From bf552271557d0d4554a0303b40a785d1cd07e0b0 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 16 Jan 2024 16:04:40 +0300 Subject: [PATCH 1/2] Import EL kernel-4.18.0-513.11.1.el8_9 --- .gitignore | 2 +- .kernel.metadata | 6 +- SOURCES/debrand-rh-i686-cpu.patch | 12 + SOURCES/debrand-single-cpu.patch | 11 + ...ebrand-specific-versions-of-hardware.patch | 12 + SPECS/kernel.spec | 224 ++++++++++++++---- 6 files changed, 220 insertions(+), 47 deletions(-) create mode 100644 SOURCES/debrand-rh-i686-cpu.patch create mode 100644 SOURCES/debrand-single-cpu.patch create mode 100644 SOURCES/debrand-specific-versions-of-hardware.patch diff --git a/.gitignore b/.gitignore index 982e67d..5fed0c9 100644 --- a/.gitignore +++ b/.gitignore @@ -2,7 +2,7 @@ SOURCES/centossecureboot201.cer SOURCES/centossecurebootca2.cer SOURCES/kernel-abi-stablelists-4.18.0-513.tar.bz2 SOURCES/kernel-kabi-dw-4.18.0-513.tar.bz2 -SOURCES/linux-4.18.0-513.9.1.el8_9.tar.xz +SOURCES/linux-4.18.0-513.11.1.el8_9.tar.xz SOURCES/redhatsecureboot302.cer SOURCES/redhatsecureboot303.cer SOURCES/redhatsecureboot501.cer diff --git a/.kernel.metadata b/.kernel.metadata index d0a69e4..7a428a2 100644 --- a/.kernel.metadata +++ b/.kernel.metadata @@ -1,8 +1,8 @@ 2ba40bf9138b48311e5aa1b737b7f0a8ad66066f SOURCES/centossecureboot201.cer bfdb3d7cffc43f579655af5155d50c08671d95e5 SOURCES/centossecurebootca2.cer -b7c81f7a4572b627bf2df9213d715e3e74c1c394 SOURCES/kernel-abi-stablelists-4.18.0-513.tar.bz2 -26df1b50927ada39cecb1b9e86331fcbd0c21c65 SOURCES/kernel-kabi-dw-4.18.0-513.tar.bz2 -b66c16f3dbd5a47089d5552283162e6b403b3919 SOURCES/linux-4.18.0-513.9.1.el8_9.tar.xz +6bac4f0d78ba0bb5ead1fb8246e3696a463e9b07 SOURCES/kernel-abi-stablelists-4.18.0-513.tar.bz2 +98694c1cb92f1ff948a817c610e83f44cdefdc46 SOURCES/kernel-kabi-dw-4.18.0-513.tar.bz2 +8e36f68bdc4846384ae9835f703e877318c66d1c SOURCES/linux-4.18.0-513.11.1.el8_9.tar.xz 13e5cd3f856b472fde80a4deb75f4c18dfb5b255 SOURCES/redhatsecureboot302.cer e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot303.cer ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer diff --git a/SOURCES/debrand-rh-i686-cpu.patch b/SOURCES/debrand-rh-i686-cpu.patch new file mode 100644 index 0000000..d064ea0 --- /dev/null +++ b/SOURCES/debrand-rh-i686-cpu.patch @@ -0,0 +1,12 @@ +--- a/arch/x86/boot/main.c 2019-03-13 04:04:53.000000000 -0700 ++++ b/arch/x86/boot/main.c 2019-05-25 14:31:21.043272496 -0700 +@@ -147,7 +147,7 @@ void main(void) + + /* Make sure we have all the proper CPU support */ + if (validate_cpu()) { +- puts("This processor is not supported in this version of RHEL.\n"); ++ puts("This processor is not supported in this version of EuroLinux.\n"); + die(); + } + + diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch new file mode 100644 index 0000000..c84dfcd --- /dev/null +++ b/SOURCES/debrand-single-cpu.patch @@ -0,0 +1,11 @@ +--- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700 ++++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700 +@@ -900,7 +900,7 @@ static void rh_check_supported(void) + if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) && + !guest && is_kdump_kernel()) { + pr_crit("Detected single cpu native boot.\n"); +- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems."); ++ pr_crit("Important: In EuroLinux 8, single threaded, single CPU 64-bit physical systems are unsupported."); + } + + /* diff --git a/SOURCES/debrand-specific-versions-of-hardware.patch b/SOURCES/debrand-specific-versions-of-hardware.patch new file mode 100644 index 0000000..25a43ba --- /dev/null +++ b/SOURCES/debrand-specific-versions-of-hardware.patch @@ -0,0 +1,12 @@ +diff -urN linux-4.18.0-477.27.1.el8_8/init/main.c linux-4.18.0-477.27.1.el8_8p/init/main.c +--- linux-4.18.0-477.27.1.el8_8/init/main.c 2023-08-31 16:01:50.000000000 +0200 ++++ linux-4.18.0-477.27.1.el8_8p/init/main.c 2023-09-20 14:02:16.439638219 +0200 +@@ -576,7 +576,7 @@ + page_alloc_init(); + + pr_notice("Kernel command line: %s\n", boot_command_line); +- pr_notice("Specific versions of hardware are certified with Red Hat Enterprise Linux 8. Please see the list of hardware certified with Red Hat Enterprise Linux 8 at https://catalog.redhat.com.\n"); ++ pr_notice("Specific versions of hardware are certified with EuroLinux 8. Since EuroLinux is binary compatible with RHEL, please see the list of certified hardware at https://catalog.redhat.com.