------------------------------------------------------------------- Fri Sep 10 07:20:26 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit 3cc5516 ------------------------------------------------------------------- Fri Aug 27 12:03:47 CEST 2021 - nstange@suse.de - Fix for CVE-2021-3653 ("kvm: missing validation of the `int_ctl` VMCB field and allows a malicious L1 guest to enable AVIC support for the L2 guest") Live patch for CVE-2021-3653. Upstream commit 0f923e07124d ("KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)"). KLP: CVE-2021-3653 References: bsc#1189420 CVE-2021-3653 - commit 9cc0c3c ------------------------------------------------------------------- Tue Aug 17 15:58:21 CEST 2021 - nstange@suse.de - Fix for CVE-2021-38198 ("arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page") Live patch for CVE-2021-38198. Upstream commit b1bd5cba3306 ("KVM: X86: MMU: Use the correct inherited permissions to get shadow page"). KLP: CVE-2021-38198 References: bsc#1189278 CVE-2021-38198 - commit 6b3125c ------------------------------------------------------------------- Mon Aug 9 16:30:24 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit 2287054 ------------------------------------------------------------------- Fri Jul 30 11:38:46 CEST 2021 - nstange@suse.de - Fix for CVE-2021-37576 ("powerpc: KVM guest OS users can cause host OS memory corruption") Live patch for CVE-2021-37576. Upstream commit f62f3c20647e ("KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow"). KLP: CVE-2021-37576 References: bsc#1188842 CVE-2021-37576 - commit 760f995 ------------------------------------------------------------------- Thu Jul 22 08:46:26 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit 6ca74b0 ------------------------------------------------------------------- Tue Jul 20 13:16:29 CEST 2021 - nstange@suse.de - Fix for CVE-2021-3609 ("net/can: race condition in net/can/bcm.c leads to local privilege escalation") Live patch for CVE-2021-3609. Upstream commit d5f9023fa61e ("can: bcm: delay release of struct bcm_op after synchronize_rcu()"). KLP: CVE-2021-3609 References: bsc#1188323 CVE-2021-3609 - commit 8bc2b21 ------------------------------------------------------------------- Fri Jul 16 09:37:16 CEST 2021 - nstange@suse.de - Fix for CVE-2021-33909 ("size_t-to-int vulnerability in Linux's filesystem layer") Live patch for CVE-2021-33909. No upstream commit yet. KLP: CVE-2021-33909 References: bsc#1188257 CVE-2021-33909 - commit 5890df5 ------------------------------------------------------------------- Thu Jul 15 11:24:20 CEST 2021 - nstange@suse.de - Fix for CVE-2021-22555 ("out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c") Live patch for CVE-2021-22555. Upstream commit b29c457a6511 ("netfilter: x_tables: fix compat match/target pad out-of-bound write"). KLP: CVE-2021-22555 References: bsc#1188117 CVE-2021-22555 - commit ceb23b3 ------------------------------------------------------------------- Fri Jul 9 11:42:22 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit 81c9463 ------------------------------------------------------------------- Tue Jul 6 14:29:52 CEST 2021 - nstange@suse.de - Fix for CVE-2020-36385 ("An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma") Live patch for CVE-2020-36385. Upstream commit f5449e74802c ("RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy"). KLP: CVE-2020-36385 References: bsc#1187052 CVE-2020-36385 - commit a82f32e ------------------------------------------------------------------- Thu Jul 1 09:36:48 CEST 2021 - nstange@suse.de - Fix for CVE-2021-0605 ("In pfkey_dump() dplen and splen can both be specified to access the xfrm_address_t structure out of bounds") Live patch for CVE-2021-0605. Upstream commit 37bd22420f85 ("af_key: pfkey_dump needs parameter validation"). KLP: CVE-2021-0605 References: bsc#1187687 CVE-2021-0605 - commit 10410c6 ------------------------------------------------------------------- Wed Jun 30 14:40:33 CEST 2021 - nstange@suse.de - Fix for CVE-2021-0512 ("out-of-bounds write due to a heap buffer overflow in __hidinput_change_resolution_multipliers() of hid-input.c") Live patch for CVE-2021-0512. Upstream commit ed9be64eefe2 ("HID: make arrays usage and value to be the same"). KLP: CVE-2021-0512 References: bsc#1187597 CVE-2021-0512 - commit 3af809c ------------------------------------------------------------------- Fri Jun 11 12:12:37 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit c3ac484 ------------------------------------------------------------------- Wed May 26 12:00:55 CEST 2021 - nstange@suse.de - Fix for CVE-2021-33034 ("use-after-free when destroying an hci_chan") Live