------------------------------------------------------------------- Thu Dec 9 12:41:55 CET 2021 - nstange@suse.de - Bump up the version number in spec file - commit 5f9bc08 ------------------------------------------------------------------- Fri Dec 3 16:07:45 CET 2021 - nstange@suse.de - Fix for CVE-2021-0941 ("In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free") Live patch for CVE-2021-0941. Upstream commit 6306c1189e77 ("bpf: Remove MTU check in __bpf_skb_max_len"). KLP: CVE-2021-0941 References: bsc#1192048 CVE-2021-0941 - commit adb711d ------------------------------------------------------------------- Fri Nov 26 17:05:27 CET 2021 - nstange@suse.de - Fix for CVE-2021-20322 ("new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies") Live patch for CVE-2021-20322. Upstream commits - 6457378fe796 ("ipv4: use siphash instead of Jenkins in fnhe_hashfun()"), - 67d6d681e15b ("ipv4: make exception cache less predictible"), - 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()") and - a00df2caffed ("ipv6: make exception cache less predictible"). KLP: CVE-2021-20322 References: bsc#1191813 CVE-2021-20322 - commit a15ad50 ------------------------------------------------------------------- Thu Nov 11 13:35:46 CET 2021 - nstange@suse.de - Bump up the version number in spec file - commit d804ce6 ------------------------------------------------------------------- Mon Nov 8 12:14:01 CET 2021 - nstange@suse.de - Fix for CVE-2021-0935 ("In ip6_xmit of ip6_output.c, there is a possible out of bounds write due to a use after free") Live patch for CVE-2021-0935. Upstream commits 2f987a76a977 ("net: ipv6: keep sk status consistent after datagram connect failure") and b954f94023dc ("l2tp: fix races with ipv4-mapped ipv6 addresses"). KLP: CVE-2021-0935 References: bsc#1192042 CVE-2021-0935 - commit 7d2348a ------------------------------------------------------------------- Fri Oct 22 15:13:34 CEST 2021 - mpdesouza@suse.com - Fix for CVE-2021-3752 ("a uaf bug in bluetooth") Live patch for CVE-2021-3752. Upstream commit 3af70b39fa2d ("Bluetooth: check for zapped sk before connecting"). KLP: CVE-2021-3752 References: bsc#1190432 CVE-2021-3752 - commit 5bc9241 ------------------------------------------------------------------- Tue Oct 12 15:43:24 CEST 2021 - nstange@suse.de - Fix for CVE-2021-41864 ("eBPF multiplication integer overflow in prealloc_elems_and_freelist()") Live patch for CVE-2021-41864. Upstream commit 30e29a9a2bc6 ("bpf: Fix integer overflow in prealloc_elems_and_freelist()"). KLP: CVE-2021-41864 References: bsc#1191318 CVE-2021-41864 - commit ef15151 ------------------------------------------------------------------- Fri Oct 8 02:51:44 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit 6070679 ------------------------------------------------------------------- Wed Sep 15 12:21:30 CEST 2021 - nstange@suse.de - Fix for CVE-2021-38160 ("data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c") Live patch for CVE-2021-38160. Upstream commit d00d8da5869a ("virtio_console: Assure used length from device is limited"). KLP: CVE-2021-38160 References: bsc#1190118 CVE-2021-38160 - commit 96d310f ------------------------------------------------------------------- Tue Sep 14 11:02:53 CEST 2021 - nstange@suse.de - Fix for CVE-2021-3640 ("Use-After-Free vulnerability in function sco_sock_sendmsg()") Live patch for CVE-2021-3640. Upstream commits - ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") - 734bc5ff7831 ("Bluetooth: avoid circular locks in sco_sock_connect") - 27c24fda62b6 ("Bluetooth: switch to lock_sock in SCO") - 99c23da0eed4 ("Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()") KLP: CVE-2021-3640 References: bsc#1188613 CVE-2021-3640 - commit 730e7a6 ------------------------------------------------------------------- Mon Sep 13 15:01:05 CEST 2021 - nstange@suse.de - Fix for CVE-2021-3573 ("Use-After-Free vulnerability in function hci_sock_bound_ioctl()") Live patch for CVE-2021-3573. Upstream commit e04480920d1e ("Bluetooth: defer cleanup of resources in hci_unregister_dev()"). KLP: CVE-2021-3573 References: bsc#1187054 CVE-2021-3573 - commit 50f7c04 ------------------------------------------------------------------- Fri Sep 10 07:20:28 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit b8d5c30 ------------------------------------------------------------------- Fri Aug 27 13:06:42 CEST 2021 - nstange@suse.de - Fix for CVE-2021-3653 ("kvm: missing validation of the `int_ctl` VMCB field and allows a malicious L1 guest to enable AVIC support for the L2 guest") Live patch for CVE-2021-3653. Upstream commit 0f923e07124d ("KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)"). KLP: CVE-2021-3653 References: bsc#1189420 CVE-2021-3653 - commit df7427d ------------------------------------------------------------------- Fri Aug 20 14:58:11 CEST 2021 - nstange@suse.de - Fix for CVE-2021-3656 ("missing validation of the the `virt_ext` VMCB field and allows a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest") Live patch for CVE-2021-3656. Upstream commit c7dfa4009965 ("KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)"). KLP: CVE-2021-3656 References: bsc#1189418 CVE-2021-3656 - commit b88c270 ------------------------------------------------------------------- Tue Aug 17 10:44:51 CEST 2021 - nstange@suse.de - Fix for CVE-2021-38198 ("arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page") Live patch for CVE-2021-38198. Upstream commit b1bd5cba3306 ("KVM: X86: MMU: Use the correct inherited permissions to get shadow page"). KLP: CVE-2021-38198 References: bsc#1189278 CVE-2021-38198 - commit faa985e ------------------------------------------------------------------- Mon Aug 9 16:30:26 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit 1a3c7c0 ------------------------------------------------------------------- Thu Aug 5 16:50:11 CEST 2021 - nstange@suse.de - scripts/register-patches.sh: fix issue with per-klp_object #if-guards scripts/register-patches.sh is supposed to #if-guard each constructed klp_object instance by the logical or of the individual functions' associated conditions as specified in the corresponding patched_funcs.csv entries. If only one such function entry doesn't have a condition associated with it, the compound logical || would always evaluate to true though and thus, register-patches.sh should skip the per-klp_object #if-guard alltogether in this case. To this end, the inner loop iterating over the function entries resets the array o_conds of unique conditions seen for the current object and breaks out upon encountering an unconditional patch entry, i.e. one w/o an empty condition field. The problem is that the break from the inner loop has no effect on the outer loop over the different patched_funcs.csv's and thus, the emptied o_conds array can get populated again in the course of processing a later patched_funcs.csv. Later code would then find the non-empty o_conds and guard the currently constructed klp_object by oring its individual entries together rather than omitting the #if-guard as a whole as it should. Fix this by introducing the boolean variable "any_unconds", flip it to true upon encountering an unconditional function entry and force the o_conds array to empty if any_unconds is found to be set once the outer loop has completed. - commit dae55a1 ------------------------------------------------------------------- Fri Jul 30 15:07:13 CEST 2021 - nstange@suse.de - Fix for CVE-2021-22543 ("/dev/kvm LPE") Live patch for CVE-2021-22543. Upstream commits - bd2fae8da794 ("KVM: do not assume PTE is writable after follow_pfn") - a9545779ee9e ("KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped()") - f8be156be163 ("KVM: do not allow mapping valid but non-reference-counted pages") KLP: CVE-2021-22543 References: bsc#1186483 CVE-2021-22543 - commit 5b3d1ad ------------------------------------------------------------------- Fri Jul 30 11:55:07 CEST 2021 - nstange@suse.de - Fix for CVE-2021-37576 ("powerpc: KVM guest OS users can cause host OS memory corruption") Live patch for CVE-2021-37576. Upstream commit f62f3c20647e ("KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow"). KLP: CVE-2021-37576 References: bsc#1188842 CVE-2021-37576 - commit 66ee20c ------------------------------------------------------------------- Thu Jul 22 08:46:28 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit 56233ef ------------------------------------------------------------------- Tue Jul 20 13:33:47 CEST 2021 - nstange@suse.de - Fix for CVE-2021-3609 ("net/can: race condition in net/can/bcm.c leads to local privilege escalation") Live patch for CVE-2021-3609. Upstream commit d5f9023fa61e ("can: bcm: delay release of struct bcm_op after synchronize_rcu()"). KLP: CVE-2021-3609 References: bsc#1188323 CVE-2021-3609 - commit 3427eb9 ------------------------------------------------------------------- Fri Jul 16 09:51:47 CEST 2021 - nstange@suse.de - Fix for CVE-2021-33909 ("size_t-to-int vulnerability in Linux's filesystem layer") Live patch for CVE-2021-33909. No upstream commit yet. KLP: CVE-2021-33909 References: bsc#1188257 CVE-2021-33909 - commit d2d8498 ------------------------------------------------------------------- Thu Jul 15 12:19:40 CEST 2021 - nstange@suse.de - Fix for CVE-2021-22555 ("out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c") Live patch for CVE-2021-22555. Upstream commit b29c457a6511 ("netfilter: x_tables: fix compat match/target pad out-of-bound write"). KLP: CVE-2021-22555 References: bsc#1188117 CVE-2021-22555 - commit 2423537 ------------------------------------------------------------------- Fri Jul 9 11:42:25 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit 795ba28 ------------------------------------------------------------------- Tue Jul 6 15:15:06 CEST 2021 - nstange@suse.de - Fix for CVE-2020-36385 ("An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma") Live patch for CVE-2020-36385. Upstream commit f5449e74802c ("RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy"). KLP: CVE-2020-36385 References: bsc#1187052 CVE-2020-36385 - commit c7fd15c ------------------------------------------------------------------- Wed Jun 30 15:04:03 CEST 2021 - nstange@suse.de - Fix for CVE-2021-0512 ("out-of-bounds write due to a heap buffer overflow in __hidinput_change_resolution_multipliers() of hid-input.c") Live patch for CVE-2021-0512. Upstream commit ed9be64eefe2 ("HID: make arrays usage and value to be the same"). KLP: CVE-2021-0512 References: bsc#1187597 CVE-2021-0512 - commit db69e16 ------------------------------------------------------------------- Fri Jun 18 15:11:38 CEST 2021 - nstange@suse.de - Fix for CVE-2021-23133 ("sctp_destroy_sock list_del race condition") Live patch for CVE-2021-23133. Upstream commit 34e5b0118685 ("sctp: delay auto_asconf init until binding the first addr"). KLP: CVE-2021-23133 References: bsc#1185901 CVE-2021-23133 - commit c237379 ------------------------------------------------------------------- Fri Jun 11 12:12:39 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit 00306f1 ------------------------------------------------------------------- Thu May 27 16:21:39 CEST 2021 - nstange@suse.de - Fix for bsc#1185847 ("Data loss/corruption occurs any time there is a write error on an md/raid array") Live patch for bsc#1185847. Upstream commit 2417b9869b81 ("md/raid1: properly indicate failure when ending a failed write request"). KLP: bsc#1185847 References: bsc#1185847 - commit 0f194d0 ------------------------------------------------------------------- Wed May 26 12:45:00 CEST 2021 - nstange@suse.de - Fix for CVE-2021-33034 ("use-after-free when destroying an hci_chan") Live patch for CVE-2021-33034. Upstream commit 5c4c8c954409 ("Bluetooth: verify AMP hci_chan before amp_destroy"). KLP: CVE-2021-33034 References: bsc#1186285 CVE-2021-33034 - commit e386b14 ------------------------------------------------------------------- Mon May 17 16:57:31 CEST 2021 - nstange@suse.de - Fix for CVE-2021-32399 ("Linux device detach race condition") Live patch for CVE-2021-32399. Upstream commit e2cb6b891ad2 ("bluetooth: eliminate the potential race condition when removing the HCI controller"). KLP: CVE-2021-32399 References: bsc#1185899 CVE-2021-32399 - commit d15ab33 ------------------------------------------------------------------- Thu May 13 17:40:25 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit 024bb09 ------------------------------------------------------------------- Thu Apr 29 09:35:25 CEST 2021 - nstange@suse.de - Fix for CVE-2020-36322 ("FUSE driver can confuse kernel by changing inode type") Live patch for CVE-2020-36322. Upstream commits 5d069dbe8aaf ("fuse: fix bad inode") and 775c5033a0d1 ("fuse: fix live lock in fuse_iget()"). KLP: CVE-2020-36322 References: bsc#1184952 CVE-2020-36322 - commit 0d95535 ------------------------------------------------------------------- Thu Apr 22 16:41:52 CEST 2021 - nstange@suse.de - Fix for CVE-2021-29154 ("LPE due to incorrect BPF JIT branch displacement computation") Live patch for CVE-2021-29154. Upstream commit e4d4d456436b ("bpf, x86: Validate computation of branch displacements for x86-64"). KLP: CVE-2021-29154 References: bsc#1184710 CVE-2021-29154 - commit c119098 ------------------------------------------------------------------- Tue Apr 20 09:49:20 CEST 2021 - nstange@suse.de - Bump up the version number in spec file - commit 1bee95a ------------------------------------------------------------------- Fri Apr 9 15:31:48 CEST 2021 - nstange@suse.de - Fix for CVE-2021-3444 ("Linux kernel bpf verifier incorrect mod32 truncation") Live patch for CVE-2021-3444. Upstream commits - f6b1b3bf0d5f ("bpf: fix subprog verifier bypass by div/mod by 0 exception"), - e88b2c6e5a4d ("bpf: Fix 32 bit src register truncation on div/mod") and - 9b00f1b78809 ("bpf: Fix truncation handling for mod32 dst reg wrt zero"). KLP: CVE-2021-3444 References: bsc#1184171 CVE-2021-3444 - commit 47e6f3b ------------------------------------------------------------------- Wed Apr 7 15:45:19 CEST 2021 - nstange@suse.de - Fix for CVE-2021-28660 ("memory overwrite in rtl8188eu") Live patch for CVE-2021-28660. Upstream commit 74b6b20df8cf ("staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()"). KLP: CVE-2021-28660 References: bsc#1183658 CVE-2021-28660 - commit c1edf00 ------------------------------------------------------------------- Fri Mar 19 16:07:01 CET 2021 - nstange@suse.de - Bump up the version number in spec file - commit 8c16507 ------------------------------------------------------------------- Tue Mar 16 15:26:43 CET 2021 - nstange@suse.de - Fix for CVE-2021-27365 ("iscsi_host_get_param() allows sysfs params larger than 