debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity
linux/debian/patches/series

338 lines
20 KiB
Plaintext
Raw Normal View History

Move disabling of broken features from d/p/series-orig to d/p/series Also fix fuzz on one of the patches (our private patch system allows one line of fuzz).
2018-08-10 13:05:51 +00:00
# Disable features broken by exclusion of upstream files
debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch
debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch
debian/dfsg/vs6624-disable.patch
debian/dfsg/drivers-net-appletalk-cops.patch
debian/dfsg/video-remove-nvidiafb-and-rivafb.patch
debian/patches: Reorder and group patches in series svn path=/dists/trunk/linux/; revision=20322
2013-07-01 06:29:13 +00:00
# Changes to support package build system
Convert patch system to quilt, except for the 'orig' patch series svn path=/dists/sid/linux/; revision=19077
2012-06-03 23:29:42 +00:00
debian/version.patch
linux-image: Fix timestamps in the built-in initramfs for reproducible build $KBUILD_BUILD_TIMESTAMP is used in two places: 1. By mkcompile_h, to generate both the utsname::version string 2. By gen_initramfs_list.sh, to set the timestamps for the built-in initramfs As we want utsname::version to contain the package version and not an RFC822 timestamp, the current value doesn't work for (2). Change mkcompile_h to prefer $KBUILD_BUILD_VERSION_TIMESTAMP over $KBUILD_BUILD_TIMESTAMP, and set both variables in debian/rules.real. svn path=/dists/trunk/linux/; revision=22647
2015-05-12 18:52:20 +00:00
debian/uname-version-timestamp.patch
Convert patch system to quilt, except for the 'orig' patch series svn path=/dists/sid/linux/; revision=19077
2012-06-03 23:29:42 +00:00
debian/kernelvariables.patch
Setup gitignore suitable for using pkg-kernel via git svn svn path=/dists/trunk/linux/; revision=19739
2013-01-17 10:04:32 +00:00
debian/gitignore.patch
[ia64] Revert "Remove all support for ia64" This reverts commit ace247de5b21a805ff62c272058fc8387c8afd75. Refresh the "Hardcode arch script output" patch. Closes: #886693
2018-03-15 19:09:15 +00:00
debian/ia64-hardcode-arch-script-output.patch
debian/patches: Reorder and group patches in series svn path=/dists/trunk/linux/; revision=20322
2013-07-01 06:29:13 +00:00
debian/mips-disable-werror.patch
[mips{,64}r6{,el}] use boston as the target Add a patch to disable uImage generation to avoid depend on u-boot-tools Fix typo the EL's flavor names in installer: not same within defines Malta is never used for r6. (Closes: #898523) Boston also requires relocation table size >= 0x00121000
2018-05-14 08:26:26 +00:00
debian/mips-boston-disable-its.patch
debian/patches: Reorder and group patches in series svn path=/dists/trunk/linux/; revision=20322
2013-07-01 06:29:13 +00:00
debian/arch-sh4-fix-uimage-build.patch
debian/powerpcspe-omit-uimage.patch
Rename and regroup patches from linux-tools Move patches specific to Debian packaging under debian/, and bug fixes that could go upstream belong under bugfix/. Put them in two separate groups in the series.
2016-03-21 01:37:26 +00:00
debian/tools-perf-version.patch
debian/tools-perf-install.patch
wireless: Add Debian wireless-regdb certificates (see #892229)
2018-04-13 19:22:12 +00:00
debian/wireless-add-debian-wireless-regdb-certificates.patch
Export symbols needed by Android drivers
2018-06-26 16:01:33 +00:00
debian/export-symbols-needed-by-android-drivers.patch
[amd64,arm64,armhf] android: Build modules to support Anbox (Closes: #901492)
2018-06-22 16:36:15 +00:00
debian/android-enable-building-ashmem-and-binder-as-modules.patch
* debian/changelog: Set version to 2.6.20~rc4-1~experimental.1. * debian/patches/debian/version.patch: Update. * debian/patches/series/1~experimental.1 - Remove backport patches. - Disable non-working patches. svn path=/dists/trunk/linux-2.6/; revision=8140
2007-01-08 18:19:26 +00:00
debian/patches: Reorder and group patches in series svn path=/dists/trunk/linux/; revision=20322
2013-07-01 06:29:13 +00:00
# Fixes/improvements to firmware loading
Convert patch system to quilt, except for the 'orig' patch series svn path=/dists/sid/linux/; revision=19077
2012-06-03 23:29:42 +00:00
features/all/drivers-media-dvb-usb-af9005-request_firmware.patch
debian/patches: Reorder and group patches in series svn path=/dists/trunk/linux/; revision=20322
2013-07-01 06:29:13 +00:00
debian/iwlwifi-do-not-request-unreleased-firmware.patch
bugfix/all/firmware_class-log-every-success-and-failure.patch
bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
amdgpu: Abort probing if firmware is not installed, as we do in radeon
2018-03-14 19:09:56 +00:00
bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
radeon: Refer to Debian wiki page when aborting probe due to missing firmware
2018-03-14 18:59:27 +00:00
debian/firmware_class-refer-to-debian-wiki-firmware-page.patch
* debian/changelog: Update. * debian/patches/debian/dfsg/drivers-net-tg3-fix-simple.patch: Add. * debian/patches/series/1~experimental.1: Update. svn path=/dists/trunk/linux-2.6/; revision=9677
2007-10-25 22:17:50 +00:00
Move all patch generation scripts to debian/bin Rename them to genpatch-{aufs,lockdown,rt} Fixes lintian warning patch-file-present-but-not-mentioned-in-series. Also preparation for using dgit, which will remove everything except the main patch series under debian/patches.