patch for CVE-2021-33034. Upstream commit 5c4c8c954409 ("Bluetooth: verify AMP hci_chan before amp_destroy"). KLP: CVE-2021-33034 References: bsc#1186285 CVE-2021-33034 - commit e7bd162 ------------------------------------------------------------------- Wed May 19 14:23:49 CEST 2021 - nstange@suse.de - Fix for bsc#1186235 ("kgraft: kernel warning during sysfs read") Live patch for bsc#1186235. No upstream commit. KLP: bsc#1186235 References: bsc#1186235 - commit feb74b7 ------------------------------------------------------------------- Mon May 17 16:41:26 CEST 2021 - nstange@suse.de - Fix for CVE-2021-32399 ("Linux device detach race condition") Live patch for CVE-2021-32399. Upstream commit e2cb6b891ad2 ("bluetooth: eliminate the potential race condition when removing the HCI controller"). KLP: CVE-2021-32399 References: bsc#1185899 CVE-2021-32399 - commit 313c9bc ------------------------------------------------------------------- Thu May 13 17:40:23 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit 2b5bf50 ------------------------------------------------------------------- Wed Apr 28 14:29:56 CEST 2021 - nstange@suse.de - Fix for CVE-2020-36322 ("FUSE driver can confuse kernel by changing inode type") Live patch for CVE-2020-36322. Upstream commits 5d069dbe8aaf ("fuse: fix bad inode") and 775c5033a0d1 ("fuse: fix live lock in fuse_iget()"). KLP: CVE-2020-36322 References: bsc#1184952 CVE-2020-36322 - commit 5c4689b ------------------------------------------------------------------- Thu Apr 22 15:27:37 CEST 2021 - nstange@suse.de - Fix for CVE-2021-29154 ("LPE due to incorrect BPF JIT branch displacement computation") Live patch for CVE-2021-29154. Upstream commit e4d4d456436b ("bpf, x86: Validate computation of branch displacements for x86-64"). KLP: CVE-2021-29154 References: bsc#1184710 CVE-2021-29154 - commit 3b1880e ------------------------------------------------------------------- Tue Apr 20 09:49:17 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit e2966ee ------------------------------------------------------------------- Fri Mar 19 16:06:59 CET 2021 - nstange@suse.de - Bump up the version number in spec file - commit 26aece2 ------------------------------------------------------------------- Tue Mar 16 14:59:22 CET 2021 - nstange@suse.de - Fix for CVE-2021-27365 ("iscsi_host_get_param() allows sysfs params larger than 4k") Live patch for CVE-2021-27365. Upstream commits ec98ea7070e9 ("scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE") and f9dbdf97a5bd ("scsi: iscsi: Verify lengths on passthrough PDUs"). KLP: CVE-2021-27365 References: bsc#1183491 CVE-2021-27365 - commit 6c5a2f7 ------------------------------------------------------------------- Wed Mar 10 13:28:09 CET 2021 - nstange@suse.de - Fix for CVE-2021-26930 ("error handling issues in blkback's grant mapping (XSA-365 v3)") Live patch for CVE-2021-26931, CVE-2021-26930 and CVE-2021-28688. Upstream commits - 5a264285ed1c ("xen-blkback: don't "handle" error by BUG()") - 871997bc9e42 ("xen-blkback: fix error handling in xen_blkbk_map()") and - a846738f8c37 ("xen-blkback: don't leak persistent grants from xen_blkbk_map()"). KLP: CVE-2021-26931 CVE-2021-26930 CVE-2021-28688 References: bsc#1182294 CVE-2021-26931 CVE-2021-26930 CVE-2021-28688 XSA-362 XSA-365 XSA-371 - commit cdf5225 ------------------------------------------------------------------- Tue Mar 9 09:44:40 CET 2021 - nstange@suse.de - Fix for CVE-2021-27363 + CVE-2021-27364 ("show_transport_handle() shows iSCSI transport handle to non-root users") Live patch for CVE-2021-27363 and CVE-2021-27364. Upstream commit 688e8128b7a9 ("scsi: iscsi: Restrict sessions and handles to admin capabilities"). KLP: CVE-2021-27363 CVE-2021-27364 References: bsc#1183120 CVE-2021-27363 CVE-2021-27364 - commit 21e9c07 ------------------------------------------------------------------- Wed Mar 3 09:11:51 CET 2021 - nstange@suse.de - Bump up the version number in spec file - commit 622bd76 ------------------------------------------------------------------- Tue Feb 16 11:06:19 CET 2021 - nstange@suse.de - Fix for CVE-2021-3347 ("UAF in futex") Live patch for CVE-2021-3347. Upstream commits 12bb3f7f1b03 ("futex: Ensure the correct return value from futex_lock_pi()") 04b79c55201f ("futex: Replace pointless printk in fixup_owner()") c5cade200ab9 ("futex: Provide and use pi_state_update_owner()") 2156ac193416 ("rtmutex: Remove unused argument from rt_mutex_proxy_unlock()") 6ccc84f917d3 ("futex: Use pi_state_update_owner() in put_pi_state()") f2dac39d9398 ("futex: Simplify fixup_pi_state_owner()") 34b1a1ce1458 ("futex: Handle faults correctly for PI futexes") KLP: CVE-2021-3347 References: bsc#1181553 CVE-2021-3347 - commit 9193142 ------------------------------------------------------------------- Wed Feb 3 11:09:08 CET 2021 - nstange@suse.de - Fix for CVE-2020-27786 ("use-after-free in kernel midi subsystem snd_rawmidi_kernel_read1()") Live patch for CVE-2020-27786. Upstream commit c1f6e3c818dd ("ALSA: rawmidi: Fix racy buffer resize under concurrent accesses"). KLP: CVE-2020-27786 References: bsc#1179616 CVE-2020-27786 - commit 67b5ca7 ------------------------------------------------------------------- Mon Feb 1 10:48:39 CET 2021 - nstange@suse.de - Fix for CVE-2020-28374 ("LIO security issue") Live patch for CVE-2020-28374. Upstream commit 2896c93811e3 ("scsi: target: Fix XCOPY NAA identifier lookup"). KLP: CVE-2020-28374 References: bsc#1178684 CVE-2020-28374 - commit cc14654 ------------------------------------------------------------------- Thu Jan 28 15:55:24 CET 2021 - nstange@suse.de - Bump up the version number in spec file - commit e58c334 ------------------------------------------------------------------- Mon Jan 18 10:20:01 CET 2021 - nstange@suse.de - Fix for CVE-2020-36158 ("RCE via a long SSID value in mwifiex_cmd_802_11_ad_hoc_start marvell/mwifiex/join.c") Live patch for CVE-2020-36158. Upstream commit 5c455c5ab332 ("mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start"). KLP: CVE-2020-36158 References: bsc#1180562 CVE-2020-36158 - commit c0db70a ------------------------------------------------------------------- Thu Jan 14 15:03:42 CET 2021 - nstange@suse.de - Fix for CVE-2020-0465 ("In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check.") Live patch for CVE-2020-0465. Upstream commit 35556bed836f ("HID: core: Sanitize event code and type when mapping input"). KLP: CVE-2020-0465 References: bsc#1180030 CVE-2020-0465 - commit 5e3180c ------------------------------------------------------------------- Tue Jan 12 12:50:23 CET 2021 - nstange@suse.de - Fix for CVE-2020-0466 ("In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error.") Live patch for CVE-2020-0466. Upstream commits a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list"), 52c479697c9b ("do_epoll_ctl(): clean the failure exits up a bit"), 77f4689de17c ('fix regression in "epoll: Keep a reference on files added to the check list"'). KLP: CVE-2020-0466 References: bsc#1180032 CVE-2020-0466 - commit f93830d ------------------------------------------------------------------- Thu Jan 7 13:15:52 CET 2021 - nstange@suse.de - Fix for CVE-2020-29569 ("Use after free triggered by block frontend in Linux blkback (XSA-350 v3)") Live patch for CVE-2020-29569. Upstream commit 1c728719a4da ("xen-blkback: set ring->xenblkd to NULL after kthread_stop()"). KLP: CVE-2020-29569 References: bsc#1180008 CVE-2020-29569 - commit 7f77404 ------------------------------------------------------------------- Wed Jan 6 11:13:29 CET 2021 - nstange@suse.de - Fix for CVE-2020-29660, CVE-2020-29661 ("[tty] hole/race in pgrp & session handling") Live patch for CVE-2020-29660 and CVE-2020-29661. Upstream commits 54ffccbf053b ("tty: Fix ->pgrp locking in tiocspgrp()") and c8bcd9c5be24 ("tty: Fix ->session locking"). KLP: CVE-2020-29660 CVE-2020-29661 References: bsc#1179877 CVE-2020-29660 CVE-2020-29661 - commit 98aa564 ------------------------------------------------------------------- Fri Nov 27 19:01:30 CET 2020 - nstange@suse.de - Bump up the version number in spec file - commit e861503 ------------------------------------------------------------------- Fri Nov 20 14:23:42 CET 2020 - nstange@suse.de - Fix for CVE-2020-25668 ("concurrency use-after-free in con_font_op") Live patch for CVE-2020-25668. Upstream commit 90bfdeef83f1 ("tty: make FONTX ioctl use the tty pointer they were actually passed"). KLP: CVE-2020-25668 References: bsc#1178622 CVE-2020-25668 - commit 0e04767 ------------------------------------------------------------------- Fri Nov 20 10:44:48 CET 2020 - nstange@suse.de - Fix for CVE-2020-8694 ("Intel RAPL sidechannel aka PLATYPUS attack") Live patch for CVE-2020-8694. Upstream commit 949dd0104c49 ("powercap: restrict energy meter to root access"). KLP: CVE-2020-8694 References: bsc#1178700 CVE-2020-8694 - commit d91bda1 ------------------------------------------------------------------- Wed Nov 18 15:52:55 CET 2020 - nstange@suse.de - Fix for CVE-2020-25705 ("New vulnerabilities in ICMP rate limiting") Live patch for CVE-2020-25705. Upstream commit b38e7819cae9 ("icmp: randomize the global rate limiter"). KLP: CVE-2020-25705 References: bsc#1178783 CVE-2020-25705 - commit de5744b ------------------------------------------------------------------- Thu Nov 12 09:18:07 