From f9b607962c04180e2534ffc398da032b09cabd49 Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Sat, 2 Dec 2023 08:55:08 +0000 Subject: [PATCH] import EuroLinux kernel-4.18.0-513.9.1.el8_9 --- .gitignore | 2 +- .kernel.metadata | 6 +- SOURCES/debrand-rh-i686-cpu.patch | 12 ++ SOURCES/debrand-single-cpu.patch | 11 ++ ...ebrand-specific-versions-of-hardware.patch | 12 ++ SPECS/kernel.spec | 129 ++++++++++++++---- 6 files changed, 144 insertions(+), 28 deletions(-) create mode 100644 SOURCES/debrand-rh-i686-cpu.patch create mode 100644 SOURCES/debrand-single-cpu.patch create mode 100644 SOURCES/debrand-specific-versions-of-hardware.patch diff --git a/.gitignore b/.gitignore index 238ecbd..982e67d 100644 --- a/.gitignore +++ b/.gitignore @@ -2,7 +2,7 @@ SOURCES/centossecureboot201.cer SOURCES/centossecurebootca2.cer SOURCES/kernel-abi-stablelists-4.18.0-513.tar.bz2 SOURCES/kernel-kabi-dw-4.18.0-513.tar.bz2 -SOURCES/linux-4.18.0-513.5.1.el8_9.tar.xz +SOURCES/linux-4.18.0-513.9.1.el8_9.tar.xz SOURCES/redhatsecureboot302.cer SOURCES/redhatsecureboot303.cer SOURCES/redhatsecureboot501.cer diff --git a/.kernel.metadata b/.kernel.metadata index 446fc7a..d0a69e4 100644 --- a/.kernel.metadata +++ b/.kernel.metadata @@ -1,8 +1,8 @@ 2ba40bf9138b48311e5aa1b737b7f0a8ad66066f SOURCES/centossecureboot201.cer bfdb3d7cffc43f579655af5155d50c08671d95e5 SOURCES/centossecurebootca2.cer -1b80f3713df5b69a8f2db146d970264f3c0bd634 SOURCES/kernel-abi-stablelists-4.18.0-513.tar.bz2 -d23322be97d0641ecaf432900ace3c5ee7987c5b SOURCES/kernel-kabi-dw-4.18.0-513.tar.bz2 -b24e12fe467bffa371c13a72fda5e583189a2616 SOURCES/linux-4.18.0-513.5.1.el8_9.tar.xz +b7c81f7a4572b627bf2df9213d715e3e74c1c394 SOURCES/kernel-abi-stablelists-4.18.0-513.tar.bz2 +26df1b50927ada39cecb1b9e86331fcbd0c21c65 SOURCES/kernel-kabi-dw-4.18.0-513.tar.bz2 +b66c16f3dbd5a47089d5552283162e6b403b3919 SOURCES/linux-4.18.0-513.9.1.el8_9.tar.xz 13e5cd3f856b472fde80a4deb75f4c18dfb5b255 SOURCES/redhatsecureboot302.cer e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot303.cer ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer diff --git a/SOURCES/debrand-rh-i686-cpu.patch b/SOURCES/debrand-rh-i686-cpu.patch new file mode 100644 index 0000000..d064ea0 --- /dev/null +++ b/SOURCES/debrand-rh-i686-cpu.patch @@ -0,0 +1,12 @@ +--- a/arch/x86/boot/main.c 2019-03-13 04:04:53.000000000 -0700 ++++ b/arch/x86/boot/main.c 2019-05-25 14:31:21.043272496 -0700 +@@ -147,7 +147,7 @@ void main(void) + + /* Make sure we have all the proper CPU support */ + if (validate_cpu()) { +- puts("This processor is not supported in this version of RHEL.\n"); ++ puts("This processor is not supported in this version of EuroLinux.\n"); + die(); + } + + diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch new file mode 100644 index 0000000..c84dfcd --- /dev/null +++ b/SOURCES/debrand-single-cpu.patch @@ -0,0 +1,11 @@ +--- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700 ++++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700 +@@ -900,7 +900,7 @@ static void rh_check_supported(void) + if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) && + !guest && is_kdump_kernel()) { + pr_crit("Detected single cpu native boot.\n"); +- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems."); ++ pr_crit("Important: In EuroLinux 8, single threaded, single CPU 64-bit physical systems are unsupported."); + } + + /* diff --git a/SOURCES/debrand-specific-versions-of-hardware.patch b/SOURCES/debrand-specific-versions-of-hardware.patch new file mode 100644 index 0000000..25a43ba --- /dev/null +++ b/SOURCES/debrand-specific-versions-of-hardware.patch @@ -0,0 +1,12 @@ +diff -urN linux-4.18.0-477.27.1.el8_8/init/main.c linux-4.18.0-477.27.1.el8_8p/init/main.c +--- linux-4.18.0-477.27.1.el8_8/init/main.c 2023-08-31 16:01:50.000000000 +0200 ++++ linux-4.18.0-477.27.1.el8_8p/init/main.c 2023-09-20 14:02:16.439638219 +0200 +@@ -576,7 +576,7 @@ + page_alloc_init(); + + pr_notice("Kernel command line: %s\n", boot_command_line); +- pr_notice("Specific versions of hardware are certified with Red Hat Enterprise Linux 8. Please see the list of hardware certified with Red Hat Enterprise Linux 8 at https://catalog.redhat.com.