2018-08-10 13:42:08 +00:00
# Patches from aufs4 repository, imported with debian/bin/genpatch-aufs.
# These are only the changes needed to allow aufs to be built out-of-tree.
aufs: Update support patchset to aufs4.x-rcN 20180910
2018-09-10 14:25:34 +00:00
features/all/aufs4/aufs4-base.patch
features/all/aufs4/aufs4-mmap.patch
features/all/aufs4/aufs4-standalone.patch
aufs: Apply patches to enable building aufs out-of-tree svn path=/dists/trunk/linux/; revision=22759
2015-06-16 22:42:42 +00:00
debian/patches: Reorder and group patches in series svn path=/dists/trunk/linux/; revision=20322
2013-07-01 06:29:13 +00:00
# Change some defaults for security reasons
Convert patch system to quilt, except for the 'orig' patch series svn path=/dists/sid/linux/; revision=19077
2012-06-03 23:29:42 +00:00
debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
dccp: Disable auto-loading as mitigation against local exploits
2017-02-16 19:11:26 +00:00
debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
debian/patches: Reorder and group patches in series svn path=/dists/trunk/linux/; revision=20322
2013-07-01 06:29:13 +00:00
debian/fs-enable-link-security-restrictions-by-default.patch
Fix config dependencies for VIDEO_VIVI svn path=/dists/trunk/linux-2.6/; revision=16333
2010-09-19 01:53:29 +00:00
debian/patches: Reorder and group patches in series svn path=/dists/trunk/linux/; revision=20322
2013-07-01 06:29:13 +00:00
# Set various features runtime-disabled by default
Convert patch system to quilt, except for the 'orig' patch series svn path=/dists/sid/linux/; revision=19077
2012-06-03 23:29:42 +00:00
debian/sched-autogroup-disabled.patch
debian/patches: Reorder and group patches in series svn path=/dists/trunk/linux/; revision=20322
2013-07-01 06:29:13 +00:00
debian/yama-disable-by-default.patch
Re-group patches in series svn path=/dists/trunk/linux/; revision=21125
2014-03-06 22:55:18 +00:00
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
security,perf: Replace GRKERNSEC_PERF_HARDEN patch with the version submitted upstream This hasn't been *accepted* upstream, but maybe some day? It has gone into AOSP.
2016-10-05 21:23:08 +00:00
features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
Update to 3.2.24 Drop many bugfix patches that passed review in this version. Resolve conflicts between rt featureset and the leap second fixes. Add patches to undo various ABI changes. svn path=/dists/sid/linux/; revision=19293
2012-07-26 01:04:02 +00:00
Re-group patches in series svn path=/dists/trunk/linux/; revision=21125
2014-03-06 22:55:18 +00:00
# Disable autoloading/probing of various drivers by default
debian/patches: Reorder and group patches in series svn path=/dists/trunk/linux/; revision=20322
2013-07-01 06:29:13 +00:00
debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
Re-group patches in series svn path=/dists/trunk/linux/; revision=21125
2014-03-06 22:55:18 +00:00
debian/snd-pcsp-disable-autoload.patch
bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
fjes: Disable auto-loading, as this driver matches a very common ACPI ID (Closes: #853976)
2017-03-18 20:47:20 +00:00
debian/fjes-disable-autoload.patch
xen: microcode: update to latest API. svn path=/dists/trunk/linux/; revision=19736
2013-01-16 19:52:23 +00:00
fanotify: Enable FANOTIFY_ACCESS_PERMISSIONS (Closes: #690737) Various free and proprietary AV products use this feature and users apparently want it. But punting access checks to userland seems like an easy way to deadlock the system, and there will be nothing we can do about that. So warn and taint the kernel if this feature is actually used.
2016-07-13 00:47:58 +00:00
# Taint if dangerous features are used
debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
btrfs: warn about RAID5/6 being experimental at mount time (Closes: #863290)
2017-06-04 00:20:23 +00:00
debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch
fanotify: Enable FANOTIFY_ACCESS_PERMISSIONS (Closes: #690737) Various free and proprietary AV products use this feature and users apparently want it. But punting access checks to userland seems like an easy way to deadlock the system, and there will be nothing we can do about that. So warn and taint the kernel if this feature is actually used.
2016-07-13 00:47:58 +00:00
Re-group patches in series svn path=/dists/trunk/linux/; revision=21125
2014-03-06 22:55:18 +00:00
# Arch bug fixes
[armel] dts: kirkwood: Fix SATA pinmux-ing for TS419 (Closes: #855017)
2017-02-18 00:38:36 +00:00
bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch
[arm64] correct voltage selector for Firefly-RK3399 (Closes: #900799)
2018-06-15 16:48:48 +00:00
bugfix/arm64/dts-rockchip-correct-voltage-selector-firefly-RK3399.patch
[x86] ideapad-laptop: Add various IdeaPad models to no_hw_rfkill list Closes: #866706
2017-07-16 22:59:10 +00:00
bugfix/x86/platform-x86-ideapad-laptop-add-ideapad-310-15ikb-to.patch
bugfix/x86/platform-x86-ideapad-laptop-add-ideapad-v310-15isk-t.patch
bugfix/x86/platform-x86-ideapad-laptop-add-y520-15ikbn-to-no_hw.patch
bugfix/x86/platform-x86-ideapad-laptop-add-y720-15ikbn-to-no_hw.patch
bugfix/x86/platform-x86-ideapad-laptop-add-ideapad-v510-15ikb-t.patch
bugfix/x86/platform-x86-ideapad-laptop-add-several-models-to-no.patch
[i386] perf tools: Fix unwind build (fixes FTBFS)
2017-07-22 16:41:53 +00:00
bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch
[sh4] Do not use hyphen in exported variable names (fixes FTBFS)
2017-08-19 21:37:50 +00:00
bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch
[powerpcspe] Fix build failures (thanks to James Clarke)
2018-07-06 04:11:04 +00:00
bugfix/powerpc/powerpc-lib-sstep-fix-building-for-powerpcspe.patch
bugfix/powerpc/powerpc-lib-makefile-don-t-pull-in-quad.o-for-32-bit.patch
[armhf] mm: Export __sync_icache_dcache() for xen-privcmd (fixes FTBFS)
2018-07-11 23:21:54 +00:00
bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
[powerpc*] boot: Fix missing crc32poly.h when building with KERNEL_XZ (fixes FTBFS)
2018-09-05 01:47:32 +00:00
bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
Add fixup for HPE m400 APEI firmware problems Signed-off-by: Geoff Levand <geoff@infradead.org> [bwh: Add Forwarded field and note the patch in debian/changelog]
2018-09-20 19:23:55 +00:00
bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
[i386/686] Enable MGEODE_LX instead of M686 (regression in 4.16) - x86-32: Disable 3D-Now in generic config
2018-09-25 19:00:50 +00:00
bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch
[powerpcspe] Fix -mcpu= options for SPE-only compiler
2018-12-26 00:06:02 +00:00
bugfix/powerpc/powerpc-fix-mcpu-options-for-spe-only-compiler.patch
[armhf] Add patch from upstream fixing cpufreq on Orange Pi Plus.