CET 2020 - nstange@suse.de - Bump up the version number in spec file - commit 92158f0 ------------------------------------------------------------------- Tue Oct 27 14:16:52 CET 2020 - nstange@suse.de - Bump up the version number in spec file - commit c22153d ------------------------------------------------------------------- Mon Oct 26 12:52:31 CET 2020 - nstange@suse.de - Fix for CVE-2020-25645 ("Geneve/IPsec traffic may be unencrypted between two Geneve endpoints") Live patch for CVE-2020-25645. Upstream commit 34beb2159451 ("geneve: add transport ports in route lookup for geneve"). KLP: CVE-2020-25645 References: bsc#1177513 CVE-2020-25645 - commit fa04560 ------------------------------------------------------------------- Mon Oct 5 11:19:22 CEST 2020 - nstange@suse.de - Fix for CVE-2020-0429 ("possible memory corruption in l2tp_session_delete and related functions of l2tp_core.c") Live patch for CVE-2020-0429. Upstream commits 4ac36a4adaf8 ("l2tp: Correctly return -EBADF from pppol2tp_getname.") 61b9a047729b ("l2tp: fix race in l2tp_recv_common()") 57377d635478 ("l2tp: ensure session can't get removed during pppol2tp_session_ioctl()") dbdbc73b4478 ("l2tp: fix duplicate session creation") 54c151d9ed13 ("l2tp: Refactor the codes with existing macros instead of literal number") cdd10c962749 ("l2tp: ensure sessions are freed after their PPPOL2TP socket") b228a9406640 ("l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall()") KLP: CVE-2020-0429 References: bsc#1176931 CVE-2020-0429 - commit 26fc80c ------------------------------------------------------------------- Tue Sep 29 12:33:24 CEST 2020 - nstange@suse.de - Fix for CVE-2020-14381 ("referencing inode of removed superblock in get_futex_key() causes UAF") Live patch for CVE-2020-14381. Upstream commit 8019ad13ef7f ("futex: Fix inode life-time issue"). KLP: CVE-2020-14381 References: bsc#1176012 CVE-2020-14381 - commit 6fabbe8 ------------------------------------------------------------------- Fri Sep 25 10:26:18 CEST 2020 - nstange@suse.de - Fix for CVE-2020-0431 ("possible out of bounds write in kbd_keycode of keyboard.c") Live patch for CVE-2020-0431. Upstream commit 4f3882177240 ("HID: hid-input: clear unmapped usages"). KLP: CVE-2020-0431 References: bsc#1176896 CVE-2020-0431 - commit f809a7f ------------------------------------------------------------------- Thu Sep 24 15:11:09 CEST 2020 - nstange@suse.de - Fix for CVE-2020-25212 ("TOCTOU mismatch in the NFS client code") Live patch for CVE-2020-25212. Upstream commit b4487b935452 ("nfs: Fix getxattr kernel panic and memory overflow"). KLP: CVE-2020-25212 References: bsc#1176382 CVE-2020-25212 - commit 1ae1bce ------------------------------------------------------------------- Mon Sep 7 12:50:03 CEST 2020 - mbenes@suse.cz - Update IBS_PROJECT to correct maintenance incident after initial submission - commit ce1b3bf ------------------------------------------------------------------- Fri Sep 4 10:43:12 CEST 2020 - nstange@suse.de - New branch for SLE12-SP3_Update_35 - commit 24ce389 ------------------------------------------------------------------- Tue Jul 14 16:16:44 CEST 2020 - nstange@suse.de - Fix for CVE-2020-11668 ("malicious USB device pretending to be Xirlink camera can corrupt random kernel memory") Live patch for CVE-2020-11668. Upstream commit a246b4d54770 ("media: xirlink_cit: add missing descriptor sanity checks"). KLP: CVE-2020-11668 References: bsc#1173942 CVE-2020-11668 - commit c272e02 ------------------------------------------------------------------- Mon Mar 23 15:08:56 CET 2020 - nstange@suse.de - Fix for CVE-2020-1749 ("some ipv6 protocols not encrypted over ipsec tunnel") Live patch for CVE-2020-1749. Upstream commit 6c8991f41546 ("net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup"). KLP: CVE-2020-1749 References: bsc#1165631 CVE-2020-1749 - commit 37b2939 ------------------------------------------------------------------- Mon Dec 2 13:49:24 CET 2019 - mbenes@suse.cz - Revert "shadow variables: allow for dynamic initialization" This reverts commit 843c6fa42429afc1682cdb39119e7a011af2abc9. - commit 23d37c8 ------------------------------------------------------------------- Mon Dec 2 13:40:37 CET 2019 - mbenes@suse.cz - Revert "shadow variables: introduce upstream patch" This reverts commit e899c4fd3fe7602ebd70f578d8475f1049de7c78. - commit c1be24c ------------------------------------------------------------------- Mon Dec 2 13:38:18 CET 2019 - mbenes@suse.cz - Revert "shadow variables: drop EXPORT_SYMBOL()s" This reverts commit ac6cfebd7f831213ebcd4b2690672871572ec49e. - commit 5771a4b ------------------------------------------------------------------- Mon