\n"); + /* parameters may set static keys */ + jump_label_init(); + parse_early_param(); diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 23b6b6f..bd82723 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -37,11 +37,11 @@ # define buildid .local -%define rpmversion 4.18.0 -%define pkgrelease 513.9.1.el8_9 +%define specversion 4.18.0 +%define pkgrelease 513.11.1.el8_9 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 513.9.1%{?dist} +%define specrelease 513.11.1%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -324,11 +324,24 @@ %define initrd_prereq dracut >= 027 +# EuroLinux override +# Normaly this should be done in rpmmacros, but because the packages must be rebuildable with beast +# we have to change this here + +%define with_doc 1 +%define with_kabichk 1 +%define with_kernel_abi_whitelists 1 +%global signkernel 0 +%global signmodules 0 + +# End of EuroLinux override + + Name: kernel%{?variant} Group: System Environment/Kernel License: GPLv2 and Redistributable, no modification permitted URL: http://www.kernel.org/ -Version: %{rpmversion} +Version: %{specversion} Release: %{pkg_release} Summary: The Linux kernel, based on version %{version}, heavily modified with backports %if %{with_realtime} @@ -435,7 +448,7 @@ BuildRequires: xmlto BuildRequires: asciidoc %endif -Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz +Source0: linux-%{specversion}-%{pkgrelease}.tar.xz Source9: x509.genkey @@ -522,8 +535,8 @@ Source211: Module.kabi_dup_ppc64le Source212: Module.kabi_dup_s390x Source213: Module.kabi_dup_x86_64 -Source300: kernel-abi-stablelists-%{rpmversion}-%{distro_build}.tar.bz2 -Source301: kernel-kabi-dw-%{rpmversion}-%{distro_build}.tar.bz2 +Source300: kernel-abi-stablelists-%{specversion}-%{distro_build}.tar.bz2 +Source301: kernel-kabi-dw-%{specversion}-%{distro_build}.tar.bz2 %endif %if %{with_realtime} @@ -544,14 +557,17 @@ Source4001: rpminspect.yaml # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch +Patch1000: debrand-rh-i686-cpu.patch +Patch1002: debrand-single-cpu.patch +Patch1003: debrand-specific-versions-of-hardware.patch # END OF PATCH DEFINITIONS BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root %description -This is the package which provides the Linux %{name} for Red Hat Enterprise -Linux. It is based on upstream Linux at version %{version} and maintains kABI +This is the package which provides the Linux %{name} for EuroLinux. +It is based on upstream Linux at version %{version} and maintains kABI compatibility of a set of approved symbols, however it is heavily modified with backports and fixes pulled from newer upstream Linux %{name} releases. This means this is not a %{version} kernel anymore: it includes several components which come @@ -559,7 +575,7 @@ from newer upstream linux versions, while maintaining a well tested and stable core. Some of the components/backports that may be pulled in are: changes like updates to the core kernel (eg.: scheduler, cgroups, memory management, security fixes and features), updates to block layer, supported filesystems, major driver -updates for supported hardware in Red Hat Enterprise Linux, enhancements for +updates for supported hardware in EuroLinux, enhancements for enterprise customers, etc. # @@ -569,8 +585,8 @@ enterprise customers, etc. # macros defined above. # %define kernel_reqprovconf \ -Provides: %{name} = %{rpmversion}-%{pkg_release}\ -Provides: %{name}-%{_target_cpu} = %{rpmversion}-%{pkg_release}%{?1:+%{1}}\ +Provides: %{name} = %{specversion}-%{pkg_release}\ +Provides: %{name}-%{_target_cpu} = %{specversion}-%{pkg_release}%{?1:+%{1}}\ Provides: kernel-drm-nouveau = 16\ Provides: %{name}-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ Requires(pre): %{kernel_prereq}\ @@ -613,8 +629,8 @@ Group: Development/System Obsoletes: glibc-kernheaders < 3.0-46 Provides: glibc-kernheaders = 3.0-46 %if "0%{?variant}" -Obsoletes: kernel-headers < %{rpmversion}-%{pkg_release} -Provides: kernel-headers = %{rpmversion}-%{pkg_release} +Obsoletes: kernel-headers < %{specversion}-%{pkg_release} +Provides: kernel-headers = %{specversion}-%{pkg_release} %endif %description headers Kernel-headers includes the C header files that specify the interface @@ -807,14 +823,14 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio %endif %package -n %{name}-abi-stablelists -Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists +Summary: The EuroLinux kernel ABI symbol stablelists Group: System Environment/Kernel AutoReqProv: no -Obsoletes: %{name}-abi-whitelists < %{rpmversion}-%{pkg_release} +Obsoletes: %{name}-abi-whitelists < %{specversion}-%{pkg_release} Provides: %{name}-abi-whitelists %description -n %{name}-abi-stablelists -The kABI package contains information pertaining to the Red Hat Enterprise -Linux kernel ABI, including lists of kernel symbols that are needed by +The kABI package contains information pertaining to the EuroLinux +kernel ABI, including lists of kernel symbols that are needed by external Linux kernel modules, and a yum plugin to aid enforcement. %if %{with_kabidw_base} @@ -823,8 +839,8 @@ Summary: The baseline dataset for kABI verification using DWARF data Group: System Environment/Kernel AutoReqProv: no %description kernel-kabidw-base-internal -The package contains data describing the current ABI of the Red Hat Enterprise -Linux kernel, suitable for the kabi-dw tool. +The package contains data describing the current ABI of the EuroLinux +kernel, suitable for the kabi-dw tool. %endif # @@ -898,7 +914,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ AutoReq: no\ AutoProv: yes\ %description %{?1:%{1}-}modules-internal\ -This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\ +This package provides kernel modules for the %{?2:%{2} }kernel package for EuroLinux internal usage.\ %{nil} # @@ -1070,7 +1086,7 @@ ApplyPatch() if ! grep -E "^Patch[0-9]+: $patch\$" %{_specdir}/${RPM_PACKAGE_NAME%%%%%{?variant}}.spec ; then if [ "${patch:0:8}" != "patch-4." ] ; then echo "ERROR: Patch $patch not listed as a source patch in specfile" - exit 1 + # exit 1 fi fi 2>/dev/null case "$patch" in @@ -1095,11 +1111,14 @@ ApplyOptionalPatch() fi } -%setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c -mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL} +%setup -q -n %{name}-%{specversion}-%{pkgrelease} -c +mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} +ApplyOptionalPatch debrand-single-cpu.patch +#ApplyOptionalPatch debrand-rh_taint.patch +ApplyOptionalPatch debrand-rh-i686-cpu.patch ApplyOptionalPatch linux-kernel-test.patch # END OF PATCH APPLICATIONS @@ -1184,7 +1203,7 @@ done %endif cp %{SOURCE42} . -./process_configs.sh -w -c %{name} %{rpmversion} %{?cross_opts} +./process_configs.sh -w -c %{name} %{specversion} %{?cross_opts} # end of kernel config %endif @@ -1750,20 +1769,20 @@ BuildKernel() { # build a BLS config for this kernel %{SOURCE43} "$KernelVer" "$RPM_BUILD_ROOT" "%{?variant}" - # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel - mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - %ifarch s390x ppc64le - if [ $DoModules -eq 1 ]; then - if [ -x /usr/bin/rpm-sign ]; then - install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} - else - install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} - chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} - fi - fi - %endif +# # EuroLinux UEFI Secure Boot CA cert, which can be used to authenticate the kernel +# mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer +# install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer +# %ifarch s390x ppc64le +# if [ $DoModules -eq 1 ]; then +# if [ -x /usr/bin/rpm-sign ]; then +# install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} +# else +# install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer +# openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} +# chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} +# fi +# fi +# %endif %if %{with_ipaclones} MAXPROCS=$(echo %{?_smp_mflags} | sed -n 's/-j\s*\([0-9]\+\)/\1/p') @@ -1990,7 +2009,7 @@ find Documentation -type d | xargs chmod u+w cd linux-%{KVERREL} %if %{with_doc} -docdir=$RPM_BUILD_ROOT%{_datadir}/doc/kernel-doc-%{rpmversion}-%{pkgrelease} +docdir=$RPM_BUILD_ROOT%{_datadir}/doc/kernel-doc-%{specversion}-%{pkgrelease} # copy the source over mkdir -p $docdir @@ -2467,9 +2486,9 @@ fi %if %{with_doc} %files doc %defattr(-,root,root) -%{_datadir}/doc/kernel-doc-%{rpmversion}-%{pkgrelease}/Documentation/* -%dir %{_datadir}/doc/kernel-doc-%{rpmversion}-%{pkgrelease}/Documentation -%dir %{_datadir}/doc/kernel-doc-%{rpmversion}-%{pkgrelease} +%{_datadir}/doc/kernel-doc-%{specversion}-%{pkgrelease}/Documentation/* +%dir %{_datadir}/doc/kernel-doc-%{specversion}-%{pkgrelease}/Documentation +%dir %{_datadir}/doc/kernel-doc-%{specversion}-%{pkgrelease} %endif %if %{with_perf} @@ -2696,6 +2715,125 @@ fi # # %changelog +* Fri Jan 12 2024 EuroLinux Autopatch +- Added Patch: debrand-rh-i686-cpu.patch +--> i686 info debrand +- Added Patch: debrand-single-cpu.patch +--> Single cpu debrand +- Added Patch: debrand-specific-versions-of-hardware.patch +--> Specific versions of hardware debrand + +* Thu Dec 07 2023 Patrick Talbert [4.18.0-513.11.1.el8_9] +- redhat: fix to be able to build with rpm 4.19.0 (Denys Vlasenko) +- blk-mq: enforce op-specific segment limits in blk_insert_cloned_request (Ming Lei) [RHEL-14718 RHEL-14504] +- KVM: x86: Add SBPB support (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- KVM: x86: Add IBPB_BRTYPE support (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/retpoline: Document some thunk handling aspects (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Remove unnecessary semicolon (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/rethunk: Use