2019-02-17 03:51:38 +00:00
bugfix/arm/ARM-dts-sun8i-h3-add-sy8106a-to-orange-pi-plus.patch
[arm64] Add patch from next-20190215 working around A64 timer issues.
2019-02-17 06:20:27 +00:00
bugfix/arm64/arm64-dts-allwinner-a64-Enable-A64-timer-workaround.patch
[mipsel/mips64el] Backport loongson workarounds MIPS: Loongson: Introduce and use loongson_llsc_mb()
2019-02-22 01:54:44 +00:00
bugfix/mips/MIPS-Loongson-Introduce-and-use-loongson_llsc_mb.patch
Re-group patches in series svn path=/dists/trunk/linux/; revision=21125
2014-03-06 22:55:18 +00:00
[mips*/loongson3] Backport Loongson 3B support from 3.17. svn path=/dists/trunk/linux/; revision=21741
2014-08-24 18:45:12 +00:00
# Arch features
Re-group patches svn path=/dists/sid/linux/; revision=22031
2014-11-04 00:31:44 +00:00
features/mips/MIPS-increase-MAX-PHYSMEM-BITS-on-Loongson-3-only.patch
Rebase and re-enable various patches for 3.19 svn path=/dists/trunk/linux/; revision=22362
2015-02-10 01:13:04 +00:00
features/mips/MIPS-Loongson-3-Add-Loongson-LS3A-RS780E-1-way-machi.patch
Re-group patches in series svn path=/dists/sid/linux/; revision=21823
2014-09-12 13:44:38 +00:00
features/x86/x86-memtest-WARN-if-bad-RAM-found.patch
features/x86/x86-make-x32-syscall-support-conditional.patch
[x86] Support booting a Xen PVH guest via Grub2 tl;dr: Xen PVH is the perfect upgrade path from PV and in combination with grub2 support, it's the Xen "killer feature" we really should have in Buster. Background info about Xen PVH: https://wiki.xen.org/wiki/Virtualization_Spectrum#Almost_fully_PV:_PVH_mode PVH mode in Xen, a.k.a. "HVM without having to run qemu" is a Xen guest type best supported since Xen 4.11 and Linux kernel 4.17. Just like when using PV mode, the guest does not have an emulated BIOS and the guest kernel is directly started by the dom0. Buster will ship with Xen 4.11. Why is PVH interesting? 1. When the whole Meltdown/Spectre story started, it quickly became apparent that 64-bit PV is the most problematic virtualization mode to protect and to protect from, since address space from the hypervisor and other guests (including dom0) is reachable from a 64-bit PV domU. To mitigate this, XPTI (the Xen variant of PTI) has been implemented in the hypervisor, but with a performance hit. HVM (so, also PVH) guests are better isolated from the hypervisor and other guests. Inside the guest a choice can be made about which mitigations to enable or not. Also see https://xenbits.xen.org/xsa/advisory-254.html 2. Unlike HVM, it's not needed to have a boot loader/sector, partitions, and a qemu process in the dom0 (using cpu and memory and having an attack surface). Also, when running a largeish amount of domUs on a physical server, not having all the qemu processes is an advantage. 3. Unlike PV, PVH makes use of all hardware features that accelerate virtualization. The upgrade path from PV to PVH is super optimal. It's just setting type='pvh' in the guest file and doing a full restart of the domU! Unless... (insert Monty Python's Dramatic Chord!) Unless... grub2 was used to boot the PV guests. Why is it interesting to be able to use grub? Without using grub in between, the guest kernel and initrd have to be copied out of the guest onto the dom0 filesystem, because the guest has to be booted with them directly. Currently, we already have the grub-xen packages in Debian, which provide grub images which can be used as kernel for a PV guest, after which it can load the actual linux kernel that is symlinked from /vmlinuz on the guest filesystem at that moment. The final changes to the Linux kernel for grub+PVH are in Linux 4.20. This request, to carry a few patches from Linux 4.20, provides one half of the dots that need to be connected to make the full thing happen for Buster. Since we'll have Xen 4.11 in Buster, PVH is supported. The related grub2 patchset was committed to the grub master branch on Dec 12 2018 (yup, today). So, I'll also start contacting the debian grub team soon to ask (and help) to get the current grub-xen functionality in Debian to be extended with PVH capabilities as well. Test reports: https://lists.xenproject.org/archives/html/xen-devel/2018-10/msg01913.html https://lists.xenproject.org/archives/html/xen-devel/2018-11/msg03312.html
2018-12-12 21:12:47 +00:00
features/x86/x86-boot-Add-ACPI-RSDP-address-to-setup_header.patch
features/x86/x86-acpi-x86-boot-Take-RSDP-address-for-boot-params-.patch
features/x86/x86-boot-Mostly-revert-commit-ae7e1238e68f2a-Add-ACP.patch
features/x86/x86-acpi-x86-boot-Take-RSDP-address-from-boot-params.patch
[arm64] Add patch from v4.20 to enable device-tree for Pine64-LTS.
2019-03-04 15:55:44 +00:00
features/arm64/arm64-dts-allwinner-a64-Add-Pine64-LTS-device-tree-f.patch
Merge tag 'debian/4.3.3-3' Drop the ABI reference and ignored symbols. Drop most of the patches, as they're already upstream.