\n"); ++ pr_notice("Specific versions of hardware are certified with EuroLinux 8. Since EuroLinux is binary compatible with RHEL, please see the list of certified hardware at https://catalog.redhat.com.\n"); + /* parameters may set static keys */ + jump_label_init(); + parse_early_param(); diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index d630c1f..22fa427 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -38,10 +38,10 @@ # define buildid .local %define rpmversion 4.18.0 -%define pkgrelease 513.5.1.el8_9 +%define pkgrelease 513.9.1.el8_9 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 513.5.1%{?dist} +%define specrelease 513.9.1%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -323,6 +323,19 @@ %define kernel_prereq coreutils, systemd >= 203-2, /usr/bin/kernel-install %define initrd_prereq dracut >= 027 +# EuroLinux override +# Normaly this should be done in rpmmacros, but because the packages must be rebuildable with beast +# we have to change this here + +%define with_doc 1 +%define with_kabichk 1 +%define with_kernel_abi_whitelists 1 +%global signkernel 0 +%global signmodules 0 + +# End of EuroLinux override + + Name: kernel%{?variant} Group: System Environment/Kernel @@ -544,14 +557,17 @@ Source4001: rpminspect.yaml # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch +Patch1000: debrand-rh-i686-cpu.patch +Patch1002: debrand-single-cpu.patch +Patch1003: debrand-specific-versions-of-hardware.patch # END OF PATCH DEFINITIONS BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root %description -This is the package which provides the Linux %{name} for Red Hat Enterprise -Linux. It is based on upstream Linux at version %{version} and maintains kABI +This is the package which provides the Linux %{name} for EuroLinux. +It is based on upstream Linux at version %{version} and maintains kABI compatibility of a set of approved symbols, however it is heavily modified with backports and fixes pulled from newer upstream Linux %{name} releases. This means this is not a %{version} kernel anymore: it includes several components which come @@ -559,7 +575,7 @@ from newer upstream linux versions, while maintaining a well tested and stable core. Some of the components/backports that may be pulled in are: changes like updates to the core kernel (eg.: scheduler, cgroups, memory management, security fixes and features), updates to block layer, supported filesystems, major driver -updates for supported hardware in Red Hat Enterprise Linux, enhancements for +updates for supported hardware in EuroLinux, enhancements for enterprise customers, etc. # @@ -807,14 +823,14 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio %endif %package -n %{name}-abi-stablelists -Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists +Summary: The EuroLinux kernel ABI symbol stablelists Group: System Environment/Kernel AutoReqProv: no Obsoletes: %{name}-abi-whitelists < %{rpmversion}-%{pkg_release} Provides: %{name}-abi-whitelists %description -n %{name}-abi-stablelists -The kABI package contains information pertaining to the Red Hat Enterprise -Linux kernel ABI, including lists of kernel symbols that are needed by +The kABI package contains information pertaining to the EuroLinux +kernel ABI, including lists of