4k") Live patch for CVE-2021-27365. Upstream commits ec98ea7070e9 ("scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE") and f9dbdf97a5bd ("scsi: iscsi: Verify lengths on passthrough PDUs"). KLP: CVE-2021-27365 References: bsc#1183491 CVE-2021-27365 - commit 6c9442e ------------------------------------------------------------------- Mon Mar 15 14:08:14 CET 2021 - nstange@suse.de - Fix for bsc#1183452 ("system crash on kernfs_kill_sb() as a sysfs superblock's kernfs_super_info->node list is NULL") Live patch for bsc#1183452. Upstream commit 82382acec0c9 ("kernfs: deal with kernfs_fill_super() failures"). KLP: bsc#1183452 References: bsc#1183452 - commit 931a13b ------------------------------------------------------------------- Wed Mar 10 13:58:23 CET 2021 - nstange@suse.de - Fix for CVE-2021-26930 ("error handling issues in blkback's grant mapping (XSA-365 v3)") Live patch for CVE-2021-26931, CVE-2021-26930 and CVE-2021-28688. Upstream commits - 5a264285ed1c ("xen-blkback: don't "handle" error by BUG()") - 871997bc9e42 ("xen-blkback: fix error handling in xen_blkbk_map()") and - a846738f8c37 ("xen-blkback: don't leak persistent grants from xen_blkbk_map()"). KLP: CVE-2021-26931 CVE-2021-26930 CVE-2021-28688 References: bsc#1182294 CVE-2021-26931 CVE-2021-26930 CVE-2021-28688 XSA-362 XSA-365 XSA-371 - commit 7945da5 ------------------------------------------------------------------- Tue Mar 9 11:03:44 CET 2021 - nstange@suse.de - Fix for CVE-2021-27363 + CVE-2021-27364 ("show_transport_handle() shows iSCSI transport handle to non-root users") Live patch for CVE-2021-27363 and CVE-2021-27364. Upstream commit 688e8128b7a9 ("scsi: iscsi: Restrict sessions and handles to admin capabilities"). KLP: CVE-2021-27363 CVE-2021-27364 References: bsc#1183120 CVE-2021-27363 CVE-2021-27364 - commit d1ff42d ------------------------------------------------------------------- Wed Mar 3 09:11:52 CET 2021 - nstange@suse.de - Bump up the version number in spec file - commit f7a0805 ------------------------------------------------------------------- Wed Feb 24 13:15:44 CET 2021 - nstange@suse.de - bsc#1179664: apply follow-up upstream fix Apply upstream follow-up commit 1c2f67308af4 ("mm: thp: fix MADV_REMOVE deadlock on shmem THP") to the livepatch for bsc#1179664, CVE-2020-29368. References: bsc#1179664 - commit a4ccb0b ------------------------------------------------------------------- Wed Feb 10 13:45:12 CET 2021 - nstange@suse.de - Fix for CVE-2021-3347 ("UAF in futex") Live patch for CVE-2021-3347. Upstream commits 12bb3f7f1b03 ("futex: Ensure the correct return value from futex_lock_pi()") 04b79c55201f ("futex: Replace pointless printk in fixup_owner()") c5cade200ab9 ("futex: Provide and use pi_state_update_owner()") 2156ac193416 ("rtmutex: Remove unused argument from rt_mutex_proxy_unlock()") 6ccc84f917d3 ("futex: Use pi_state_update_owner() in put_pi_state()") f2dac39d9398 ("futex: Simplify fixup_pi_state_owner()") 34b1a1ce1458 ("futex: Handle faults correctly for PI futexes") KLP: CVE-2021-3347 References: bsc#1181553 CVE-2021-3347 - commit da34f16 ------------------------------------------------------------------- Wed Feb 3 12:01:08 CET 2021 - nstange@suse.de - Fix for CVE-2020-27786 ("use-after-free in kernel midi subsystem snd_rawmidi_kernel_read1()") Live patch for CVE-2020-27786. Upstream commit c1f6e3c818dd ("ALSA: rawmidi: Fix racy buffer resize under concurrent accesses"). KLP: CVE-2020-27786 References: bsc#1179616 CVE-2020-27786 - commit 8fd3758 ------------------------------------------------------------------- Fri Jan 29 15:24:57 CET 2021 - nstange@suse.de - Fix for CVE-2020-28374 ("LIO security issue") Live patch for CVE-2020-28374. Upstream commit 2896c93811e3 ("scsi: target: Fix XCOPY NAA identifier lookup"). KLP: CVE-2020-28374 References: bsc#1178684 CVE-2020-28374 - commit 5d8921f ------------------------------------------------------------------- Thu Jan 28 15:55:29 CET 2021 - nstange@suse.de - Bump up the version number in spec file - commit fbfc733 ------------------------------------------------------------------- Wed Jan 27 11:01:59 CET 2021 - nstange@suse.de - Fix for CVE-2021-0342 ("memory corruption due to a use after free in tun_get_user() of tun.c") Live patch for CVE-2021-0342. Upstream commit 96aa1b22bd6b ("tun: correct header offsets in napi frags mode"). KLP: CVE-2021-0342 References: bsc#1180859 CVE-2021-0342 - commit 2e3a4c2 ------------------------------------------------------------------- Mon Jan 18 11:16:24 CET 2021 - nstange@suse.de - Fix for CVE-2020-36158 ("RCE via a long SSID value in mwifiex_cmd_802_11_ad_hoc_start marvell/mwifiex/join.c") Live patch for CVE-2020-36158. Upstream commit 5c455c5ab332 ("mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start"). KLP: CVE-2020-36158 References: bsc#1180562 CVE-2020-36158 - commit a8ef913 ------------------------------------------------------------------- Fri Jan 15 10:43:32 CET 2021 - nstange@suse.de - Fix for CVE-2020-0465 ("In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check.") Live patch for CVE-2020-0465. Upstream commit 35556bed836f ("HID: core: Sanitize event code and type when mapping input"). KLP: CVE-2020-0465 References: bsc#1180030 CVE-2020-0465 - commit 8b3662d ------------------------------------------------------------------- Wed Jan 13 11:41:32 CET 2021 - nstange@suse.de - klp_syscalls.h: fix syscall prototype mismatch on s390x for kernels >= 4.17 The __SYSCALL_DEFINEx(x, name, ...) macro as defined in arch/s390/include/asm/syscall_wrapper.h declares two protoypes for a given syscall: __s390x_sys##name() and __se_sys##name(). The former symbol is made to be an alias to the latter and the function arguments are of the "real" type as specified in the macro invocation whereas the latter's argument types are transformed into longs. Currently the KLP_SYSCALL_SYM() helper macro from our klp_syscalls.h evaluates to the __s390x_sys##name() variant, but its expansion result is intended to be used with KLP_SYSCALL_DECLx(), which does the transformation of the arguments' types to longs. This results in compilation errors due to the syscall prototype declaration from KLP_SYSCALL_DECLx() confliciting with the one from __SYSCALL_DEFINEx(), if visible. The current behaviour of KLP_SYSCALL_DECLx() should be retained in order to keep it working for the compatibility stubs, i.e. with KLP_SYSCALL_COMPAT_STUB_SYM(). So fix the issue by making KLP_SYSCALL_SYM() to evaluate to the __se_sys##name() variant on 390x for kernel versions >= 4.17. - commit 862bd77 ------------------------------------------------------------------- Tue Jan 12 13:38:00 CET 2021 - nstange@suse.de - scripts/register-patches.sh: stringify klp_funcs' ->old_name In order to enable the use of e.g. KLP_SYSCALL_SYM() for the to be livepatched function's name in patched_funcs.csv, make register-patches.sh wrap the emitted klp_funcs' ->old_name initialization values with __stringify() rather than writing string tokens directly. - commit f54c4d6 ------------------------------------------------------------------- Tue Jan 12 13:32:51 CET 2021 - nstange@suse.de - Fix for CVE-2020-0466 ("In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error.") Live patch for CVE-2020-0466. Upstream commits a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list"), 52c479697c9b ("do_epoll_ctl(): clean the