2016-01-02 19:18:05 +00:00
Regroup patches in series
2016-01-02 19:20:40 +00:00
# Miscellaneous bug fixes
bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
bugfix/all/disable-some-marvell-phys.patch
Re-group the patch series
2016-04-13 22:31:28 +00:00
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
Partially revert "usb: Kconfig: using select for USB_COMMON dependency" It causes USB_COMMON to be built-in for no good reason.
2017-01-11 04:34:58 +00:00
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
Kbuild.include: addtree: Remove quotes before matching path (regression in 4.8) loses: #856474
2017-03-04 02:19:07 +00:00
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
Revert "objtool: Fix CONFIG_STACK_VALIDATION=y warning for out-of-tree modules" This removes the bogus check for libelf-dev.
2018-01-14 19:44:14 +00:00
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
mt76: Use the correct hweight8() function (fixes FTBFS on ia64)
2019-02-12 15:39:34 +00:00
bugfix/all/mt76-use-the-correct-hweight8-function.patch
rtc-s35390a: backport fix to make hwclock able to read the time
2019-07-28 19:37:15 +00:00
bugfix/all/rtc-s35390a-set-uie_unsupported.patch
include/uapi/linux/swab.h: fix userspace breakage, use __BITS_PER_LONG for swap Closes: #960271
2020-05-13 15:43:58 +00:00
bugfix/all/include-uapi-linux-swab.h-fix-userspace-breakage-use.patch
ALSA: pcm: oss: Place the plugin buffer overflow checks correctly Closes: #960493
2020-06-14 08:39:26 +00:00
bugfix/all/ALSA-pcm-oss-Place-the-plugin-buffer-overflow-checks.patch
apparmor: don't try to replace stale label in ptraceme check Closes: #963493
2020-06-26 19:37:59 +00:00
bugfix/all/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch
nfsd: apply umask on fs without ACL support Closes: #962254
2020-06-22 11:36:31 +00:00
bugfix/all/nfsd-apply-umask-on-fs-without-ACL-support.patch
Regroup patches in series
2016-01-02 19:20:40 +00:00
# Miscellaneous features
[arm64,x86] Replace securelevel patch set with lockdown patch set Matthew stopped maintaining the securelevel patch set, and David Howells has taken it up under the new name 'lockdown'. This is taken from: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git#efi-lock-down commits ddb99e118e37f324a4be65a411bb60ae62795cf9..0240fa7c7c948b19d57c0163d57e55296277ff3c Rebase the three patches not included there (cold boot mitigation, arm64 SB integration, MTD RAM restrictions). Update our kconfig for the renaming.
2017-04-20 01:38:29 +00:00
# Lockdown (formerly 'securelevel') patchset
Update to 4.15-rc5 Also update the aufs and lockdown patchsets.
2017-12-26 18:54:17 +00:00
features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch
features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch
features/all/lockdown/0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
features/all/lockdown/0005-Restrict-dev-mem-kmem-port-when-the-kernel-is-locked.patch
features/all/lockdown/0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
features/all/lockdown/0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
features/all/lockdown/0008-kexec_file-Restrict-at-runtime-if-the-kernel-is-lock.patch
features/all/lockdown/0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
features/all/lockdown/0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
features/all/lockdown/0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch
features/all/lockdown/0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
features/all/lockdown/0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
features/all/lockdown/0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
features/all/lockdown/0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
features/all/lockdown/0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
features/all/lockdown/0020-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
features/all/lockdown/0021-Lock-down-TIOCSSERIAL.patch
features/all/lockdown/0022-Lock-down-module-params-that-specify-hardware-parame.patch
features/all/lockdown/0023-x86-mmiotrace-Lock-down-the-testmmiotrace-module.patch
features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch
features/all/lockdown/0025-Lock-down-proc-kcore.patch
features/all/lockdown/0026-Lock-down-kprobes.patch
features/all/lockdown/0027-bpf-Restrict-kernel-image-access-functions-when-the-.patch
features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch
features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
[arm64,x86] Replace securelevel patch set with lockdown patch set Matthew stopped maintaining the securelevel patch set, and David Howells has taken it up under the new name 'lockdown'. This is taken from: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git#efi-lock-down commits ddb99e118e37f324a4be65a411bb60ae62795cf9..0240fa7c7c948b19d57c0163d57e55296277ff3c Rebase the three patches not included there (cold boot mitigation, arm64 SB integration, MTD RAM restrictions). Update our kconfig for the renaming.
2017-04-20 01:38:29 +00:00
# some missing pieces
features/all/lockdown/enable-cold-boot-attack-mitigation.patch
features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
lockdown: Refer to Debian wiki until manual page exists
2019-04-20 23:22:20 +00:00
# until the "kernel_lockdown.7" manual page exists
features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch
Add Matthew Garrett's securelevel patchset in preparation for Secure Boot support
2016-04-03 03:04:45 +00:00
Add patches to enable loading db and MOK keys Import patches from: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-uefi that enable a new option that automatically loads keys from db and MOK into the secondary keyring, so that they can be used to verify the signature of kernel modules. Enable the required KCONFIGs. Allows users to self-sign modules (eg: dkms).
2019-04-02 12:17:51 +00:00
# load db and MOK keys into secondary keyring for kernel modules verification
features/all/db-mok-keyring/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
features/all/db-mok-keyring/0002-efi-Add-EFI-signature-data-types.patch
features/all/db-mok-keyring/0003-efi-Add-an-EFI-signature-blob-parser.patch
features/all/db-mok-keyring/0004-MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
features/all/db-mok-keyring/0005-MODSIGN-Allow-the-db-UEFI-variable-to-be-suppressed.patch
features/all/db-mok-keyring/0006-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
features/all/db-mok-keyring/0007-modsign-Use-secondary-trust-keyring-for-module-signi.patch
Add patches to enable loading dbx and MOKX blacklists Import patches from: https://lore.kernel.org/patchwork/cover/933178/ that allow to also load dbx and MOKX as blacklists for modules. These patches also disable loading MOK/MOKX when secure boot is not enabled, as the variables will not be safe, and to check the variables attributes before accepting them.