kernel symbols that are needed by external Linux kernel modules, and a yum plugin to aid enforcement. %if %{with_kabidw_base} @@ -823,8 +839,8 @@ Summary: The baseline dataset for kABI verification using DWARF data Group: System Environment/Kernel AutoReqProv: no %description kernel-kabidw-base-internal -The package contains data describing the current ABI of the Red Hat Enterprise -Linux kernel, suitable for the kabi-dw tool. +The package contains data describing the current ABI of the EuroLinux +kernel, suitable for the kabi-dw tool. %endif # @@ -1068,9 +1084,9 @@ ApplyPatch() exit 1 fi if ! grep -E "^Patch[0-9]+: $patch\$" %{_specdir}/${RPM_PACKAGE_NAME%%%%%{?variant}}.spec ; then - if [ "${patch:0:8}" != "patch-4." ] ; then + if [ "${patch:0:9}" != "patch-4." ] ; then echo "ERROR: Patch $patch not listed as a source patch in specfile" - exit 1 + #exit 1 fi fi 2>/dev/null case "$patch" in @@ -1100,6 +1116,9 @@ mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} +ApplyOptionalPatch debrand-single-cpu.patch +#ApplyOptionalPatch debrand-rh_taint.patch +ApplyOptionalPatch debrand-rh-i686-cpu.patch ApplyOptionalPatch linux-kernel-test.patch # END OF PATCH APPLICATIONS @@ -1752,18 +1771,18 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - %ifarch s390x ppc64le - if [ $DoModules -eq 1 ]; then - if [ -x /usr/bin/rpm-sign ]; then - install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} - else - install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} - chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} - fi - fi - %endif +# install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer +# %ifarch s390x ppc64le +# if [ $DoModules -eq 1 ]; then +# if [ -x /usr/bin/rpm-sign ]; then +# install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} +# else +# install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer +# openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} +# chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} +# fi +# fi +# %endif %if %{with_ipaclones} MAXPROCS=$(echo %{?_smp_mflags} | sed -n 's/-j\s*\([0-9]\+\)/\1/p') @@ -2696,6 +2715,68 @@ fi # # %changelog +* Thu Nov 30 2023 EuroLinux Autopatch +- Added Patch: debrand-rh-i686-cpu.patch +--> i686 info debrand +- Added Patch: debrand-single-cpu.patch +--> Single cpu debrand +- Added Patch: debrand-specific-versions-of-hardware.patch +--> Specific versions of hardware debrand + +* Thu Nov 16 2023 Patrick Talbert [4.18.0-513.9.1.el8_9] +- ice: reset first in crash dump kernels (Petr Oros) [2244625 2139761] +- nvmet-tcp: Fix a possible UAF in queue intialization setup (John Meneghini) [RHEL-11507 RHEL-11509] {CVE-2023-5178} +- block: check_events: don't bother with events if unsupported (Ming Lei) [RHEL-15052 RHEL-2407] +- Revert "block: unexport DISK_EVENT_MEDIA_CHANGE for legacy/fringe drivers" (Ming Lei) [RHEL-15052 RHEL-2407] +- Revert "ide: unexport DISK_EVENT_MEDIA_CHANGE for ide-gd and ide-cd" (Ming Lei) [RHEL-15052 RHEL-2407] +- block: disk_events: introduce event flags (Ming Lei) [RHEL-15052 RHEL-2407] +- block: genhd: remove async_events field (Ming Lei) [RHEL-15052 RHEL-2407] +- net: virtio_net_hdr_to_skb: count transport header in UFO (Cindy Lu) [RHEL-16332 RHEL-6030] +- x86/sev: Make enc_dec_hypercall() accept a size instead of npages (Vitaly Kuznetsov) [RHEL-5764 RHEL-3656] + +* Thu Nov 09 2023 Patrick Talbert [4.18.0-513.8.1.el8_9] +- cifs: Fix UAF in cifs_demultiplex_thread() (Scott Mayhew) [RHEL-15159 RHEL-7930] {CVE-2023-1192} +- ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (Florian Westphal) [RHEL-12371 RHEL-5742] +- sched/rt: Fix bad task migration for rt tasks (Valentin Schneider) [RHEL-11682 RHEL-3872] +- bpf: Fix incorrect verifier pruning due