Dec 2 13:38:04 CET 2019 - mbenes@suse.cz - Revert "shadow variables: share shadow data among KGraft modules" This reverts commit 8e1e705d4d56981949f7ae3854d8e1cc2be7f40f. - commit 1c87412 ------------------------------------------------------------------- Mon Dec 2 13:37:30 CET 2019 - mbenes@suse.cz - Revert "shadow variables: add KGR_SHADOW_ID helper" This reverts commit 237c8f3d13c382321d3e65d138d328eae0b82f6c. - commit 41936fd ------------------------------------------------------------------- Tue Dec 11 11:27:23 CET 2018 - mbenes@suse.cz - uname_patch: don't hold uts_sem while accessing userspace memory Backport upstream patch 42a0cc347858 ("sys: don't hold uts_sem while accessing userspace memory"). - commit d4e00de ------------------------------------------------------------------- Tue Oct 2 16:38:19 CEST 2018 - mbenes@suse.cz - scripts/tar-up.sh: Add ppc64le to ExclusiveArch even for SLE12-SP2 - commit 77a8a8b ------------------------------------------------------------------- Wed Aug 8 15:07:59 CEST 2018 - nstange@suse.de - Provide common kallsyms wrapper API With bsc#1103203, the need for disambiguating between a multiply defined symbol arose. This is something the kallsyms_lookup_name() based code snippet we used to copy&paste to every individual CVE fix can't handle. Implement a proper wrapper API for doing the kallsyms lookups. - commit 4aed7d2 ------------------------------------------------------------------- Wed Jul 11 13:55:14 CEST 2018 - nstange@suse.de - provide KGR_SHADOW_ID() helper macro - commit 7325c49 ------------------------------------------------------------------- Mon May 14 08:30:00 CEST 2018 - nstange@suse.de - scrips/create-makefile.sh: add support for assembly files - commit cf2464a ------------------------------------------------------------------- Mon Mar 5 15:44:31 CET 2018 - nstange@suse.de - shadow variables: allow for dynamic initialization Currently, the only shadow variable initialization scheme exposed by the allocation API is to let klp_shadow_alloc() resp. klp_shadow_get_or_alloc() memcpy some user provided buffer to the freshly allocated shadow variable. This is too limited for shadow structures containing pointers into themselves like list_heads or mutexes. Change the internal __klp_shadow_get_or_alloc() to take a pointer to an initializer functions and call that in place of the memcpy() operation. In order to retain former functionality of klp_shadow_alloc() and klp_shadow_get_or_alloc(), make them pass the new __klp_shadow_memcpy_init() wrapper to __klp_shadow_get_or_alloc(). Finally, introduce the new klp_shadow_alloc_with_init() and klp_shadow_get_or_alloc_with_init() which pass a user provided initializer function pointer onwards to __klp_shadow_get_or_alloc(). - commit 843c6fa ------------------------------------------------------------------- Tue Dec 5 16:42:04 CET 2017 - mbenes@suse.cz - uname_patch: fix UNAME26 for 4.0 Backport upstream commit 39afb5ee4640 ("kernel/sys.c: fix UNAME26 for 4.0"). - commit 5988feb ------------------------------------------------------------------- Mon Dec 4 15:25:24 CET 2017 - mbenes@suse.cz - Revert "Add compat.h to deal with changes of KGR_PATCH macro" This reverts commit 4186bef35862029a2fd36ba4a73d5fa538992709. All currently supported kernels (that is, everything since SLE12_Update_14 and SLE12-SP1_Update_5) have sympos support. We can drop compat, because we don't need it anymore. - commit 11e3220 ------------------------------------------------------------------- Thu Nov 30 15:15:20 CET 2017 - mbenes@suse.cz - scripts: Generate ExclusiveArch in spec file dynamically ppc64le architecture kernel support is not present in all currently supported branches. It may cause problem for the maintenance team. Generate ExclusiveArch dynamically. It should be 'ppc64le x86_64' for SLE12-SP3 and 'x86_64' for the rest. - commit 95ed856 ------------------------------------------------------------------- Thu Nov 16 14:27:46 CET 2017 - mbenes@suse.cz - rpm/kgraft-patch.spec: Add ppc64le as a supported arch ppc64le is about to be supported in Live Patching product. Add it to ExclusiveArch tag. - commit 8437c94 ------------------------------------------------------------------- Thu Nov 16 14:26:35 CET 2017 - mbenes@suse.cz - rpm/kgraft-patch.spec: Remove s390x from supported archs s390x is not supported in Live Patching product. Remove it from ExclusiveArch. - commit f9614f2 ------------------------------------------------------------------- Thu Oct 5 12:12:29 CEST 2017 - nstange@suse.de - shadow variables: add KGR_SHADOW_ID helper As shadow variables are supposed to be shared among different KGraft modules their