2019-05-02 22:03:39 +00:00
features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch
features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch
features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch
MODSIGN: Make shash allocation failure fatal
2019-05-05 12:47:00 +00:00
features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
Add patches to enable loading db and MOK keys Import patches from: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-uefi that enable a new option that automatically loads keys from db and MOK into the secondary keyring, so that they can be used to verify the signature of kernel modules. Enable the required KCONFIGs. Allows users to self-sign modules (eg: dkms).
2019-04-02 12:17:51 +00:00
Fix exported symbol versions - Revert upstream changes moving exports to assembly sources - [x86] kbuild: enable modversions for symbols exported from assembly - Revert "Fix subtle CONFIG_MODVERSIONS problems" This leaves powerpc and x86 as the only kernel architectures that export symbols from assembly, and <asm/asm-prototypes.h> for those two appear to define prototypes for all the functions that are used.
2016-12-02 00:19:09 +00:00
# Fix exported symbol versions
Update fixes for exported symbol versions Linus has re-enable CONFIG_MODVERSIONS, but also weakened the version matching. Apply his match but then revert the weakening. Also add a proposed fix for missing version CRCs, which gives them a default value of zero. Since buildcheck.py now checks for this, we should detect all unversioned symbols at build time.
2016-12-02 23:13:17 +00:00
bugfix/all/module-disable-matching-missing-version-crc.patch
Fix exported symbol versions - Revert upstream changes moving exports to assembly sources - [x86] kbuild: enable modversions for symbols exported from assembly - Revert "Fix subtle CONFIG_MODVERSIONS problems" This leaves powerpc and x86 as the only kernel architectures that export symbols from assembly, and <asm/asm-prototypes.h> for those two appear to define prototypes for all the functions that are used.
2016-12-02 00:19:09 +00:00
Rename and regroup patches from linux-tools Move patches specific to Debian packaging under debian/, and bug fixes that could go upstream belong under bugfix/. Put them in two separate groups in the series.
2016-03-21 01:37:26 +00:00
# Tools bug fixes
bugfix/all/usbip-document-tcp-wrappers.patch
bugfix/all/kbuild-fix-recordmcount-dependency.patch
bugfix/all/tools-perf-man-date.patch
bugfix/all/tools-perf-remove-shebangs.patch
bugfix/all/tools-lib-traceevent-use-ldflags.patch
bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch
bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
cpupower: Bump soname version and rename library package accordingly
2016-06-09 23:10:18 +00:00
bugfix/all/cpupower-bump-soname-version.patch
libcpupower: Hide private function and drop it from .symbols file This avoids an FTBFS after this function was renamed in 4.19.6.
2018-12-01 19:27:12 +00:00
bugfix/all/libcpupower-hide-private-function.patch
cpupower: Fix checks for CPU existence (Closes: #843071)
2016-11-03 22:11:35 +00:00
bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
Fix remaining build failures with gcc 8 (Closes: #897802) - tools/lib/api/fs/fs.c: Fix misuse of strncpy() - usbip: Fix misuse of strncpy()
2018-07-20 01:00:58 +00:00
bugfix/all/usbip-fix-misuse-of-strncpy.patch
tools: turbostat: Add checks for failure of fgets() and fscanf()
2018-09-11 02:20:07 +00:00
bugfix/x86/tools-turbostat-Add-checks-for-failure-of-fgets-and-.patch
Add patches to build libbpf.so with SONAME, link against libelf
2018-11-28 08:42:03 +00:00
bugfix/all/libbpf-add-soname-to-shared-object.patch
bugfix/all/libbpf-link-shared-object-with-libelf.patch
Generate and install libbpf.pc Backport patch from bpf-next and install libbpf.pc in libbpf-dev
2019-03-28 16:44:07 +00:00
bugfix/all/libbpf-generate-pkg-config.patch
tools/perf: Add python3 support to scripts
2019-11-13 06:31:56 +00:00
bugfix/all/perf-script-python-Add-Python3-support-to-netdev-tim.patch
bugfix/all/perf-script-python-Add-Python3-support-to-failed-sys.patch
bugfix/all/perf-script-python-Add-Python3-support-to-mem-phys-a.patch
bugfix/all/perf-script-python-Add-Python3-support-to-net_dropmo.patch
bugfix/all/perf-script-python-Add-Python3-support-to-powerpc-hc.patch
bugfix/all/perf-script-python-Add-Python3-support-to-sctop.py.patch
bugfix/all/perf-script-python-Add-Python3-support-to-stackcolla.patch
bugfix/all/perf-script-python-Add-Python3-support-to-stat-cpi.p.patch
bugfix/all/perf-script-python-Add-Python3-support-to-syscall-co.patch
bugfix/all/perf-script-python-Add-Python3-support-to-syscall-co-de667cce7f4f.patch
bugfix/all/perf-script-python-Remove-mixed-indentation.patch
bugfix/all/perf-script-python-Add-Python3-support-to-futex-cont.patch
bugfix/all/perf-script-python-add-Python3-support-to-check-perf.patch
bugfix/all/perf-script-python-Add-Python3-support-to-event_anal.patch
bugfix/all/perf-script-python-Add-Python3-support-to-intel-pt-e.patch
bugfix/all/perf-script-python-Add-Python3-support-to-export-to-.patch
bugfix/all/perf-script-python-Add-Python3-support-to-export-to-ebf6c5c181ab.patch
[armhf, arm64] Backport patches from 4.15.x to support dwmac-sun8i.
2017-12-11 21:05:28 +00:00
wireless: Disable regulatory.db direct loading (see #892229)
2018-04-05 18:32:03 +00:00
# wireless: Disable regulatory.db direct loading (until we sort out signing)
debian/wireless-disable-regulatory.db-direct-loading.patch
Documentation/media: uapi: Explicitly say there are no Invariant Sections Closes: #698668 This clarification has now been signed-off by the upstream authors.