to missing register precision taints (Artem Savkov) [RHEL-13049 RHEL-7534] {CVE-2023-2163} + +* Thu Nov 02 2023 Patrick Talbert [4.18.0-513.7.1.el8_9] +- sched/fair: Block nohz tick_stop when cfs bandwidth in use (Phil Auld) [RHEL-12723 RHEL-2527] +- sched, cgroup: Restore meaning to hierarchical_quota (Phil Auld) [RHEL-12723 RHEL-2527] +- sched/fair: Hide unused init_cfs_bandwidth() stub (Phil Auld) [RHEL-12723 RHEL-2527] + +* Thu Oct 26 2023 Patrick Talbert [4.18.0-513.6.1.el8_9] +- redhat: fix bug/zjira sort in the changelog (Patrick Talbert) +- CI: Remove unused kpet_tree_family (Nikolai Kondrashov) +- redhat: set default zstream brew target for 8.9 (Patrick Talbert) +- rbd: take header_rwsem in rbd_dev_refresh() only when updating (Ilya Dryomov) [RHEL-12689 RHEL-11241] +- rbd: decouple parent info read-in from updating rbd_dev (Ilya Dryomov) [RHEL-12689 RHEL-11241] +- rbd: decouple header read-in from updating rbd_dev->header (Ilya Dryomov) [RHEL-12689 RHEL-11241] +- rbd: move rbd_dev_refresh() definition (Ilya Dryomov) [RHEL-12689 RHEL-11241] +- media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221 (Dean Nelson) [RHEL-11279 RHEL-1784] {CVE-2022-45919} +- media: dvb_ca_en50221: fix a size write bug (Dean Nelson) [RHEL-11279 RHEL-1784] {CVE-2022-45919} +- media: dvb_ca_en50221: avoid speculation from CA slot (Dean Nelson) [RHEL-11279 RHEL-1784] {CVE-2022-45919} +- media: dvb-core: fix epoll() by calling poll_wait first (Dean Nelson) [RHEL-11279 RHEL-1784] {CVE-2022-45919} +- media: dvb_ca_en50221: off by one in dvb_ca_en50221_io_do_ioctl() (Dean Nelson) [RHEL-11279 RHEL-1784] {CVE-2022-45919} +- iavf: schedule a request immediately after add/delete vlan (Petr Oros) [2240750 2231174] +- iavf: add iavf_schedule_aq_request() helper (Petr Oros) [2240750 2231174] +- bpf: sockmap: Remove preempt_disable in sock_map_sk_acquire (Tomas Glozar) [RHEL-6123 2229965] +- media: dvb-core: Fix use-after-free due on race condition at dvb_net (Dean Nelson) [RHEL-11248 RHEL-1842] {CVE-2022-45886} +- media: dvb_net: avoid speculation from net slot (Dean Nelson) [RHEL-11248 RHEL-1842] {CVE-2022-45886} +- mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy() (Rafael Aquini) [RHEL-11588 RHEL-3652] +- ice: always add legacy 32byte RXDID in supported_rxdids (Michal Schmidt) [RHEL-10393 RHEL-3379] +- net: tun: fix bugs for oversize packet when napi frags enabled (Ricardo Robaina) [RHEL-12295 RHEL-7185] {CVE-2023-3812} +- ice: Don't tx before switchdev is fully configured (Michal Schmidt) [RHEL-11331 RHEL-10997] +- media: dvb-core: Fix use-after-free due to race at dvb_register_device() (Dean Nelson) [RHEL-11271 RHEL-1841] {CVE-2022-45884} +- media: dvbdev: fix refcnt bug (Dean Nelson) [RHEL-11271 RHEL-1841] {CVE-2022-45884} +- media: dvbdev: adopts refcnt to avoid UAF (Dean Nelson) [RHEL-11271 RHEL-1841] {CVE-2022-45884} +- media: dvbdev: fix error logic at dvb_register_device() (Dean Nelson) [RHEL-11271 RHEL-1841] {CVE-2022-45884} +- media: dvbdev: Fix memleak in dvb_register_device (Dean Nelson) [RHEL-11271 RHEL-1841] {CVE-2022-45884} +- media: media/dvb: Use kmemdup rather than duplicating its implementation (Dean Nelson) [RHEL-11271 RHEL-1841] {CVE-2022-45884} +- media: dvbdev: remove double-unlock (Dean Nelson) [RHEL-11271 RHEL-1841] {CVE-2022-45884} +- bpf: Adjust insufficient default bpf_jit_limit (Viktor Malik) [2243011 2219567] +- bpf: Prevent increasing bpf_jit_limit above max (Viktor Malik) [2243011 2219567] + * Fri Sep 29 2023 Patrick Talbert [4.18.0-513.5.1.el8_9] - redhat: list Z-Jiras in the changelog before Y-Jiras (Herton R. Krzesinski) - Revert "mm, meminit: recalculate pcpu batch and high limits after init completes" (Chris von Recklinghausen) [RHEL-8539]