id's must be compile time constants. Introduce the KGR_SHADOW_ID helper macro for generating them in a uniform manner based on the bsc# number and a local id. - commit 237c8f3 ------------------------------------------------------------------- Thu Oct 5 12:12:28 CEST 2017 - nstange@suse.de - shadow variables: share shadow data among KGraft modules As it stands, each KGraft module maintains its own set of shadow variable management structures and thus, shadow variables are not sharable between livepatch modules. This behaviour is different from the upstream implementation and, as pointed out by Miroslav Benes, it also opens up an opportunity for a small window where the system might become vulnerable again during transition as we stack new livepatches on top. Let all KGraft patches share the shadow data. Sharing is implemented by moving the management structures from a KGraft module's .data to dynamically allocated memory. Each KGraft module will have specifically named pointers, 'kgr_shadow_hash12' and 'kgr_shadow_lock12', referencing them. Upon initialization, a KGraft module will discover already existing such shadow data by kallsyms-searching all loaded modules for these pointer symbols. If none is found, a new instance is allocated. The newly introduced kgr_shadow_init() implementing this is idempotent and can thus be called from the bsc# subpatches' initializers if needed. Upon KGraft module removal, the new kgr_shadow_cleanup() will conduct another kallsyms search and deallocate the shadow data in case there are no more users. kgr_shadow_cleanup() is also idempotent. Initialization and teardown of the common shadow data is serialized with the module_mutex which has to be taken for the kallsyms search anyway. - commit 8e1e705 ------------------------------------------------------------------- Thu Oct 5 12:12:27 CEST 2017 - nstange@suse.de - shadow variables: drop EXPORT_SYMBOL()s The shadow variable API will only ever get used by the KGraft module itself and thus, there's no need for exporting it. Drop all EXPORT_SYMBOL annotations. - commit ac6cfeb ------------------------------------------------------------------- Thu Oct 5 12:12:26 CEST 2017 - nstange@suse.de - shadow variables: introduce upstream patch Joe Lawrence posted the sixth version of his shadow variable patch [1] implementing the association of additional out-of-band data members to existing structure instances from livepatches. Jiri Kosina has applied this to his git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching.git for-4.15/shadow-variables tree and thus, it's queued up and close to getting merged. The plan is to eventually backport this shadow variable support to SLE kernels, but we also want to have it usable from KGraft modules by now. Port the implementation to the kraft-patches module. Namely, - dump shadow.c in it's current upstream state as it is after commits 439e7271dc2b ("livepatch: introduce shadow variable API") 5d9da759f758 ("livepatch: __klp_shadow_get_or_alloc() is local to shadow.c") 19205da6a0da ("livepatch: Small shadow variable documentation fixes") - add a shadow.h header and declare the newly introduced functions there - and incorporate the new files into the KGraft module's build system. [1] 1504211861-19899-2-git-send-email-joe.lawrence@redhat.com ("[PATCH v6] livepatch: introduce shadow variable API") - commit e899c4f ------------------------------------------------------------------- Tue Jun 13 15:54:27 CEST 2017 - nstange@suse.de - scripts/register-patches.sh: register subpatch sources in rpm spec In order to reduce the manual merging work upon addition of new (sub)patches, commit 4e8dc885be22 ("scripts: create kgr_patch_main.c dynamically") introduced the register-patches.sh helper. It discovers those and tweaks the main entry point, kgr_patch_main.c, as needed. However, a remaining manual merging task is to list a (sub)patch's source archive in rpm/kgraft-patch.spec and to %setup it. Make scripts/register-patches.sh do this. Namely, - introduce the @@KGR_PATCHES_SOURCES@@ and @@KGR_PATCHES_SETUP_SOURCES@@ placeholders in rpm/kgraft-patch.spec - and make scripts/register-patches.sh expand those within a spec file to be given as an additional command line argument. Finally, adjust scripts/tar-up.sh accordingly. - commit 9eafc8a ------------------------------------------------------------------- Tue Jun 13 15:51:42 CEST 2017 - nstange@suse.de - scripts/register-patches.sh: don't add ','s to @@KGR_PATCHES_FUNCS@@ register-patches.sh expands kgr_patch_main.c's @@KGR_PATCHES_FUNCS@@ placeholder by concatenating all available patches' KGR_PATCH__FUNCS together, separating them by