2018-11-23 19:12:03 +00:00
# Licence clarification
bugfix/all/documentation-media-uapi-explicitly-say-there-are-no-invariant-sections.patch
ovl: permit overlayfs mounts in user namespaces (Closes: #913880) Permit overlayfs mounts within user namespaces to allow utilisation of e.g. unprivileged LXC overlay snapshots. Except by the Ubuntu community [1], overlayfs mounts in user namespaces are expected to be a security risk [2] and thus are not enabled on upstream Linux kernels. For the non-Ubuntu users that have to stick to unprivileged overlay-based LXCs, this meant to patch and compile the kernel manually. Instead, adding the kernel tainting 'permit_mounts_in_userns' module parameter allows a kind of a user-friendly way to enable the feature. Testable with: sudo modprobe overlay permit_mounts_in_userns=1 sudo sysctl -w kernel.unprivileged_userns_clone=1 mkdir -p lower upper work mnt unshare --map-root-user --mount \ mount -t overlay none mnt \ -o lowerdir=lower,upperdir=upper,workdir=work [1]: Ubuntu allows unprivileged mounting of overlay filesystem https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html [2]: User namespaces + overlayfs = root privileges https://lwn.net/Articles/671641/ Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
2018-11-19 20:16:26 +00:00
# overlay: allow mounting in user namespaces
debian/overlayfs-permit-mounts-in-userns.patch
drivers/net/ethernet/amazon: Backport v2.0.2 from Linux 4.20 Backport Amazon ENA ethernet driver version 2.0.2 from Linux 4.20 This mostly ammounts to cherry-picking the commits in the range described by git log v4.19.5..v4.20-rc7 drivers/net/ethernet/amazon Change e641e99f261f5203a911a9e0db54a214460d2cc4 introduced changes outside the ena directory, but only removed a redundant #include and was trivial to scope down. Upstream dealt with merge conflicts in d864991b220b7c62e81d21209e1fd978fd67352c; the resolution here was identical to upstream.
2018-11-29 07:29:55 +00:00
# Amazon ENA ethernet driver backport from Linux 4.20
features/all/ena/0001-net-ethernet-remove-redundant-include.patch
features/all/ena/0002-net-ena-minor-performance-improvement.patch
features/all/ena/0003-net-ena-complete-host-info-to-match-latest-ENA-spec.patch
features/all/ena/0004-net-ena-introduce-Low-Latency-Queues-data-structures.patch
features/all/ena/0005-net-ena-add-functions-for-handling-Low-Latency-Queue.patch
features/all/ena/0006-net-ena-add-functions-for-handling-Low-Latency-Queue.patch
features/all/ena/0007-net-ena-use-CSUM_CHECKED-device-indication-to-report.patch
features/all/ena/0008-net-ena-explicit-casting-and-initialization-and-clea.patch
features/all/ena/0009-net-ena-limit-refill-Rx-threshold-to-256-to-avoid-la.patch
features/all/ena/0010-net-ena-change-rx-copybreak-default-to-reduce-kernel.patch
features/all/ena/0011-net-ena-remove-redundant-parameter-in-ena_com_admin_.patch
features/all/ena/0012-net-ena-update-driver-version-to-2.0.1.patch
features/all/ena/0013-net-ena-fix-indentations-in-ena_defs-for-better-read.patch
features/all/ena/0015-net-ena-enable-Low-Latency-Queues.patch
features/all/ena/0016-net-ena-fix-compilation-error-in-xtensa-architecture.patch
features/all/ena/0017-net-ena-fix-crash-during-ena_remove.patch
features/all/ena/0018-net-ena-update-driver-version-from-2.0.1-to-2.0.2.patch
drivers/net/ethernet/amazon: Backport ENA driver from Linux 5.4
2019-10-01 00:20:24 +00:00
features/all/ena/net-ena-update-driver-version-from-2.0.2-to-2.0.3.patch
features/all/ena/net-ena-fix-set-freed-objects-to-NULL-to-avoid-faili.patch
features/all/ena/net-ena-fix-return-value-of-ena_com_config_llq_info.patch
features/all/ena/net-ena-improve-latency-by-disabling-adaptive-interr.patch
features/all/ena/net-ena-add-handling-of-llq-max-tx-burst-size.patch
features/all/ena/net-ena-replace-free_tx-rx_ids-union-with-single-fre.patch
features/all/ena/net-ena-arrange-ena_probe-function-variables-in-reve.patch
features/all/ena/net-ena-add-newline-at-the-end-of-pr_err-prints.patch
features/all/ena/net-ena-allow-automatic-fallback-to-polling-mode.patch
features/all/ena/net-ena-add-support-for-changing-max_header_size-in-.patch
features/all/ena/net-ena-optimise-calculations-for-CQ-doorbell.patch
features/all/ena/net-ena-use-dev_info_once-instead-of-static-variable.patch
features/all/ena/net-ena-add-MAX_QUEUES_EXT-get-feature-admin-command.patch
features/all/ena/net-ena-enable-negotiating-larger-Rx-ring-size.patch
features/all/ena/net-ena-make-ethtool-show-correct-current-and-max-qu.patch
features/all/ena/net-ena-allow-queue-allocation-backoff-when-low-on-m.patch
features/all/ena/net-ena-add-ethtool-function-for-changing-io-queue-s.patch
features/all/ena/net-ena-update-driver-version-from-2.0.3-to-2.1.0.patch
features/all/ena/net-ena-Fix-bug-where-ring-allocation-backoff-stoppe.patch
features/all/ena/net-ena-don-t-wake-up-tx-queue-when-down.patch
