summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 18:46:10 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 18:46:10 +0000
commit7050cdb205fd1b1b847c148092a8548f00a061c0 (patch)
tree05a497ffd12f14405445c3288085e228f4e8579f /debian/patches
parentAdding upstream version 16.2.11+ds. (diff)
downloadceph-7050cdb205fd1b1b847c148092a8548f00a061c0.tar.xz
ceph-7050cdb205fd1b1b847c148092a8548f00a061c0.zip
Adding debian version 16.2.11+ds-2.debian/16.2.11+ds-2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/32bit-fixes.patch164
-rw-r--r--debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch65
-rw-r--r--debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch26
-rw-r--r--debian/patches/CVE-2022-3854_1_rgw_Guard_against_malformed_bucket_URLs.patch29
-rw-r--r--debian/patches/Fix-build-with-fmt-8-9.patch134
-rw-r--r--debian/patches/add-option-to-disable-ceph-dencoder.patch12
-rw-r--r--debian/patches/bug1914584.patch49
-rw-r--r--debian/patches/bug1917414.patch143
-rw-r--r--debian/patches/civetweb-755-1.8-somaxconn-configurable.patch53
-rw-r--r--debian/patches/civetweb-755-1.8-somaxconn-configurable_conf.patch18
-rw-r--r--debian/patches/civetweb-755-1.8-somaxconn-configurable_test.patch17
-rw-r--r--debian/patches/cmake-test-for-16-bytes-atomic-support-on-mips-also.patch29
-rw-r--r--debian/patches/compile-ppc.c-on-all-powerpc-machines.patch92
-rw-r--r--debian/patches/debian-armel-armhf-buildflags.patch45
-rw-r--r--debian/patches/disable-crypto.patch16
-rw-r--r--debian/patches/enable-strsignal.patch18
-rw-r--r--debian/patches/fix-CheckCxxAtomic-riscv64.patch16
-rw-r--r--debian/patches/fix-bash-completion-location9
-rw-r--r--debian/patches/fix-ceph-osd-systemd-target.patch17
-rw-r--r--debian/patches/only-yied-under-armv7-and-above.patch17
-rw-r--r--debian/patches/riscv64-link-pthread.patch16
-rw-r--r--debian/patches/series25
-rw-r--r--debian/patches/update-java-source-target-flags.patch23
23 files changed, 1033 insertions, 0 deletions
diff --git a/debian/patches/32bit-fixes.patch b/debian/patches/32bit-fixes.patch
new file mode 100644
index 000000000..1d2fcb660
--- /dev/null
+++ b/debian/patches/32bit-fixes.patch
@@ -0,0 +1,164 @@
+Description: Misc fixes for 32 bit architecture builds.
+Author: James Page <james.page@ubuntu.com>
+Forwarded: no
+
+Index: ceph/src/tools/rbd_mirror/image_replayer/snapshot/Replayer.cc
+===================================================================
+--- ceph.orig/src/tools/rbd_mirror/image_replayer/snapshot/Replayer.cc
++++ ceph/src/tools/rbd_mirror/image_replayer/snapshot/Replayer.cc
+@@ -253,7 +253,8 @@ bool Replayer<I>::get_replay_status(std:
+
+ json_spirit::mObject root_obj;
+ root_obj["replay_state"] = replay_state;
+- root_obj["remote_snapshot_timestamp"] = remote_snap_info->timestamp.sec();
++ root_obj["remote_snapshot_timestamp"] = static_cast<uint64_t>(
++ remote_snap_info->timestamp.sec());
+
+ auto matching_remote_snap_id = util::compute_remote_snap_id(
+ m_state_builder->local_image_ctx->image_lock,
+@@ -267,8 +268,8 @@ bool Replayer<I>::get_replay_status(std:
+ // use the timestamp from the matching remote image since
+ // the local snapshot would just be the time the snapshot was
+ // synced and not the consistency point in time.
+- root_obj["local_snapshot_timestamp"] =
+- matching_remote_snap_it->second.timestamp.sec();
++ root_obj["local_snapshot_timestamp"] = static_cast<uint64_t>(
++ matching_remote_snap_it->second.timestamp.sec());
+ }
+
+ matching_remote_snap_it = m_state_builder->remote_image_ctx->snap_info.find(
+@@ -276,7 +277,8 @@ bool Replayer<I>::get_replay_status(std:
+ if (m_remote_snap_id_end != CEPH_NOSNAP &&
+ matching_remote_snap_it !=
+ m_state_builder->remote_image_ctx->snap_info.end()) {
+- root_obj["syncing_snapshot_timestamp"] = remote_snap_info->timestamp.sec();
++ root_obj["syncing_snapshot_timestamp"] = static_cast<uint64_t>(
++ remote_snap_info->timestamp.sec());
+ root_obj["syncing_percent"] = static_cast<uint64_t>(
+ 100 * m_local_mirror_snap_ns.last_copied_object_number /
+ static_cast<float>(std::max<uint64_t>(1U, m_local_object_count)));
+Index: ceph/src/common/buffer.cc
+===================================================================
+--- ceph.orig/src/common/buffer.cc
++++ ceph/src/common/buffer.cc
+@@ -2272,7 +2272,7 @@ MEMPOOL_DEFINE_OBJECT_FACTORY(buffer::ra
+
+ void ceph::buffer::list::page_aligned_appender::_refill(size_t len) {
+ const size_t alloc = \
+- std::max((size_t)min_alloc, (len + CEPH_PAGE_SIZE - 1) & CEPH_PAGE_MASK);
++ std::max((size_t)min_alloc, (size_t)((len + CEPH_PAGE_SIZE - 1) & CEPH_PAGE_MASK));
+ auto new_back = \
+ ptr_node::create(buffer::create_page_aligned(alloc));
+ new_back->set_length(0); // unused, so far.
