diff options
| -rw-r--r-- | .SRCINFO | 30 | ||||
| -rw-r--r-- | 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch | 2 | ||||
| -rw-r--r-- | 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch (renamed from 0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch) | 2 | ||||
| -rw-r--r-- | 0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch | 75 | ||||
| -rw-r--r-- | 0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch (renamed from 0004-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch) | 2 | ||||
| -rw-r--r-- | 0004-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch (renamed from 0006-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch) | 2 | ||||
| -rw-r--r-- | 0005-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch | 114 | ||||
| -rw-r--r-- | PKGBUILD | 42 | ||||
| -rw-r--r-- | config | 4 |
9 files changed, 35 insertions, 238 deletions
@@ -1,14 +1,14 @@ pkgbase = linux-uksm - pkgver = 4.14.13 - pkgrel = 2 + pkgver = 4.14.14 + pkgrel = 1 url = https://github.com/dolohow/uksm arch = x86_64 license = GPL2 options = !strip source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.xz source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.sign - source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.13.xz - source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.13.sign + source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.14.xz + source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.14.sign source = https://raw.githubusercontent.com/sirlucjan/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9+_kernel_v4.13+.patch source = https://raw.githubusercontent.com/dolohow/uksm/master/uksm-4.14.patch source = config @@ -17,30 +17,26 @@ pkgbase = linux-uksm source = 99-linux.hook source = linux.preset source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - source = 0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch - source = 0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch - source = 0004-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch - source = 0005-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch - source = 0006-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch + source = 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch + source = 0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch + source = 0004-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E sha512sums = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8 sha512sums = SKIP - sha512sums = 6ae473fbed193a2997e9d3f02ef9c1b5a1bc6f2464ef32a4bc22306659f5d978ab64e531b3488bf8266732043868f1b14183e463c17020d1dc95c8cf70343415 + sha512sums = abc13c99eb85b2bd25f3ac07fccdad52a801118a86d3cd153a8ca6254730e5604e34261e98945352b23cf0e0a0317074a5008701d1240cc958ef4199bffd1ab6 sha512sums = SKIP sha512sums = 5ca7ae20245a54caa71fb570d971d6872d4e888f35c6123b93fbca16baf9a0e2500d6ec931f3906e4faecaaca9cad0d593694d9cab617efd0cb7b5fc09c0fa48 sha512sums = 44b31276d4d712e4e1e1455e128daa079ddd9d72a4620289607faf6134a225737004e8742de79e0283e98ef2d4f746f075e041870d37eab191c93c566f945c7f - sha512sums = 8a245a09327b42a7c732ef84c74f183055a9ef9e751aaae0d942930dc927697caf9c25bf9ffc2a7540b77b2bfd424fc93acd3363deb80602b053a8b50d76bf18 + sha512sums = 0f225e344aa55be95e3e5ae7a5ffdd45f38db00fce7e4c41d606ea8717a3926fefb3841ad7d33cccf1d6f5da48bd65699013c0258430e34dbe1b54f56a52ef23 sha512sums = 7ad5be75ee422dda3b80edd2eb614d8a9181e2c8228cd68b3881e2fb95953bf2dea6cbe7900ce1013c9de89b2802574b7b24869fc5d7a95d3cc3112c4d27063a sha512sums = 4a8b324aee4cccf3a512ad04ce1a272d14e5b05c8de90feb82075f55ea3845948d817e1b0c6f298f5816834ddd3e5ce0a0e2619866289f3c1ab8fd2f35f04f44 sha512sums = 