SYM_CODE_START[_LOCAL]_NOALIGN macros (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Disentangle rethunk-dependent options (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Move retbleed IBPB check into existing 'has_microcode' code block (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/bugs: Remove default case for fully switched enums (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Remove 'pred_cmd' label (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Unexport untraining functions (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Improve i-cache locality for alias mitigation (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Fix vulnerability reporting for missing microcode (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Print mitigation for retbleed IBPB case (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Print actual mitigation if requested mitigation isn't possible (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Fix SBPB enablement for (possible) future fixed HW (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/alternatives: Remove faulty optimization (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Don't probe microcode in a guest (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Set CPUID feature bits independently of bug or mitigation status (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Fix srso_show_state() side effect (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/cpu: Fix amd_check_microcode() declaration (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/CPU/AMD: Remove amd_get_topology_early() (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Correct the mitigation status when SMT is disabled (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Explain the untraining sequences a bit more (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/cpu/kvm: Provide UNTRAIN_RET_VM (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/cpu: Cleanup the untrain mess (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/cpu: Rename srso_(.*)_alias to srso_alias_\1 (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/cpu: Rename original retbleed methods (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/cpu: Clean up SRSO return thunk mess (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/alternative: Make custom return thunk unconditional (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- objtool/x86: Fix SRSO mess (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk() (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/cpu: Fix __x86_return_thunk symbol type (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/retpoline,kprobes: Fix position of thunk sections with CONFIG_LTO_CLANG (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Disable the mitigation on unaffected configurations (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/CPU/AMD: Fix the DIV(0) initial fix attempt (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/retpoline: Don't clobber RFLAGS during srso_safe_ret() (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405 (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- driver core: cpu: Fix the fallback cpu_show_gds() name (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86: Move gds_ucode_mitigated() declaration to header (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/speculation: Add cpu_show_gds() prototype (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- driver core: cpu: Make cpu_show_not_affected() static (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Fix build breakage with the LLVM linker (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- Documentation/srso: Document IBPB aspect and fix formatting (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- driver core: cpu: Unify redundant silly stubs (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/CPU/AMD: Do not leak quotient data after a division by 0 (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Tie SBPB bit setting to microcode patch detection (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Add a forgotten NOENDBR annotation (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Fix return thunks in generated code (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Add IBPB on VMEXIT (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Add IBPB (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Add SRSO_NO support (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Add IBPB_BRTYPE support (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/srso: Add a Speculative RAS Overflow mitigation (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/retbleed: Add __x86_return_thunk