+Index: ceph/src/s3select/include/s3select_functions.h
+===================================================================
+--- ceph.orig/src/s3select/include/s3select_functions.h
++++ ceph/src/s3select/include/s3select_functions.h
+@@ -585,7 +585,7 @@ struct _fn_diff_timestamp : public base_
+ {
+ boost::gregorian::date_period dp =
+ boost::gregorian::date_period( val_dt1.timestamp()->date(), val_dt2.timestamp()->date());
+- result->set_value( dp.length().days() );
++ result->set_value( (int64_t)dp.length().days() );
+ }
+ else if (strcmp(val_date_part.str(), "hours") == 0)
+ {
+Index: ceph/src/os/bluestore/BlueFS.cc
+===================================================================
+--- ceph.orig/src/os/bluestore/BlueFS.cc
++++ ceph/src/os/bluestore/BlueFS.cc
+@@ -3831,11 +3831,11 @@ int BlueFS::do_replay_recovery_read(File
+
+ size_t BlueFS::probe_alloc_avail(int dev, uint64_t alloc_size)
+ {
+- size_t total = 0;
+- auto iterated_allocation = [&](size_t off, size_t len) {
++ uint64_t total = 0;
++ auto iterated_allocation = [&](uint64_t off, uint64_t len) {
+ //only count in size that is alloc_size aligned
+- size_t dist_to_alignment;
+- size_t offset_in_block = off & (alloc_size - 1);
++ uint64_t dist_to_alignment;
++ uint64_t offset_in_block = off & (alloc_size - 1);
+ if (offset_in_block == 0)
+ dist_to_alignment = 0;
+ else
+Index: ceph/src/tools/neorados.cc
+===================================================================
+--- ceph.orig/src/tools/neorados.cc
++++ ceph/src/tools/neorados.cc
+@@ -146,7 +146,7 @@ void create(R::RADOS& r, const std::vect
+ obj, pname));
+ }
+
+-inline constexpr std::size_t io_size = 4 << 20;
++inline constexpr std::uint64_t io_size = 4 << 20;
+
+ void write(R::RADOS& r, const std::vector<std::string>& p, s::yield_context y)
+ {
+@@ -156,7 +156,7 @@ void write(R::RADOS& r, const std::vecto
+
+ bs::error_code ec;
+ std::unique_ptr<char[]> buf = std::make_unique<char[]>(io_size);
+- std::size_t off = 0;
++ std::uint64_t off = 0;
+ boost::io::ios_exception_saver ies(std::cin);
+
+ std::cin.exceptions(std::istream::badbit);
+@@ -203,7 +203,7 @@ void read(R::RADOS& r, const std::vector
+ obj, pname));
+ }
+
+- std::size_t off = 0;
++ std::uint64_t off = 0;
+ ceph::buffer::list bl;
+ while (auto toread = std::max(len - off, io_size)) {
+ R::ReadOp op;
+Index: ceph/src/tools/cephfs_mirror/FSMirror.cc
+===================================================================
+--- ceph.orig/src/tools/cephfs_mirror/FSMirror.cc
++++ ceph/src/tools/cephfs_mirror/FSMirror.cc
+@@ -345,7 +345,7 @@ void FSMirror::handle_acquire_directory(
+ std::scoped_lock locker(m_lock);
+ m_directories.emplace(dir_path);
+ m_service_daemon->add_or_update_fs_attribute(m_filesystem.fscid, SERVICE_DAEMON_DIR_COUNT_KEY,
+- m_directories.size());
++ static_cast<uint64_t>(m_directories.size()));
+
+ for (auto &[peer, peer_replayer] : m_peer_replayers) {
+ dout(10) << ": peer=" << peer << dendl;
+@@ -363,7 +363,7 @@ void FSMirror::handle_release_directory(
+ if (it != m_directories.end()) {
+ m_directories.erase(it);
+ m_service_daemon->add_or_update_fs_attribute(m_filesystem.fscid, SERVICE_DAEMON_DIR_COUNT_KEY,
+- m_directories.size());
++ static_cast<uint64_t>(m_directories.size()));
+ for (auto &[peer, peer_replayer] : m_peer_replayers) {
+ dout(10) << ": peer=" << peer << dendl;
+ peer_replayer->remove_directory(dir_path);
+Index: ceph/src/librbd/object_map/DiffRequest.cc
+===================================================================
+--- ceph.orig/src/librbd/object_map/DiffRequest.cc
++++ ceph/src/librbd/object_map/DiffRequest.cc
+@@ -175,7 +175,7 @@ void DiffRequest<I>::handle_load_object_
+ m_object_map.resize(num_objs);
+ }
+
+- size_t prev_object_diff_state_size = m_object_diff_state->size();
++ uint64_t prev_object_diff_state_size = m_object_diff_state->size();
+ if (prev_object_diff_state_size < num_objs) {
+ // the diff state should be the largest of all snapshots in the set
+ m_object_diff_state->resize(num_objs);
+Index: ceph/src/SimpleRADOSStriper.cc
+===================================================================
+--- ceph.orig/src/SimpleRADOSStriper.cc
++++ ceph/src/SimpleRADOSStriper.cc
+@@ -140,7 +140,7 @@ int SimpleRADOSStriper::remove()
+ return 0;
+ }
+
+-int SimpleRADOSStriper::truncate(uint64_t size)
++int SimpleRADOSStriper::truncate(size_t size)
+ {
+ d(5) << size << dendl;
+
diff --git a/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch b/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
new file mode 100644
index 000000000..43f5e72df
--- /dev/null
+++ b/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
@@ -0,0 +1,65 @@
+Description: CVE-2022-3650: ceph-crash: drop privleges to run as "ceph" user, rather than root
+ If privileges cannot be dropped, log an error and exit. This commit
+ also catches and logs exceptions when scraping the crash path, without
+ which ceph-crash would just exit if it encountered an error.
+Author: Tim Serong <tserong@suse.com>
+Date: Wed, 2 Nov 2022 14:27:47 +1100
+Bug: https://tracker.ceph.com/issues/57967
+Signed-off-by: Tim Serong <tserong@suse.com>
+Origin: upstream, https://github.com/ceph/ceph/commit/130c9626598bc3a75942161e6cce7c664c447382
+Bug-Debian: https://bugs.debian.org/1024932
+Last-Update: 2022-11-28
+
+Index: ceph/src/ceph-crash.in
+===================================================================
+--- ceph.orig/src/ceph-crash.in
++++ ceph/src/ceph-crash.in
+@@ -3,8 +3,10 @@
+ # vim: ts=4 sw=4 smarttab expandtab
+
+ import argparse
++import grp
+ import logging
+ import os
++import pwd
+ import signal
+ import socket
+ import subprocess
+@@ -83,8 +85,25 @@ def handler(signum):
+ print('*** Interrupted with signal %d ***' % signum)
+ sys.exit(0)
+
++def drop_privs():
++ if os.getuid() == 0:
++ try:
++ ceph_uid = pwd.getpwnam("ceph").pw_uid
++ ceph_gid = grp.getgrnam("ceph").gr_gid
++ os.setgroups([])
++ os.setgid(ceph_gid)
++ os.setuid(ceph_uid)
++ except Exception as e:
++ log.error(f"Unable to drop privileges: {e}")
++ sys.exit(1)
++
++
+ def main():
+ global auth_names
++
++ # run as unprivileged ceph user
++ drop_privs()
++
+ # exit code 0 on SIGINT, SIGTERM
+ signal.signal(signal.SIGINT, handler)
+ signal.signal(signal.SIGTERM, handler)
+@@ -103,7 +122,10 @@ def main():
+
+ log.info("monitoring path %s, delay %ds" % (args.path, args.delay * 60.0))
+ while True:
+- scrape_path(args.path)
++ try:
++ scrape_path(args.path)
++ except Exception as e:
++ log.error(f"Error scraping {args.path}: {e}")
+ if args.delay == 0:
+ sys.exit(0)
+ time.sleep(args.delay * 60)
diff --git a/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch b/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
new file mode 100644
index 000000000..b49030904
--- /dev/null
+++ b/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
@@ -0,0 +1,26 @@
+Description: CVE-2022-3650: ceph-crash: fix stderr handling
+ Popen.communicate() returns a tuple (stdout, stderr), and stderr
+ will be of type bytes, hence the need to decode it before checking
+ if it's an empty string or not.