6346b66f54652256571ef65da8e46db49a95ac5978ecd57a507c6b2a28aee70bb3ff87045ac493f54257c9965da1046a28b72cb5abb0087204d257f14b91fd74 sha512sums = 2dc6b0ba8f7dbf19d2446c5c5f1823587de89f4e28e9595937dd51a87755099656f2acec50e3e2546ea633ad1bfd1c722e0c2b91eef1d609103d8abdc0a7cbaf - sha512sums = 46447e0257b7ad5db932eb50a241d046716f21b9c12698c9d83d5f3ef52aff4ba603b79a26616347e6993dcc4ec7452aef3c0c9cf430c73955ee8e61c62194a7 - sha512sums = 6f3b1efe81ac806217dd199a629f2d1ed55c6393ba1d90600cd2d2f41a865dca680e131b668265cc3e665be748295aea1b65877d737064661450d5cd089f0d96 - sha512sums = baa77972acdc1820af6ea82ae72e1dbc793bde242d77a5176ab29444c8a3e3c3670907a5e289045d1246e2dd706cdab64659f82605e2f84b30d5b3c8f3272de5 - sha512sums = 096eb9bbdeacae276145fc7b28946e8f6a432f9b5159b8a33d1df00c820d8b96780cc84541c30bb75bf8d9324ecb3222c2bcd9630d5310ef1d17d6fad0f68a15 - sha512sums = cfc7ee58c22639ed6a891ad6f42b2fbe15f684d706c8026b8b0cb463a06d8446ac06cacdac47a1e1c91028bea1611ae2e5d017a7e07a5471589039f33501966b - sha512sums = fcc40dc86dd432be76854e3c51889db488de0f1029ecc227b92c4f58c62ba928f7dc3b9515ac3ca0a08d6a0a72ca4a1a754d47c4fb274fe89f09a2a336088e7a + sha512sums = f665daaec89b15d3a4cf2cabaf2b423dcda5e005860275753575f6bbed6815c3f17558b24da01ce6f6f0aeba900c506c32efa50754592625f3b513c7f14aea62 + sha512sums = 2ab17dfa1d37a73441f2e42883358763db648c5b863e76a8d7b3b344c1b293ffee5f72c8ed1f8219cec8c8419898fac59b21e0b6bf47daee17e426b18d907df9 + sha512sums = 24dccb21b187f331955d6f4d992b2ccd9cbf27acd83e4ff417921e200a1ebc4f52ec9732180a6d3922f86d2422ab0047558c62b76253e6f81983f26d0ae10f76 + sha512sums = bd0a758c7cc185cf5f29ea1d0a8964d12592c45cd9560d1f0508ad0dc102920e4f45aaa6921e58f145daea211340e8884f530a07c8da76f12af817c812b021dc pkgname = linux-uksm pkgdesc = Linux Kernel and modules with the UKSM. diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch index c3364a49db0e..2968c83950c7 100644 --- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch +++ b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch @@ -2,7 +2,7 @@ From 0b716bdb952b678d9bb5eb32198dbc82ec492df2 Mon Sep 17 00:00:00 2001 Message-Id: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffens@gmail.com> From: Serge Hallyn <serge.hallyn@canonical.com> Date: Fri, 31 May 2013 19:12:12 +0100 -Subject: [PATCH 1/6] add sysctl to disallow unprivileged CLONE_NEWUSER by +Subject: [PATCH 1/4] add sysctl to disallow unprivileged CLONE_NEWUSER by default Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> diff --git a/0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch b/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch index 15e4d29b6e14..2350bc07c50f 100644 --- a/0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch +++ b/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch @@ -4,7 +4,7 @@ In-Reply-To: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffe References: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffens@gmail.com> From: Mohamed Ghannam <simo.ghannam@gmail.com> Date: Tue, 5 Dec 2017 20:58:35 +0000 -Subject: [PATCH 3/6] dccp: CVE-2017-8824: use-after-free in DCCP code +Subject: [PATCH 2/4] dccp: CVE-2017-8824: use-after-free in DCCP code Whenever the sock object is in DCCP_CLOSED state, dccp_disconnect() must free dccps_hc_tx_ccid and diff --git a/0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch b/0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch deleted file mode 100644 index 9961ab6f9273..000000000000 --- a/0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch +++ /dev/null @@ -1,75 +0,0 @@ -From e6a5e05524563626d14c1745619e37e79cb5a3a7 Mon Sep 17 00:00:00 2001 -Message-Id: <e6a5e05524563626d14c1745619e37e79cb5a3a7.1515173964.git.jan.steffens@gmail.com> -In-Reply-To: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffens@gmail.com> -References: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffens@gmail.com> -From: Benjamin Poirier <bpoirier@suse.com> -Date: Mon, 11 Dec 2017 16:26:40 +0900 -Subject: [PATCH 2/6] e1000e: Fix e1000_check_for_copper_link_ich8lan return - value. - -e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan() -are the two functions that may be assigned to mac.ops.check_for_link when -phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e: -Separate signaling for link check/link up") changed the meaning of the -return value of check_for_link for copper media but only adjusted the first -function. This patch adjusts the second function likewise. - -Reported-by: Christian Hesse <list@eworm.de> -Reported-by: Gabriel C <nix.or.die@gmail.com> -Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047 -Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up") -Tested-by: Christian Hesse <list@eworm.de> -Signed-off-by: Benjamin Poirier <bpoirier@suse.com> ---- - drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c -index d6d4ed7acf031172..31277d3bb7dc1241 100644 ---- a/drivers/net/ethernet/intel/e1000e/ich8lan.c -+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c -@@ -1367,22 +1367,25 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw *hw, bool force) - * Checks to see of the link status of the hardware has changed. If a - * change in link status has been detected, then we read the PHY registers - * to get the current speed/duplex if link exists. -+ * -+ * Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link -+ * up). - **/ - static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw) - { - struct e1000_mac_info *mac = &hw->mac; - s32 ret_val, tipg_reg = 0; - u16 emi_addr, emi_val = 0; - bool link; - u16 phy_reg; - - /* We only want to go out to the PHY registers to see if Auto-Neg - * has completed and/or if our link status has changed. The - * get_link_status flag is set upon receiving a Link Status - * Change or Rx Sequence Error interrupt. - */ - if (!mac->get_link_status) -- return 0; -+ return 1; - - /* First we want to see if the MII Status Register reports - * link. If so, then we want to get the current speed/duplex -@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw) - * different link partner. - */ - ret_val = e1000e_config_fc_after_link_up(hw); -- if (ret_val) -+ if (ret_val) { - e_dbg("Error configuring flow control\n"); -+ return ret_val; -+ } - -- return ret_val; -+ return 1; - } - - static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter) --- -2.15.1 - diff --git a/0004-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch b/0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch index 6b4de3a648d9..fb6e0a4be29a 100644 --- a/0004-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch +++ b/0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch @@ -4,7 +4,7 @@ In-Reply-To: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffe References: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffens@gmail.com> From: Steffen Klassert <steffen.klassert@secunet.com> Date: Fri, 22 Dec 2017 10:44:57 +0100 -Subject: [PATCH 4/6] xfrm: Fix stack-out-of-bounds read on socket policy +Subject: [PATCH 3/4] xfrm: Fix stack-out-of-bounds read on socket policy lookup. When we do tunnel or beet mode, we pass saddr and daddr from the diff --git a/0006-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch b/0004-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch index 5d36d15ac47b..b865e10691a1 100644 --- a/0006-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch +++ b/0004-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch @@ -4,7 +4,7 @@ In-Reply-To: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffe References: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffens@gmail.com> From: Jim Bride <jim.bride@linux.intel.com> Date: Mon, 6 Nov 2017 13:38:57 -0800 -Subject: [PATCH 6/6] drm/i915/edp: Only use the alternate fixed mode if it's +Subject: [PATCH 4/4] drm/i915/edp: Only use the alternate fixed mode if it's asked for In commit dc911f5bd8aa ("drm/i915/edp: Allow alternate fixed mode for diff --git a/0005-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch b/0005-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch deleted file mode 100644 index 3090318aacb8..000000000000 --- a/0005-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch +++ /dev/null @@ -1,114 +0,0 @@ -From eadda028a73a567edd8462ccd0e8c28e023cde28 Mon Sep 17 00:00:00 2001 -Message-Id: <eadda028a73a567edd8462ccd0e8c28e023cde28.1515173964.git.jan.steffens@gmail.com> -In-Reply-To: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffens@gmail.com> -References: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffens@gmail.com> -From: Tejun Heo <tj@kernel.org> -Date: Wed, 20 Dec 2017 07:09:19 -0800 -Subject: [PATCH 5/6] cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC - -While teaching css_task_iter to handle skipping over tasks which -aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to -css_task_iter_start() and implement CSS_TASK_ITER_PROCS") introduced a -silly bug. - -CSS_TASK_ITER_PROCS is implemented by repeating -css_task_iter_advance() while the advanced cursor is pointing to a -non-leader thread. However, the cursor variable, @l, wasn't updated -when the iteration has to advance to the next css_set and the -following repetition would operate on the terminal @l from the -previous iteration which isn't pointing to a valid task leading to -oopses like the following or infinite looping. - - BUG: unable to handle kernel NULL pointer dereference at 0000000000000254 - IP: __task_pid_nr_ns+0xc7/0xf0 - PGD 0 P4D 0 - Oops: 0000 [#1] SMP - ... - CPU: 2 PID: 1 Comm: systemd Not tainted 4.14.4-200.fc26.x86_64 #1 - Hardware name: System manufacturer System Product Name/PRIME B350M-A, BIOS 3203 11/09/2017 - task: ffff88c4baee8000 task.stack: ffff96d5c3158000 - RIP: 0010:__task_pid_nr_ns+0xc7/0xf0 - RSP: 0018:ffff96d5c315bd50 EFLAGS: 00010206 - RAX: 0000000000000000 RBX: ffff88c4b68c6000 RCX: 0000000000000250 - RDX: ffffffffa5e47960 RSI: 0000000000000000 RDI: ffff88c490f6ab00 - RBP: ffff96d5c315bd50 R08: 0000000000001000 R09: 0000000000000005 - R10: ffff88c4be006b80 R11: ffff88c42f1b8004 R12: ffff96d5c315bf18 - R13: ffff88c42d7dd200 R14: ffff88c490f6a510 R15: ffff88c4b68c6000 - FS: 00007f9446f8ea00(0000) GS:ffff88c4be680000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: 0000000000000254 CR3: 00000007f956f000 CR4: 00000000003406e0 - Call Trace: - cgroup_procs_show+0x19/0x30 - cgroup_seqfile_show+0x4c/0xb0 - kernfs_seq_show+0x21/0x30 - seq_read+0x2ec/0x3f0 - kernfs_fop_read+0x134/0x180 - __vfs_read+0x37/0x160 - ? security_file_permission+0x9b/0xc0 - vfs_read+0x8e/0x130 - SyS_read+0x55/0xc0 - entry_SYSCALL_64_fastpath+0x1a/0xa5 - RIP: 0033:0x7f94455f942d - RSP: 002b:00007ffe81ba2d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000000 - RAX: ffffffffffffffda RBX: 00005574e2233f00 RCX: 00007f94455f942d - RDX: 0000000000001000 RSI: 00005574e2321a90 RDI: 000000000000002b - RBP: 0000000000000000 R08: 00005574e2321a90 R09: 00005574e231de60 - R10: 00007f94458c8b38 R11: 0000000000000293 R12: 00007f94458c8ae0 - R13: 00007ffe81ba3800 R14: 0000000000000000 R15: 00005574e2116560 - Code: 04 74 0e 89 f6 48 8d 04 76 48 8d 04 c5 f0 05 00 00 48 8b bf b8 05 00 00 48 01 c7 31 c0 48 8b 0f 48 85 c9 74 18 8b b2 30 08 00 00 <3b> 71 04 77 0d 