failure exits up a bit"), 77f4689de17c ('fix regression in "epoll: Keep a reference on files added to the check list"'). KLP: CVE-2020-0466 References: bsc#1180032 CVE-2020-0466 - commit 0cc1cd3 ------------------------------------------------------------------- Thu Jan 7 13:27:24 CET 2021 - nstange@suse.de - Fix for CVE-2020-29569 ("Use after free triggered by block frontend in Linux blkback (XSA-350 v3)") Live patch for CVE-2020-29569. Upstream commit 1c728719a4da ("xen-blkback: set ring->xenblkd to NULL after kthread_stop()"). KLP: CVE-2020-29569 References: bsc#1180008 CVE-2020-29569 - commit 50ff765 ------------------------------------------------------------------- Wed Jan 6 12:32:28 CET 2021 - nstange@suse.de - Fix for CVE-2020-29660, CVE-2020-29661 ("[tty] hole/race in pgrp & session handling") Live patch for CVE-2020-29660 and CVE-2020-29661. Upstream commits 54ffccbf053b ("tty: Fix ->pgrp locking in tiocspgrp()") and c8bcd9c5be24 ("tty: Fix ->session locking"). KLP: CVE-2020-29660 CVE-2020-29661 References: bsc#1179877 CVE-2020-29660 CVE-2020-29661 - commit 007c476 ------------------------------------------------------------------- Wed Dec 9 11:14:24 CET 2020 - nstange@suse.de - Fix for CVE-2020-29368 ("the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check") Live patch for CVE-2020-29368. Upstream commit c444eb564fb1 ("mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()"). KLP: CVE-2020-29368 References: bsc#1179664 CVE-2020-29368 - commit ca10e97 ------------------------------------------------------------------- Wed Dec 2 14:45:28 CET 2020 - mbenes@suse.cz - Update IBS_PROJECT to correct maintenance incident after initial submission - commit 4b8ae31 ------------------------------------------------------------------- Mon Nov 30 12:26:55 CET 2020 - nstange@suse.de - New branch for SLE15-SP1_Update_20 - commit aef8915 ------------------------------------------------------------------- Tue May 19 15:01:34 CEST 2020 - mbenes@suse.cz - scripts: Disable use of klp-convert klp-convert tool was introduced to improve a situation with unexported symbols while preparing live patches. However, it is still not stable enough and upstream still needs to decide the purpose of the tool. Given that it is used only for uname patch and only on SLE15-SP1 it is better to just disable it for now. At the same, leave the infrastructure in place, because we might use it in the future. - commit 3397b3e ------------------------------------------------------------------- Wed Apr 8 10:14:20 CEST 2020 - nstange@suse.de - scripts: enable s390x for SLE12-SP4 The initial live patch shall be built on s390x for future SLE12-SP4 kernel releases. Make tar-up.sh add s390x to ExclusiveArch from the (not yet existing) SLE12-SP4_Update_13 onwards. - commit f49a99e ------------------------------------------------------------------- Mon Mar 30 11:59:20 CEST 2020 - nstange@suse.de - scripts: enable s390x for SLE15-SP2 - commit 933574a ------------------------------------------------------------------- Wed Mar 25 10:45:50 CET 2020 - nstange@suse.de - scripts: Generate ExclusiveArch in spec file dynamically s390x support is slowly being introduced for newly created master-livepatch based branches. In order to avoid problems with existing branches for e.g. the maintenance team, don't add s390x to the hard-coded list of ExclusiveArchs, but let tar-up.sh enable it dynamically depending on the codestream in question. For now, s390x builds will be enabled on SLE12-SP5, beginning with SLE12-SP5_Update_3 onwards. - commit 27b683d ------------------------------------------------------------------- Mon Dec 2 13:49:24 CET 2019 - mbenes@suse.cz - Revert "shadow variables: allow for dynamic initialization" This reverts commit 843c6fa42429afc1682cdb39119e7a011af2abc9. - commit 23d37c8 ------------------------------------------------------------------- Mon Dec 2 13:40:37 CET 2019 - mbenes@suse.cz - Revert "shadow variables: introduce upstream patch" This reverts commit e899c4fd3fe7602ebd70f578d8475f1049de7c78. - commit c1be24c ------------------------------------------------------------------- Mon Dec 2 13:38:18 CET 2019 - mbenes@suse.cz - Revert "shadow variables: drop EXPORT_SYMBOL()s" This reverts commit ac6cfebd7f831213ebcd4b2690672871572ec49e. - commit 5771a4b ------------------------------------------------------------------- Mon Dec 2 13:38:04 CET 2019 - mbenes@suse.cz - Revert "shadow variables: share shadow data among KGraft modules" This reverts commit 8e1e705d4d56981949f7ae3854d8e1cc2be7f40f. - commit 1c87412 ------------------------------------------------------------------- Mon Dec 2 13:37:30 CET 2019 - mbenes@suse.cz - Revert "shadow variables: add KGR_SHADOW_ID helper" This reverts commit 237c8f3d13c382321d3e65d138d328eae0b82f6c. - commit 41936fd ------------------------------------------------------------------- Sat Sep 7 18:53:16 CEST 2019 - nstange@suse.de - uname_patch: convert to the syscall stub wrapper macros from klp_syscalls.h In order to make the live patch to the newuname() syscall work on kernels >= 4.17 again, convert it to the KLP_SYSCALL_*() wrapper macros provided by klp_syscalls.h. References: bsc#1149841 - commit b5af38e ------------------------------------------------------------------- Sat Sep 7 18:53:15 CEST 2019 - nstange@suse.de - Provide wrapper macros for syscall naming Live patching syscall stubs is a common task, for example any live patch package modifies the newuname syscall. For the actual definitions of the live patched syscall stubs, the __SYSCALL_DEFINEx() name can always be (and often has been) used like e.g. __SYSCALL_DEFINEx(3, _klp_timer_create, const clockid_t, which_clock, struct sigevent __user *, timer_event_spec, timer_t __user *, created_timer_id) { /* New implementation */ } Up to kernel 4.16, this used to define a function named "SyS_klp_timer_create" which could then be used to live patch the "SyS_timer_create". However, beginning with kernel version 4.17, resp. upstream commits - fa697140f9a2 ("syscalls/x86: Use 'struct pt_regs' based syscall calling convention for 64-bit syscalls") - e145242ea0df ("syscalls/core, syscalls/x86: Clean up syscall stub naming convention") - d5a00528b58c ("syscalls/core, syscalls/x86: Rename struct pt_regs-based sys_*() to __x64_sys_*()"), things became more complex: - The naming of the resulting stubs now varies across architecture. - Some architectures (x86_64, s390x) instantiate an additional compat stub for syscalls sharing a common implementation between 32 and 64 bits. (The 32 bit entry code used to convert from the 32 bit ABI to 64 bit and simply call the 64 bit syscall stub afterwards. That's handled by the new 32 bit stubs now.) - The stubs' signatures have changed: each argument used to get mapped to either long or long long, but on x86_64, the stubs are now receiving a single struct pt_regs only -- it's their responsibility to extract the arguments as appropriate. In order to not require each and every live patch touching syscalls to include an insane amount of ifdeffery, provide a set of #defines hiding it: 1.) KLP_SYSCALL_SYM(name) expands to the syscall stub name for 64 bits as defined by _SYSCALL_DEFINEx(x, _name, ...). 2.) If the architeture requires 32bit specific stubs for syscalls sharing a common implementation between 32 and 64bits, the KLP_ARCH_HAS_SYSCALL_COMPAT_STUBS macro is defined. 