alignment checks (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/retbleed: Fix return thunk alignment (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/alternative: Optimize returns patching (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/microcode/AMD: Load late on both threads too (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86/returnthunk: Allow different return thunks (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- x86: Sanitize linker script (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- objtool: Fix .return_sites generation (Waiman Long) [RHEL-14115 RHEL-9298] {CVE-2023-20569} +- drm/amdgpu: Fix possible null pointer dereference (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/amdgpu: Fix possible null pointer dereference (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Keep a gem reference to user bos in surfaces (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: fix typo of sizeof argument (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Fix possible invalid drm gem put calls (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Fix shader stage validation (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: remove unused vmw_overlay function (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Fix Legacy Display Unit atomic drm support (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Print errors when running on broken/unsupported configs (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Drop mksstat_init_record fn as currently unused (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Fix src/dst_pitch confusion (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Replace one-element array with flexible-array member (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Do not drop the reference to the handle too soon (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Stop accessing buffer objects which failed init (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Make the driver work without the dummy resources (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Stop using raw ttm_buffer_object's (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Abstract placement selection (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Rename dummy to is_iomem (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Cleanup the vmw bo usage in the cursor paths (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Simplify fb pinning (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Rename vmw_buffer_object to vmw_bo (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Remove the duplicate bo_free function (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/vmwgfx: Use the common gem mmap instead of the custom code (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/radeon: handle NULL bo->resource in move callback (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/qxl: handle NULL bo->resource in move callback (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/gem-vram: handle NULL bo->resource in move callback (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/ttm: prevent moving of pinned BOs (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/ttm: stop allocating a dummy resource for pipelined gutting (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/ttm: stop allocating dummy resources during BO creation (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/ttm: clear the ttm_tt when bo->resource is NULL (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- drm/i915/ttm: audit remaining bo->resource (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- Revert "drm/vmwgfx: Stop accessing buffer objects which failed init" (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- Revert "drm/vmwgfx: Do not drop the reference to the handle too soon" (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} +- Revert "drm/vmwgfx: Fix Legacy Display Unit atomic drm support" (Jocelyn Falempe) [RHEL-14509 RHEL-14510] {CVE-2023-5633} + +* Fri Nov 24 2023 Patrick Talbert [4.18.0-513.10.1.el8_9] +- pNFS/filelayout: treat GETDEVICEINFO errors as layout failure (Scott Mayhew) [RHEL-16407 RHEL-4969] +- scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress (Chris Leech) [RHEL-12082 RHEL-8992] {CVE-2023-2162} +- scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress (Chris Leech) [RHEL-12082 RHEL-8992] {CVE-2023-2162} +- KVM: x86/mmu: Fix an sign-extension bug with mmu_seq that hangs vCPUs (Peter Xu) [RHEL-15121 RHEL-7210] +- netfilter: conntrack: Fix gre tunneling over ipv6 (Florian Westphal) [RHEL-15259 RHEL-12497] +- netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c (Florian Westphal) [RHEL-8443 