48 c1 e6 05 48 01 f1 48 3b 51 38 74 09 5d c3 8b - RIP: __task_pid_nr_ns+0xc7/0xf0 RSP: ffff96d5c315bd50 - -Fix it by moving the initialization of the cursor below the repeat -label. While at it, rename it to @next for readability. - -Signed-off-by: Tejun Heo <tj@kernel.org> -Fixes: bc2fb7ed089f ("cgroup: add @flags to css_task_iter_start() and implement CSS_TASK_ITER_PROCS") -Cc: stable@vger.kernel.org # v4.14+ -Reported-by: Laura Abbott <labbott@redhat.com> -Reported-by: Bronek Kozicki <brok@incorrekt.com> -Reported-by: George Amanakis <gamanakis@gmail.com> -Signed-off-by: Tejun Heo <tj@kernel.org> ---- - kernel/cgroup/cgroup.c | 14 ++++++-------- - 1 file changed, 6 insertions(+), 8 deletions(-) - -diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c -index 44857278eb8aa6a2..030e4286f14c715e 100644 ---- a/kernel/cgroup/cgroup.c -+++ b/kernel/cgroup/cgroup.c -@@ -4059,26 +4059,24 @@ static void css_task_iter_advance_css_set(struct css_task_iter *it) - - static void css_task_iter_advance(struct css_task_iter *it) - { -- struct list_head *l = it->task_pos; -+ struct list_head *next; - - lockdep_assert_held(&css_set_lock); -- WARN_ON_ONCE(!l); -- - repeat: - /* - * Advance iterator to find next entry. cset->tasks is consumed - * first and then ->mg_tasks. After ->mg_tasks, we move onto the - * next cset. - */ -- l = l->next; -+ next = it->task_pos->next; - -- if (l == it->tasks_head) -- l = it->mg_tasks_head->next; -+ if (next == it->tasks_head) -+ next = it->mg_tasks_head->next; - -- if (l == it->mg_tasks_head) -+ if (next == it->mg_tasks_head) - css_task_iter_advance_css_set(it); - else -- it->task_pos = l; -+ it->task_pos = next; - - /* if PROCS, skip over tasks which aren't group leaders */ - if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos && --- -2.15.1 - @@ -51,8 +51,8 @@ _use_current= pkgbase=linux-uksm # pkgname=('linux-uksm' 'linux-uksm-headers' 'linux-uksm-docs') _srcname=linux-4.14 -pkgver=4.14.13 -pkgrel=2 +pkgver=4.14.14 +pkgrel=1 arch=('x86_64') url="https://github.com/dolohow/uksm" license=('GPL2') @@ -80,12 +80,10 @@ source=("https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz" # standard config files for mkinitcpio ramdisk 'linux.preset' '0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch' - '0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch' - '0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch' - '0004-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch' - '0005-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch' - '0006-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch') - + '0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch' + '0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch' + '0004-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch') + _kernelname=${pkgbase#linux} prepare() { @@ -98,26 +96,18 @@ prepare() { ### Disable USER_NS for non-root users by default msg "Disable USER_NS for non-root users by default" patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - - ### Fix https://bugs.archlinux.org/task/56575 - msg "Fix #56575" - patch -Np1 -i ../0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch ### Fix https://nvd.nist.gov/vuln/detail/CVE-2017-8824 msg "Fix CVE-2017-8824" - patch -Np1 -i ../0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch + patch -Np1 -i ../0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch ### Fix https://bugs.archlinux.org/task/56605 msg "Fix #56605" - patch -Np1 -i ../0004-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch - - ### Fix https://bugs.archlinux.org/task/56846 - msg "Fix #56846" - patch -Np1 -i ../0005-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch + patch -Np1 -i ../0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch ### Fix https://bugs.archlinux.org/task/56711 msg "Fix #56711" - patch -Np1 -i ../0006-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch + patch -Np1 -i ../0004-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch ### Patch source with UKSM msg "Patching source with UKSM" @@ -388,21 +378,19 @@ done sha512sums=('77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8' 'SKIP' - '6ae473fbed193a2997e9d3f02ef9c1b5a1bc6f2464ef32a4bc22306659f5d978ab64e531b3488bf8266732043868f1b14183e463c17020d1dc95c8cf70343415' + 'abc13c99eb85b2bd25f3ac07fccdad52a801118a86d3cd153a8ca6254730e5604e34261e98945352b23cf0e0a0317074a5008701d1240cc958ef4199bffd1ab6' 'SKIP' '5ca7ae20245a54caa71fb570d971d6872d4e888f35c6123b93fbca16baf9a0e2500d6ec931f3906e4faecaaca9cad0d593694d9cab617efd0cb7b5fc09c0fa48' '44b31276d4d712e4e1e1455e128daa079ddd9d72a4620289607faf6134a225737004e8742de79e0283e98ef2d4f746f075e041870d37eab191c93c566f945c7f' - '8a245a09327b42a7c732ef84c74f183055a9ef9e751aaae0d942930dc927697caf9c25bf9ffc2a7540b77b2bfd424fc93acd3363deb80602b053a8b50d76bf18' + '0f225e344aa55be95e3e5ae7a5ffdd45f38db00fce7e4c41d606ea8717a3926fefb3841ad7d33cccf1d6f5da48bd65699013c0258430e34dbe1b54f56a52ef23' '7ad5be75ee422dda3b80edd2eb614d8a9181e2c8228cd68b3881e2fb95953bf2dea6cbe7900ce1013c9de89b2802574b7b24869fc5d7a95d3cc3112c4d27063a' '4a8b324aee4cccf3a512ad04ce1a272d14e5b05c8de90feb82075f55ea3845948d817e1b0c6f298f5816834ddd3e5ce0a0e2619866289f3c1ab8fd2f35f04f44' '6346b66f54652256571ef65da8e46db49a95ac5978ecd57a507c6b2a28aee70bb3ff87045ac493f54257c9965da1046a28b72cb5abb0087204d257f14b91fd74' '2dc6b0ba8f7dbf19d2446c5c5f1823587de89f4e28e9595937dd51a87755099656f2acec50e3e2546ea633ad1bfd1c722e0c2b91eef1d609103d8abdc0a7cbaf' - '46447e0257b7ad5db932eb50a241d046716f21b9c12698c9d83d5f3ef52aff4ba603b79a26616347e6993dcc4ec7452aef3c0c9cf430c73955ee8e61c62194a7' - '6f3b1efe81ac806217dd199a629f2d1ed55c6393ba1d90600cd2d2f41a865dca680e131b668265cc3e665be748295aea1b65877d737064661450d5cd089f0d96' - 'baa77972acdc1820af6ea82ae72e1dbc793bde242d77a5176ab29444c8a3e3c3670907a5e289045d1246e2dd706cdab64659f82605e2f84b30d5b3c8f3272de5' - '096eb9bbdeacae276145fc7b28946e8f6a432f9b5159b8a33d1df00c820d8b96780cc84541c30bb75bf8d9324ecb3222c2bcd9630d5310ef1d17d6fad0f68a15' - 'cfc7ee58c22639ed6a891ad6f42b2fbe15f684d706c8026b8b0cb463a06d8446ac06cacdac47a1e1c91028bea1611ae2e5d017a7e07a5471589039f33501966b' - 'fcc40dc86dd432be76854e3c51889db488de0f1029ecc227b92c4f58c62ba928f7dc3b9515ac3ca0a08d6a0a72ca4a1a754d47c4fb274fe89f09a2a336088e7a') + 'f665daaec89b15d3a4cf2cabaf2b423dcda5e005860275753575f6bbed6815c3f17558b24da01ce6f6f0aeba900c506c32efa50754592625f3b513c7f14aea62' + '2ab17dfa1d37a73441f2e42883358763db648c5b863e76a8d7b3b344c1b293ffee5f72c8ed1f8219cec8c8419898fac59b21e0b6bf47daee17e426b18d907df9' + '24dccb21b187f331955d6f4d992b2ccd9cbf27acd83e4ff417921e200a1ebc4f52ec9732180a6d3922f86d2422ab0047558c62b76253e6f81983f26d0ae10f76' + 'bd0a758c7cc185cf5f29ea1d0a8964d12592c45cd9560d1f0508ad0dc102920e4f45aaa6921e58f145daea211340e8884f530a07c8da76f12af817c812b021dc') validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.11-1 Kernel Configuration +# Linux/x86 4.14.14-2 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -448,6 +448,7 @@ CONFIG_X86_FEATURE_NAMES=y CONFIG_X86_FAST_FEATURE_TESTS=y CONFIG_X86_X2APIC=y CONFIG_X86_MPPARSE=y +CONFIG_RETPOLINE=y # CONFIG_GOLDFISH is not set CONFIG_INTEL_RDT=y # CONFIG_X86_EXTENDED_PLATFORM is not set @@ -1876,6 +1877,7 @@ CONFIG_DEV_COREDUMP=y CONFIG_SYS_HYPERVISOR=y # CONFIG_GENERIC_CPU_DEVICES is not set CONFIG_GENERIC_CPU_AUTOPROBE=y +CONFIG_GENERIC_CPU_VULNERABILITIES=y CONFIG_REGMAP=y CONFIG_REGMAP_I2C=y CONFIG_REGMAP_SPI=y |