+Author: Tim Serong <tserong@suse.com>
+Date: Wed, 2 Nov 2022 14:23:20 +1100
+Bug: a77b47eeeb5770eeefcf4619ab2105ee7a6a003e
+Signed-off-by: Tim Serong <tserong@suse.com>
+Bug-Debian: https://bugs.debian.org/1024932
+Origin: upstream, https://github.com/ceph/ceph/commit/45915540559126a652f8d9d105723584cfc63439
+Last-Update: 2022-11-28
+
+diff --git a/src/ceph-crash.in b/src/ceph-crash.in
+index 0fffd59a96df5..e2a7be59da701 100755
+--- a/src/ceph-crash.in
++++ b/src/ceph-crash.in
+@@ -50,7 +50,8 @@ def post_crash(path):
+ stderr=subprocess.PIPE,
+ )
+ f = open(os.path.join(path, 'meta'), 'rb')
+- stderr = pr.communicate(input=f.read())
++ (_, stderr) = pr.communicate(input=f.read())
++ stderr = stderr.decode()
+ rc = pr.wait()
+ f.close()
+ if rc != 0 or stderr != "":
diff --git a/debian/patches/CVE-2022-3854_1_rgw_Guard_against_malformed_bucket_URLs.patch b/debian/patches/CVE-2022-3854_1_rgw_Guard_against_malformed_bucket_URLs.patch
new file mode 100644
index 000000000..f06997a85
--- /dev/null
+++ b/debian/patches/CVE-2022-3854_1_rgw_Guard_against_malformed_bucket_URLs.patch
@@ -0,0 +1,29 @@
+Description: CVE-2022-3854: rgw: Guard against malformed bucket URLs
+ Misplaced colons can result in radosgw thinking is has a bucket URL
+ but with no bucket name, leading to a crash later on.
+Author: "Adam C. Emerson" <aemerson@redhat.com>
+Date: Fri, 8 Jul 2022 14:58:16 -0400
+Fixes: https://tracker.ceph.com/issues/55765
+Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
+Fixes: https://tracker.ceph.com/issues/56586
+Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
+Origin: upstream, https://github.com/ceph/ceph/pull/47194/commits/9746e8011ff1de6de7dba9c0041e28a16c8f6828.patch
+Bug-Debian: https://bugs.debian.org/1027151
+Last-Update: 2022-01-09
+
+Index: ceph/src/rgw/rgw_common.cc
+===================================================================
+--- ceph.orig/src/rgw/rgw_common.cc
++++ ceph/src/rgw/rgw_common.cc
+@@ -1265,6 +1265,11 @@ bool verify_bucket_permission_no_policy(
+
+ bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, struct req_state * const s, const int perm)
+ {
++ if (rgw::sal::RGWBucket::empty(s->bucket)) {
++ // request is missing a bucket name
++ return false;
++ }
++
+ perm_state_from_req_state ps(s);
+
+ if (!verify_requester_payer_permission(&ps))
diff --git a/debian/patches/Fix-build-with-fmt-8-9.patch b/debian/patches/Fix-build-with-fmt-8-9.patch
new file mode 100644
index 000000000..1cb0d2f2c
--- /dev/null
+++ b/debian/patches/Fix-build-with-fmt-8-9.patch
@@ -0,0 +1,134 @@
+From: Shengjing Zhu <zhushengjing@cambricon.com>
+Date: Sun, 31 Jul 2022 15:27:17 +0800
+Subject: Fix build with fmt 8/9
+
++ changes in segment_manager.cc and segment_manager.h are backported from
+ part of the large changes in https://github.com/ceph/ceph/commit/d5b0cd13
++ change in node_extent_accessor.h is not forwarded to upstream since it's
+ a workaround. However it doesn't harm since it's just a error message
+ which shouldn't happen anyway.
++ changes in seastar is backported from
+ https://github.com/scylladb/seastar/commit/dfb62861
++ changes in crimson/osd/main.cc is backported from
+ https://github.com/ceph/ceph/commit/58cb9bac
+---
+ src/crimson/os/seastore/CMakeLists.txt | 1 +
+ .../staged-fltree/node_extent_accessor.h | 2 +-
+ src/crimson/os/seastore/segment_manager.cc | 19 +++++++++++++++++++
+ src/crimson/os/seastore/segment_manager.h | 3 +++
+ src/crimson/osd/main.cc | 6 +++---
+ src/seastar/include/seastar/core/print.hh | 4 ++++
+ 6 files changed, 31 insertions(+), 4 deletions(-)
+ create mode 100644 src/crimson/os/seastore/segment_manager.cc
+
+diff --git a/src/crimson/os/seastore/CMakeLists.txt b/src/crimson/os/seastore/CMakeLists.txt
+index 77f8465..c6d4e93 100644
+--- a/src/crimson/os/seastore/CMakeLists.txt
++++ b/src/crimson/os/seastore/CMakeLists.txt
+@@ -1,6 +1,7 @@
+ add_library(crimson-seastore STATIC
+ cached_extent.cc
+ seastore_types.cc
++ segment_manager.cc
+ segment_manager/ephemeral.cc
+ segment_manager/block.cc
+ transaction_manager.cc
+diff --git a/src/crimson/os/seastore/onode_manager/staged-fltree/node_extent_accessor.h b/src/crimson/os/seastore/onode_manager/staged-fltree/node_extent_accessor.h
+index 94782f5..3c45861 100644
+--- a/src/crimson/os/seastore/onode_manager/staged-fltree/node_extent_accessor.h
++++ b/src/crimson/os/seastore/onode_manager/staged-fltree/node_extent_accessor.h
+@@ -169,7 +169,7 @@ class DeltaRecorderT final: public DeltaRecorder {
+ }
+ default:
+ logger().error("OTree::Extent::Replay: got unknown op {} when replay {:#x}",
+- op, node.get_laddr());
++ static_cast<uint8_t>(op), node.get_laddr());
+ ceph_abort();
+ }
+ } catch (buffer::error& e) {
+diff --git a/src/crimson/os/seastore/segment_manager.cc b/src/crimson/os/seastore/segment_manager.cc
+new file mode 100644
+index 0000000..d4a7132
+--- /dev/null
++++ b/src/crimson/os/seastore/segment_manager.cc
+@@ -0,0 +1,19 @@
++#include "crimson/os/seastore/segment_manager.h"
++
++namespace crimson::os::seastore {
++
++ std::ostream& operator<<(std::ostream &out, Segment::segment_state_t s)
++ {
++ using state_t = Segment::segment_state_t;
++ switch (s) {
++ case state_t::EMPTY:
++ return out << "EMPTY";
++ case state_t::OPEN:
++ return out << "OPEN";
++ case state_t::CLOSED:
++ return out << "CLOSED";
++ default:
++ return out << "INVALID_SEGMENT_STATE!";
++ }
++ }
++}
+diff --git a/src/crimson/os/seastore/segment_manager.h b/src/crimson/os/seastore/segment_manager.h
+index 61c6509..30bdbc4 100644
+--- a/src/crimson/os/seastore/segment_manager.h
++++ b/src/crimson/os/seastore/segment_manager.h
+@@ -73,6 +73,9 @@ public:
+
+ virtual ~Segment() {}
+ };
++
++std::ostream& operator<<(std::ostream& out, Segment::segment_state_t);