3.) If KLP_ARCH_HAS_SYSCALL_COMPAT_STUBS is defined, then KLP_SYSCALL_COMPAT_STUB_SYM(name) expands to the syscall stub name for 32 bits as defined by _SYSCALL_DEFINEx(x, _name, ...). 4.) For syscalls not sharing a common implementation between 32 and 64 bits, i.e. those defined by COMPAT_SYSCALL_DEFINEx(), the macro KLP_COMPAT_SYSCALL_SYM(name) expands to the stub name defined as defined by COMPAT_SYSCALL_DEFINEx(x, _name, ...). 5.) Finally, for hiding differences between the signatures, provide the macro KLP_SYSCALL_DECLx(x, sym, ...) which expands to a declaration of sym, with the x arguments either mapped to long resp. long long each, or collapsed to a single struct pt_regs argument as appropriate for the architecture. Note that these macros are defined as appropriate on kernels before and after 4.17, so that live patch code can be shared. References: bsc#1149841 - commit da7b9a5 ------------------------------------------------------------------- Sat Aug 24 19:06:03 CEST 2019 - nstange@suse.de - scripts/create-makefile.sh: add -I flag for toplevel directory to ccflags-y Since upstream commit 58156ba4468f ("kbuild: skip 'addtree' and 'flags' magic for external module build") Kbuild won't add an -I flag for an external module's toplevel source directory to the compilation flags anymore. This results in compilation errors like the following: uname_patch/livepatch_uname.c:36:10: fatal error: klp_convert.h: No such file or directory #include "klp_convert.h" ^~~~~~~~~~~~~~~ Fix this by appending '-I$(obj)' to ccflags-y within the Makefile created by scripts/create-makefile.sh. Note that "$(obj)" is set to the current source directory before the Makefile is sourced by Kbuild. - commit b30a48e ------------------------------------------------------------------- Thu Mar 7 15:23:42 CET 2019 - mbenes@suse.cz - livepatch_main.c: Adaptation to a new livepatch API The atomic replace patch set among others removed the two-stage API. There is no (un)registration step needed now. SLES backport defines KLP_NOREG_API macro to easily distinguish whether the kernel provides the old or the new API. Use it and change the module init and exit functions accordingly. - commit 060163b ------------------------------------------------------------------- Thu Feb 7 14:13:00 CET 2019 - mbenes@suse.cz - uname_patch: Use klp-convert macros and rely on klp-convert where possible - commit 4c9eb70 ------------------------------------------------------------------- Wed Feb 6 14:12:44 CET 2019 - mbenes@suse.cz - Define macros to switch easily between klp-convert and kallsyms Kallsyms trick does not have to be used for resolving undefined symbols when klp-convert is available. It would be great though to share live patches sources between both modes of operation. Define macros to help with the task. Their definitions depend on whether USE_KLP_CONVERT macro is defined. tar-up.sh script is responsible to decide. - commit e3a42b7 ------------------------------------------------------------------- Wed Feb 6 10:53:44 CET 2019 - mbenes@suse.cz - Use klp-convert where provided klp-convert tool converts undefined symbols in a live patch kernel module to special relocation records which are resolved by the kernel. It allows to omit kallsyms tricks. Wire it to the spec file and let tar-up.sh script decide if it is to be used depending on a codestream. SLE15-SP1 is supported currently. - commit 3efd330 ------------------------------------------------------------------- Tue Dec 11 11:27:23 CET 2018 - mbenes@suse.cz - uname_patch: don't hold uts_sem while accessing userspace memory Backport upstream patch 42a0cc347858 ("sys: don't hold uts_sem while accessing userspace memory"). - commit d4e00de ------------------------------------------------------------------- Tue Oct 2 16:38:19 CEST 2018 - mbenes@suse.cz - scripts/tar-up.sh: Add ppc64le to ExclusiveArch even for SLE12-SP2 - commit 77a8a8b ------------------------------------------------------------------- Wed Aug 8 15:08:00 CEST 2018 - nstange@suse.de - Provide common kallsyms wrapper API With bsc#1103203, the need for disambiguating between a multiply defined symbol arose. This is something the kallsyms_lookup_name() based code snippet we used to copy&paste to every individual CVE fix can't handle. Implement a proper wrapper API for doing the kallsyms lookups. - commit bd113d8 ------------------------------------------------------------------- Wed Aug 8 15:07:59 CEST 2018 - nstange@suse.de - Provide common kallsyms wrapper API With bsc#1103203, the need for disambiguating between a multiply defined symbol arose. This is something the kallsyms_lookup_name() based code snippet we used to copy&paste to every individual CVE fix can't handle. Implement a proper wrapper API for doing the kallsyms lookups. - commit 4aed7d2 ------------------------------------------------------------------- Wed Jul 11 13:55:14 CEST 2018 - nstange@suse.de - provide KGR_SHADOW_ID() helper macro - provide KLP_SHADOW_ID() helper macro In analogy to the KGR_SHADOW_ID() macro, introduce KLP_SHADOW_ID() for the construction of unique shadow variable id's. - commit 7325c49 ------------------------------------------------------------------- Sun Jul 8 13:02:18 CEST 2018 - nstange@suse.de - scripts/register-patches.sh: implement conditional inclusion Currently, subpatches provide a patched_funcs.csv file describing what needs to be patched. register-patches.sh inspects those to assemble one global klp_patch structure. The current format for these patched_funcs.csv's is obj old_func(,sympos) newfun However, sometimes subpatches depend on some kernel configuration values like CONFIG_X86_64 and functions shall get patched only if the target kernel configuration matches. Extends the patched_funcs.csv format to obj old_func(,sympos) newfun (cpp condition) where everything coming after 'newfun' is taken to be a CPP condition to be used for conditional inclusion. In case there's no condition specified, assign that entry the same semantics as if a '1' had been given. Make register-patches.sh guard the corresponding klp_func entries with #if pragmas. Furthermore, let it guard the enclosing klp_object instances by or'ing together all its klp_funcs' conditions. For the sake of better readability, omit redundant #if pragmas as well as condition clauses. In particular, - if a function entry hasn't got any condition explicitly specified, there won't be any #if pragma, neither at the klp_func nor at the klp_object level, - if multiple function entries for an object are protected by the same condition, it'll be or'ed in at the klp_object level only once, - if all of an object's functions share the same condition, no #if pragmas will be emitted at the klp_func level because they would only duplicate what's already there for the enclosing object and - multiple subsequent function entries sharing the same condition get collated. - commit 56f0729 ------------------------------------------------------------------- Sun Jul 8 13:02:17 CEST 2018 - nstange@suse.de - scripts/register-patches.sh: allow spaces as patched_funcs.csv separators Currently there's one single cut(1) usage which requires that (single) tabs are used as field separators for the patched_funcs.csv. As the rest of the code can deal with sequences of any whitespace already, this imposes an unnecessary restriction on the