RHEL-8444] {CVE-2023-42753} +- tcp: enforce receive buffer memory limits by allowing the tcp window to shrink (Felix Maurer) [RHEL-15096 RHEL-15023] +- redhat: change builder image to rhel-8.9 (Michael Hofmann) +- net: openvswitch: add support for l4 symmetric hashing (Antoine Tenart) [RHEL-12746 RHEL-10498] +- af_unix: Fix null-ptr-deref in unix_stream_sendpage(). (Guillaume Nault) [RHEL-16388 RHEL-2574] {CVE-2023-4622} + * Thu Nov 16 2023 Patrick Talbert [4.18.0-513.9.1.el8_9] - ice: reset first in crash dump kernels (Petr Oros) [2244625 2139761] - nvmet-tcp: Fix a possible UAF in queue intialization setup (John Meneghini) [RHEL-11507 RHEL-11509] {CVE-2023-5178} From 567d1987906c0465e5d5e0d18f9d87977e1dbedb Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 16 Jan 2024 16:09:31 +0300 Subject: [PATCH 2/2] Revert EuroLinux changes --- SOURCES/debrand-rh-i686-cpu.patch | 12 --- SOURCES/debrand-single-cpu.patch | 11 --- ...ebrand-specific-versions-of-hardware.patch | 12 --- SPECS/kernel.spec | 75 ++++++------------- 4 files changed, 24 insertions(+), 86 deletions(-) delete mode 100644 SOURCES/debrand-rh-i686-cpu.patch delete mode 100644 SOURCES/debrand-single-cpu.patch delete mode 100644 SOURCES/debrand-specific-versions-of-hardware.patch diff --git a/SOURCES/debrand-rh-i686-cpu.patch b/SOURCES/debrand-rh-i686-cpu.patch deleted file mode 100644 index d064ea0..0000000 --- a/SOURCES/debrand-rh-i686-cpu.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- a/arch/x86/boot/main.c 2019-03-13 04:04:53.000000000 -0700 -+++ b/arch/x86/boot/main.c 2019-05-25 14:31:21.043272496 -0700 -@@ -147,7 +147,7 @@ void main(void) - - /* Make sure we have all the proper CPU support */ - if (validate_cpu()) { -- puts("This processor is not supported in this version of RHEL.\n"); -+ puts("This processor is not supported in this version of EuroLinux.\n"); - die(); - } - - diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch deleted file mode 100644 index c84dfcd..0000000 --- a/SOURCES/debrand-single-cpu.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700 -+++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700 -@@ -900,7 +900,7 @@ static void rh_check_supported(void) - if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) && - !guest && is_kdump_kernel()) { - pr_crit("Detected single cpu native boot.\n"); -- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems."); -+ pr_crit("Important: In EuroLinux 8, single threaded, single CPU 64-bit physical systems are unsupported."); - } - - /* diff --git a/SOURCES/debrand-specific-versions-of-hardware.patch b/SOURCES/debrand-specific-versions-of-hardware.patch deleted file mode 100644 index 25a43ba..0000000 --- a/SOURCES/debrand-specific-versions-of-hardware.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -urN linux-4.18.0-477.27.1.el8_8/init/main.c linux-4.18.0-477.27.1.el8_8p/init/main.c ---- linux-4.18.0-477.27.1.el8_8/init/main.c 2023-08-31 16:01:50.000000000 +0200 -+++ linux-4.18.0-477.27.1.el8_8p/init/main.c 2023-09-20 14:02:16.439638219 +0200 -@@ -576,7 +576,7 @@ - page_alloc_init(); - - pr_notice("Kernel command line: %s\n", boot_command_line); -- pr_notice("Specific versions of hardware are certified with Red Hat Enterprise Linux 8. Please see the list of hardware certified with Red Hat Enterprise Linux 8 at https://catalog.redhat.com.\n"); -+ pr_notice("Specific versions of hardware are certified with EuroLinux 8. Since EuroLinux is binary compatible with RHEL, please see the list of certified hardware at https://catalog.redhat.com.\n"); - /* parameters may set static keys */ - jump_label_init(); - parse_early_param(); diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index bd82723..3fceb00 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -324,19 +324,6 @@ %define initrd_prereq dracut >= 027 -# EuroLinux override -# Normaly this should be done in rpmmacros, but because the packages must be rebuildable with beast -# we have to change this here - -%define with_doc 1 -%define with_kabichk 1 -%define with_kernel_abi_whitelists 1 -%global signkernel 0 -%global signmodules 0 - -# End of EuroLinux override - - Name: kernel%{?variant} Group: System Environment/Kernel License: GPLv2 and Redistributable, no modification permitted @@ -557,17 +544,14 @@ Source4001: rpminspect.yaml # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch -Patch1000: debrand-rh-i686-cpu.patch -Patch1002: debrand-single-cpu.patch -Patch1003: debrand-specific-versions-of-hardware.patch # END OF PATCH DEFINITIONS BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root %description -This is the package which provides the Linux %{name} for EuroLinux. -It is based on upstream Linux at version %{version} and maintains kABI +This is