++
+ using SegmentRef = boost::intrusive_ptr<Segment>;
+
+ constexpr size_t PADDR_SIZE = sizeof(paddr_t);
+diff --git a/src/crimson/osd/main.cc b/src/crimson/osd/main.cc
+index a90903e..0db6496 100644
+--- a/src/crimson/osd/main.cc
++++ b/src/crimson/osd/main.cc
+@@ -88,7 +88,7 @@ seastar::future<> make_keyring()
+ if (exists &&
+ keyring.load(nullptr, path) == 0 &&
+ keyring.get_auth(name, auth)) {
+- seastar::fprint(std::cerr, "already have key in keyring: %s\n", path);
++ fmt::print(std::cerr, "already have key in keyring: %s\n", path);
+ return seastar::now();
+ } else {
+ auth.key.create(std::make_unique<CephContext>().get(), CEPH_CRYPTO_AES);
+@@ -100,7 +100,7 @@ seastar::future<> make_keyring()
+ return crimson::write_file(std::move(bl), path, permissions);
+ }
+ }).handle_exception_type([path](const std::filesystem::filesystem_error& e) {
+- seastar::fprint(std::cerr, "FATAL: writing new keyring to %s: %s\n", path, e.what());
++ fmt::print(std::cerr, "FATAL: writing new keyring to %s: %s\n", path, e.what());
+ throw e;
+ });
+ }
+@@ -216,7 +216,7 @@ int main(int argc, char* argv[])
+ });
+ });
+ } catch (...) {
+- seastar::fprint(std::cerr, "FATAL: Exception during startup, aborting: %s\n", std::current_exception());
++ fmt::print(std::cerr, "FATAL: Exception during startup, aborting: %s\n", std::current_exception());
+ return EXIT_FAILURE;
+ }
+ }
+diff --git a/src/seastar/include/seastar/core/print.hh b/src/seastar/include/seastar/core/print.hh
+index 72e3934..c1868e8 100644
+--- a/src/seastar/include/seastar/core/print.hh
++++ b/src/seastar/include/seastar/core/print.hh
+@@ -133,7 +133,11 @@ template <typename... A>
+ sstring
+ format(const char* fmt, A&&... a) {
+ fmt::memory_buffer out;
++#if FMT_VERSION >= 80000
++ fmt::format_to(fmt::appender(out), fmt::runtime(fmt), std::forward<A>(a)...);
++#else
+ fmt::format_to(out, fmt, std::forward<A>(a)...);
++#endif
+ return sstring{out.data(), out.size()};
+ }
+
diff --git a/debian/patches/add-option-to-disable-ceph-dencoder.patch b/debian/patches/add-option-to-disable-ceph-dencoder.patch
new file mode 100644
index 000000000..ef813e505
--- /dev/null
+++ b/debian/patches/add-option-to-disable-ceph-dencoder.patch
@@ -0,0 +1,12 @@
+Index: ceph/src/tools/CMakeLists.txt
+===================================================================
+--- ceph.orig/src/tools/CMakeLists.txt
++++ ceph/src/tools/CMakeLists.txt
+@@ -151,5 +151,7 @@ if(WITH_SEASTAR)
+ endif()
+
+ add_subdirectory(immutable_object_cache)
++if(NOT DISABLE_DENCODER)
+ add_subdirectory(ceph-dencoder)
++endif(DISABLE_DENCODER)
+ add_subdirectory(erasure-code)
diff --git a/debian/patches/bug1914584.patch b/debian/patches/bug1914584.patch
new file mode 100644
index 000000000..763a948f9
--- /dev/null
+++ b/debian/patches/bug1914584.patch
@@ -0,0 +1,49 @@
+From a8c1aec073fc8364818027a26fa1ddb5d34c58af Mon Sep 17 00:00:00 2001
+From: Matthew Vernon <mv3@sanger.ac.uk>
+Date: Thu, 4 Feb 2021 11:41:14 +0000
+Subject: [PATCH] rgw/radosgw-admin clarify error when email address already in
+ use
+
+The error message if you try and create an S3 user with an email
+address that is already associated with another S3 account is very
+confusing; this patch makes it much clearer
+
+To reproduce:
+
+radosgw-admin user create --uid=foo --display-name="Foo test" --email=bar@domain.invalid
+radosgw-admin user create --uid=test --display-name="AN test" --email=bar@domain.invalid
+could not create user: unable to parse parameters, user id mismatch, operation id: foo does not match: test
+
+With this patch:
+
+radosgw-admin user create --uid=test --display-name="AN test" --email=bar@domain.invalid
+could not create user: unable to create user test because user id foo already exists with email bar@domain.invalid
+
+Fixes: https://tracker.ceph.com/issues/49137
+Fixes: https://tracker.ceph.com/issues/19411
+Signed-off-by: Matthew Vernon <mv3@sanger.ac.uk>
+(cherry picked from commit 05318d6f71e45a42a46518a0ef17047dfab83990)
+---
+ src/rgw/rgw_user.cc | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+Index: ceph/src/rgw/rgw_user.cc
+===================================================================
+--- ceph.orig/src/rgw/rgw_user.cc
++++ ceph/src/rgw/rgw_user.cc
+@@ -1970,7 +1970,14 @@ int RGWUser::remove(const DoutPrefixProv
+
+ ret = check_op(op_state, &subprocess_msg);
+ if (ret < 0) {
+- set_err_msg(err_msg, "unable to parse parameters, " + subprocess_msg);
++ if (is_populated() && (user_id.compare(op_state.get_user_id()) != 0)) {
++ set_err_msg(err_msg, "unable to create user " + user_id.to_str()
++ + " because user id " + op_state.get_user_id().to_str()
++ + " already exists with email "
++ + op_state.get_user_email());
++ } else {
++ set_err_msg(err_msg, "unable to parse parameters, " + subprocess_msg);
++ }
+ return ret;
+ }
+
diff --git a/debian/patches/bug1917414.patch b/debian/patches/bug1917414.patch
new file mode 100644
index 000000000..aca739fb9
--- /dev/null
+++ b/debian/patches/bug1917414.patch
@@ -0,0 +1,143 @@
+From db463aa139aa0f3eb996062bd7c65f0d10a7932b Mon Sep 17 00:00:00 2001
+From: luo rixin <luorixin@huawei.com>
+Date: Fri, 8 Jan 2021 16:16:02 +0800
+Subject: [PATCH] src/isa-l/erasure_code: Fix text relocation on aarch64
+
+Here is the bug report on ceph. https://tracker.ceph.com/issues/48681
+
+Signed-off-by: luo rixin <luorixin@huawei.com>
+---
+ src/isa-l/erasure_code/aarch64/gf_2vect_mad_neon.S | 5 +++--
+ src/isa-l/erasure_code/aarch64/gf_3vect_mad_neon.S | 5 +++--
+ src/isa-l/erasure_code/aarch64/gf_4vect_mad_neon.S | 5 +++--
+ src/isa-l/erasure_code/aarch64/gf_5vect_mad_neon.S | 5 +++--
+ src/isa-l/erasure_code/aarch64/gf_6vect_mad_neon.S | 5 +++--
+ src/isa-l/erasure_code/aarch64/gf_vect_mad_neon.S | 5 +++--