format. Substitute that cut(1) usage by a sed(1) invocation as appropriate. - commit 9852661 ------------------------------------------------------------------- Mon Jun 4 15:20:08 CEST 2018 - mbenes@suse.cz - livepatch_main.c: Set .replace to true - commit 643f04c ------------------------------------------------------------------- Mon May 14 08:30:00 CEST 2018 - nstange@suse.de - scrips/create-makefile.sh: add support for assembly files - commit cf2464a ------------------------------------------------------------------- Mon Mar 5 15:44:31 CET 2018 - nstange@suse.de - shadow variables: allow for dynamic initialization Currently, the only shadow variable initialization scheme exposed by the allocation API is to let klp_shadow_alloc() resp. klp_shadow_get_or_alloc() memcpy some user provided buffer to the freshly allocated shadow variable. This is too limited for shadow structures containing pointers into themselves like list_heads or mutexes. Change the internal __klp_shadow_get_or_alloc() to take a pointer to an initializer functions and call that in place of the memcpy() operation. In order to retain former functionality of klp_shadow_alloc() and klp_shadow_get_or_alloc(), make them pass the new __klp_shadow_memcpy_init() wrapper to __klp_shadow_get_or_alloc(). Finally, introduce the new klp_shadow_alloc_with_init() and klp_shadow_get_or_alloc_with_init() which pass a user provided initializer function pointer onwards to __klp_shadow_get_or_alloc(). - commit 843c6fa ------------------------------------------------------------------- Wed Dec 6 14:40:14 CET 2017 - mbenes@suse.cz - Revert "shadow variables: introduce upstream patch" This reverts commit e899c4fd3fe7602ebd70f578d8475f1049de7c78. - commit a27c66a ------------------------------------------------------------------- Wed Dec 6 14:37:09 CET 2017 - mbenes@suse.cz - Revert "shadow variables: drop EXPORT_SYMBOL()s" This reverts commit ac6cfebd7f831213ebcd4b2690672871572ec49e. - commit 40d0ba6 ------------------------------------------------------------------- Wed Dec 6 14:37:06 CET 2017 - mbenes@suse.cz - Revert "shadow variables: share shadow data among KGraft modules" This reverts commit 8e1e705d4d56981949f7ae3854d8e1cc2be7f40f. - commit d184b38 ------------------------------------------------------------------- Wed Dec 6 14:36:56 CET 2017 - mbenes@suse.cz - Revert "shadow variables: add KGR_SHADOW_ID helper" This reverts commit 237c8f3d13c382321d3e65d138d328eae0b82f6c. - commit 22d6153 ------------------------------------------------------------------- Wed Dec 6 12:18:06 CET 2017 - mbenes@suse.cz - rpm/config.sh: Use SUSE:SLE-15:GA project - commit ff32fc9 ------------------------------------------------------------------- Wed Dec 6 12:14:17 CET 2017 - mbenes@suse.cz - Revert "scripts: Generate ExclusiveArch in spec file dynamically" This reverts commit 95ed856ea8f99b4e48d7d324278b3628d2ac2fa2. SLE15 will support ppc64le arch from the beginning. - commit 92e9bdb ------------------------------------------------------------------- Tue Dec 5 16:42:04 CET 2017 - mbenes@suse.cz - uname_patch: fix UNAME26 for 4.0 Backport upstream commit 39afb5ee4640 ("kernel/sys.c: fix UNAME26 for 4.0"). - commit 5988feb ------------------------------------------------------------------- Mon Dec 4 15:25:24 CET 2017 - mbenes@suse.cz - Revert "Add compat.h to deal with changes of KGR_PATCH macro" This reverts commit 4186bef35862029a2fd36ba4a73d5fa538992709. All currently supported kernels (that is, everything since SLE12_Update_14 and SLE12-SP1_Update_5) have sympos support. We can drop compat, because we don't need it anymore. - commit 11e3220 ------------------------------------------------------------------- Thu Nov 30 15:15:20 CET 2017 - mbenes@suse.cz - scripts: Generate ExclusiveArch in spec file dynamically ppc64le architecture kernel support is not present in all currently supported branches. It may cause problem for the maintenance team. Generate ExclusiveArch dynamically. It should be 'ppc64le x86_64' for SLE12-SP3 and 'x86_64' for the rest. - commit 95ed856 ------------------------------------------------------------------- Thu Nov 16 14:27:46 CET 2017 - mbenes@suse.cz - rpm/kgraft-patch.spec: Add ppc64le as a supported arch ppc64le is about to be supported in Live Patching product. Add it to ExclusiveArch tag. - commit 8437c94 ------------------------------------------------------------------- Thu Nov 16 14:26:35 CET 2017 - mbenes@suse.cz - rpm/kgraft-patch.spec: Remove s390x from supported archs s390x is not supported in Live Patching product. Remove it from ExclusiveArch. - commit f9614f2 ------------------------------------------------------------------- Tue Oct 31 10:34:53 CET 2017 - nstange@suse.de - livepatch_main.c: klp_patch_init(): fix error handling In case either of the invocations of klp_register_patch() or klp_enable_patch() fails, anything which has been setup by the prior per-(sub-)patch initialiation code, i.e. the expansion of @@KLP_PATCHES_INIT_CALLS@@, won't get undone. Fix this. Also make klp_patch_init() look more like the common 'goto err' idiom and adjust scripts/register_patches.sh accordingly. Fix for commit 7e20201cdcb8 ("kGraft to livepatch migration. API change."). - commit 6552b44 ------------------------------------------------------------------- Tue Oct 31 10:34:52 CET 2017 - nstange@suse.de - scripts/register_patches.sh: generate klp_object array The KLP API doesn't take a flat list of to be patched functions like KGraft did, but introduces an intermediate layer: struct klp_object. Each klp_patch instance is supposed to reference an array of klp_object's which in turn provide an array of klp_func's each. To facilitate merging, we want to generate this list of klp_object's automatically, exactly like we did for the flat function list with KGraft. For each klp_patch instance, there must be at most one klp_object entry referring to the same object. Hence care must be taken not to add an entry for the same object twice in case two different (sub-)patches both patch some functions therein. Require from each (sub-)patch to provide the list of to be patched symbols in a file named SUBPATCH/patched_funcs.csv with each line conforming to the obj old_func(,sympos) new_func pattern. Make scripts/register.sh generate an klp_object array initializer based on this and let it expand the @@KLP_PATCHES_OBJS@@ tag within livepatch_main.c accordingly. Do not replace the now obsolete @@KLP_PATCHES_FUNCS@@ anymore. Add and remove the @@KLP_PATCHES_OBJS@@ and @@KLP_PATCHES_FUNCS@@ markers to and from livepatch_main.c respectively. [ mb: amend copy&paste error ($newfun at the end of uname klp_func[]) ] - commit 0fe721b ------------------------------------------------------------------- Thu Oct 26 13:54:06 CEST 2017 - lpechacek@suse.com - kGraft to livepatch migration. External rename. External rename and thus final step of kGraft -> upstream livepatch migration. kgraft-patch* modules are now livepatch* and live in /lib/modules/$(uname -r)/livepatch. References: fate#323682 [ mb: changelog ] - commit f842fd5 ------------------------------------------------------------------- Thu Oct 5 12:12:29 CEST 2017 - nstange@suse.de - shadow variables: add KGR_SHADOW_ID helper As shadow variables are supposed to be shared among different KGraft modules their id's must be compile time constants. Introduce the