the package which provides the Linux %{name} for Red Hat Enterprise +Linux. It is based on upstream Linux at version %{version} and maintains kABI compatibility of a set of approved symbols, however it is heavily modified with backports and fixes pulled from newer upstream Linux %{name} releases. This means this is not a %{version} kernel anymore: it includes several components which come @@ -575,7 +559,7 @@ from newer upstream linux versions, while maintaining a well tested and stable core. Some of the components/backports that may be pulled in are: changes like updates to the core kernel (eg.: scheduler, cgroups, memory management, security fixes and features), updates to block layer, supported filesystems, major driver -updates for supported hardware in EuroLinux, enhancements for +updates for supported hardware in Red Hat Enterprise Linux, enhancements for enterprise customers, etc. # @@ -823,14 +807,14 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio %endif %package -n %{name}-abi-stablelists -Summary: The EuroLinux kernel ABI symbol stablelists +Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists Group: System Environment/Kernel AutoReqProv: no Obsoletes: %{name}-abi-whitelists < %{specversion}-%{pkg_release} Provides: %{name}-abi-whitelists %description -n %{name}-abi-stablelists -The kABI package contains information pertaining to the EuroLinux -kernel ABI, including lists of kernel symbols that are needed by +The kABI package contains information pertaining to the Red Hat Enterprise +Linux kernel ABI, including lists of kernel symbols that are needed by external Linux kernel modules, and a yum plugin to aid enforcement. %if %{with_kabidw_base} @@ -839,8 +823,8 @@ Summary: The baseline dataset for kABI verification using DWARF data Group: System Environment/Kernel AutoReqProv: no %description kernel-kabidw-base-internal -The package contains data describing the current ABI of the EuroLinux -kernel, suitable for the kabi-dw tool. +The package contains data describing the current ABI of the Red Hat Enterprise +Linux kernel, suitable for the kabi-dw tool. %endif # @@ -914,7 +898,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ AutoReq: no\ AutoProv: yes\ %description %{?1:%{1}-}modules-internal\ -This package provides kernel modules for the %{?2:%{2} }kernel package for EuroLinux internal usage.\ +This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\ %{nil} # @@ -1086,7 +1070,7 @@ ApplyPatch() if ! grep -E "^Patch[0-9]+: $patch\$" %{_specdir}/${RPM_PACKAGE_NAME%%%%%{?variant}}.spec ; then if [ "${patch:0:8}" != "patch-4." ] ; then echo "ERROR: Patch $patch not listed as a source patch in specfile" - # exit 1 + exit 1 fi fi 2>/dev/null case "$patch" in @@ -1116,9 +1100,6 @@ mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} -ApplyOptionalPatch debrand-single-cpu.patch -#ApplyOptionalPatch debrand-rh_taint.patch -ApplyOptionalPatch debrand-rh-i686-cpu.patch ApplyOptionalPatch linux-kernel-test.patch # END OF PATCH APPLICATIONS @@ -1769,20 +1750,20 @@ BuildKernel() { # build a BLS config for this kernel %{SOURCE43} "$KernelVer" "$RPM_BUILD_ROOT" "%{?variant}" -# # EuroLinux UEFI Secure Boot CA cert, which can be used to authenticate the kernel -# mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer -# install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer -# %ifarch s390x ppc64le -# if [ $DoModules -eq 1 ]; then -# if [ -x /usr/bin/rpm-sign ]; then -# install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} -# else -# install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer -# openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} -# chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} -# fi -# fi -# %endif + # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel + mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %ifarch s390x ppc64le + if [ $DoModules -eq 1 ]; then + if [ -x /usr/bin/rpm-sign ]; then + install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + else + install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + fi + fi + %endif %if %{with_ipaclones} MAXPROCS=$(echo %{?_smp_mflags} | sed -n 's/-j\s*\([0-9]\+\)/\1/p') @@ -2715,14 +2696,6 @@ fi # # %changelog -* Fri Jan 12 2024 EuroLinux Autopatch -- Added Patch: debrand-rh-i686-cpu.patch ---> i686 info debrand -- Added Patch: debrand-single-cpu.patch ---> Single cpu debrand -- Added Patch: debrand-specific-versions-of-hardware.patch ---> Specific versions of hardware debrand - * Thu Dec 07 2023 Patrick Talbert [4.18.0-513.11.1.el8_9] - redhat: fix to be able to build with rpm 4.19.0 (Denys Vlasenko) - blk-mq: enforce op-specific segment limits in blk_insert_cloned_request (Ming Lei) [RHEL-14718 RHEL-14504]