+ 6 files changed, 18 insertions(+), 12 deletions(-)
+
+--- a/src/isa-l/erasure_code/aarch64/gf_2vect_mad_neon.S
++++ b/src/isa-l/erasure_code/aarch64/gf_2vect_mad_neon.S
+@@ -360,7 +360,8 @@ gf_2vect_mad_neon:
+ sub x_dest1, x_dest1, x_tmp
+ sub x_dest2, x_dest2, x_tmp
+
+- ldr x_const, =const_tbl
++ adrp x_const, const_tbl
++ add x_const, x_const, :lo12:const_tbl
+ sub x_const, x_const, x_tmp
+ ldr q_tmp, [x_const, #16]
+
+@@ -394,7 +395,7 @@ gf_2vect_mad_neon:
+ mov w_ret, #1
+ ret
+
+-.section .data
++.section .rodata
+ .balign 8
+ const_tbl:
+ .dword 0x0000000000000000, 0x0000000000000000
+--- a/src/isa-l/erasure_code/aarch64/gf_3vect_mad_neon.S
++++ b/src/isa-l/erasure_code/aarch64/gf_3vect_mad_neon.S
+@@ -332,7 +332,8 @@ gf_3vect_mad_neon:
+ sub x_dest2, x_dest2, x_tmp
+ sub x_dest3, x_dest3, x_tmp
+
+- ldr x_const, =const_tbl
++ adrp x_const, const_tbl
++ add x_const, x_const, :lo12:const_tbl
+ sub x_const, x_const, x_tmp
+ ldr q_tmp, [x_const, #16]
+
+@@ -374,7 +375,7 @@ gf_3vect_mad_neon:
+ mov w_ret, #1
+ ret
+
+-.section .data
++.section .rodata
+ .balign 8
+ const_tbl:
+ .dword 0x0000000000000000, 0x0000000000000000
+--- a/src/isa-l/erasure_code/aarch64/gf_4vect_mad_neon.S
++++ b/src/isa-l/erasure_code/aarch64/gf_4vect_mad_neon.S
+@@ -397,7 +397,8 @@ gf_4vect_mad_neon:
+ sub x_dest3, x_dest3, x_tmp
+ sub x_dest4, x_dest4, x_tmp
+
+- ldr x_const, =const_tbl
++ adrp x_const, const_tbl
++ add x_const, x_const, :lo12:const_tbl
+ sub x_const, x_const, x_tmp
+ ldr q_tmp, [x_const, #16]
+
+@@ -448,7 +449,7 @@ gf_4vect_mad_neon:
+ mov w_ret, #1
+ ret
+
+-.section .data
++.section .rodata
+ .balign 8
+ const_tbl:
+ .dword 0x0000000000000000, 0x0000000000000000
+--- a/src/isa-l/erasure_code/aarch64/gf_5vect_mad_neon.S
++++ b/src/isa-l/erasure_code/aarch64/gf_5vect_mad_neon.S
+@@ -463,7 +463,8 @@ gf_5vect_mad_neon:
+ sub x_dest4, x_dest4, x_tmp
+ sub x_dest5, x_dest5, x_tmp
+
+- ldr x_const, =const_tbl
++ adrp x_const, const_tbl
++ add x_const, x_const, :lo12:const_tbl
+ sub x_const, x_const, x_tmp
+ ldr q_tmp, [x_const, #16]
+
+@@ -527,7 +528,7 @@ gf_5vect_mad_neon:
+ mov w_ret, #1
+ ret
+
+-.section .data
++.section .rodata
+ .balign 8
+ const_tbl:
+ .dword 0x0000000000000000, 0x0000000000000000
+--- a/src/isa-l/erasure_code/aarch64/gf_6vect_mad_neon.S
++++ b/src/isa-l/erasure_code/aarch64/gf_6vect_mad_neon.S
+@@ -526,7 +526,8 @@ gf_6vect_mad_neon:
+ sub x_dest5, x_dest5, x_tmp
+ sub x_dest6, x_dest6, x_tmp
+
+- ldr x_const, =const_tbl
++ adrp x_const, const_tbl
++ add x_const, x_const, :lo12:const_tbl
+ sub x_const, x_const, x_tmp
+ ldr q_tmp, [x_const, #16]
+
+@@ -602,7 +603,7 @@ gf_6vect_mad_neon:
+ mov w_ret, #1
+ ret
+
+-.section .data
++.section .rodata
+ .balign 8
+ const_tbl:
+ .dword 0x0000000000000000, 0x0000000000000000
+--- a/src/isa-l/erasure_code/aarch64/gf_vect_mad_neon.S
++++ b/src/isa-l/erasure_code/aarch64/gf_vect_mad_neon.S
+@@ -281,7 +281,8 @@ gf_vect_mad_neon:
+ mov x_src, x_src_end
+ sub x_dest1, x_dest1, x_tmp
+
+- ldr x_const, =const_tbl
++ adrp x_const, const_tbl
++ add x_const, x_const, :lo12:const_tbl
+ sub x_const, x_const, x_tmp
+ ldr q_tmp, [x_const, #16]
+
+@@ -307,7 +308,7 @@ gf_vect_mad_neon:
+ mov w_ret, #1
+ ret
+
+-.section .data
++.section .rodata
+ .balign 8
+ const_tbl:
+ .dword 0x0000000000000000, 0x0000000000000000
diff --git a/debian/patches/civetweb-755-1.8-somaxconn-configurable.patch b/debian/patches/civetweb-755-1.8-somaxconn-configurable.patch
new file mode 100644
index 000000000..8313b3ece
--- /dev/null
+++ b/debian/patches/civetweb-755-1.8-somaxconn-configurable.patch
@@ -0,0 +1,53 @@
+Description: Makes SOMAXCONN user-configurable.
+Author: Jesse Williamson <jesse.williamson@canonical.com>
+Origin: upstream, https://github.com/civetweb/civetweb/pull/776/commits/febab7dc38c9671577603425c54c20f841e27f97
+Bug: https://github.com/civetweb/civetweb/issues/775
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1838109
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/civetweb/src/civetweb.c
++++ b/src/civetweb/src/civetweb.c
+@@ -1541,10 +1541,6 @@ typedef int socklen_t;
+ #define MSG_NOSIGNAL (0)
+ #endif
+
+-#if !defined(SOMAXCONN)
+-#define SOMAXCONN (100)
+-#endif
+-
+ /* Size of the accepted socket queue */
+ #if !defined(MGSQLEN)
+ #define MGSQLEN (20)
+@@ -2063,6 +2059,7 @@ enum {
+ SSL_CERTIFICATE,
+ SSL_CERTIFICATE_CHAIN,
+ NUM_THREADS,
++ SO_MAX_CONNECTIONS,
+ RUN_AS_USER,
+ URL_REWRITE_PATTERN,
+ HIDE_FILES,
+@@ -2165,6 +2162,7 @@ static struct mg_option config_options[]
+ {"ssl_certificate", CONFIG_TYPE_FILE, NULL},
+ {"ssl_certificate_chain", CONFIG_TYPE_FILE, NULL},
+ {"num_threads", CONFIG_TYPE_NUMBER, "50"},
++ {"max_connections", CONFIG_TYPE_NUMBER, "100"},
+ {"run_as_user", CONFIG_TYPE_STRING, NULL},
+ {"url_rewrite_patterns", CONFIG_TYPE_STRING_LIST, NULL},
+ {"hide_files_patterns", CONFIG_TYPE_EXT_PATTERN, NULL},
+@@ -13340,7 +13338,15 @@ set_ports_option(struct mg_context *ctx)
+ continue;
+ }
+
+- if (listen(so.sock, SOMAXCONN) != 0) {
++ char *p = ctx->config[SO_MAX_CONNECTIONS];
++ long opt_max_connections = strtol(p, NULL, 10);
++ if(opt_max_connections > INT_MAX || opt_max_connections < 1) {
++ mg_cry(fc(ctx),
++ "max_connections value \"%s\" is invalid", p);
++ continue;
++ }
++
++ if (listen(so.sock, (int)opt_max_connections) != 0) {
+
+ mg_cry(fc(ctx),
+ "cannot listen to %.*s: %d (%s)",
diff --git a/debian/patches/civetweb-755-1.8-somaxconn-configurable_conf.patch b/debian/patches/civetweb-755-1.8-somaxconn-configurable_conf.patch
new file mode 100644
index 000000000..e8e3b0b0f
--- /dev/null
+++ b/debian/patches/civetweb-755-1.8-somaxconn-configurable_conf.patch
@@ -0,0 +1,18 @@
+Description: Adds max_connections to reference configuration.