KGR_SHADOW_ID helper macro for generating them in a uniform manner based on the bsc# number and a local id. - commit 237c8f3 ------------------------------------------------------------------- Thu Oct 5 12:12:28 CEST 2017 - nstange@suse.de - shadow variables: share shadow data among KGraft modules As it stands, each KGraft module maintains its own set of shadow variable management structures and thus, shadow variables are not sharable between livepatch modules. This behaviour is different from the upstream implementation and, as pointed out by Miroslav Benes, it also opens up an opportunity for a small window where the system might become vulnerable again during transition as we stack new livepatches on top. Let all KGraft patches share the shadow data. Sharing is implemented by moving the management structures from a KGraft module's .data to dynamically allocated memory. Each KGraft module will have specifically named pointers, 'kgr_shadow_hash12' and 'kgr_shadow_lock12', referencing them. Upon initialization, a KGraft module will discover already existing such shadow data by kallsyms-searching all loaded modules for these pointer symbols. If none is found, a new instance is allocated. The newly introduced kgr_shadow_init() implementing this is idempotent and can thus be called from the bsc# subpatches' initializers if needed. Upon KGraft module removal, the new kgr_shadow_cleanup() will conduct another kallsyms search and deallocate the shadow data in case there are no more users. kgr_shadow_cleanup() is also idempotent. Initialization and teardown of the common shadow data is serialized with the module_mutex which has to be taken for the kallsyms search anyway. - commit 8e1e705 ------------------------------------------------------------------- Thu Oct 5 12:12:27 CEST 2017 - nstange@suse.de - shadow variables: drop EXPORT_SYMBOL()s The shadow variable API will only ever get used by the KGraft module itself and thus, there's no need for exporting it. Drop all EXPORT_SYMBOL annotations. - commit ac6cfeb ------------------------------------------------------------------- Thu Oct 5 12:12:26 CEST 2017 - nstange@suse.de - shadow variables: introduce upstream patch Joe Lawrence posted the sixth version of his shadow variable patch [1] implementing the association of additional out-of-band data members to existing structure instances from livepatches. Jiri Kosina has applied this to his git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching.git for-4.15/shadow-variables tree and thus, it's queued up and close to getting merged. The plan is to eventually backport this shadow variable support to SLE kernels, but we also want to have it usable from KGraft modules by now. Port the implementation to the kraft-patches module. Namely, - dump shadow.c in it's current upstream state as it is after commits 439e7271dc2b ("livepatch: introduce shadow variable API") 5d9da759f758 ("livepatch: __klp_shadow_get_or_alloc() is local to shadow.c") 19205da6a0da ("livepatch: Small shadow variable documentation fixes") - add a shadow.h header and declare the newly introduced functions there - and incorporate the new files into the KGraft module's build system. [1] 1504211861-19899-2-git-send-email-joe.lawrence@redhat.com ("[PATCH v6] livepatch: introduce shadow variable API") - commit e899c4f ------------------------------------------------------------------- Wed Jul 12 11:14:40 CEST 2017 - lpechacek@suse.com - kGraft to livepatch migration. API change. Change from kGraft API to livepatch API. Note: error handling in _init() function is broken and fixed later. Automatic generation of klp_objects is not present at all. Added later. References: fate#323682 [ mb: changelog, patch split, whitespace errors ] - commit 7e20201 ------------------------------------------------------------------- Wed Jul 12 11:08:57 CEST 2017 - lpechacek@suse.com - kGraft to livepatch migration. Internal rename. Internal rename in preparation for kGraft -> upstream livepatch migration. External module naming stays the same. API is not touched yet. References: fate#323682 [ mb: changelog edit ] - commit 28a04a2 ------------------------------------------------------------------- Tue Jun 13 15:54:27 CEST 2017 - nstange@suse.de - scripts/register-patches.sh: register subpatch sources in rpm spec In order to reduce the manual merging work upon addition of new (sub)patches, commit 4e8dc885be22 ("scripts: create kgr_patch_main.c dynamically") introduced the register-patches.sh helper. It discovers those and tweaks the main entry point, kgr_patch_main.c, as needed. However, a remaining manual merging task is to list a (sub)patch's source archive in rpm/kgraft-patch.spec and to %setup it. Make scripts/register-patches.sh do this. Namely, - introduce the @@KGR_PATCHES_SOURCES@@ and @@KGR_PATCHES_SETUP_SOURCES@@ placeholders in rpm/kgraft-patch.spec - and make scripts/register-patches.sh expand those within a spec file to be given as an additional command line argument. Finally, adjust scripts/tar-up.sh accordingly. - commit 9eafc8a ------------------------------------------------------------------- Tue Jun 13 15:51:42 CEST 2017 - nstange@suse.de - scripts/register-patches.sh: don't add ','s to @@KGR_PATCHES_FUNCS@@ register-patches.sh expands kgr_patch_main.c's @@KGR_PATCHES_FUNCS@@ placeholder by concatenating all available patches' KGR_PATCH__FUNCS together, separating them by commas. The KGR_PATCH__FUNCS are CPP macros supposed to be provided by each patch. If one of these happens to be empty, the preprocessed expansion will contain two consecutive commas which gcc doesn't like in array initializers. Do not add any commas to the @@KGR_PATCHES_FUNCS@@ expansion but require the individual KGR_PATCH__FUNCS macros to already contain trailing ones as needed. Fixes: 4e8dc885be22 ("scripts: create kgr_patch_main.c dynamically") - commit ba41416 ------------------------------------------------------------------- Wed Jun 7 12:05:41 CEST 2017 - nstange@suse.de - scripts: create kgr_patch_main.c dynamically The kgraft-patches repository has got many branches, each corresponding to a supported codestream. Each of those carries a potentially different set of live (sub)patches which are controlled through the entry points in kgr_patch_main.c. According to Miroslav, merging of a new (sub)patch based on the pristine master is a pita due to conflicts. Since all (sub)patches stick to certain conventions already, the required modifications of the merging-hotspot kgr_patch_main.c are quite mechanic. Let a script do the work. Namely, - insert some special @@-embraced placeholders at the few places depending on the actual set of (sub)patches, - let register-patches.sh discover the available (sub)patches by searching for directories - and let register-patches.sh replace those placeholders in kgr_patch_main.c Finally, add a register-patches.sh invocation to tar-up.sh. This procedure requires that a SUBPATCH located in directory SUBPATCH/ adheres to the following conventions: - It must provide a provide a SUBPATCH/kgr_patch_SUBPATCH.h header. - This header must provide declarations for kgr_patch_SUBPATCH_init() and kgr_patch_SUBPATCH_cleanup(). - This header must also #define a KGR_PATCH_SUBPATCH_FUNCS macro. It should expand to a comma separated list of KGR_PATCH*() entries, each corresponding to a function the subpatch wants to