features/all/ena/net-ena-add-good-checksum-counter.patch
features/all/ena/net-ena-add-intr_moder_rx_interval-to-struct-ena_com.patch
features/all/ena/net-ena-remove-inline-keyword-from-functions-in-.c.patch
features/all/ena/net-ena-switch-to-dim-algorithm-for-rx-adaptive-inte.patch
features/all/ena/net-ena-reimplement-set-get_coalesce.patch
features/all/ena/net-ena-enable-the-interrupt_moderation-in-driver_su.patch
features/all/ena/net-ena-remove-code-duplication-in-ena_com_update_no.patch
features/all/ena/net-ena-remove-old-adaptive-interrupt-moderation-cod.patch
features/all/ena/net-ena-remove-ena_restore_ethtool_params-and-releva.patch
features/all/ena/net-ena-remove-all-old-adaptive-rx-interrupt-moderat.patch
features/all/ena/net-ena-fix-update-of-interrupt-moderation-register.patch
features/all/ena/net-ena-fix-retrieval-of-nonadaptive-interrupt-moder.patch
features/all/ena/net-ena-fix-incorrect-update-of-intr_delay_resolutio.patch
[arm64] Improve support for the Huawei TaiShan server platform Closes: #930554 Enable the HNS/ROCE Infiniband driver Backport fixes from 4.20 and 4.21 for HNS3 networking, hisi_sas SAS and HNS/ROCE Infiniband Signed-off-by: Steve McIntyre <93sam@debian.org>
2019-06-15 20:21:01 +00:00
# Backported bugfixes from 4.20/4.21 for the Huawei TaiShan server platform (aka D06)
bugfix/arm64/huawei-taishan/0002-scsi-hisi_sas-Move-evaluation-of-hisi_hba-in-hisi_sa.patch
bugfix/arm64/huawei-taishan/0005-scsi-hisi_sas-unmask-interrupts-ent72-and-ent74.patch
bugfix/arm64/huawei-taishan/0006-scsi-hisi_sas-Use-block-layer-tag-instead-for-IPTT.patch
bugfix/arm64/huawei-taishan/0007-scsi-hisi_sas-Update-v3-hw-AIP_LIMIT-and-CFG_AGING_T.patch
bugfix/arm64/huawei-taishan/0008-scsi-hisi_sas-Fix-spin-lock-management-in-slot_index.patch
bugfix/arm64/huawei-taishan/0009-scsi-hisi_sas-use-dma_set_mask_and_coherent.patch
bugfix/arm64/huawei-taishan/0010-scsi-hisi_sas-Create-separate-host-attributes-per-HB.patch
bugfix/arm64/huawei-taishan/0011-scsi-hisi_sas-Add-support-for-interrupt-converge-for.patch
bugfix/arm64/huawei-taishan/0012-scsi-hisi_sas-Add-support-for-interrupt-coalescing-f.patch
bugfix/arm64/huawei-taishan/0013-scsi-hisi_sas-Relocate-some-codes-to-avoid-an-unused.patch
bugfix/arm64/huawei-taishan/0014-scsi-hisi_sas-Fix-warnings-detected-by-sparse.patch
bugfix/arm64/huawei-taishan/0015-scsi-hisi_sas-Relocate-some-code-to-reduce-complexit.patch
bugfix/arm64/huawei-taishan/0016-scsi-hisi_sas-Make-sg_tablesize-consistent-value.patch
bugfix/arm64/huawei-taishan/0017-net-hns3-remove-unnecessary-configuration-recapture-.patch
bugfix/arm64/huawei-taishan/0018-net-hns3-remove-1000M-half-support-of-phy.patch
bugfix/arm64/huawei-taishan/0019-net-hns3-synchronize-speed-and-duplex-from-phy-when-.patch
bugfix/arm64/huawei-taishan/0020-net-hns3-getting-tx-and-dv-buffer-size-through-firmw.patch
bugfix/arm64/huawei-taishan/0021-net-hns3-aligning-buffer-size-in-SSU-to-256-bytes.patch
bugfix/arm64/huawei-taishan/0022-net-hns3-fix-a-SSU-buffer-checking-bug.patch
bugfix/arm64/huawei-taishan/0023-net-hns3-change-default-tc-state-to-close.patch
bugfix/arm64/huawei-taishan/0024-net-hns3-fix-a-bug-caused-by-udelay.patch
bugfix/arm64/huawei-taishan/0025-net-hns3-remove-redundant-variable-initialization.patch
bugfix/arm64/huawei-taishan/0026-net-hns3-call-hns3_nic_net_open-while-doing-HNAE3_UP.patch
bugfix/arm64/huawei-taishan/0029-RDMA-hns-Add-constraint-on-the-setting-of-local-ACK-.patch
bugfix/arm64/huawei-taishan/0030-RDMA-hns-Modify-the-pbl-ba-page-size-for-hip08.patch
bugfix/arm64/huawei-taishan/0031-RDMA-hns-RDMA-hns-Assign-rq-head-pointer-when-enable.patch
bugfix/arm64/huawei-taishan/0033-scsi-hisi_sas-fix-calls-to-dma_set_mask_and_coherent.patch
[arm] Backport DTB support for Rasperry Pi Compute Module 3. Signed-off-by: Cyril Brulebois <cyril@debamax.com> (cherry picked from commit 64801af590540b4494f408b95a31fbe07963784d)
2019-07-15 20:41:51 +00:00
# Backported DTB support for Raspberry Pi Compute Module 3 from 4.20-rc1:
features/arm/ARM-dts-add-Raspberry-Pi-Compute-Module-3-and-IO-boa.patch
[arm64] Backport DTB support for Rasperry Pi Compute Module 3. Tested-by: Charles Fendt <charles.fendt@me.com> Signed-off-by: Cyril Brulebois <cyril@debamax.com> (cherry picked from commit de7501857cae4892f52d8c56c2184be548709052)
2019-07-15 20:43:42 +00:00
features/arm64/arm64-dts-broadcom-Add-reference-to-Compute-Module-I.patch
features/arm64/arm64-dts-broadcom-Use-the-.dtb-name-in-the-rule-rat.patch
[arm] Backport DTB support for Rasperry Pi Compute Module 3. Signed-off-by: Cyril Brulebois <cyril@debamax.com> (cherry picked from commit 64801af590540b4494f408b95a31fbe07963784d)
2019-07-15 20:41:51 +00:00
[armhf, arm64] Backport devicetree for enabling support for the Raspberry PI 3 A+ We already have everything we need inside the kernel 4.19.x for supporting this board. backporting patches from upstream so we get the support for buster.