+Author: Jesse Williamson <jesse.williamson@canonical.com>
+Origin: upstream, https://github.com/civetweb/civetweb/pull/776/commits/3b8eb36676f70d06f8918ccf62029207c49cdda0
+Bug: https://github.com/civetweb/civetweb/issues/775
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1838109
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/civetweb/resources/civetweb.conf
++++ b/src/civetweb/resources/civetweb.conf
+@@ -8,6 +8,8 @@
+ document_root .
+ listening_ports 8080
+
++#so_max_connections 100
++
+ # cgi_pattern **.cgi$|**.pl$|**.php$
+ # cgi_environment
+ # put_delete_auth_file
diff --git a/debian/patches/civetweb-755-1.8-somaxconn-configurable_test.patch b/debian/patches/civetweb-755-1.8-somaxconn-configurable_test.patch
new file mode 100644
index 000000000..cdd27b5ab
--- /dev/null
+++ b/debian/patches/civetweb-755-1.8-somaxconn-configurable_test.patch
@@ -0,0 +1,17 @@
+Description: Adds max_connections to test display.
+Author: Jesse Williamson <jesse.williamson@canonical.com>
+Origin: upstream, https://github.com/civetweb/civetweb/pull/776/commits/3b8eb36676f70d06f8918ccf62029207c49cdda0
+Bug: https://github.com/civetweb/civetweb/issues/775
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1838109
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/civetweb/test/page3.ssjs
++++ b/src/civetweb/test/page3.ssjs
+@@ -21,6 +21,7 @@ opts = [
+ "document_root",
+ "ssl_certificate",
+ "num_threads",
++"max_connections",
+ "run_as_user",
+ "url_rewrite_patterns",
+ "hide_files_patterns",
diff --git a/debian/patches/cmake-test-for-16-bytes-atomic-support-on-mips-also.patch b/debian/patches/cmake-test-for-16-bytes-atomic-support-on-mips-also.patch
new file mode 100644
index 000000000..c9712311a
--- /dev/null
+++ b/debian/patches/cmake-test-for-16-bytes-atomic-support-on-mips-also.patch
@@ -0,0 +1,29 @@
+Description: cmake: test for 16-byte atomic support on mips also
+ it's reported that a mips64el build host is able to pass the test of
+ CheckCxxAtomic without linking against libatomic, while librbd.so
+ fails to link due to failures like
+ .
+ /usr/bin/ld: ../../../lib/librbd.so.1.16.0: undefined reference to `__atomic_store_16'
+ /usr/bin/ld: ../../../lib/librbd.so.1.16.0: undefined reference to `__atomic_load_16'
+ /usr/bin/ld: ../../../lib/librbd.so.1.16.0: undefined reference to `__atomic_compare_exchange_16'
+ .
+ so we have to check the existence of __atomic_load_16 instruction on
+ mips architecture.
+Author: Kefu Chai <tchaikov@gmail.com>
+Date: Wed, 24 Nov 2021 00:40:54 +0800
+Origin: upstream, https://github.com/ceph/ceph/commit/709a77f22010f03aee4a4c0ab930588944cb4a58
+Last-Update: 2021-11-24
+
+diff --git a/cmake/modules/CheckCxxAtomic.cmake b/cmake/modules/CheckCxxAtomic.cmake
+index f2d89cf3e0beb..da2be5206d634 100644
+--- a/cmake/modules/CheckCxxAtomic.cmake
++++ b/cmake/modules/CheckCxxAtomic.cmake
+@@ -11,7 +11,7 @@ function(check_cxx_atomics var)
+ #include <atomic>
+ #include <cstdint>
+
+-#if __s390x__
++#if defined(__s390x__) || (defined(__mips__) && _MIPS_SIM ==_ABI64 )
+ // Boost needs 16-byte atomics for tagged pointers.
+ // These are implemented via inline instructions on the platform
+ // if 16-byte alignment can be proven, and are delegated to libatomic
diff --git a/debian/patches/compile-ppc.c-on-all-powerpc-machines.patch b/debian/patches/compile-ppc.c-on-all-powerpc-machines.patch
new file mode 100644
index 000000000..888d58919
--- /dev/null
+++ b/debian/patches/compile-ppc.c-on-all-powerpc-machines.patch
@@ -0,0 +1,92 @@
+From 1b9ad6ca971d2c6222f1fb405ae620a32159cd5d Mon Sep 17 00:00:00 2001
+From: Kefu Chai <tchaikov@gmail.com>
+Date: Sun, 29 Aug 2021 22:24:30 +0800
+Subject: [PATCH] arch,cmake: compile ppc.c on all powerpc machines
+
+* cmake/modules/SIMDExt.cmake: define HAVE_PPC for 32-bit PowerPC.
+* src/arch/CMakeLists.txt: compile ppc.c for all PowerPC architectures,
+ including powerpc (32-bit PowerPC), ppc64el (64-bit Little Endian
+ PowerPC) and ppc64 (64-bit Big Endian PowerPC).
+
+before this change, ppc.c is only compiled if HAVE_POWER8 is defined.
+but Power8 is a 64-bit PowerPC architecture. while in src/arch/probe.cc,
+we check for `defined(__powerpc__) || defined(__ppc__)`, if this is
+true, ceph_arch_ppc_probe() is used to check for the support of
+Altivec. but on non-power8 PowerPC machines, the linker fails to find the
+symbols like ceph_arch_ppc_probe(), as ppc.c is not compiled on them.
+
+in this change, ppc.c is compiled on all PowerPC architectures, so that
+ceph_arch_ppc_probe() is also available on non-power8 machines. this
+change does not impact the behavior of non-power8 machines. because
+on them, the runtime check would fail to detect the existence of
+PPC_FEATURE2_VEC_CRYPTO instructions.