replace. [mbenes: fixed typos, empty line removed] - commit 4e8dc88 ------------------------------------------------------------------- Mon Apr 24 16:00:54 CEST 2017 - mbenes@suse.cz - Replace $(PWD) with $(CURDIR) in Makefile CURDIR is an internal variable of make and more suitable. - commit 03bf1d5 ------------------------------------------------------------------- Wed Apr 19 14:02:27 CEST 2017 - mbenes@suse.cz - Create Makefile automatically Introduce scripts/create-makefile.sh script to automatically create a makefile. The scripts is called from tar-up.sh or could be called manually. - commit 1af6c29 ------------------------------------------------------------------- Mon Oct 24 13:26:09 CEST 2016 - mbenes@suse.cz - Better to use SUSE:SLE-12:Update than Devel:kGraft:SLE12 project - commit bdc7598 ------------------------------------------------------------------- Tue May 10 15:43:59 CEST 2016 - mbenes@suse.cz - Add compat.h to deal with changes of KGR_PATCH macro Sympos patch set for kGraft redefined KGR_PATCH macro and added two new ones. Add new compat.h which contains macro magic so that all kGraft patches would work on both old and new kernels with the patch set merged. - commit 4186bef ------------------------------------------------------------------- Fri May 6 17:01:17 CEST 2016 - mbenes@suse.cz - Fix the number of parameters of KGR_PATCH macro New kernels contain kGraft's sympos patch set which changed number of paramaters of KGR_PATCH macro and introduced new macros. Fix it in master so it will be ok for new branches. - commit 78cf676 ------------------------------------------------------------------- Tue Sep 1 13:00:23 CEST 2015 - mmarek@suse.com - Include the RPM version number in the module name - commit 8fa02c6 ------------------------------------------------------------------- Wed Aug 26 11:29:44 CEST 2015 - mbenes@suse.cz - Remove forgotten debug option in the Makefile - commit 9c24ab8 ------------------------------------------------------------------- Mon Aug 17 13:42:04 CEST 2015 - mbenes@suse.cz - Add license and copyright notices - commit d42d3aa ------------------------------------------------------------------- Wed Jul 15 15:58:35 CEST 2015 - mbenes@suse.cz - Remove immediate flag Fake signal was merged to kGraft and immediate feature removed. Remove it in kGraft patches from now on too. - commit c767ad2 ------------------------------------------------------------------- Wed May 20 16:32:17 CEST 2015 - mbenes@suse.cz - Set immediate flag to false Using immediate set to true can lead to BUGs and oopses when downgrading, reverting or applying replace_all patches. There is no way how to find out if there is a process in the old code which is being removed. The module would be put, removed and the process will crash. The consistency model guarantees that there is no one in the old code when the finalization ends. Thus use it for all case to be safe. - commit 830e1a3 ------------------------------------------------------------------- Tue May 12 15:48:07 CEST 2015 - mbenes@suse.cz - Fix description in rpm spec file Spec file description mentions initial kGraft patch which is only true for real initial patch. Make it more neutral. References: bsc#930408 - commit a55e023 ------------------------------------------------------------------- Wed Apr 1 15:36:24 CEST 2015 - mbenes@suse.cz - Generate archives names automatically in tar-up.sh - commit 1f34f18 ------------------------------------------------------------------- Wed Apr 1 13:39:26 CEST 2015 - mbenes@suse.cz - Automatically generate .changes file from git log Also add comments to tar-up.sh script to distinguish between sections. - commit 212a7ae ------------------------------------------------------------------- Thu Mar 26 14:24:21 CET 2015 - mmarek@suse.cz - Revert "Require exact kernel version in the patch" This needs to be done differently, so that modprobe --force works as expected. References: bnc#920615 This reverts commit c62c11aecd4e3f8822e1b835fea403acc3148c5a. - commit bc88dd7 ------------------------------------------------------------------- Wed Mar 25 13:10:24 CET 2015 - mmarek@suse.cz - Require exact kernel version in the patch References: bnc#920615 - commit c62c11a ------------------------------------------------------------------- Tue Mar 24 12:15:41 CET 2015 - mmarek@suse.cz - Add the git commit and branch to the package description References: bnc#920633 - commit 1ff4e48 ------------------------------------------------------------------- Wed Nov 26 10:09:14 CET 2014 - mbenes@suse.cz - Set immediate flag for the initial patch Setting immediate to true will simplify installation of the initial patch and possibly also of the further updates. References: bnc#907150 - commit 391b810 ------------------------------------------------------------------- Tue Nov 25 16:26:40 CET 2014 - mbenes@suse.cz - Add .replace_all set to true Add .replace_all flag set to true even to the initial patch. Thus we will not forget to add that later. Also .immediate is there as a comment. - commit 933e15e ------------------------------------------------------------------- Mon Nov 24 15:02:33 CET 2014 - mmarek@suse.cz - Drop the hardcoded kernel release string The updated kgraft-devel macros set this during build time, so we do not need to know the kernel release string beforehand. As a name suffix for the source packages, let's use SLE12_Test in the master branch and SLE12_Update_ in the update branches. - commit 65f7a25 ------------------------------------------------------------------- Fri Nov 21 15:48:48 CET 2014 - mmarek@suse.cz - Check that we are building against the set kernel version - commit 689e44a ------------------------------------------------------------------- Wed Nov 12 04:11:14 CET 2014 - mmarek@suse.cz - Mark the module as supported References: bnc#904970 - commit 6249314 ------------------------------------------------------------------- Tue Nov 11 17:11:28 CET 2014 - mmarek@suse.cz - Build the test packages against Devel:kGraft:SLE12 - commit c952fbb ------------------------------------------------------------------- Thu Nov 6 13:55:43 CET 2014 - mbenes@suse.cz - Add top git commit hash to uname -v Add top git commit hash to version part of uname. This makes the identification of current patch level easy (even in crash: p kgr_tag). References: fate#317769 - commit 54c9595 ------------------------------------------------------------------- Tue Nov 4 16:23:50 CET 2014 - mbenes@suse.cz - Replace @@RELEASE@@ in kgr_patch->name with @@RPMRELEASE@@ We need to replace @@RELEASE@@ in kgr_patch->name with @@RPMRELEASE@@ due to sysfs tree. @@RELEASE@@ changes with each new version of package. - commit 51fd9dd ------------------------------------------------------------------- Mon Nov 3 17:27:24 CET 2014 - mmarek@suse.cz - Add a source-timestamp file with the git commit hash and branch This is required by the bs-upload-kernel script to upload packages to the BS. It can also be used by the specfile in the future. - commit feab4f1 ------------------------------------------------------------------- Mon Nov 3 16:56:31 CET 2014 - mbenes@suse.cz - Initial commit - commit 600de9d ------------------------------------------------------------------- Mon Nov 3 14:59:46 CET 2014 - mmarek@suse.cz - Add config.sh script This tells the automatic builder which IBS project to use. - commit aa7f1cb