commas. The KGR_PATCH__FUNCS are CPP macros supposed to be provided by each patch. If one of these happens to be empty, the preprocessed expansion will contain two consecutive commas which gcc doesn't like in array initializers. Do not add any commas to the @@KGR_PATCHES_FUNCS@@ expansion but require the individual KGR_PATCH__FUNCS macros to already contain trailing ones as needed. Fixes: 4e8dc885be22 ("scripts: create kgr_patch_main.c dynamically") - commit ba41416 ------------------------------------------------------------------- Wed Jun 7 12:05:41 CEST 2017 - nstange@suse.de - scripts: create kgr_patch_main.c dynamically The kgraft-patches repository has got many branches, each corresponding to a supported codestream. Each of those carries a potentially different set of live (sub)patches which are controlled through the entry points in kgr_patch_main.c. According to Miroslav, merging of a new (sub)patch based on the pristine master is a pita due to conflicts. Since all (sub)patches stick to certain conventions already, the required modifications of the merging-hotspot kgr_patch_main.c are quite mechanic. Let a script do the work. Namely, - insert some special @@-embraced placeholders at the few places depending on the actual set of (sub)patches, - let register-patches.sh discover the available (sub)patches by searching for directories - and let register-patches.sh replace those placeholders in kgr_patch_main.c Finally, add a register-patches.sh invocation to tar-up.sh. This procedure requires that a SUBPATCH located in directory SUBPATCH/ adheres to the following conventions: - It must provide a provide a SUBPATCH/kgr_patch_SUBPATCH.h header. - This header must provide declarations for kgr_patch_SUBPATCH_init() and kgr_patch_SUBPATCH_cleanup(). - This header must also #define a KGR_PATCH_SUBPATCH_FUNCS macro. It should expand to a comma separated list of KGR_PATCH*() entries, each corresponding to a function the subpatch wants to replace. [mbenes: fixed typos, empty line removed] - commit 4e8dc88 ------------------------------------------------------------------- Mon Apr 24 16:00:54 CEST 2017 - mbenes@suse.cz - Replace $(PWD) with $(CURDIR) in Makefile CURDIR is an internal variable of make and more suitable. - commit 03bf1d5 ------------------------------------------------------------------- Wed Apr 19 14:02:27 CEST 2017 - mbenes@suse.cz - Create Makefile automatically Introduce scripts/create-makefile.sh script to automatically create a makefile. The scripts is called from tar-up.sh or could be called manually. - commit 1af6c29 ------------------------------------------------------------------- Mon Oct 24 13:26:09 CEST 2016 - mbenes@suse.cz - Better to use SUSE:SLE-12:Update than Devel:kGraft:SLE12 project - commit bdc7598 ------------------------------------------------------------------- Tue May 10 15:43:59 CEST 2016 - mbenes@suse.cz - Add compat.h to deal with changes of KGR_PATCH macro Sympos patch set for kGraft redefined KGR_PATCH macro and added two new ones. Add new compat.h which contains macro magic so that all kGraft patches would work on both old and new kernels with the patch set merged. - commit 4186bef ------------------------------------------------------------------- Fri May 6 17:01:17 CEST 2016 - mbenes@suse.cz - Fix the number of parameters of KGR_PATCH macro New kernels contain kGraft's sympos patch set which changed number of paramaters of KGR_PATCH macro and introduced new macros. Fix it in master so it will be ok for new branches. - commit 78cf676 ------------------------------------------------------------------- Tue Sep 1 13:00:23 CEST 2015 - mmarek@suse.com - Include the RPM version number in the module name - commit 8fa02c6 ------------------------------------------------------------------- Wed Aug 26 11:29:44 CEST 2015 - mbenes@suse.cz - Remove forgotten debug option in the Makefile - commit 9c24ab8 ------------------------------------------------------------------- Mon Aug 17 13:42:04 CEST 2015 - mbenes@suse.cz - Add license and copyright notices - commit d42d3aa ------------------------------------------------------------------- Wed Jul 15 15:58:35 CEST 2015 - mbenes@suse.cz - Remove immediate flag Fake signal was merged to kGraft and immediate feature removed. Remove it in kGraft patches from now on too. - commit c767ad2 ------------------------------------------------------------------- Wed May 20 16:32:17 CEST 2015 - mbenes@suse.cz - Set immediate flag to false Using immediate set to true can lead to BUGs and oopses when downgrading, reverting or applying replace_all patches. There is no way how to find out if there is a process in the old code which is