+
+Reported-by: Mattias Ellert <mattias.ellert@physics.uu.se>
+Signed-off-by: Kefu Chai <tchaikov@gmail.com>
+---
+ cmake/modules/SIMDExt.cmake | 17 ++++++++++++++---
+ src/arch/CMakeLists.txt | 2 +-
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+Index: ceph/cmake/modules/SIMDExt.cmake
+===================================================================
+--- ceph.orig/cmake/modules/SIMDExt.cmake
++++ ceph/cmake/modules/SIMDExt.cmake
+@@ -1,8 +1,13 @@
+ # detect SIMD extensions
+ #
++# HAVE_ARM
+ # HAVE_ARMV8_CRC
++# HAVE_ARMV8_CRC_CRYPTO_INTRINSICS
++# HAVE_ARMV8_CRYPTO
+ # HAVE_ARMV8_SIMD
+ # HAVE_ARM_NEON
++#
++# HAVE_INTEL
+ # HAVE_INTEL_SSE
+ # HAVE_INTEL_SSE2
+ # HAVE_INTEL_SSE3
+@@ -11,6 +16,10 @@
+ # HAVE_INTEL_SSE4_1
+ # HAVE_INTEL_SSE4_2
+ #
++# HAVE_PPC64LE
++# HAVE_PPC64
++# HAVE_PPC
++#
+ # SIMD_COMPILE_FLAGS
+ #
+
+@@ -82,14 +91,16 @@ elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "i
+ endif()
+ endif(CMAKE_SYSTEM_PROCESSOR MATCHES "amd64|x86_64|AMD64")
+ endif(CMAKE_SYSTEM_PROCESSOR MATCHES "i686|amd64|x86_64|AMD64")
+-elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "(powerpc|ppc)64|(powerpc|ppc)64le")
++elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "(powerpc|ppc)")
+ if(CMAKE_SYSTEM_PROCESSOR MATCHES "(powerpc|ppc)64le")
+ set(HAVE_PPC64LE 1)
+ message(STATUS " we are ppc64le")
+- else()
++ elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "(powerpc|ppc)64")
+ set(HAVE_PPC64 1)
+ message(STATUS " we are ppc64")
+- endif(CMAKE_SYSTEM_PROCESSOR MATCHES "(powerpc|ppc)64le")
++ else()
++ set(HAVE_PPC 1)
++ endif()
+ CHECK_C_COMPILER_FLAG("-maltivec" HAS_ALTIVEC)
+ if(HAS_ALTIVEC)
+ message(STATUS " HAS_ALTIVEC yes")
+Index: ceph/src/arch/CMakeLists.txt
+===================================================================
+--- ceph.orig/src/arch/CMakeLists.txt
++++ ceph/src/arch/CMakeLists.txt
+@@ -5,7 +5,7 @@ if(HAVE_ARM)
+ list(APPEND arch_srcs arm.c)
+ elseif(HAVE_INTEL)
+ list(APPEND arch_srcs intel.c)
+-elseif(HAVE_POWER8)
++elseif(HAVE_PPC64LE OR HAVE_PPC64 OR HAVE_PPC)
+ list(APPEND arch_srcs ppc.c)
+ endif()
+
diff --git a/debian/patches/debian-armel-armhf-buildflags.patch b/debian/patches/debian-armel-armhf-buildflags.patch
new file mode 100644
index 000000000..e9a450aa5
--- /dev/null
+++ b/debian/patches/debian-armel-armhf-buildflags.patch
@@ -0,0 +1,45 @@
+--- a/cmake/modules/SIMDExt.cmake
++++ b/cmake/modules/SIMDExt.cmake
+@@ -40,11 +40,14 @@ if(CMAKE_SYSTEM_PROCESSOR MATCHES "aarch
+
+ elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "arm|ARM")
+ set(HAVE_ARM 1)
+- CHECK_C_COMPILER_FLAG(-mfpu=neon HAVE_ARM_NEON)
+- if(HAVE_ARM_NEON)
+- set(SIMD_COMPILE_FLAGS "${SIMD_COMPILE_FLAGS} -mfpu=neon")
++ if(CMAKE_LIBRARY_ARCHITECTURE EQUAL "arm-linux-gnueabi")
++ set(SIMD_COMPILE_FLAGS "${SIMD_COMPILE_FLAGS} --with-arch=armv5te --with-float=soft")
++ else()
++ CHECK_C_COMPILER_FLAG(-mfpu=neon HAVE_ARM_NEON)
++ if(HAVE_ARM_NEON)
++ set(SIMD_COMPILE_FLAGS "${SIMD_COMPILE_FLAGS} -mfpu=neon")
++ endif()
+ endif()
+-
+ elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "i386|i686|amd64|x86_64|AMD64")
+ set(HAVE_INTEL 1)
+ if(CMAKE_SYSTEM_PROCESSOR MATCHES "i686|amd64|x86_64|AMD64")
+--- a/src/erasure-code/jerasure/gf-complete/m4/ax_ext.m4
++++ b/src/erasure-code/jerasure/gf-complete/m4/ax_ext.m4
+@@ -19,10 +19,17 @@ AC_DEFUN([AX_EXT],
+ ;;
+
+ arm*)
+- AC_CACHE_CHECK([whether NEON is enabled], [ax_cv_have_neon_ext], [ax_cv_have_neon_ext=yes])
+- if test "$ax_cv_have_neon_ext" = yes; then
+- AX_CHECK_COMPILE_FLAG(-mfpu=neon, [SIMD_FLAGS="$SIMD_FLAGS -mfpu=neon -DARM_NEON"], [ax_cv_have_neon_ext=no])
+- fi
++ case $host_cpu in
++ arm-linux-gnueabi)
++ AX_CHECK_COMPILE_FLAG(-mfpu=soft, [SIMD_FLAGS="$SIMD_FLAGS -mfpu=soft -march=armv5te"], [ax_cv_have_neon_ext=no])
++ ;;
++ *)
++ AC_CACHE_CHECK([whether NEON is enabled], [ax_cv_have_neon_ext], [ax_cv_have_neon_ext=yes])
++ if test "$ax_cv_have_neon_ext" = yes; then
++ AX_CHECK_COMPILE_FLAG(-mfpu=neon, [SIMD_FLAGS="$SIMD_FLAGS -mfpu=neon -DARM_NEON"], [ax_cv_have_neon_ext=no])
++ fi
++ ;;
++ esac
+ ;;
+
+ powerpc*)
diff --git a/debian/patches/disable-crypto.patch b/debian/patches/disable-crypto.patch
new file mode 100644
index 000000000..b25aaac1b
--- /dev/null
+++ b/debian/patches/disable-crypto.patch
@@ -0,0 +1,16 @@
+Index: ceph/src/os/CMakeLists.txt
+===================================================================
+--- ceph.orig/src/os/CMakeLists.txt
++++ ceph/src/os/CMakeLists.txt
+@@ -98,8 +98,9 @@ endif()
+ target_link_libraries(os kv)
+
+ add_dependencies(os compressor_plugins)
+-add_dependencies(os crypto_plugins)
+-
++if(HAVE_INTEL AND HAVE_BETTER_YASM_ELF64 AND (NOT APPLE))
++ add_dependencies(os crypto_plugins)
++endif()
+
+ if(WITH_BLUESTORE)
+ add_executable(ceph-bluestore-tool
diff --git a/debian/patches/enable-strsignal.patch b/debian/patches/enable-strsignal.patch
new file mode 100644
index 000000000..dacd6ded0
--- /dev/null
+++ b/debian/patches/enable-strsignal.patch
@@ -0,0 +1,18 @@
+Description: This defines HAVE_REENTRANT_STRSIGNAL as sys_siglist no longer
+ exists with glibc 2.32 and all programs should use strsignal instead.
+Forwarded: no
+Last-Update: 2020-09-21
+
+Index: ceph/CMakeLists.txt
+===================================================================
+--- ceph.orig/CMakeLists.txt
++++ ceph/CMakeLists.txt
+@@ -505,7 +505,7 @@ if(WITH_THREAD_SAFE_RES_QUERY)
+ set(HAVE_THREAD_SAFE_RES_QUERY 1 CACHE INTERNAL "Thread safe res_query supported.")
+ endif()
+
+-option(WITH_REENTRANT_STRSIGNAL "strsignal is reentrant" OFF)
++option(WITH_REENTRANT_STRSIGNAL "strsignal is reentrant" ON)
+ if(WITH_REENTRANT_STRSIGNAL)
+ set(HAVE_REENTRANT_STRSIGNAL 1 CACHE INTERNAL "Reentrant strsignal is supported.")
+ endif()
diff --git a/debian/patches/fix-CheckCxxAtomic-riscv64.patch b/debian/patches/fix-CheckCxxAtomic-riscv64.patch
new file mode 100644
index 000000000..52d3ad7f3
--- /dev/null
+++ b/debian/patches/fix-CheckCxxAtomic-riscv64.patch
@@ -0,0 +1,16 @@
+Description: Fix CheckCxxAtomic to detect more accurately
+ Some platforms like riscv64 does not have full support for atomic primitives,
+ yet passes the test. Adding operator++ fixes this issue.
