66a0dde38b544655cfe9040ffe46e41d19830b47959b2fb168'
- '0016e750127728458ab23ef445f92a8b52064806f235c03dd92e699a8bfb397d6274f6ba484a99af19ed729f6c63bab714bd350c7e7ed82c30a4b62b29857ff7'
- '8348ecfeec519a41c68f1a97ec4b6007b3ed5ed61c271733d562ae22c6c85e4e217eb6c367bb53f3c53ad72f311360bd3aa57d09fba7cda358748c2bdd0416c2')
+ '7748427819372a27b5aa9b3ce8cc8c75397bc3a76ac4fddd06f497ce5a1b34c2e15b6301e764e6e007ad66a49bb3f9c49e906c179875e115d213d2682ddb2576')
+sha512sums_armv7h=('4f185601aa569db7ee2033d6360f284aede970ea02093fdbfe25e2a3bc7463b55180678192974ce38e425ea3ecb8193a58cb7442c9390429c1dabd13afc9be8e'
+ 'SKIP'
+ '6e2eed5e047d95a825241bf30bd09e3edad7787f1f742ca5cf3cf53f4f1383ca7ede306f12cf522fa1175930b3dde550994ef085bf6d93761babfe976dc94ca2'
+ '32a185f7d8b93e8cb70bee0d32eb6876ac0a976abe550ec83de1fc57963b0879872831c671f4aa5281b4def9bf81660c92809047eda9a9ada939bdf5b7d32dbc'
+ 'b523cc0978f6426162d8ef82dc44763fca7ca57c8bf3b2b27549d7ed7d873389ba3acf00dfe5576ceef991d31ba39613c3203195cb5a91900330c997c9b0efff'
+ 'd85f97025f21c26b438afb599af13939bae3ff769c1d1055bdcf9130a1449703a26ecf04ce715390570c14d6b91b693e7b220e7cff0576f9775990ee2fe75113'
+ 'a3b846c5a79afdfc5233ba5020cb8fc91bad0864bd811204f29191f8b2e7dd76cb19d8fa38cac55ad3adbbd4126f3b2102b03016fe9423bd7d0d252ed1b4c460'
+ 'd547f6ef7f876690092622c7b7de6995b972e46f25b34fac92b301d90ad7b04f993341346bbc54284e5338e5bbf76ccdfa42485842ed0a0b4a8414cf8a16412a'
+ 'b3cc320e6414c6a9a287df405cc6768cbc204bd859189c4c3f6902e55fd425ad7f05743ea6db3996c99a49f6b3a175d83c8fb05fd4314c2b1a3df52e8b1b16f3'
+ 'bed58fede674b139e470a2593c3d07f61f7f771d86ce137a5cf7e1b5cc53a8c2127439f7ef2bee9daaf554555f6cb9bb80cf35bbe6a6adf10a04cb5a93d0cc8f'
+ '17b09c80b0c235a5395c350c2b1acfda1c549c5bb6017f6a7056a84686fe23d7983a40f416cfc1da075523ad87d39ff4ff7b4057a275705679830db15b621991')
 
 _kernelname=${pkgbase#linux-libre}
 _replacesarchkernel=("${_replacesarchkernel[@]/\%/${_kernelname}}")
@@ -117,47 +119,39 @@ prepare() { patch -p1 -i ../patch-$_srcbasever-$_srcver fi - if [ "$CARCH" = "armv7h" ]; then - # RCN patch (CM3 firmware deblobbed and AUFS/WireGuard removed) - # Note: For stability reasons, AUFS has been removed in the RCN patch. - # We are supporting AUFS in linux-libre-pck through PCK patch. - # See https://wiki.parabola.nu/PCK for further details. - patch -p1 -i ../rcn-libre-${_srcver%-*}-$rcnrel.patch - - # ALARM patches - patch -p1 -i ../0001-ARM-atags-add-support-for-Marvell-s-u-boot.patch - patch -p1 -i ../0002-ARM-atags-fdt-retrieve-MAC-addresses-from-Marvell-bo.patch - patch -p1 -i ../0003-SMILE-Plug-device-tree-file.patch - patch -p1 -i ../0004-fix-mvsdio-eMMC-timing.patch - patch -p1 -i ../0005-net-smsc95xx-Allow-mac-address-to-be-set-as-a-parame.patch - patch -p1 -i ../0006-set-default-cubietruck-led-triggers.patch - patch -p1 -i ../0007-exynos4412-odroid-set-higher-minimum-buck2-regulator.patch - patch -p1 -i ../0008-ARM-dove-enable-ethernet-on-D3Plug.patch - patch -p1 -i ../0009-media-s5p-mfc-fix-incorrect-bus-assignment-in-virtua.patch - fi - # add freedo as boot logo install -m644 -t drivers/video/logo \ ../logo_linux_{clut224.ppm,vga16.ppm,mono.pbm} - # add Arch patches - patch -p1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - patch -p1 -i ../0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch - - # maintain the TTY over USB disconnects - # http://www.coreboot.org/EHCI_Gadget_Debug - patch -p1 -i ../0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch - - # fix Atmel maXTouch touchscreen support - # https://labs.parabola.nu/issues/877 - # http://www.fsfla.org/pipermail/linux-libre/2015-November/003202.html - patch -p1 -i ../0002-fix-Atmel-maXTouch-touchscreen-support.patch - msg2 "Setting version..." 
scripts/setlocalversion --save-scmversion echo "-$pkgrel" > localversion.10-pkgrel echo "$_kernelname" > localversion.20-pkgname + if [ "$CARCH" = "armv7h" ]; then + # RCN patch (CM3 firmware deblobbed and AUFS/WireGuard removed) + # Note: For stability reasons, AUFS has been removed in the RCN patch. + # We are supporting AUFS in linux-libre-pck through PCK patch. + # See https://wiki.parabola.nu/PCK for further details. + local src_armv7h + for src_armv7h in "${source_armv7h[@]}"; do + src_armv7h="${src_armv7h%%::*}" + src_armv7h="${src_armv7h##*/}" + [[ $src_armv7h = *.patch ]] || continue + msg2 "Applying patch $src_armv7h..." + patch -Np1 < "../$src_armv7h" + done + fi + + local src + for src in "${source[@]}"; do + src="${src%%::*}" + src="${src##*/}" + [[ $src = *.patch ]] || continue + msg2 "Applying patch $src..." + patch -Np1 < "../$src" + done + msg2 "Setting config..." cp ../config.$CARCH .config make olddefconfig |
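Review bot: The two patch loops select by `[[ $src = *.patch ]]` on the basename, so which patches are applied and in what order is now implicit in the `source`/`source_armv7h` arrays rather than listed in prepare(), and nothing in the function says so; a maintainer who later adds a `.patch` to `source` for another purpose, or names one `.diff`, gets it silently applied or silently skipped. I would add above the first loop `# every *.patch listed in source_armv7h (armv7h only) and then in source is applied, in array order`. The loops are identical apart from the array, so a file-scope helper taking `"$@"` (sketched below) would remove the duplication and give the rule one home. Separately, `scripts/setlocalversion --save-scmversion` and the localversion files are now written before the patches instead of after; building from a release tarball this is probably inconsequential, but it is an ordering change the hunk does not explain.
```shell
_apply_patches() {
  local src
  for src in "$@"; do
    src="${src%%::*}"
    src="${src##*/}"
    [[ $src = *.patch ]] || continue
    msg2 "Applying patch $src..."
    patch -Np1 < "../$src"
  done
}
# … unchanged: prepare() up to the localversion files …
if [ "$CARCH" = "armv7h" ]; then
  _apply_patches "${source_armv7h[@]}"
fi
_apply_patches "${source[@]}"
```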