being removed. The module would be put, removed and the process will crash. The consistency model guarantees that there is no one in the old code when the finalization ends. Thus use it for all case to be safe. - commit 830e1a3 ------------------------------------------------------------------- Tue May 12 15:48:07 CEST 2015 - mbenes@suse.cz - Fix description in rpm spec file Spec file description mentions initial kGraft patch which is only true for real initial patch. Make it more neutral. References: bsc#930408 - commit a55e023 ------------------------------------------------------------------- Wed Apr 1 15:36:24 CEST 2015 - mbenes@suse.cz - Generate archives names automatically in tar-up.sh - commit 1f34f18 ------------------------------------------------------------------- Wed Apr 1 13:39:26 CEST 2015 - mbenes@suse.cz - Automatically generate .changes file from git log Also add comments to tar-up.sh script to distinguish between sections. - commit 212a7ae ------------------------------------------------------------------- Thu Mar 26 14:24:21 CET 2015 - mmarek@suse.cz - Revert "Require exact kernel version in the patch" This needs to be done differently, so that modprobe --force works as expected. References: bnc#920615 This reverts commit c62c11aecd4e3f8822e1b835fea403acc3148c5a. - commit bc88dd7 ------------------------------------------------------------------- Wed Mar 25 13:10:24 CET 2015 - mmarek@suse.cz - Require exact kernel version in the patch References: bnc#920615 - commit c62c11a ------------------------------------------------------------------- Tue Mar 24 12:15:41 CET 2015 - mmarek@suse.cz - Add the git commit and branch to the package description References: bnc#920633 - commit 1ff4e48 ------------------------------------------------------------------- Wed Nov 26 10:09:14 CET 2014 - mbenes@suse.cz - Set immediate flag for the initial patch Setting immediate to true will simplify installation of the initial patch and possibly also of the further updates. References: bnc#907150 - commit 391b810 ------------------------------------------------------------------- Tue Nov 25 16:26:40 CET 2014 - mbenes@suse.cz - Add .replace_all set to true Add .replace_all flag set to true even to the initial patch. Thus we will not forget to add that later. Also .immediate is there as a comment. - commit 933e15e ------------------------------------------------------------------- Mon Nov 24 15:02:33 CET 2014 - mmarek@suse.cz - Drop the hardcoded kernel release string The updated kgraft-devel macros set this during build time, so we do not need to know the kernel release string beforehand. As a name suffix for the source packages, let's use SLE12_Test in the master branch and SLE12_Update_ in the update branches. - commit 65f7a25 ------------------------------------------------------------------- Fri Nov 21 15:48:48 CET 2014 - mmarek@suse.cz - Check that we are building against the set kernel version - commit 689e44a ------------------------------------------------------------------- Wed Nov 12 04:11:14 CET 2014 - mmarek@suse.cz - Mark the module as supported References: bnc#904970 - commit 6249314 ------------------------------------------------------------------- Tue Nov 11 17:11:28 CET 2014 - mmarek@suse.cz - Build the test packages against Devel:kGraft:SLE12 - commit c952fbb ------------------------------------------------------------------- Thu Nov 6 13:55:43 CET 2014 - mbenes@suse.cz - Add top git commit hash to uname -v Add top git commit hash to version part of uname. This makes the identification of current patch level easy (even in crash: p kgr_tag). References: fate#317769 - commit 54c9595 ------------------------------------------------------------------- Tue Nov 4 16:23:50 CET 2014 - mbenes@suse.cz - Replace @@RELEASE@@ in kgr_patch->name with @@RPMRELEASE@@ We need to replace @@RELEASE@@ in kgr_patch->name with @@RPMRELEASE@@ due to sysfs tree. @@RELEASE@@ changes with each new version of package. - commit 51fd9dd ------------------------------------------------------------------- Mon Nov 3 17:27:24 CET 2014 - mmarek@suse.cz - Add a source-timestamp file with the git commit hash and branch This is required by the bs-upload-kernel script to upload packages to the BS. It can also be used by the specfile in the future. - commit feab4f1 ------------------------------------------------------------------- Mon Nov 3 16:56:31 CET 2014 - mbenes@suse.cz - Initial commit - commit 600de9d ------------------------------------------------------------------- Mon Nov 3 14:59:46 CET 2014 - mmarek@suse.cz - Add config.sh script This tells the automatic builder which IBS project to use. - commit aa7f1cb