+Author: Eric Long <i@hack3r.moe>
+Last-Update: 2022-08-30
+--- a/cmake/modules/CheckCxxAtomic.cmake
++++ b/cmake/modules/CheckCxxAtomic.cmake
+@@ -32,7 +32,7 @@
+ std::atomic<uint16_t> w2;
+ std::atomic<uint32_t> w4;
+ std::atomic<uint64_t> w8;
+- return w1 + w2 + w4 + w8;
++ return ++w1 + ++w2 + ++w4 + ++w8;
+ }
+ " ${var})
+ endfunction(check_cxx_atomics)
diff --git a/debian/patches/fix-bash-completion-location b/debian/patches/fix-bash-completion-location
new file mode 100644
index 000000000..916ff8a79
--- /dev/null
+++ b/debian/patches/fix-bash-completion-location
@@ -0,0 +1,9 @@
+--- a/src/bash_completion/CMakeLists.txt
++++ b/src/bash_completion/CMakeLists.txt
+@@ -11,5 +11,5 @@ if(WITH_RADOSGW)
+ endif()
+
+ install(FILES ${completions}
+- DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/bash_completion.d)
++ DESTINATION /usr/share/bash-completion/completions)
+
diff --git a/debian/patches/fix-ceph-osd-systemd-target.patch b/debian/patches/fix-ceph-osd-systemd-target.patch
new file mode 100644
index 000000000..9f42077ba
--- /dev/null
+++ b/debian/patches/fix-ceph-osd-systemd-target.patch
@@ -0,0 +1,17 @@
+Description: Fix systemd ceph-osd.target
+ This helps when rebooting.
+Author: Thomas Goirand <zigo@debian.org>
+Forwarded: no
+Last-Update: 2021-01-28
+
+--- ceph-14.2.16.orig/systemd/ceph-osd.target
++++ ceph-14.2.16/systemd/ceph-osd.target
+@@ -1,7 +1,7 @@
+ [Unit]
+ Description=ceph target allowing to start/stop all ceph-osd@.service instances at once
+ PartOf=ceph.target
+-After=ceph-mon.target
++After=ceph-mon.target systemd-udev-settle.service
+ Before=ceph.target
+ Wants=ceph.target ceph-mon.target
+
diff --git a/debian/patches/only-yied-under-armv7-and-above.patch b/debian/patches/only-yied-under-armv7-and-above.patch
new file mode 100644
index 000000000..f5a9206b6
--- /dev/null
+++ b/debian/patches/only-yied-under-armv7-and-above.patch
@@ -0,0 +1,17 @@
+Description: Only yield under ARMv7 and above (#1176)
+Author: Rosen Penev <rosenp@gmail.com>
+Date: Tue, 12 Nov 2019 13:56:53 -0800
+Origin: upstream, https://github.com/facebook/folly/commit/62d8e6e0b91ebd6f878f3066cd9b6e5f3c18a97b.patch
+Last-Update: 2021-11-24
+
+--- ceph-16.2.6+ds.orig/src/rocksdb/third-party/folly/folly/portability/Asm.h
++++ ceph-16.2.6+ds/src/rocksdb/third-party/folly/folly/portability/Asm.h
+@@ -19,7 +19,7 @@ inline void asm_volatile_pause() {
+ ::_mm_pause();
+ #elif defined(__i386__) || FOLLY_X64
+ asm volatile("pause");
+-#elif FOLLY_AARCH64 || defined(__arm__)
++#elif FOLLY_AARCH64 || (defined(__arm__) && !(__ARM_ARCH < 7))
+ asm volatile("yield");
+ #elif FOLLY_PPC64
+ asm volatile("or 27,27,27");
diff --git a/debian/patches/riscv64-link-pthread.patch b/debian/patches/riscv64-link-pthread.patch
new file mode 100644
index 000000000..18b6eed93
--- /dev/null
+++ b/debian/patches/riscv64-link-pthread.patch
@@ -0,0 +1,16 @@
+Description: Link with -pthread instead of -lpthread to fix FTBFS on riscv64
+Forwarded: no
+Last-Update: 2020-03-01
+
+Index: ceph/CMakeLists.txt
+===================================================================
+--- ceph.orig/CMakeLists.txt
++++ ceph/CMakeLists.txt
+@@ -25,6 +25,7 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_S
+
+ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+ set(LINUX ON)
++ set(THREADS_PREFER_PTHREAD_FLAG ON)
+ FIND_PACKAGE(Threads)
+ elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD")
+ set(FREEBSD ON)
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000000000..a4cec842c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,25 @@
+enable-strsignal.patch
+update-java-source-target-flags.patch
+disable-crypto.patch
+# Ubuntu: civetweb max connections
+civetweb-755-1.8-somaxconn-configurable_conf.patch
+civetweb-755-1.8-somaxconn-configurable.patch
+civetweb-755-1.8-somaxconn-configurable_test.patch
+# Upstream: py3
+# Upstream: 32bit
+debian-armel-armhf-buildflags.patch
+fix-bash-completion-location
+32bit-fixes.patch
+add-option-to-disable-ceph-dencoder.patch
+riscv64-link-pthread.patch
+fix-ceph-osd-systemd-target.patch
+compile-ppc.c-on-all-powerpc-machines.patch
+bug1914584.patch
+bug1917414.patch
+cmake-test-for-16-bytes-atomic-support-on-mips-also.patch
+only-yied-under-armv7-and-above.patch
+Fix-build-with-fmt-8-9.patch
+fix-CheckCxxAtomic-riscv64.patch
+CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
+CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
+CVE-2022-3854_1_rgw_Guard_against_malformed_bucket_URLs.patch
diff --git a/debian/patches/update-java-source-target-flags.patch b/debian/patches/update-java-source-target-flags.patch
new file mode 100644
index 000000000..6c8b79228
--- /dev/null
+++ b/debian/patches/update-java-source-target-flags.patch
@@ -0,0 +1,23 @@
+Description: use --release 7 instead of -source/-target
+ Instead of -source/-target ceph should be build with --release for OpenJDK 9
+ or later so that the bootclasspath is also set, as per JEP-247, otherwise it
+ risks incurring into binary incompatibility when run with an earlier OpenJDK.
+ OpenJDK 11 minimum compatibility release has been updated to 7.
+Author: Tiago Stürmer Daitx <tiago.daitx@ubuntu.com>
+Bug-Ubuntu: https://launchpad.net/bugs/1756854
+Bug-Ubuntu: https://launchpad.net/bugs/1766998
+Forwarded: no
+Last-Update: 2018-04-24
+---
+
+--- a/src/java/CMakeLists.txt
++++ b/src/java/CMakeLists.txt
+@@ -21,7 +21,7 @@ set(java_srcs
+ # warning: [options] bootstrap class path not set in conjunction with -source 1.7
+ # as per
+ # https://blogs.oracle.com/darcy/entry/bootclasspath_older_source
+-set(CMAKE_JAVA_COMPILE_FLAGS "-source" "1.8" "-target" "1.8" "-Xlint:-options")
++set(CMAKE_JAVA_COMPILE_FLAGS "--release" "7" "-Xlint:-options")
+ set(jni_header_dir "${CMAKE_CURRENT_BINARY_DIR}/native")
+ if(CMAKE_VERSION VERSION_LESS 3.11)
+ set(CMAKE_JAVA_COMPILE_FLAGS ${CMAKE_JAVA_COMPILE_FLAGS} "-h" ${jni_header_dir})