2019-03-07 19:17:40 +00:00
# Backported devicetree support for Raspberry Pi 3 1+ from 5.1
features/arm/ARM-dts-add-Raspberry-Pi-3-A-Plus.patch
features/arm64/arm64-dts-broadcom-Add-reference-to-RPi-3-A-Plus.patch
features/arm/ARM-dts-bcm283x-Correct-vchiq-compatible-string.patch
features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
debian/patches/series: Apply security fixes last (except ABI maintenance) The security fixes are where we have the greatest churn, so it's convenient if they can be pushed/popped without having to go through other patches.
2019-10-20 13:35:22 +00:00
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/ntfs-mark-it-as-broken.patch
f2fs: fix to avoid memory leakage in f2fs_listxattr (CVE-2020-0067)
2020-04-26 09:03:08 +00:00
bugfix/all/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
net: ipv6: add net argument to ip6_dst_lookup_flow
2020-04-26 09:09:17 +00:00
bugfix/all/net-ipv6-add-net-argument-to-ip6_dst_lookup_flow.patch
net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup (CVE-2020-1749)
2020-04-26 09:18:06 +00:00
bugfix/all/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch
blktrace: Protect q->blk_trace with RCU (CVE-2019-19768)
2020-04-26 09:22:53 +00:00
bugfix/all/blktrace-protect-q-blk_trace-with-rcu.patch
blktrace: fix dereference after null check
2020-04-26 09:27:18 +00:00
bugfix/all/blktrace-fix-dereference-after-null-check.patch
[s390x] mm: fix page table upgrade vs 2ndary address mode accesses (CVE-2020-11884)
2020-04-26 19:01:57 +00:00
bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch
selinux: properly handle multiple messages in selinux_netlink_send() (CVE-2020-10751)
2020-05-28 21:00:17 +00:00
bugfix/all/selinux-properly-handle-multiple-messages-in-selinux.patch
fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114)
2020-05-28 21:33:22 +00:00
bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch
propagate_one(): mnt_set_mountpoint() needs mount_lock A similar issue to CVE-2020-12114.
2020-06-06 23:46:11 +00:00
bugfix/all/propagate_one-mnt_set_mountpoint-needs-mount_lock.patch
USB: core: Fix free-while-in-use bug in the USB S-Glibrary (CVE-2020-12464)
2020-05-29 11:46:50 +00:00
bugfix/all/usb-core-fix-free-while-in-use-bug-in-the-usb-s-glib.patch
[x86] KVM: SVM: Fix potential memory leak in svm_cpu_init() (CVE-2020-12768)
2020-05-29 12:02:45 +00:00
bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770)
2020-05-29 19:20:44 +00:00
bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch
USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143)
2020-05-29 19:34:00 +00:00
bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
netlabel: cope with NULL catmap (CVE-2020-10711)
2020-06-02 18:27:09 +00:00
bugfix/all/netlabel-cope-with-NULL-catmap.patch
fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() (CVE-2020-10732)
2020-06-03 05:41:02 +00:00
bugfix/all/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch
kernel/relay.c: handle alloc_percpu returning NULL in relay_open (CVE-2019-19462)
2020-06-05 10:29:55 +00:00
bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch
mm: Fix mremap not considering huge pmd devmap (CVE-2020-10757)
2020-06-05 10:34:01 +00:00
bugfix/all/mm-Fix-mremap-not-considering-huge-pmd-devmap.patch
Add fixes for CVE-2019-3016 Cherry-pick 11 commits from the 4.19.118 including prerequisited to adress CVE-2019-3016.
2020-06-06 08:35:47 +00:00
# pre-requisites and CVE-2019-3016
bugfix/x86/KVM-nVMX-Always-sync-GUEST_BNDCFGS-when-it-comes-fro.patch
bugfix/all/KVM-Introduce-a-new-guest-mapping-API.patch
bugfix/arm64/kvm-fix-compilation-on-aarch64.patch
bugfix/s390x/kvm-fix-compilation-on-s390.patch
bugfix/s390x/kvm-fix-compile-on-s390-part-2.patch
bugfix/all/KVM-Properly-check-if-page-is-valid-in-kvm_vcpu_unma.patch
bugfix/x86/x86-kvm-Introduce-kvm_-un-map_gfn.patch
bugfix/x86/x86-kvm-Cache-gfn-to-pfn-translation.patch
bugfix/x86/x86-KVM-Make-sure-KVM_VCPU_FLUSH_TLB-flag-is-not-mis.patch
bugfix/x86/x86-KVM-Clean-up-host-s-steal-time-structure.patch
[x86] Add support for mitigation of SRBDS (CVE-2020-0543) Apply the current version of the backport to 4.19.
2020-05-05 01:07:33 +00:00
bugfix/x86/srbds/0001-x86-cpu-Add-a-steppings-field-to-struct-x86_cpu_id.patch
bugfix/x86/srbds/0002-x86-cpu-Add-table-argument-to-cpu_matches.patch
bugfix/x86/srbds/0003-x86-speculation-Add-Special-Register-Buffer-Data-Sam.patch
bugfix/x86/srbds/0004-x86-speculation-Add-SRBDS-vulnerability-and-mitigati.patch
bugfix/x86/srbds/0005-x86-speculation-Add-Ivy-Bridge-to-affected-list.patch
debian/patches/series: Apply security fixes last (except ABI maintenance) The security fixes are where we have the greatest churn, so it's convenient if they can be pushed/popped without having to go through other patches.
2019-10-20 13:35:22 +00:00
Update to 4.13.9 Drop many patches which are now upstream. Avoid/ignore ABI changes as appropriate.
2017-10-26 09:12:11 +00:00
# ABI maintenance
Avoid an ABI change for SRBDS Adding the x86_cpu_id::steppings field is an ABI change. It doesn't seem worth the trouble of another ABI bump just to be able to report some potential future CPU steppings as invulnerable. Until we have other change that require an ABI bump, we'll match the affected models regardless of stepping. Keep the reverted patch in the queue so that the reverting patch will continue to be applied when we rebase onto a new stable update.
2020-05-05 01:21:33 +00:00
debian/abi/x86-speculation-do-not-match-steppings.patch
debian/abi/revert-x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch