author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 18:49:59 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 18:49:59 +0000 |
commit | 01997497f915e8f79871f3f2acb55ac465051d24 (patch) | |
tree | 1ce1afd7246e1014199e15cbf854bf7924458e5d | |
parent | Adding upstream version 6.1.76. (diff) | |
Adding debian version 6.1.76-1. (refs: debian/6.1.76-1, debian)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
1793 files changed, 173113 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 000000000..fa3f0a315 --- /dev/null +++ b/debian/README.Debian 
@@ -0,0 +1,65 @@ +Linux kernel for Debian +----------------------- + +Patches +------- +Debian applies small changes to the kernel source. These are split up into +separated patches addressing individual problems. Each of the patch files +contains a description and mentions the author. The patches can be found +in the source package or at +https://sources.debian.org/src/linux/<version>/debian/patches/ +(with the package version substituted). + +Config Files +------------ +The .config files used to build the various linux-image files are dynamically +generated during the linux package build. See the source package for +details. Each linux-image-* package provides the complete .config file that +was used to generate it. This file is installed in /boot. + +Scope of security support +------------------------- +Security support is provided not only for the binary builds, but also +for the full source package, allowing for locally customized kernels. +However, kernel options that are not enabled in official Debian builds are +given a lower priority for security support. Options marked as BROKEN +or EXPERIMENTAL are of very low priority, and should not be enabled in +customized builds for a security-sensitive environment. + +Building custom kernel binary packages +-------------------------------------- +We recommend using the 'make deb-pkg' target provided by the upstream +kernel source. + +Rebuilding official binary packages +----------------------------------- +You can build specific kernel binary packages using the targets in +debian/rules.gen, which have names of the form: + binary-arch_<architecture>_<featureset>_<flavour> + +Example: + fakeroot make -f debian/rules.gen binary-arch_i386_none_686 + +Rebuilding Adaptec AIC7xxx/79xx firmware +---------------------------------------- +You can rebuild the firmware for the Adaptec AIC7xxx/79xx SCSI Adapters. To +do so you need to set AIC7XXX_BUILD_FIRMWARE/AIC79XX_BUILD_FIRMWARE config +options. 
Note that this requires to have the development packages for +Berkeley Database (libdb-dev) installed. + +Non-free bits removed +--------------------- +See the Files-Excluded field in debian/copyright. + +Changelog +--------- +Older Debian changelog entries are no longer included in binary +packages, but can be found in debian/changelog.old in the source +package. + +Further information +------------------- +Debian Linux Kernel Handbook: + https://kernel-team.pages.debian.net/kernel-handbook/ + or debian-kernel-handbook package +Debian Wiki: https://wiki.debian.org/DebianKernel diff --git a/debian/README.source b/debian/README.source new file mode 100644 index 000000000..2248ac9ae --- /dev/null +++ b/debian/README.source 
@@ -0,0 +1,297 @@ +Checklist for uploaders +======================= + +There is a checklist in the kernel-team.git repository; see +<https://salsa.debian.org/kernel-team/kernel-team/-/blob/master/docs/kernel-upload-checklist.md>. + +Updating the upstream source +============================ + +In addition to the build-dependencies, you will need the rsync package +installed. + +1) Run: ./debian/bin/genorig.py <repository> + + where <repository> is a local or remote git repository with the + upstream release tag in it. + + If you do not have a local repository, use the appropriate one of: + + * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git + * https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git + * git://kernel.ubuntu.com/ubuntu/linux.git + + This will produce ../orig/linux_<version>.orig.tar.xz + (e.g. linux_3.5~rc1.orig.tar.xz). + + It involves deleting files for DFSG compliance, as listed in the + Files-Excluded field in debian/copyright. + +2) Run: make -f debian/rules orig + + This will apply the main quilt series to the upstream source, which + will usually fail due to conflicts with upstream changes. You need + to resolve those by dropping or refreshing patches. + +Recording updates in the changelog +---------------------------------- + +Upstream commits that we already cherry-picked and included in a +previous package upload should not be mentioned, since they don't make +any difference to the package. Any other commits that fix a Debian +bug report and/or a security issue with a CVE ID should always be +listed, along with the (Closes: #nnnnnn) and/or (CVE-yyyy-nnnn) +reference. + +Aside from those general rules: + +* For an upstream release candidate, don't attempt to list the changes + +* For a stable release by Linus, refer to the summary at + kernelnewbies.org, e.g. https://kernelnewbies.org/Linux_4.5 + +* For a stable update, refer to the changelog on kernel.org, e.g. 
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.1, and + list all changes that are relevant to our package and that fix bugs + that we would consider 'important' or higher severity + + - The script debian/bin/stable-update updates the changelog + version and inserts the list of changes. It doesn't attempt to + filter out irrelevant or unimportant changes. + + - If you have time, please delete irrelevant changes such as: + + Fixes for architectures not supported by the package + + Fixes for drivers that aren't enabled in any of our configurations + + Build fixes for configurations that we don't use + + Fixes for lockdep false positives + +If you have time, please add bracketted prefixes to the upstream +change list as described below under "Changelog conventions". + +Applying patches to the Debian kernel tree +========================================== + +The Debian kernel packaging uses the quilt patch system, but with +multiple series to allow for featuresets. + +Patches are stored below debian/patches, loosely sorted in bugfix/, +features/ and debian/. Patches are in the standard kernel patch +format (unified diff to be applied with patch -p1) and generally have +DEP-3 headers. + +For each optional featureset there is an additional patch directory +debian/patches-<featureset>. + +If you want to generate a source tree with all patches applied, run +make -f debian/rules source + +The resulting source can be found below debian/build. + +Changelog conventions +===================== + +If a change only affects some architectures, flavours or featuresets, +this should be noted with a bracketted prefix on the changelog line: + +* [<fset>] Change to featureset <fset> +* [<arch>] Change that affects Debian architecture <arch> +* [<arch1>,<arch2>...] Change that affects Debian architectures + <arch1>, <arch2>, ... 
+* [<arch>/<flavour>] Change that affects kernel flavour <flavour> + on Debian architecture <arch> +* [<arch>/{<flavour1>,<flavour2>...}] Change that affects kernel + flavours <flavour1>, <flavour2>, ... on Debian architecture <arch> + +You can use wildcards to cover multiple values, e.g. 'arm*' for armel, +armhf and arm64 architectures. Also 'x86' is used to cover the Debian +architectures amd64, i386 and x32. + +Kernel config files +=================== + +Each kernel configuration file is constructed dynamically from a +number of files under debian/config and (if it exists) +debian/config.local. They are read in the following order, such that +files later on the list can override settings from earlier files. +Files in debian/config.local can also override settings from the +corresponding file in debian/config. Most of the files are optional +and the filenames can generally be overridden by explicit lists +(possibly empty) specified in the 'defines' files. + +1. Common: + - Default filename: config + - Filename list: [image]configs in defines +2. Per kernel architecture: + - Filename: kernelarch-<karch>/config (optional) +3. Per architecture: + - Default filename: <arch>/config + - Filename list: [image]configs in <arch>/defines +4. Per architecture and flavour: + - Default filename: <arch>/config.<flavour> (optional) + - Filename list: [<flavour>_image]configs in <arch>/defines +5. Per featureset: + - Default filename: featureset-<fset>/config (optional) + - Filename list: [image]configs in featureset-<fset>/defines +6. Per architecture and featureset: + - Default filename: <arch>/<fset>/config (optional) + - Filename list: [image]configs in <arch>/<fset>/defines +7. Per architecture, featureset, and flavour: + - Default filename: <arch>/<fset>/config.<flavour> (optional) + - Filename list: [<flavour>_image]configs in <arch>/<fset>/defines + +You can check the final list of configuration files by reading +debian/rules.gen. 
Each binary-arch_<arch>_<fset>_<flavour>_real +rule passes the list to debian/rules.real as the KCONFIG variable. + +These files should be kept in order using the kconfigeditor2 +utility from <https://salsa.debian.org/kernel-team/kernel-team>. +With this source package as your working directory, run: + + debian/rules source + .../kernel-team/utils/kconfigeditor2/process.py . + +This will also warn about any symbols that no longer exist, or +cannot be explicitly configured. + +Control file +============ +The master control file debian/control must be generated before +the package is uploaded. debian/rules contains the debian/control +target, which generates the control file by invoking the +debian/bin/gencontrol.py script, which combines the templates from +the templates directory and architecture-specific defines file to +produce the debian/control file. Note that this target is intentionally +made to fail with a non-zero exit code to make sure that it is never +run during an automatic build. The following variables are substituted +into the templates: + +@version@ Upstream kernel version, for example 2.6.11. +@arch@ The Debian arch name, such as powerpc or i386. +@flavour@ The build flavour, such as 686 or k7-smp. +@class@ The CPU/architecture class; displayed in synopsis. It should + be fairly short, as the synopsis is supposed to be <80 chars. + It should be in the form "foo class", and will show up in the + description as "foo class machines". +@longclass@ The CPU/architecture class; displayed in the extended + description. The same rules apply as in @class@. If + this is unset, it will default to @class@. +@desc@ (Potentially) multi-line verbiage that's appended to + -image descriptions. +@abiname@ Current abiname, a single digit. + +Normally, the arch-specific contents should be controlled by +adjusting the corresponding defines file. 
+ +Build-dependencies that relate to specific binary packages can be +specified in a Build-Depends field in the template for that binary +package. gencontrol.py will append the value to the source package's +Build-Depends-Arch or Build-Depends-Indep field, as appropriate. It +will also use the binary package's Architecture and Build-Profile as +the architecture-qualification and/or restriction for each build- +dependency that doesn't already have them. + +TODO: +- Patches applied to the upstream source +- How to define a flavour +- More detail on generation of debian/control and configs + +Running tests +============= + +linux supports autopkgtest and should be able to run most of the +kernel's self-tests on any architecture where kexec is supported, +but it has higher resource requirements than most packages: + +- A VM with plenty of disk space (10GB is enough), RAM (1GB is + probably enough) and at least 2 CPUs +- The temporary directory for adt-virt-qemu (-o option) will need + several GB of space, so a tmpfs may not be suitable + +Note that if you tell adt-run to use an 'unbuilt tree' (i.e. an +unpacked source package) it does not exclude VCS directories such as +.git. Either use a packed source package or copy the working tree +elsewhere excluding .git. + +Example invocation: + + adt-run -B ../linux-image-4.2.0-rc6-amd64_4.2~rc6-1~exp2_amd64.deb \ + ../linux_4.2~rc6-1~exp2.dsc \ + --timeout-test=1200 \ + --- adt-virt-qemu /var/cache/autopkgtest/adt-sid.img -o /var/tmp -c 2 + +Build profiles +============== + +Several build profiles are understood and supported: + +- stage1: Needed when bootstrapping an architecture. A stage1 build + produces only the linux-libc-dev package and has no host + build-dependencies. +- nodoc: Exclude most documentation +- noudeb: Exclude installer udeb packages +- pkg.linux.notools: Exclude userland tool packages (linux-kbuild-<version>, + linux-perf, etc.) 
+- pkg.linux.mintools: Build minimal set of userland tool packages + (linux-kbuild-<version>, linux-bootwrapper-<abiname> on powerpc/ppc64) +- pkg.linux.nokernel: Exclude kernel image and header packages +- pkg.linux.nokerneldbg: Exclude kernel debug packages +- pkg.linux.nokerneldbginfo: Build kernel without debug symbols (also disables + BTF) +- pkg.linux.nosource: Exclude source binary package (linux-source-<version>) +- cross: Needed when cross-building. +- nopython: Disable Python bindings. This currently disables building the + linux-perf-<version> package, as the perf program embeds Python. +- pkg.linux.nometa: Exclude most meta-packages. The linux-compiler-* and + linux-headers-*-all* packages can still be built. +- pkg.linux.quick: Perform a limited build that should provide good + coverage yet be quick enough for use in CI. + +Build rules +=========== + +The Debian build rules are split across multiple makefiles: + +- debian/rules: Standard top-level makefile for Debian package build. +- debian/rules.gen: Intermediate makefile between debian/rules and + debian/rules.real. This is generated by gencontrol.py based on + the configuration under debian/config. +- debian/rules.real: Makefile for building a single kernel flavour + or other group of binary packages. +- debian/rules.d: Makefiles for building userland code from specific + source directories. The directory structure mirrors the kernel + source directories. debian/rules.real uses the "make-tools" to + invoke these makefiles. + +All builds *must* be done out-of-tree in a subdirectory of +debian/build, so that the output files do not end up in the +linux-source-<version> binary package. Currently kernel builds use +debian/build/build_<arch>_<featureset>_<flavour>, userland code uses +debian/build/build-tools/<source-dir> and documentation uses +debian/build/build-doc. 
+ +Code signing +============ + +The kernel image and modules may be signed after building, to support +a Secure Boot or Trusted Boot policy. In Debian, this is performed by +a "code signing service" that is separate from the normal package +build process. + +The initial package build generates binary packages named +linux-image-<arch>-signed-template, that contain a source package +template and metadata about the files to be signed. The code signing +service will download this and the linux-image packages to be signed. +It will add detached signatures to the source package, then upload it +(without ever running debian/rules). + +The source package template is generated by +debian/bin/gencontrol_signed.py and debian/rules.real with files from +debian/signing_templates and debian/templates. To test changes to +these: + +1. Build the linux source package. +2. Generate the signed source package by running the script + "debian-test-sign" from the kernel-team.git repository. It is + also possible to set up a development configuration of the + official code signing service, but this is more complicated. +3. Build the signed source package. diff --git a/debian/bin/abiupdate.py b/debian/bin/abiupdate.py new file mode 100755 index 000000000..dbb6f77ba --- /dev/null +++ b/debian/bin/abiupdate.py 
@@ -0,0 +1,232 @@ +#!/usr/bin/python3 + +import sys +import optparse +import os +import shutil +import tempfile + +from urllib.request import urlopen +from urllib.error import HTTPError + +from debian_linux.abi import Symbols +from debian_linux.config import ConfigCoreDump +from debian_linux.debian import Changelog, VersionLinux + +default_url_base = "https://deb.debian.org/debian/" +default_url_base_incoming = "https://incoming.debian.org/debian-buildd/" +default_url_base_ports = "https://deb.debian.org/debian-ports/" +default_url_base_ports_incoming = "https://incoming.ports.debian.org/" +default_url_base_security = "https://deb.debian.org/debian-security/" + + +class url_debian_flat(object): + def __init__(self, base): + self.base = base + + def __call__(self, source, filename, arch): + return self.base + filename + + +class url_debian_pool(object): + def __init__(self, base): + self.base = base + + def __call__(self, source, filename, arch): + return (self.base + "pool/main/" + source[0] + "/" + source + "/" + + filename) + + +class url_debian_ports_pool(url_debian_pool): + def __call__(self, source, filename, arch): + if arch == 'all': + return url_debian_pool.__call__(self, source, filename, arch) + return (self.base + "pool-" + arch + "/main/" + source[0] + "/" + + source + "/" + filename) + + +class url_debian_security_pool(url_debian_pool): + def __call__(self, source, filename, arch): + return (self.base + "pool/updates/main/" + source[0] + "/" + source + + "/" + filename) + + +class Main(object): + dir = None + + def __init__(self, arch=None, featureset=None, flavour=None): + self.log = sys.stdout.write + + self.override_arch = arch + self.override_featureset = featureset + self.override_flavour = flavour + + changelog = Changelog(version=VersionLinux) + while changelog[0].distribution == 'UNRELEASED': + changelog.pop(0) + changelog = changelog[0] + + self.source = changelog.source + self.version = changelog.version.linux_version + self.version_source = 
changelog.version.complete + + if changelog.distribution.endswith('-security'): + self.urls = [url_base_security] + else: + self.urls = [url_base, url_base_ports, + url_base_incoming, url_base_ports_incoming] + + self.config = ConfigCoreDump(fp=open("debian/config.defines.dump", + "rb")) + + self.version_abi = self.config['version', ]['abiname'] + + def __call__(self): + self.dir = tempfile.mkdtemp(prefix='abiupdate') + try: + self.log("Retrieve config\n") + + try: + config = self.get_config() + except HTTPError as e: + self.log("Failed to retrieve %s: %s\n" % (e.filename, e)) + sys.exit(1) + + if self.override_arch: + arches = [self.override_arch] + else: + arches = config[('base',)]['arches'] + for arch in arches: + self.update_arch(config, arch) + finally: + shutil.rmtree(self.dir) + + def extract_package(self, filename, base): + base_out = self.dir + "/" + base + os.mkdir(base_out) + os.system("dpkg-deb --extract %s %s" % (filename, base_out)) + return base_out + + def get_abi(self, arch, prefix): + try: + version_abi = (self.config[('version',)]['abiname_base'] + '-' + + self.config['abi', arch]['abiname']) + except KeyError: + version_abi = self.version_abi + filename = ("linux-headers-%s-%s_%s_%s.deb" % + (version_abi, prefix, self.version_source, arch)) + f = self.retrieve_package(filename, arch) + d = self.extract_package(f, "linux-headers-%s_%s" % (prefix, arch)) + f1 = d + ("/usr/src/linux-headers-%s-%s/Module.symvers" % + (version_abi, prefix)) + s = Symbols(open(f1)) + shutil.rmtree(d) + return version_abi, s + + def get_config(self): + # XXX We used to fetch the previous version of linux-support here, + # but until we authenticate downloads we should not do that as + # pickle.load allows running arbitrary code. 
+ return self.config + + def retrieve_package(self, filename, arch): + for i, url in enumerate(self.urls): + u = url(self.source, filename, arch) + filename_out = self.dir + "/" + filename + + try: + f_in = urlopen(u) + except HTTPError: + if i == len(self.urls) - 1: + # No more URLs to try + raise + else: + continue + + f_out = open(filename_out, 'wb') + while 1: + r = f_in.read() + if not r: + break + f_out.write(r) + return filename_out + + def save_abi(self, version_abi, symbols, arch, featureset, flavour): + dir = "debian/abi/%s" % version_abi + if not os.path.exists(dir): + os.makedirs(dir) + out = "%s/%s_%s_%s" % (dir, arch, featureset, flavour) + symbols.write(open(out, 'w')) + + def update_arch(self, config, arch): + if self.override_featureset: + featuresets = [self.override_featureset] + else: + featuresets = config[('base', arch)]['featuresets'] + for featureset in featuresets: + self.update_featureset(config, arch, featureset) + + def update_featureset(self, config, arch, featureset): + config_base = config.merge('base', arch, featureset) + + if not config_base.get('enabled', True): + return + + if self.override_flavour: + flavours = [self.override_flavour] + else: + flavours = config_base['flavours'] + for flavour in flavours: + self.update_flavour(config, arch, featureset, flavour) + + def update_flavour(self, config, arch, featureset, flavour): + self.log("Updating ABI for arch %s, featureset %s, flavour %s: " % + (arch, featureset, flavour)) + try: + if featureset == 'none': + localversion = flavour + else: + localversion = featureset + '-' + flavour + + version_abi, abi = self.get_abi(arch, localversion) + self.save_abi(version_abi, abi, arch, featureset, flavour) + self.log("Ok.\n") + except HTTPError as e: + self.log("Failed to retrieve %s: %s\n" % (e.filename, e)) + except Exception: + self.log("FAILED!\n") + import traceback + traceback.print_exc(None, sys.stdout) + + +if __name__ == '__main__': + options = optparse.OptionParser() + 
options.add_option("-u", "--url-base", dest="url_base", + default=default_url_base) + options.add_option("--url-base-incoming", dest="url_base_incoming", + default=default_url_base_incoming) + options.add_option("--url-base-ports", dest="url_base_ports", + default=default_url_base_ports) + options.add_option("--url-base-ports-incoming", + dest="url_base_ports_incoming", + default=default_url_base_ports_incoming) + options.add_option("--url-base-security", dest="url_base_security", + default=default_url_base_security) + + opts, args = options.parse_args() + + kw = {} + if len(args) >= 1: + kw['arch'] = args[0] + if len(args) >= 2: + kw['featureset'] = args[1] + if len(args) >= 3: + kw['flavour'] = args[2] + + url_base = url_debian_pool(opts.url_base) + url_base_incoming = url_debian_pool(opts.url_base_incoming) + url_base_ports = url_debian_ports_pool(opts.url_base_ports) + url_base_ports_incoming = url_debian_flat(opts.url_base_ports_incoming) + url_base_security = url_debian_security_pool(opts.url_base_security) + + Main(**kw)() diff --git a/debian/bin/buildcheck.py b/debian/bin/buildcheck.py new file mode 100755 index 000000000..3f7ce25a9 --- /dev/null +++ b/debian/bin/buildcheck.py 
@@ -0,0 +1,285 @@ +#!/usr/bin/python3 + +import sys +import glob +import os +import re + +from debian_linux.abi import Symbols +from debian_linux.config import ConfigCoreDump +from debian_linux.debian import Changelog, VersionLinux + + +class CheckAbi(object): + class SymbolInfo(object): + def __init__(self, symbol, symbol_ref=None): + self.symbol = symbol + self.symbol_ref = symbol_ref or symbol + + @property + def module(self): + return self.symbol.module + + @property + def name(self): + return self.symbol.name + + def write(self, out, ignored): + info = [] + if ignored: + info.append("ignored") + for name in ('module', 'version', 'export'): + data = getattr(self.symbol, name) + data_ref = getattr(self.symbol_ref, name) + if data != data_ref: + info.append("%s: %s -> %s" % (name, data_ref, data)) + else: + info.append("%s: %s" % (name, data)) + out.write("%-48s %s\n" % (self.symbol.name, ", ".join(info))) + + def __init__(self, config, dir, arch, featureset, flavour): + self.config = config + self.arch, self.featureset, self.flavour = arch, featureset, flavour + + self.filename_new = "%s/Module.symvers" % dir + + try: + version_abi = (self.config[('version',)]['abiname_base'] + '-' + + self.config['abi', arch]['abiname']) + except KeyError: + version_abi = self.config[('version',)]['abiname'] + self.filename_ref = ("debian/abi/%s/%s_%s_%s" % + (version_abi, arch, featureset, flavour)) + + def __call__(self, out): + ret = 0 + + new = Symbols(open(self.filename_new)) + unversioned = [name for name in new + if new[name].version == '0x00000000'] + if unversioned: + out.write("ABI is not completely versioned! " + "Refusing to continue.\n") + out.write("\nUnversioned symbols:\n") + for name in sorted(unversioned): + self.SymbolInfo(new[name]).write(out, False) + ret = 1 + + try: + ref = Symbols(open(self.filename_ref)) + except IOError: + out.write("Can't read ABI reference. 
ABI not checked!\n") + return ret + + symbols, add, change, remove = self._cmp(ref, new) + + ignore = self._ignore(symbols) + + add_effective = add - ignore + change_effective = change - ignore + remove_effective = remove - ignore + + if change_effective or remove_effective: + out.write("ABI has changed! Refusing to continue.\n") + ret = 1 + elif change or remove: + out.write("ABI has changed but all changes have been ignored. " + "Continuing.\n") + elif add_effective: + out.write("New symbols have been added. Continuing.\n") + elif add: + out.write("New symbols have been added but have been ignored. " + "Continuing.\n") + else: + out.write("No ABI changes.\n") + + if add: + out.write("\nAdded symbols:\n") + for name in sorted(add): + symbols[name].write(out, name in ignore) + + if change: + out.write("\nChanged symbols:\n") + for name in sorted(change): + symbols[name].write(out, name in ignore) + + if remove: + out.write("\nRemoved symbols:\n") + for name in sorted(remove): + symbols[name].write(out, name in ignore) + + return ret + + def _cmp(self, ref, new): + ref_names = set(ref.keys()) + new_names = set(new.keys()) + + add = set() + change = set() + remove = set() + + symbols = {} + + for name in new_names - ref_names: + add.add(name) + symbols[name] = self.SymbolInfo(new[name]) + + for name in ref_names.intersection(new_names): + s_ref = ref[name] + s_new = new[name] + + if s_ref != s_new: + change.add(name) + symbols[name] = self.SymbolInfo(s_new, s_ref) + + for name in ref_names - new_names: + remove.add(name) + symbols[name] = self.SymbolInfo(ref[name]) + + return symbols, add, change, remove + + def _ignore_pattern(self, pattern): + ret = [] + for i in re.split(r'(\*\*?)', pattern): + if i == '*': + ret.append(r'[^/]*') + elif i == '**': + ret.append(r'.*') + elif i: + ret.append(re.escape(i)) + return re.compile('^' + ''.join(ret) + '$') + + def _ignore(self, symbols): + # TODO: let config merge this lists + configs = [] + 
configs.append(self.config.get(('abi', self.arch, self.featureset, + self.flavour), {})) + configs.append(self.config.get(('abi', self.arch, None, self.flavour), + {})) + configs.append(self.config.get(('abi', self.arch, self.featureset), + {})) + configs.append(self.config.get(('abi', self.arch), {})) + configs.append(self.config.get(('abi', None, self.featureset), {})) + configs.append(self.config.get(('abi',), {})) + + ignores = set() + for config in configs: + ignores.update(config.get('ignore-changes', [])) + + filtered = set() + for ignore in ignores: + type = 'name' + if ':' in ignore: + type, ignore = ignore.split(':') + if type in ('name', 'module'): + p = self._ignore_pattern(ignore) + for symbol in symbols.values(): + if p.match(getattr(symbol, type)): + filtered.add(symbol.name) + else: + raise NotImplementedError + + return filtered + + +class CheckImage(object): + def __init__(self, config, dir, arch, featureset, flavour): + self.dir = dir + self.arch, self.featureset, self.flavour = arch, featureset, flavour + + self.changelog = Changelog(version=VersionLinux)[0] + + self.config_entry_base = config.merge('base', arch, featureset, + flavour) + self.config_entry_build = config.merge('build', arch, featureset, + flavour) + self.config_entry_image = config.merge('image', arch, featureset, + flavour) + + def __call__(self, out): + image = self.config_entry_build.get('image-file') + uncompressed_image = self.config_entry_build \ + .get('uncompressed-image-file') + + if not image: + # TODO: Bail out + return 0 + + image = os.path.join(self.dir, image) + if uncompressed_image: + uncompressed_image = os.path.join(self.dir, uncompressed_image) + + fail = 0 + + fail |= self.check_size(out, image, uncompressed_image) + + return fail + + def check_size(self, out, image, uncompressed_image): + value = self.config_entry_image.get('check-size') + + if not value: + return 0 + + dtb_size = 0 + if self.config_entry_image.get('check-size-with-dtb'): + for dtb in 
glob.glob( + os.path.join(self.dir, 'arch', + self.config_entry_base['kernel-arch'], + 'boot/dts/*.dtb')): + dtb_size = max(dtb_size, os.stat(dtb).st_size) + + size = os.stat(image).st_size + dtb_size + + # 1% overhead is desirable in order to cope with growth + # through the lifetime of a stable release. Warn if this is + # not the case. + usage = (float(size)/value) * 100.0 + out.write('Image size %d/%d, using %.2f%%. ' % (size, value, usage)) + if size > value: + out.write('Too large. Refusing to continue.\n') + return 1 + elif usage >= 99.0: + out.write('Under 1%% space in %s. ' % self.changelog.distribution) + else: + out.write('Image fits. ') + out.write('Continuing.\n') + + # Also check the uncompressed image + if uncompressed_image and \ + self.config_entry_image.get('check-uncompressed-size'): + value = self.config_entry_image.get('check-uncompressed-size') + size = os.stat(uncompressed_image).st_size + usage = (float(size)/value) * 100.0 + out.write('Uncompressed Image size %d/%d, using %.2f%%. ' % + (size, value, usage)) + if size > value: + out.write('Too large. Refusing to continue.\n') + return 1 + elif usage >= 99.0: + out.write('Uncompressed Image Under 1%% space in %s. ' % + self.changelog.distribution) + else: + out.write('Uncompressed Image fits. ') + out.write('Continuing.\n') + + return 0 + + +class Main(object): + def __init__(self, dir, arch, featureset, flavour): + self.args = dir, arch, featureset, flavour + + self.config = ConfigCoreDump(open("debian/config.defines.dump", "rb")) + + def __call__(self): + fail = 0 + + for c in CheckAbi, CheckImage: + fail |= c(self.config, *self.args)(sys.stdout) + + return fail + + +if __name__ == '__main__': + sys.exit(Main(*sys.argv[1:])()) diff --git a/debian/bin/check-patches.sh b/debian/bin/check-patches.sh new file mode 100755 index 000000000..54bb731e9 --- /dev/null +++ b/debian/bin/check-patches.sh 
@@ -0,0 +1,28 @@ +#!/bin/sh -e + +TMPDIR=$(mktemp -d) +trap "rm -rf $TMPDIR" EXIT +for patchdir in debian/patches*; do + sed '/^#/d; /^[[:space:]]*$/d; /^X /d; s/^+ //; s,^,'"$patchdir"'/,' "$patchdir"/series +done | sort -u > $TMPDIR/used +find debian/patches* ! -path '*/series' -type f -name "*.diff" -o -name "*.patch" -printf "%p\n" | sort > $TMPDIR/avail +echo "Used patches" +echo "==============" +cat $TMPDIR/used +echo +echo "Unused patches" +echo "==============" +grep -F -v -f $TMPDIR/used $TMPDIR/avail || test $? = 1 +echo +echo "Patches without required headers" +echo "================================" +xargs grep -E -l '^(Subject|Description):' < $TMPDIR/used | xargs grep -E -l '^(From|Author|Origin):' > $TMPDIR/goodheaders || test $? = 1 +grep -F -v -f $TMPDIR/goodheaders $TMPDIR/used || test $? = 1 +echo +echo "Patches without Origin or Forwarded header" +echo "==========================================" +xargs grep -E -L '^(Origin:|Forwarded: (no\b|not-needed|http))' < $TMPDIR/used || test $? = 1 +echo +echo "Patches to be forwarded" +echo "=======================" +xargs grep -E -l '^Forwarded: no\b' < $TMPDIR/used || test $? = 1 diff --git a/debian/bin/debian_linux b/debian/bin/debian_linux new file mode 120000 index 000000000..01f3e04dc --- /dev/null +++ b/debian/bin/debian_linux @@ -0,0 +1 @@ +../lib/python/debian_linux/
\ No newline at end of file diff --git a/debian/bin/fix-shebang b/debian/bin/fix-shebang new file mode 100755 index 000000000..edf551fa3 --- /dev/null +++ b/debian/bin/fix-shebang @@ -0,0 +1,12 @@ +#!/usr/bin/perl -pi + +# Change "#!/usr/bin/env perl" to "#!/usr/bin/perl" (policy §10.4). +# Other uses of /usr/bin/env should probably be converted as well, but +# policy doesn't specify what to do. +if ($. == 1 && m|^\#!\s*/usr/bin/env\s+(.+)|) { + if ($1 eq "perl") { + $_ = "#!/usr/bin/perl\n"; + } else { + print STDERR "W: Found #!/usr/bin/env $1 and don't know what to substitute\n"; + } +} diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py new file mode 100755 index 000000000..325ff46ec --- /dev/null +++ b/debian/bin/gencontrol.py 
@@ -0,0 +1,664 @@ +#!/usr/bin/python3 + +import sys +import locale +import os +import os.path +import subprocess +import re + +from debian_linux import config +from debian_linux.debian import PackageRelation, \ + PackageRelationEntry, PackageRelationGroup, VersionLinux, BinaryPackage, \ + restriction_requires_profile +from debian_linux.gencontrol import Gencontrol as Base, \ + iter_featuresets, iter_flavours, add_package_build_restriction +from debian_linux.utils import Templates + +locale.setlocale(locale.LC_CTYPE, "C.UTF-8") + + +class Gencontrol(Base): + config_schema = { + 'abi': { + 'ignore-changes': config.SchemaItemList(), + }, + 'build': { + 'signed-code': config.SchemaItemBoolean(), + 'vdso': config.SchemaItemBoolean(), + }, + 'description': { + 'parts': config.SchemaItemList(), + }, + 'image': { + 'bootloaders': config.SchemaItemList(), + 'configs': config.SchemaItemList(), + 'initramfs-generators': config.SchemaItemList(), + 'check-size': config.SchemaItemInteger(), + 'check-size-with-dtb': config.SchemaItemBoolean(), + 'check-uncompressed-size': config.SchemaItemInteger(), + 'depends': config.SchemaItemList(','), + 'provides': config.SchemaItemList(','), + 'suggests': config.SchemaItemList(','), + 'recommends': config.SchemaItemList(','), + 'conflicts': config.SchemaItemList(','), + 'breaks': config.SchemaItemList(','), + }, + 'relations': { + }, + 'packages': { + 'docs': config.SchemaItemBoolean(), + 'installer': config.SchemaItemBoolean(), + 'libc-dev': config.SchemaItemBoolean(), + 'meta': config.SchemaItemBoolean(), + 'tools-unversioned': config.SchemaItemBoolean(), + 'tools-versioned': config.SchemaItemBoolean(), + 'source': config.SchemaItemBoolean(), + } + } + + env_flags = [ + ('DEBIAN_KERNEL_DISABLE_INSTALLER', 'disable_installer', 'installer modules'), + ('DEBIAN_KERNEL_DISABLE_SIGNED', 'disable_signed', 'signed code'), + ] + + def __init__(self, config_dirs=["debian/config", "debian/config.local"], + template_dirs=["debian/templates"]): + 
super(Gencontrol, self).__init__( + config.ConfigCoreHierarchy(self.config_schema, config_dirs), + Templates(template_dirs), + VersionLinux) + self.process_changelog() + self.config_dirs = config_dirs + + for env, attr, desc in self.env_flags: + setattr(self, attr, False) + if os.getenv(env): + if self.changelog[0].distribution == 'UNRELEASED': + import warnings + warnings.warn(f'Disable {desc} on request ({env} set)') + setattr(self, attr, True) + else: + raise RuntimeError( + f'Unable to disable {desc} in release build ({env} set)') + + def _setup_makeflags(self, names, makeflags, data): + for src, dst, optional in names: + if src in data or not optional: + makeflags[dst] = data[src] + + def do_main_setup(self, vars, makeflags, extra): + super(Gencontrol, self).do_main_setup(vars, makeflags, extra) + makeflags.update({ + 'VERSION': self.version.linux_version, + 'UPSTREAMVERSION': self.version.linux_upstream, + 'ABINAME': self.abiname_version + self.abiname_part, + 'SOURCEVERSION': self.version.complete, + }) + makeflags['SOURCE_BASENAME'] = vars['source_basename'] + makeflags['SOURCE_SUFFIX'] = vars['source_suffix'] + + # Prepare to generate debian/tests/control + self.tests_control = self.templates.get_tests_control('main.tests-control', vars) + self.tests_control_image = None + self.tests_control_headers = None + + self.installer_packages = {} + + if not self.disable_installer and self.config.merge('packages').get('installer', True): + # Add udebs using kernel-wedge + kw_env = os.environ.copy() + kw_env['KW_DEFCONFIG_DIR'] = 'debian/installer' + kw_env['KW_CONFIG_DIR'] = 'debian/installer' + kw_proc = subprocess.Popen( + ['kernel-wedge', 'gen-control', vars['abiname']], + stdout=subprocess.PIPE, + text=True, + env=kw_env) + udeb_packages = BinaryPackage.read_rfc822(kw_proc.stdout) + kw_proc.wait() + if kw_proc.returncode != 0: + raise RuntimeError('kernel-wedge exited with code %d' % + kw_proc.returncode) + + # All architectures that have some installer udebs + 
arches = set() + for package in udeb_packages: + arches.update(package['Architecture']) + + # Code-signing status for those architectures + # If we're going to build signed udebs later, don't actually + # generate udebs. Just test that we *can* build, so we find + # configuration errors before building linux-signed. + build_signed = {} + for arch in arches: + if not self.disable_signed: + build_signed[arch] = self.config.merge('build', arch) \ + .get('signed-code', False) + else: + build_signed[arch] = False + + for package in udeb_packages: + # kernel-wedge currently chokes on Build-Profiles so add it now + if any(build_signed[arch] for arch in package['Architecture']): + assert all(build_signed[arch] + for arch in package['Architecture']) + # XXX This is a hack to exclude the udebs from + # the package list while still being able to + # convince debhelper and kernel-wedge to go + # part way to building them. + package['Build-Profiles'] = ( + '<pkg.linux.udeb-unsigned-test-build !noudeb !stage1' + ' !pkg.linux.nokernel !pkg.linux.quick>') + else: + package['Build-Profiles'] = ( + '<!noudeb !stage1 !pkg.linux.nokernel !pkg.linux.quick>') + + for arch in package['Architecture']: + self.installer_packages.setdefault(arch, []) \ + .append(package) + + def do_main_makefile(self, makeflags, extra): + for featureset in iter_featuresets(self.config): + makeflags_featureset = makeflags.copy() + makeflags_featureset['FEATURESET'] = featureset + + self.makefile.add_rules(f'source_{featureset}', + 'source', makeflags_featureset) + self.makefile.add_deps('source', [f'source_{featureset}']) + + makeflags = makeflags.copy() + makeflags['ALL_FEATURESETS'] = ' '.join(iter_featuresets(self.config)) + super().do_main_makefile(makeflags, extra) + + def do_main_packages(self, vars, makeflags, extra): + self.bundle.add('main', ('real', ), makeflags, vars) + + # Only build the metapackages if their names won't exactly match + # the packages they depend on + do_meta = 
self.config.merge('packages').get('meta', True) \ + and vars['source_suffix'] != '-' + vars['version'] + + if self.config.merge('packages').get('docs', True): + self.bundle.add('docs', ('real', ), makeflags, vars) + if do_meta: + self.bundle.add('docs.meta', ('real', ), makeflags, vars) + if self.config.merge('packages').get('source', True): + self.bundle.add('sourcebin', ('real', ), makeflags, vars) + if do_meta: + self.bundle.add('sourcebin.meta', ('real', ), makeflags, vars) + + def do_indep_featureset_setup(self, vars, makeflags, featureset, extra): + makeflags['LOCALVERSION'] = vars['localversion'] + kernel_arches = set() + for arch in iter(self.config['base', ]['arches']): + if self.config.get_merge('base', arch, featureset, None, + 'flavours'): + kernel_arches.add(self.config['base', arch]['kernel-arch']) + makeflags['ALL_KERNEL_ARCHES'] = ' '.join(sorted(list(kernel_arches))) + + vars['featureset_desc'] = '' + if featureset != 'none': + desc = self.config[('description', None, featureset)] + desc_parts = desc['parts'] + vars['featureset_desc'] = (' with the %s featureset' % + desc['part-short-%s' % desc_parts[0]]) + + def do_indep_featureset_packages(self, featureset, + vars, makeflags, extra): + self.bundle.add('headers.featureset', (featureset, 'real'), makeflags, vars) + + arch_makeflags = ( + ('kernel-arch', 'KERNEL_ARCH', False), + ) + + def do_arch_setup(self, vars, makeflags, arch, extra): + config_base = self.config.merge('base', arch) + + self._setup_makeflags(self.arch_makeflags, makeflags, config_base) + + try: + gnu_type = subprocess.check_output( + ['dpkg-architecture', '-f', '-a', arch, + '-q', 'DEB_HOST_GNU_TYPE'], + stderr=subprocess.DEVNULL, + encoding='utf-8') + except subprocess.CalledProcessError: + # This sometimes happens for the newest ports :-/ + print('W: Unable to get GNU type for %s' % arch, file=sys.stderr) + else: + vars['gnu-type-package'] = gnu_type.strip().replace('_', '-') + + def do_arch_packages(self, arch, vars, 
makeflags, + extra): + try: + abiname_part = '-%s' % self.config['abi', arch]['abiname'] + except KeyError: + abiname_part = self.abiname_part + makeflags['ABINAME'] = vars['abiname'] = \ + self.abiname_version + abiname_part + + if not self.disable_signed: + build_signed = self.config.merge('build', arch) \ + .get('signed-code', False) + else: + build_signed = False + + udeb_packages = self.installer_packages.get(arch, []) + if udeb_packages: + makeflags_local = makeflags.copy() + makeflags_local['PACKAGE_NAMES'] = ' '.join(p['Package'] for p in udeb_packages) + + for package in udeb_packages: + package.meta['rules-target'] = build_signed and 'udeb_test' or 'udeb' + + self.bundle.add_packages( + udeb_packages, + (arch, 'real'), + makeflags_local, arch=arch, check_packages=not build_signed, + ) + + if build_signed: + self.bundle.add('signed-template', (arch, 'real'), makeflags, vars, arch=arch) + + if self.config.merge('packages').get('libc-dev', True): + self.bundle.add('libc-dev', (arch, 'real'), makeflags, vars) + + if self.config['base', arch].get('featuresets') and \ + self.config.merge('packages').get('source', True): + self.bundle.add('config', (arch, 'real'), makeflags, vars) + + if self.config.merge('packages').get('tools-unversioned', True): + self.bundle.add('tools-unversioned', (arch, 'real'), makeflags, vars) + + if self.config.merge('packages').get('tools-versioned', True): + self.bundle.add('tools-versioned', (arch, 'real'), makeflags, vars) + + def do_featureset_setup(self, vars, makeflags, arch, featureset, extra): + vars['localversion_headers'] = vars['localversion'] + makeflags['LOCALVERSION_HEADERS'] = vars['localversion_headers'] + + self.default_flavour = self.config.merge('base', arch, featureset) \ + .get('default-flavour') + if self.default_flavour is not None: + if featureset != 'none': + raise RuntimeError("default-flavour set for %s %s," + " but must only be set for featureset none" + % (arch, featureset)) + if self.default_flavour \ + 
not in iter_flavours(self.config, arch, featureset): + raise RuntimeError("default-flavour %s for %s %s does not exist" + % (self.default_flavour, arch, featureset)) + + self.quick_flavour = self.config.merge('base', arch, featureset) \ + .get('quick-flavour') + + flavour_makeflags_base = ( + ('compiler', 'COMPILER', False), + ('compiler-filename', 'COMPILER', True), + ('kernel-arch', 'KERNEL_ARCH', False), + ('cflags', 'KCFLAGS', True), + ('override-host-type', 'OVERRIDE_HOST_TYPE', True), + ('cross-compile-compat', 'CROSS_COMPILE_COMPAT', True), + ) + + flavour_makeflags_build = ( + ('image-file', 'IMAGE_FILE', True), + ) + + flavour_makeflags_image = ( + ('install-stem', 'IMAGE_INSTALL_STEM', True), + ) + + flavour_makeflags_other = ( + ('localversion', 'LOCALVERSION', False), + ('localversion-image', 'LOCALVERSION_IMAGE', True), + ) + + def do_flavour_setup(self, vars, makeflags, arch, featureset, flavour, + extra): + config_base = self.config.merge('base', arch, featureset, flavour) + config_build = self.config.merge('build', arch, featureset, flavour) + config_description = self.config.merge('description', arch, featureset, + flavour) + config_image = self.config.merge('image', arch, featureset, flavour) + + vars['flavour'] = vars['localversion'][1:] + vars['class'] = config_description['hardware'] + vars['longclass'] = (config_description.get('hardware-long') + or vars['class']) + + vars['localversion-image'] = vars['localversion'] + override_localversion = config_image.get('override-localversion', None) + if override_localversion is not None: + vars['localversion-image'] = (vars['localversion_headers'] + '-' + + override_localversion) + vars['image-stem'] = config_image.get('install-stem') + + self._setup_makeflags(self.flavour_makeflags_base, makeflags, + config_base) + self._setup_makeflags(self.flavour_makeflags_build, makeflags, + config_build) + self._setup_makeflags(self.flavour_makeflags_image, makeflags, + config_image) + 
self._setup_makeflags(self.flavour_makeflags_other, makeflags, vars) + + def do_flavour_packages(self, arch, featureset, + flavour, vars, makeflags, extra): + ruleid = (arch, featureset, flavour, 'real') + + packages_headers = ( + self.bundle.add('headers', ruleid, makeflags, vars, arch=arch) + ) + assert len(packages_headers) == 1 + + do_meta = self.config.merge('packages').get('meta', True) + config_entry_base = self.config.merge('base', arch, featureset, + flavour) + config_entry_build = self.config.merge('build', arch, featureset, + flavour) + config_entry_description = self.config.merge('description', arch, + featureset, flavour) + config_entry_relations = self.config.merge('relations', arch, + featureset, flavour) + + def config_entry_image(key, *args, **kwargs): + return self.config.get_merge( + 'image', arch, featureset, flavour, key, *args, **kwargs) + + compiler = config_entry_base.get('compiler', 'gcc') + + # Work out dependency from linux-headers to compiler. Drop + # dependencies for cross-builds. Strip any remaining + # restrictions, as they don't apply to binary Depends. 
+ relations_compiler_headers = PackageRelation( + self.substitute(config_entry_relations.get('headers%' + compiler) + or config_entry_relations.get(compiler), vars)) + relations_compiler_headers = PackageRelation( + PackageRelationGroup( + entry for entry in group + if not restriction_requires_profile(entry.restrictions, + 'cross')) + for group in relations_compiler_headers) + for group in relations_compiler_headers: + for entry in group: + entry.restrictions = [] + + relations_compiler_build_dep = PackageRelation( + self.substitute(config_entry_relations[compiler], vars)) + for group in relations_compiler_build_dep: + for item in group: + item.arches = [arch] + self.packages['source']['Build-Depends-Arch'].extend( + relations_compiler_build_dep) + + packages_own = [] + + if not self.disable_signed: + build_signed = config_entry_build.get('signed-code') + else: + build_signed = False + + vars.setdefault('desc', None) + + package_image = ( + self.bundle.add(build_signed and 'image-unsigned' or 'image', + ruleid, makeflags, vars, arch=arch) + )[0] + makeflags['IMAGE_PACKAGE_NAME'] = package_image['Package'] + + for field in ('Depends', 'Provides', 'Suggests', 'Recommends', + 'Conflicts', 'Breaks'): + package_image.setdefault(field).extend(PackageRelation( + config_entry_image(field.lower(), None), + override_arches=(arch,))) + + generators = config_entry_image('initramfs-generators') + group = PackageRelationGroup() + for i in generators: + i = config_entry_relations.get(i, i) + group.append(i) + a = PackageRelationEntry(i) + if a.operator is not None: + a.operator = -a.operator + package_image['Breaks'].append(PackageRelationGroup([a])) + for item in group: + item.arches = [arch] + package_image['Depends'].append(group) + + bootloaders = config_entry_image('bootloaders', None) + if bootloaders: + group = PackageRelationGroup() + for i in bootloaders: + i = config_entry_relations.get(i, i) + group.append(i) + a = PackageRelationEntry(i) + if a.operator is not None: + 
a.operator = -a.operator + package_image['Breaks'].append(PackageRelationGroup([a])) + for item in group: + item.arches = [arch] + package_image['Suggests'].append(group) + + desc_parts = self.config.get_merge('description', arch, featureset, + flavour, 'parts') + if desc_parts: + # XXX: Workaround, we need to support multiple entries of the same + # name + parts = list(set(desc_parts)) + parts.sort() + desc = package_image['Description'] + for part in parts: + desc.append(config_entry_description['part-long-' + part]) + desc.append_short(config_entry_description + .get('part-short-' + part, '')) + + packages_headers[0]['Depends'].extend(relations_compiler_headers) + packages_own.append(package_image) + packages_own.extend(packages_headers) + if extra.get('headers_arch_depends'): + extra['headers_arch_depends'].append('%s (= ${binary:Version})' % + packages_own[-1]['Package']) + + # The image meta-packages will depend on signed linux-image + # packages where applicable, so should be built from the + # signed source packages The header meta-packages will also be + # built along with the signed packages, to create a dependency + # relationship that ensures src:linux and src:linux-signed-* + # transition to testing together. 
+ if do_meta and not build_signed: + packages_meta = ( + self.bundle.add('image.meta', ruleid, makeflags, vars, arch=arch) + ) + assert len(packages_meta) == 1 + packages_meta += ( + self.bundle.add('headers.meta', ruleid, makeflags, vars, arch=arch) + ) + assert len(packages_meta) == 2 + + if flavour == self.default_flavour \ + and not self.vars['source_suffix']: + packages_meta[0].setdefault('Provides') \ + .append('linux-image-generic') + packages_meta[1].setdefault('Provides') \ + .append('linux-headers-generic') + + packages_own.extend(packages_meta) + + if config_entry_build.get('vdso', False): + makeflags['VDSO'] = True + + packages_own.extend( + self.bundle.add('image-dbg', ruleid, makeflags, vars, arch=arch) + ) + if do_meta: + packages_own.extend( + self.bundle.add('image-dbg.meta', ruleid, makeflags, vars, arch=arch) + ) + + # In a quick build, only build the quick flavour (if any). + if flavour != self.quick_flavour: + for package in packages_own: + add_package_build_restriction(package, '!pkg.linux.quick') + + # Make sure signed-template is build after linux + if build_signed: + self.makefile.add_deps(f'build-arch_{arch}_real_signed-template', + [f'build-arch_{arch}_{featureset}_{flavour}_real']) + self.makefile.add_deps(f'binary-arch_{arch}_real_signed-template', + [f'binary-arch_{arch}_{featureset}_{flavour}_real']) + + # Make sure udeb is build after linux + self.makefile.add_deps(f'build-arch_{arch}_real_udeb', + [f'build-arch_{arch}_{featureset}_{flavour}_real']) + self.makefile.add_deps(f'binary-arch_{arch}_real_udeb', + [f'binary-arch_{arch}_{featureset}_{flavour}_real']) + + tests_control = self.templates.get_tests_control('image.tests-control', vars)[0] + tests_control['Depends'].append( + PackageRelationGroup(package_image['Package'], + override_arches=(arch,))) + if self.tests_control_image: + self.tests_control_image['Depends'].extend( + tests_control['Depends']) + else: + self.tests_control_image = tests_control + 
self.tests_control.append(tests_control) + + if flavour == (self.quick_flavour or self.default_flavour): + if not self.tests_control_headers: + self.tests_control_headers = \ + self.templates.get_tests_control('headers.tests-control', vars)[0] + self.tests_control.append(self.tests_control_headers) + self.tests_control_headers['Architecture'].add(arch) + self.tests_control_headers['Depends'].append( + PackageRelationGroup(packages_headers[0]['Package'], + override_arches=(arch,))) + + def get_config(*entry_name): + entry_real = ('image',) + entry_name + entry = self.config.get(entry_real, None) + if entry is None: + return None + return entry.get('configs', None) + + def check_config_default(fail, f): + for d in self.config_dirs[::-1]: + f1 = d + '/' + f + if os.path.exists(f1): + return [f1] + if fail: + raise RuntimeError("%s unavailable" % f) + return [] + + def check_config_files(files): + ret = [] + for f in files: + for d in self.config_dirs[::-1]: + f1 = d + '/' + f + if os.path.exists(f1): + ret.append(f1) + break + else: + raise RuntimeError("%s unavailable" % f) + return ret + + def check_config(default, fail, *entry_name): + configs = get_config(*entry_name) + if configs is None: + return check_config_default(fail, default) + return check_config_files(configs) + + kconfig = check_config('config', True) + # XXX: We have no way to override kernelarch-X configs + kconfig.extend(check_config_default(False, + "kernelarch-%s/config" % config_entry_base['kernel-arch'])) + kconfig.extend(check_config("%s/config" % arch, True, arch)) + kconfig.extend(check_config("%s/config.%s" % (arch, flavour), False, + arch, None, flavour)) + kconfig.extend(check_config("featureset-%s/config" % featureset, False, + None, featureset)) + kconfig.extend(check_config("%s/%s/config" % (arch, featureset), False, + arch, featureset)) + kconfig.extend(check_config("%s/%s/config.%s" % + (arch, featureset, flavour), False, + arch, featureset, flavour)) + makeflags['KCONFIG'] = ' 
'.join(kconfig) + makeflags['KCONFIG_OPTIONS'] = '' + if build_signed: + makeflags['KCONFIG_OPTIONS'] += ' -o SECURITY_LOCKDOWN_LSM=y -o MODULE_SIG=y' + # Add "salt" to fix #872263 + makeflags['KCONFIG_OPTIONS'] += \ + ' -o "BUILD_SALT=\\"%(abiname)s%(localversion)s\\""' % vars + if config_entry_build.get('trusted-certs'): + makeflags['KCONFIG_OPTIONS'] += \ + f' -o "SYSTEM_TRUSTED_KEYS=\\"${{CURDIR}}/{config_entry_build["trusted-certs"]}\\""' + + merged_config = ('debian/build/config.%s_%s_%s' % + (arch, featureset, flavour)) + self.makefile.add_cmds(merged_config, + ["$(MAKE) -f debian/rules.real %s %s" % + (merged_config, makeflags)]) + + def process_changelog(self): + version = self.version = self.changelog[0].version + self.abiname_part = '-%s' % self.config['abi', ]['abiname'] + # We need to keep at least three version components to avoid + # userland breakage (e.g. #742226, #745984). + self.abiname_version = re.sub(r'^(\d+\.\d+)(?=-|$)', r'\1.0', + self.version.linux_version) + self.vars = { + 'upstreamversion': self.version.linux_upstream, + 'version': self.version.linux_version, + 'source_basename': re.sub(r'-[\d.]+$', '', + self.changelog[0].source), + 'source_upstream': self.version.upstream, + 'source_package': self.changelog[0].source, + 'abiname': self.abiname_version + self.abiname_part, + } + self.vars['source_suffix'] = \ + self.changelog[0].source[len(self.vars['source_basename']):] + self.config['version', ] = {'source': self.version.complete, + 'upstream': self.version.linux_upstream, + 'abiname_base': self.abiname_version, + 'abiname': (self.abiname_version + + self.abiname_part)} + + distribution = self.changelog[0].distribution + if distribution in ('unstable', ): + if version.linux_revision_experimental or \ + version.linux_revision_backports or \ + version.linux_revision_other: + raise RuntimeError("Can't upload to %s with a version of %s" % + (distribution, version)) + if distribution in ('experimental', ): + if not 
version.linux_revision_experimental: + raise RuntimeError("Can't upload to %s with a version of %s" % + (distribution, version)) + if distribution.endswith('-security') or distribution.endswith('-lts'): + if version.linux_revision_backports or \ + version.linux_revision_other: + raise RuntimeError("Can't upload to %s with a version of %s" % + (distribution, version)) + if distribution.endswith('-backports'): + if not version.linux_revision_backports: + raise RuntimeError("Can't upload to %s with a version of %s" % + (distribution, version)) + + def write(self): + self.write_config() + super().write() + self.write_tests_control() + + def write_config(self): + f = open("debian/config.defines.dump", 'wb') + self.config.dump(f) + f.close() + + def write_tests_control(self): + self.write_rfc822(open("debian/tests/control", 'w'), + self.tests_control) + + +if __name__ == '__main__': + Gencontrol()() diff --git a/debian/bin/gencontrol_signed.py b/debian/bin/gencontrol_signed.py new file mode 100755 index 000000000..5a5d7f2de --- /dev/null +++ b/debian/bin/gencontrol_signed.py 
@@ -0,0 +1,351 @@ +#!/usr/bin/python3 + +import hashlib +import json +import os.path +import pathlib +import re +import ssl +import subprocess +import sys + +from debian_linux.config import ConfigCoreDump +from debian_linux.debian import VersionLinux, BinaryPackage +from debian_linux.gencontrol import Gencontrol as Base, \ + iter_flavours, PackagesBundle +from debian_linux.utils import Templates + + +class Gencontrol(Base): + def __init__(self, arch): + super(Gencontrol, self).__init__( + ConfigCoreDump(fp=open('debian/config.defines.dump', 'rb')), + Templates(['debian/signing_templates', 'debian/templates'])) + + image_binary_version = self.changelog[0].version.complete + + config_entry = self.config[('version',)] + self.version = VersionLinux(config_entry['source']) + + # Check config version matches changelog version + assert self.version.complete == re.sub(r'\+b\d+$', r'', + image_binary_version) + + self.abiname = config_entry['abiname'] + self.vars = { + 'upstreamversion': self.version.linux_upstream, + 'version': self.version.linux_version, + 'source_basename': re.sub(r'-[\d.]+$', '', + self.changelog[0].source), + 'source_upstream': self.version.upstream, + 'abiname': self.abiname, + 'imagebinaryversion': image_binary_version, + 'imagesourceversion': self.version.complete, + 'arch': arch, + } + self.vars['source_suffix'] = \ + self.changelog[0].source[len(self.vars['source_basename']):] + self.vars['template'] = \ + 'linux-image%(source_suffix)s-%(arch)s-signed-template' % self.vars + + self.package_dir = 'debian/%(template)s' % self.vars + self.template_top_dir = (self.package_dir + + '/usr/share/code-signing/%(template)s' + % self.vars) + self.template_debian_dir = (self.template_top_dir + + '/source-template/debian') + os.makedirs(self.template_debian_dir, exist_ok=True) + + self.image_packages = [] + + # We need a separate base dir for now + self.bundles = {None: PackagesBundle(None, self.templates, + pathlib.Path(self.template_debian_dir))} + 
self.packages = self.bundle.packages + self.makefile = self.bundle.makefile + + def do_main_setup(self, vars, makeflags, extra): + makeflags['VERSION'] = self.version.linux_version + makeflags['GENCONTROL_ARGS'] = ( + '-v%(imagebinaryversion)s ' + '-DBuilt-Using="%(source_basename)s%(source_suffix)s (= %(imagesourceversion)s)"' % + vars) + makeflags['PACKAGE_VERSION'] = vars['imagebinaryversion'] + + self.installer_packages = {} + + if os.getenv('DEBIAN_KERNEL_DISABLE_INSTALLER'): + if self.changelog[0].distribution == 'UNRELEASED': + import warnings + warnings.warn('Disable installer modules on request ' + '(DEBIAN_KERNEL_DISABLE_INSTALLER set)') + else: + raise RuntimeError( + 'Unable to disable installer modules in release build ' + '(DEBIAN_KERNEL_DISABLE_INSTALLER set)') + elif self.config.merge('packages').get('installer', True): + # Add udebs using kernel-wedge + kw_env = os.environ.copy() + kw_env['KW_DEFCONFIG_DIR'] = 'debian/installer' + kw_env['KW_CONFIG_DIR'] = 'debian/installer' + kw_proc = subprocess.Popen( + ['kernel-wedge', 'gen-control', vars['abiname']], + stdout=subprocess.PIPE, + text=True, + env=kw_env) + udeb_packages = BinaryPackage.read_rfc822(kw_proc.stdout) + kw_proc.wait() + if kw_proc.returncode != 0: + raise RuntimeError('kernel-wedge exited with code %d' % + kw_proc.returncode) + + for package in udeb_packages: + for arch in package['Architecture']: + if self.config.merge('build', arch) \ + .get('signed-code', False): + self.installer_packages.setdefault(arch, []) \ + .append(package) + + def do_main_packages(self, vars, makeflags, extra): + # Assume that arch:all packages do not get binNMU'd + self.packages['source']['Build-Depends'].append( + 'linux-support-%(abiname)s (= %(imagesourceversion)s)' % vars) + + def do_main_recurse(self, vars, makeflags, extra): + # Each signed source package only covers a single architecture + self.do_arch(vars['arch'], vars.copy(), + makeflags.copy(), extra) + + def do_extra(self): + pass + + def 
do_arch_setup(self, vars, makeflags, arch, extra): + super(Gencontrol, self).do_main_setup(vars, makeflags, extra) + + abiname_part = '-%s' % self.config.merge('abi', arch)['abiname'] + makeflags['ABINAME'] = vars['abiname'] = \ + self.config['version', ]['abiname_base'] + abiname_part + + def do_arch_packages(self, arch, vars, makeflags, extra): + udeb_packages = self.installer_packages.get(arch, []) + + if udeb_packages: + makeflags_local = makeflags.copy() + makeflags_local['PACKAGE_NAMES'] = ' '.join(p['Package'] for p in udeb_packages) + + for package in udeb_packages: + package.meta['rules-target'] = 'udeb' + + self.bundle.add_packages( + udeb_packages, + (arch, 'real'), + makeflags_local, arch=arch, + ) + + def do_featureset_setup(self, vars, makeflags, arch, featureset, extra): + self.default_flavour = self.config.merge('base', arch, featureset) \ + .get('default-flavour') + if self.default_flavour is not None: + if featureset != 'none': + raise RuntimeError("default-flavour set for %s %s," + " but must only be set for featureset none" + % (arch, featureset)) + if self.default_flavour \ + not in iter_flavours(self.config, arch, featureset): + raise RuntimeError("default-flavour %s for %s %s does not exist" + % (self.default_flavour, arch, featureset)) + + self.quick_flavour = self.config.merge('base', arch, featureset) \ + .get('quick-flavour') + + def do_flavour_setup(self, vars, makeflags, arch, featureset, flavour, + extra): + super(Gencontrol, self).do_flavour_setup(vars, makeflags, arch, + featureset, flavour, extra) + + config_description = self.config.merge('description', arch, featureset, + flavour) + config_image = self.config.merge('image', arch, featureset, flavour) + + vars['flavour'] = vars['localversion'][1:] + vars['class'] = config_description['hardware'] + vars['longclass'] = (config_description.get('hardware-long') + or vars['class']) + + vars['image-stem'] = config_image.get('install-stem') + makeflags['IMAGE_INSTALL_STEM'] = 
vars['image-stem'] + + def do_flavour_packages(self, arch, featureset, + flavour, vars, makeflags, extra): + ruleid = (arch, featureset, flavour, 'real') + + config_build = self.config.merge('build', arch, featureset, flavour) + if not config_build.get('signed-code', False): + return + + # In a quick build, only build the quick flavour (if any). + if 'pkg.linux.quick' in \ + os.environ.get('DEB_BUILD_PROFILES', '').split() \ + and flavour != self.quick_flavour: + return + + image_suffix = '%(abiname)s%(localversion)s' % vars + image_package_name = 'linux-image-%s-unsigned' % image_suffix + + # Verify that this flavour is configured to support Secure Boot, + # and get the trusted certificates filename. + with open('debian/%s/boot/config-%s' % + (image_package_name, image_suffix)) as f: + kconfig = f.readlines() + assert 'CONFIG_EFI_STUB=y\n' in kconfig + assert 'CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y\n' in kconfig + cert_file_name = config_build['trusted-certs'] + self.image_packages.append((image_suffix, image_package_name, + cert_file_name)) + + self.packages['source']['Build-Depends'].append( + image_package_name + + ' (= %(imagebinaryversion)s) [%(arch)s]' % vars) + + packages_own = ( + self.bundle.add('image', + ruleid, makeflags, vars, arch=arch) + ) + + if self.config.merge('packages').get('meta', True): + packages_meta = ( + self.bundle.add('image.meta', ruleid, makeflags, vars, arch=arch) + ) + assert len(packages_meta) == 1 + packages_meta += ( + self.bundle.add('headers.meta', ruleid, makeflags, vars, arch=arch) + ) + assert len(packages_meta) == 2 + + # Don't pretend to support build-profiles + for package in packages_meta: + del package['Build-Profiles'] + + if flavour == self.default_flavour \ + and not self.vars['source_suffix']: + packages_meta[0].setdefault('Provides') \ + .append('linux-image-generic') + packages_meta[1].setdefault('Provides') \ + .append('linux-headers-generic') + + packages_own.extend(packages_meta) + + def write(self): + 
self.bundle.extract_makefile() + self.write_changelog() + self.write_control(name=(self.template_debian_dir + '/control')) + self.write_makefile(name=(self.template_debian_dir + '/rules.gen')) + self.write_files_json() + self.write_source_lintian_overrides() + + def write_changelog(self): + # Copy the linux changelog, but: + # * Change the source package name and version + # * Insert a line to refer to refer to the linux source version + vars = self.vars.copy() + vars['source'] = self.changelog[0].source + vars['distribution'] = self.changelog[0].distribution + vars['urgency'] = self.changelog[0].urgency + vars['signedsourceversion'] = \ + re.sub(r'\+b(\d+)$', r'.b\1', + re.sub(r'-', r'+', vars['imagebinaryversion'])) + + with open(self.template_debian_dir + '/changelog', 'w', + encoding='utf-8') as f: + f.write(self.substitute('''\ +linux-signed@source_suffix@-@arch@ (@signedsourceversion@) @distribution@; urgency=@urgency@ + + * Sign kernel from @source@ @imagebinaryversion@ + +''', + vars)) + + with open('debian/changelog', 'r', encoding='utf-8') \ + as changelog_in: + # Ignore first two header lines + changelog_in.readline() + changelog_in.readline() + + for d in changelog_in.read(): + f.write(d) + + def write_files_json(self): + # Can't raise from a lambda function :-( + def raise_func(e): + raise e + + # Some functions in openssl work with multiple concatenated + # PEM-format certificates, but others do not. 
+ def get_certs(file_name): + certs = [] + BEGIN, MIDDLE = 0, 1 + state = BEGIN + with open(file_name) as f: + for line in f: + if line == '-----BEGIN CERTIFICATE-----\n': + assert state == BEGIN + certs.append([]) + state = MIDDLE + elif line == '-----END CERTIFICATE-----\n': + assert state == MIDDLE + state = BEGIN + else: + assert line[0] != '-' + assert state == MIDDLE + certs[-1].append(line) + assert state == BEGIN + return [''.join(cert_lines) for cert_lines in certs] + + def get_cert_fingerprint(cert, algo): + hasher = hashlib.new(algo) + hasher.update(ssl.PEM_cert_to_DER_cert(cert)) + return hasher.hexdigest() + + all_files = {'packages': {}} + + for image_suffix, image_package_name, cert_file_name in \ + self.image_packages: + package_dir = 'debian/%s' % image_package_name + package_files = [] + package_modules = [] + package_files.append({'sig_type': 'efi', + 'file': 'boot/vmlinuz-%s' % image_suffix}) + for root, dirs, files in os.walk('%s/lib/modules' % package_dir, + onerror=raise_func): + for name in files: + if name.endswith('.ko'): + package_modules.append( + '%s/%s' % + (root[(len(package_dir) + 1):], name)) + package_modules.sort() + for module in package_modules: + package_files.append( + {'sig_type': 'linux-module', + 'file': module}) + package_certs = [get_cert_fingerprint(cert, 'sha256') + for cert in get_certs(cert_file_name)] + assert len(package_certs) >= 1 + all_files['packages'][image_package_name] = { + 'trusted_certs': package_certs, + 'files': package_files + } + + with open(self.template_top_dir + '/files.json', 'w') as f: + json.dump(all_files, f) + + def write_source_lintian_overrides(self): + os.makedirs(os.path.join(self.template_debian_dir, 'source'), + exist_ok=True) + with open(os.path.join(self.template_debian_dir, + 'source/lintian-overrides'), 'w') as f: + f.write(self.substitute(self.templates.get('source.lintian-overrides'), + self.vars)) + + +if __name__ == '__main__': + Gencontrol(sys.argv[1])() 
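Review bot: in do_flavour_packages of gencontrol_signed.py, the Secure Boot preconditions are checked with `assert 'CONFIG_EFI_STUB=y\n' in kconfig` and `assert 'CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y\n' in kconfig`, and get_certs enforces its PEM state machine the same way. Python drops assert statements when run with -O, so in that mode a flavour without lockdown would still be queued for signing and the certificate parser's checks would stop being enforced. Raise RuntimeError with the flavour or file name in the message, as do_featureset_setup already does for default-flavour. Two smaller points: do_arch_setup calls `super(Gencontrol, self).do_main_setup(vars, makeflags, extra)`, which deserves a comment if it is intentional, and the comment in write_changelog repeats "to refer to".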
diff --git a/debian/bin/genorig.py b/debian/bin/genorig.py new file mode 100755 index 000000000..9bf43a34e --- /dev/null +++ b/debian/bin/genorig.py 
@@ -0,0 +1,169 @@ +#!/usr/bin/python3 + +import sys +from debian import deb822 +import glob +import os +import os.path +import shutil +import subprocess +import time +import warnings + +from debian_linux.debian import Changelog, VersionLinux + + +class Main(object): + def __init__(self, input_repo, override_version): + self.log = sys.stdout.write + + self.input_repo = input_repo + + changelog = Changelog(version=VersionLinux)[0] + source = changelog.source + version = changelog.version + + if override_version: + version = VersionLinux('%s-0' % override_version) + + self.version_dfsg = version.linux_dfsg + if self.version_dfsg is None: + self.version_dfsg = '0' + + self.log('Using source name %s, version %s, dfsg %s\n' % + (source, version.upstream, self.version_dfsg)) + + self.orig = '%s-%s' % (source, version.upstream) + self.orig_tar = '%s_%s.orig.tar.xz' % (source, version.upstream) + self.tag = 'v' + version.linux_upstream_full + + def __call__(self): + import tempfile + temp_dir = tempfile.mkdtemp(prefix='genorig', dir='debian') + old_umask = os.umask(0o022) + try: + # When given a remote repo, we need a local copy. + if not self.input_repo.startswith('/') and ':' in self.input_repo: + temp_repo = os.path.join(temp_dir, 'git') + subprocess.run( + ['git', 'clone', '--bare', '--depth=1', '-b', self.tag, + self.input_repo, temp_repo], + check=True) + self.input_repo = temp_repo + + self.dir = os.path.join(temp_dir, 'export') + os.mkdir(self.dir) + self.upstream_export(self.input_repo) + + # exclude_files() will change dir mtimes. Capture the + # original release time so we can apply it to the final + # tarball. 
+ orig_date = time.strftime( + "%a, %d %b %Y %H:%M:%S +0000", + time.gmtime( + os.stat(os.path.join(self.dir, self.orig, 'Makefile')) + .st_mtime)) + + self.exclude_files() + os.umask(old_umask) + self.tar(orig_date) + finally: + os.umask(old_umask) + shutil.rmtree(temp_dir) + + def upstream_export(self, input_repo): + self.log("Exporting %s from %s\n" % (self.tag, input_repo)) + + gpg_wrapper = os.path.join(os.getcwd(), + "debian/bin/git-tag-gpg-wrapper") + verify_proc = subprocess.Popen(['git', + '-c', 'gpg.program=%s' % gpg_wrapper, + 'tag', '-v', self.tag], + cwd=input_repo) + if verify_proc.wait(): + raise RuntimeError("GPG tag verification failed") + + archive_proc = subprocess.Popen(['git', 'archive', '--format=tar', + '--prefix=%s/' % self.orig, self.tag], + cwd=input_repo, + stdout=subprocess.PIPE) + extract_proc = subprocess.Popen(['tar', '-xaf', '-'], cwd=self.dir, + stdin=archive_proc.stdout) + + ret1 = archive_proc.wait() + ret2 = extract_proc.wait() + if ret1 or ret2: + raise RuntimeError("Can't create archive") + + def exclude_files(self): + self.log("Excluding file patterns specified in debian/copyright\n") + with open("debian/copyright") as f: + header = deb822.Deb822(f) + patterns = header.get("Files-Excluded", '').strip().split() + for pattern in patterns: + matched = False + for name in glob.glob(os.path.join(self.dir, self.orig, pattern)): + try: + shutil.rmtree(name) + except NotADirectoryError: + os.unlink(name) + matched = True + if not matched: + warnings.warn("Exclusion pattern '%s' did not match anything" + % pattern, + RuntimeWarning) + + def tar(self, orig_date): + out = os.path.join("../orig", self.orig_tar) + try: + os.mkdir("../orig") + except OSError: + pass + try: + os.stat(out) + raise RuntimeError("Destination already exists") + except OSError: + pass + self.log("Generate tarball %s\n" % out) + + env = os.environ.copy() + env.update({ + 'LC_ALL': 'C', + }) + cmd = [ + 'tar', + '-C', self.dir, + '--sort=name', + 
'--mtime={}'.format(orig_date), + '--owner=root', + '--group=root', + '--use-compress-program=xz -T0', + '-cf', + out, self.orig, + ] + + try: + subprocess.run(cmd, env=env, check=True) + os.chmod(out, 0o644) + except BaseException: + try: + os.unlink(out) + except OSError: + pass + raise + try: + os.symlink(os.path.join('orig', self.orig_tar), + os.path.join('..', self.orig_tar)) + except OSError: + pass + + +if __name__ == '__main__': + from optparse import OptionParser + parser = OptionParser(usage="%prog [OPTION]... REPO") + parser.add_option("-V", "--override-version", dest="override_version", + help="Override version", metavar="VERSION") + options, args = parser.parse_args() + + assert len(args) == 1 + Main(args[0], options.override_version)() diff --git a/debian/bin/genpatch-lockdown b/debian/bin/genpatch-lockdown new file mode 100755 index 000000000..1aed0c735 --- /dev/null +++ b/debian/bin/genpatch-lockdown 
@@ -0,0 +1,109 @@ +#!/usr/bin/python3 + +import io +import os +import os.path +import re +import subprocess +import sys + + +def main(repo, range='torvalds/master..dhowells/efi-lock-down'): + patch_dir = 'debian/patches' + lockdown_patch_dir = 'features/all/lockdown' + series_name = 'series' + + # Only replace patches in this subdirectory and starting with a digit + # - the others are presumably Debian-specific for now + lockdown_patch_name_re = re.compile( + r'^' + re.escape(lockdown_patch_dir) + r'/\d') + series_before = [] + series_after = [] + + old_series = set() + new_series = set() + + try: + with open(os.path.join(patch_dir, series_name), 'r') as series_fh: + for line in series_fh: + name = line.strip() + if lockdown_patch_name_re.match(name): + old_series.add(name) + elif len(old_series) == 0: + series_before.append(line) + else: + series_after.append(line) + except FileNotFoundError: + pass + + with open(os.path.join(patch_dir, series_name), 'w') as series_fh: + for line in series_before: + series_fh.write(line) + + # Add directory prefix to all filenames. + # Add Origin to all patch headers. 
+ def add_patch(name, source_patch, origin): + name = os.path.join(lockdown_patch_dir, name) + path = os.path.join(patch_dir, name) + try: + os.unlink(path) + except FileNotFoundError: + pass + with open(path, 'w') as patch: + in_header = True + for line in source_patch: + if in_header and re.match(r'^(\n|[^\w\s]|Index:)', line): + patch.write('Origin: %s\n' % origin) + if line != '\n': + patch.write('\n') + in_header = False + patch.write(line) + series_fh.write(name) + series_fh.write('\n') + new_series.add(name) + + # XXX No signature to verify + + env = os.environ.copy() + env['GIT_DIR'] = os.path.join(repo, '.git') + args = ['git', 'format-patch', '--subject-prefix=', range] + format_proc = subprocess.Popen(args, + cwd=os.path.join(patch_dir, + lockdown_patch_dir), + env=env, stdout=subprocess.PIPE) + with io.open(format_proc.stdout.fileno(), encoding='utf-8') as pipe: + for line in pipe: + name = line.strip('\n') + with open(os.path.join(patch_dir, lockdown_patch_dir, name)) \ + as source_patch: + patch_from = source_patch.readline() + match = re.match(r'From ([0-9a-f]{40}) ', patch_from) + assert match + origin = ('https://git.kernel.org/pub/scm/linux/kernel/' + 'git/dhowells/linux-fs.git/commit?id=%s' % + match.group(1)) + add_patch(name, source_patch, origin) + + for line in series_after: + series_fh.write(line) + + for name in new_series: + if name in old_series: + old_series.remove(name) + else: + print('Added patch', os.path.join(patch_dir, name)) + + for name in old_series: + print('Obsoleted patch', os.path.join(patch_dir, name)) + + +if __name__ == '__main__': + if not (2 <= len(sys.argv) <= 3): + sys.stderr.write('''\ +Usage: %s REPO [REVISION-RANGE] +REPO is a git repo containing the REVISION-RANGE. The default range is +torvalds/master..dhowells/efi-lock-down. +''' % sys.argv[0]) + print('BASE is the base branch (default: torvalds/master).') + sys.exit(2) + main(*sys.argv[1:]) 
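Review bot: `# XXX No signature to verify` in main of genpatch-lockdown marks an open gap: the range torvalds/master..dhowells/efi-lock-down is exported with `git format-patch` and written under debian/patches with no authenticity check, whereas genorig.py and genpatch-rt verify a signed tag through git-tag-gpg-wrapper before exporting anything. If the branch carries no signed tag, print the resolved tip commit id of the range so the person running the script can compare it against a known value before committing the result, and say so in the usage text. In the usage block, `print('BASE is the base branch (default: torvalds/master).')` describes a parameter the script does not take and goes to stdout while the rest of the message goes to stderr. The parameter name `range` also shadows the builtin.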
diff --git a/debian/bin/genpatch-rt b/debian/bin/genpatch-rt new file mode 100755 index 000000000..66affb076 --- /dev/null +++ b/debian/bin/genpatch-rt 
@@ -0,0 +1,160 @@ +#!/usr/bin/python3 + +import argparse +import io +import os +import os.path +import re +import shutil +import subprocess +import sys +import tempfile + + +def main(source, version, verify_signature): + patch_dir = 'debian/patches-rt' + series_name = 'series' + old_series = set() + new_series = set() + + try: + with open(os.path.join(patch_dir, series_name), 'r') as series_fh: + for line in series_fh: + name = line.strip() + if name != '' and name[0] != '#': + old_series.add(name) + except FileNotFoundError: + pass + + with open(os.path.join(patch_dir, series_name), 'w') as series_fh: + # Add Origin to all patch headers. + def add_patch(name, source_patch, origin): + path = os.path.join(patch_dir, name) + try: + os.unlink(path) + except FileNotFoundError: + pass + with open(path, 'w') as patch: + in_header = True + for line in source_patch: + if in_header and re.match(r'^(\n|[^\w\s]|Index:)', line): + patch.write('Origin: %s\n' % origin) + if line != '\n': + patch.write('\n') + in_header = False + patch.write(line) + new_series.add(name) + + if os.path.isdir(os.path.join(source, '.git')): + # Export rebased branch from stable-rt git as patch series + up_ver = re.sub(r'-rt\d+$', '', version) + env = os.environ.copy() + env['GIT_DIR'] = os.path.join(source, '.git') + env['DEBIAN_KERNEL_KEYRING'] = 'rt-signing-key.pgp' + + if verify_signature: + # Validate tag signature + gpg_wrapper = os.path.join(os.getcwd(), + "debian/bin/git-tag-gpg-wrapper") + verify_proc = subprocess.Popen( + ['git', '-c', 'gpg.program=%s' % gpg_wrapper, + 'tag', '-v', 'v%s-rebase' % version], + env=env) + if verify_proc.wait(): + raise RuntimeError("GPG tag verification failed") + + args = ['git', 'format-patch', + 'v%s..v%s-rebase' % (up_ver, version)] + format_proc = subprocess.Popen(args, + cwd=patch_dir, + env=env, stdout=subprocess.PIPE) + with io.open(format_proc.stdout.fileno(), encoding='utf-8') \ + as pipe: + for line in pipe: + name = line.strip('\n') + with 
open(os.path.join(patch_dir, name)) as source_patch: + patch_from = source_patch.readline() + match = re.match(r'From ([0-9a-f]{40}) ', patch_from) + assert match + origin = ('https://git.kernel.org/cgit/linux/kernel/' + 'git/rt/linux-stable-rt.git/commit?id=%s' % + match.group(1)) + add_patch(name, source_patch, origin) + series_fh.write(line) + + else: + # Get version and upstream version + if version is None: + match = re.search(r'(?:^|/)patches-(.+)\.tar\.[gx]z$', source) + assert match, 'no version specified or found in filename' + version = match.group(1) + match = re.match(r'^(\d+\.\d+)(?:\.\d+|-rc\d+)?-rt\d+$', version) + assert match, 'could not parse version string' + up_ver = match.group(1) + + if verify_signature: + # Expect an accompanying signature, and validate it + source_sig = re.sub(r'.[gx]z$', '.sign', source) + unxz_proc = subprocess.Popen(['xzcat', source], + stdout=subprocess.PIPE) + verify_output = subprocess.check_output( + ['gpgv', '--status-fd', '1', + '--keyring', 'debian/upstream/rt-signing-key.pgp', + '--ignore-time-conflict', source_sig, '-'], + stdin=unxz_proc.stdout, + text=True) + if unxz_proc.wait() or \ + not re.search(r'^\[GNUPG:\]\s+VALIDSIG\s', + verify_output, re.MULTILINE): + sys.stderr.write(verify_output) + raise RuntimeError("GPG signature verification failed") + + temp_dir = tempfile.mkdtemp(prefix='rt-genpatch', dir='debian') + try: + # Unpack tarball + subprocess.check_call(['tar', '-C', temp_dir, '-xaf', source]) + source_dir = os.path.join(temp_dir, 'patches') + assert os.path.isdir(source_dir), \ + 'tarball does not contain patches directory' + + # Copy patch series + origin = ('https://www.kernel.org/pub/linux/kernel/projects/' + 'rt/%s/older/patches-%s.tar.xz' % + (up_ver, version)) + with open(os.path.join(source_dir, 'series'), 'r') \ + as source_series_fh: + for line in source_series_fh: + name = line.strip() + if name != '' and name[0] != '#': + with open(os.path.join(source_dir, name)) \ + as source_patch: + 
add_patch(name, source_patch, origin) + series_fh.write(line) + finally: + shutil.rmtree(temp_dir) + + for name in new_series: + if name in old_series: + old_series.remove(name) + else: + print('Added patch', os.path.join(patch_dir, name)) + + for name in old_series: + print('Obsoleted patch', os.path.join(patch_dir, name)) + + +if __name__ == '__main__': + parser = argparse.ArgumentParser( + description='Generate or update the rt featureset patch series') + parser.add_argument( + 'source', metavar='SOURCE', type=str, + help='tarball of patches or git repo containing the given RT-VERSION') + parser.add_argument( + 'version', metavar='RT-VERSION', type=str, nargs='?', + help='rt kernel version (optional for tarballs)') + parser.add_argument( + '--verify-signature', action=argparse.BooleanOptionalAction, + default=True, + help='verify signature on tarball (detached in .sign file) or git tag') + args = parser.parse_args() + main(args.source, args.version, args.verify_signature) diff --git a/debian/bin/getconfig.py b/debian/bin/getconfig.py new file mode 100755 index 000000000..b719a17a1 --- /dev/null +++ b/debian/bin/getconfig.py @@ -0,0 +1,25 @@ +#!/usr/bin/python3 + +import sys + +from debian_linux.config import ConfigCoreDump + +section = tuple(s or None for s in sys.argv[1:-1]) +key = sys.argv[-1] +config = ConfigCoreDump(fp=open("debian/config.defines.dump", "rb")) +try: + value = config[section][key] +except KeyError: + sys.exit(1) + +if isinstance(value, str): + # Don't iterate over it + print(value) +else: + # In case it's a sequence, try printing each item + try: + for item in value: + print(item) + except TypeError: + # Otherwise use the default format + print(value) diff --git a/debian/bin/git-tag-gpg-wrapper b/debian/bin/git-tag-gpg-wrapper new file mode 100755 index 000000000..43030206f --- /dev/null +++ b/debian/bin/git-tag-gpg-wrapper 
@@ -0,0 +1,42 @@ +#!/bin/bash -e + +# Instead of calling gpg, call gpgv and provide a local keyring + +debian_dir="$(readlink -f "$(dirname "$0")/..")" + +# Parse the expected options. If the next two lines are combined, a +# failure of getopt won't cause the script to exit. +ordered_args="$(getopt -n "$0" -o "" -l "status-fd:" -l "keyid-format:" -l "verify" -- "$@")" +eval "set -- $ordered_args" +gpgv_opts=() +while true; do + case "$1" in + --status-fd) + gpgv_opts+=(--status-fd $2) + shift 2 + ;; + --keyid-format) + # ignore + shift 2 + ;; + --verify) + # ignore + shift 1 + ;; + --) + shift 1 + break + ;; + esac +done + +keyring="$debian_dir/upstream/${DEBIAN_KERNEL_KEYRING:-signing-key.asc}" +case "$keyring" in + *.asc) + keyring_armored="$keyring" + keyring="$(mktemp)" + trap 'rm -f "$keyring"' EXIT + gpg --dearmor <"$keyring_armored" > "$keyring" + ;; +esac +gpgv "${gpgv_opts[@]}" --keyring "$keyring" -- "$@" diff --git a/debian/bin/kconfig.py b/debian/bin/kconfig.py new file mode 100755 index 000000000..6115355f4 --- /dev/null +++ b/debian/bin/kconfig.py 
@@ -0,0 +1,39 @@ +#!/usr/bin/python3 + +import optparse +import re + +from debian_linux.kconfig import KconfigFile + + +def merge(output, configs, overrides): + kconfig = KconfigFile() + for c in configs: + kconfig.read(open(c)) + for key, value in overrides.items(): + kconfig.set(key, value) + open(output, "w").write(str(kconfig)) + + +def opt_callback_dict(option, opt, value, parser): + match = re.match(r'^\s*(\S+)=(\S+)\s*$', value) + if not match: + raise optparse.OptionValueError('not key=value') + dest = option.dest + data = getattr(parser.values, dest) + data[match.group(1)] = match.group(2) + + +if __name__ == '__main__': + parser = optparse.OptionParser(usage="%prog [OPTION]... FILE...") + parser.add_option( + '-o', '--override', + action='callback', + callback=opt_callback_dict, + default={}, + dest='overrides', + help="Override option", + type='string') + options, args = parser.parse_args() + + merge(args[0], args[1:], options.overrides) diff --git a/debian/bin/no-depmod b/debian/bin/no-depmod new file mode 100755 index 000000000..ed5a8463f --- /dev/null +++ b/debian/bin/no-depmod @@ -0,0 +1,18 @@ +#!/bin/sh + +set -e + +# This is a dummy substitute for depmod. Since we run depmod during +# postinst, we do not need or want to package the files that it +# generates. + +if [ "x$1" = x-V ]; then + # Satisfy version test + echo 'not really module-init-tools' +elif [ "x$1" = x-b -a "${2%/depmod.??????}" != "$2" ]; then + # Satisfy test of short kernel versions + mkdir -p "$2/lib/modules/$3" + touch "$2/lib/modules/$3/modules.dep" +else + echo 'skipping depmod' +fi diff --git a/debian/bin/stable-update b/debian/bin/stable-update new file mode 100755 index 000000000..0ce6112bb --- /dev/null +++ b/debian/bin/stable-update 
@@ -0,0 +1,135 @@ +#!/usr/bin/python3 + +import sys +import os +import re +import subprocess + +from debian_linux.debian import Changelog, VersionLinux + + +def base_version(ver): + # Assume base version is at least 3.0, thus only 2 components wanted + match = re.match(r'^(\d+\.\d+)', ver) + assert match + return match.group(1) + + +def add_update(ver, inc): + base = base_version(ver) + if base == ver: + update = 0 + else: + update = int(ver[len(base)+1:]) + update += inc + if update == 0: + return base + else: + return '{}.{}'.format(base, update) + + +def next_update(ver): + return add_update(ver, 1) + + +def print_stable_log(log, cur_ver, new_ver): + major_ver = re.sub(r'^(\d+)\..*', r'\1', cur_ver) + while cur_ver != new_ver: + next_ver = next_update(cur_ver) + print(' https://www.kernel.org/pub/linux/kernel/v{}.x/ChangeLog-{}' + .format(major_ver, next_ver), + file=log) + log.flush() # serialise our output with git's + subprocess.check_call(['git', 'log', '--reverse', + '--pretty= - %s', + 'v{}..v{}^'.format(cur_ver, next_ver)], + stdout=log) + cur_ver = next_ver + + +def main(repo, new_ver): + if os.path.exists(os.path.join(repo, '.git')): + os.environ['GIT_DIR'] = os.path.join(repo, '.git') + else: + os.environ['GIT_DIR'] = repo + + changelog = Changelog(version=VersionLinux) + cur_pkg_ver = changelog[0].version + cur_ver = cur_pkg_ver.linux_upstream_full + + if base_version(new_ver) != base_version(cur_ver): + print('{} is not on the same stable series as {}' + .format(new_ver, cur_ver), + file=sys.stderr) + sys.exit(2) + + new_pkg_ver = new_ver + '-1' + if cur_pkg_ver.linux_revision_experimental: + new_pkg_ver += '~exp1' + + # Three possible cases: + # 1. The current version has been released so we need to add a new + # version to the changelog. + # 2. The current version has not been released so we're changing its + # version string. 
+ # (a) There are no stable updates included in the current version, + # so we need to insert an introductory line, the URL(s) and + # git log(s) and a blank line at the top. + # (b) One or more stable updates are already included in the current + # version, so we need to insert the URL(s) and git log(s) after + # them. + + changelog_intro = 'New upstream stable update:' + + # Case 1 + if changelog[0].distribution != 'UNRELEASED': + subprocess.check_call(['dch', '-v', new_pkg_ver, '-D', 'UNRELEASED', + changelog_intro]) + + with open('debian/changelog', 'r') as old_log: + with open('debian/changelog.new', 'w') as new_log: + line_no = 0 + inserted = False + intro_line = ' * {}\n'.format(changelog_intro) + + for line in old_log: + line_no += 1 + + # Case 2 + if changelog[0].distribution == 'UNRELEASED' and line_no == 1: + print('{} ({}) UNRELEASED; urgency={}' + .format(changelog[0].source, new_pkg_ver, + changelog[0].urgency), + file=new_log) + continue + + if not inserted: + # Case 2(a) + if line_no == 3 and line != intro_line: + new_log.write(intro_line) + print_stable_log(new_log, cur_ver, new_ver) + new_log.write('\n') + inserted = True + # Case 1 or 2(b) + elif line_no > 3 and line == '\n': + print_stable_log(new_log, cur_ver, new_ver) + inserted = True + + # Check that we inserted before hitting the end of the + # first version entry + assert not (line.startswith(' -- ') and not inserted) + + new_log.write(line) + + os.rename('debian/changelog.new', 'debian/changelog') + + +if __name__ == '__main__': + if len(sys.argv) != 3: + print('''\ +Usage: {} REPO VERSION +REPO is the git repository to generate a changelog from +VERSION is the stable version (without leading v)'''.format(sys.argv[0]), + file=sys.stderr) + sys.exit(2) + main(*sys.argv[1:]) diff --git a/debian/bin/stable-update.sh b/debian/bin/stable-update.sh new file mode 100755 index 000000000..bd86860c6 --- /dev/null +++ b/debian/bin/stable-update.sh 
@@ -0,0 +1,2 @@ +#!/bin/sh -e +exec "$(dirname "$0")/stable-update" "$@" diff --git a/debian/bin/test-patches b/debian/bin/test-patches new file mode 100755 index 000000000..ad0d77add --- /dev/null +++ b/debian/bin/test-patches 
@@ -0,0 +1,142 @@ +#!/bin/bash + +set -e +shopt -s extglob + +# Set defaults from the running kernel +arch="$(dpkg --print-architecture)" +kernelabi="$(uname -r)" +ff="${kernelabi#+([^-])-@(trunk|?(rc)+([0-9])|0.@(bpo|deb+([0-9])).+([0-9]))-}" +if [ "x$ff" != "x$kernelabi" ]; then + flavour="${ff#@(openvz|rt|vserver|xen)-}" + if [ "x$flavour" != "x$ff" ]; then + featureset="${ff%-$flavour}" + else + featureset=none + fi +else + flavour= + featureset=none +fi + +dbginfo= +fuzz=0 +jobs=$(nproc) + +eval "set -- $(getopt -n "$0" -o "f:gj:s:" -l "fuzz:" -- "$@")" +while true; do + case "$1" in + -f) flavour="$2"; shift 2 ;; + -g) dbginfo=y; shift 1 ;; + -j) jobs="$2"; shift 2 ;; + -s) featureset="$2"; shift 2 ;; + --fuzz) fuzz="$2"; shift 2;; + --) shift 1; break ;; + esac +done + +if [ $# -lt 1 ]; then + echo >&2 "Usage: $0 [<options>] <patch>..." + cat >&2 <<EOF +Options: + -f <flavour> specify the 'flavour' of kernel to build, e.g. 686-pae + -g enable debug info + -j <jobs> specify number of compiler jobs to run in parallel + (default: number of available processors) + -s <featureset> specify an optional featureset to apply, e.g. 
rt + --fuzz <num> set the maximum patch fuzz factor (default: 0) +EOF + exit 2 +fi + +if [ -z "$flavour" ]; then + echo >&2 "You must specify a flavour to build with the -f option" + exit 2 +fi + +profiles=nodoc,noudeb,pkg.linux.nosource,pkg.linux.mintools +if [ -z "$dbginfo" ]; then + profiles="$profiles,pkg.linux.nokerneldbg,pkg.linux.nokerneldbginfo" +fi + +# Check build-dependencies early if possible +if [ -f debian/control ]; then + dpkg-checkbuilddeps -P"$profiles" +fi + +# Append 'a~test' to Debian version; this should be less than any official +# successor and easily recognisable +version="$(dpkg-parsechangelog | sed 's/^Version: //; t; d')" +if [ "${version%a~test}" = "$version" ]; then + version="$version"a~test + dch -v "$version" --distribution UNRELEASED "Testing patches $*" +fi + +# Ignore user's .quiltrc +alias quilt='quilt --quiltrc -' + +# Try to clean up any previous test patches +if [ "$featureset" = none ]; then + patchdir=debian/patches + while patch="$(quilt top 2>/dev/null)" && \ + [ "${patch#test/}" != "$patch" ]; do + quilt pop -f + done + while patch="$(quilt next 2>/dev/null)" && \ + [ "${patch#test/}" != "$patch" ]; do + quilt delete -r "$patch" + done +else + patchdir=debian/patches-${featureset} + sed -i '/^test\//d' $patchdir/series +fi + +# Prepare a new directory for the patches +rm -rf $patchdir/test/ +mkdir $patchdir/test + +# Prepare a new directory for the config; override ABI name, featuresets, flavours +rm -rf debian/config.local +mkdir debian/config.local debian/config.local/"$arch" debian/config.local/"$arch"/"$featureset" +cat >debian/config.local/defines <<EOF +[abi] +abiname: 0.a.test +EOF +cat >debian/config.local/"$arch"/defines <<EOF +[base] +featuresets: $featureset +EOF +cat >debian/config.local/"$arch"/"$featureset"/defines <<EOF +[base] +flavours: $flavour +EOF +if [ "$featureset" = none ]; then + # default-flavour must refer to a flavour that's enabled + cat >>debian/config.local/"$arch"/"$featureset"/defines 
<<EOF +default-flavour: $flavour +EOF +fi + +# Regenerate control and included rules +rm -f debian/control debian/rules.gen +debian/rules debian/control-real && exit 1 || true +test -f debian/control +test -f debian/rules.gen + +# Check build-dependencies now that we know debian/control exists +dpkg-checkbuilddeps -P"$profiles" + +# Clean up old build; apply existing patches for featureset +debian/rules clean +debian/rules source + +# Apply the additional patches +for patch in "$@"; do + patch_abs="$(readlink -f "$patch")" + (cd "debian/build/source_${featureset}" && \ + quilt import -P "test/$(basename "$patch")" "$patch_abs" && \ + quilt push --fuzz="$fuzz") +done + +# Build selected binaries +dpkg-buildpackage -b -P"$profiles" -j"$jobs" -nc -uc diff --git a/debian/bin/update-bug-taint-list b/debian/bin/update-bug-taint-list new file mode 100755 index 000000000..76bb1fc2e --- /dev/null +++ b/debian/bin/update-bug-taint-list @@ -0,0 +1,24 @@ +#!/bin/sh -eu + +temp="$(mktemp)" +trap 'rm -f "$temp"' EXIT + +# Copy everything above the existing flag checks. +sed -rne '/^ +_check /q; p' \ + < debian/templates/image.bug/include-1tainted >"$temp" + +# Generate flag checks from the table in tainted-kernels.rst. We +# could alternatively extract them from sysctl/kernel.rst or in the C +# sources, but this is easy to find and parse and is likely to have +# the most useful descriptions. +sed -rne '/^Bit +Log +Number +Reason/,/^$/ { + s/^ *([0-9]+) +.\/(.) +[0-9]+ +(.*)/ _check \1 \2 '\''\3'\''/p + }' \ + < Documentation/admin-guide/tainted-kernels.rst >>"$temp" + +# Copy everything below the existing flag checks. +sed -rne '/^ +echo "\*\* Tainted:/,$p' \ + < debian/templates/image.bug/include-1tainted >>"$temp" + +# Update the bug script in-place. +cp "$temp" debian/templates/image.bug/include-1tainted diff --git a/debian/certs/ci-test-sign/ci-test-sign-key.pem b/debian/certs/ci-test-sign/ci-test-sign-key.pem new file mode 100644 index 000000000..edd06e3e4 --- /dev/null 
+++ b/debian/certs/ci-test-sign/ci-test-sign-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQCo/R6tgfzFlvtA +bGb9QiwyCur1JB1eRE2UmU8t39jr0VRcr6p55v71fZE+ny4rLZl3ZibsKt1YeEhq +xAg7a7UfvjzT0PWaRV7M/XcwnRfKt032lUyNtcsEiMTp299Iak/Q/jm9M0yiTYxe +W1EsXfu1QrNSe0Zo8EZr9Q6eyFnjilJNgHpOlCyxH/7ujO73tzP84cEDZejFHYlo +ypKsjO2IWLcQssnM+llOlMYZ4mx6a6TxchSMKyYl6PRLviltkK4HF6AD4D4Lgoa0 +38pHPL2kJPEW9eb1cRsnFkzK4edYxGN6si728HUY/rQFSzehSaGXjPYR6kq2OCwQ +am4LcCm/AgMBAAECggEBAJso/df1+C88N6mpXs6+yXGRULaQ2F5LfKgqM+c9FyE+ +7KTFrlOLYyHoj0neQjfnAHf+1VIW8XFfz64oHB7jAEULGTKrNDbX5vl06NE8DDJX +KEB2SPn8p1GceqD2/wawhmSwaDduOLj1VyLz2Y5RJOIDQj9DbRzBMQfC1A+6ib4/ +LscWb1e1gQvZ0FIgSv2ZlOLqdSXVizsg7Am5iCizD5O9Pbw31QfZDyd7IJqpRi63 +Wo234CZS3Hhkr2267QttVeuY9AWgtYU1f6KMRrakEpLPf1mNqVIpY3M8Ee8KoMCr +a3pl39+N9+0DI4GCF5yctmzPn4YqWg25vFVirXJFluECgYEA1bRcPQ2EzTLDjm1U +tVrh3yd6ZPdY1Tch1UhzGf7lGIMY924tZZveDpWs7VGJMGO8hHTdo8Ku32AolJKA +yMW+P05+EcXo0GR8xcJ4Ol3yeJrblWhO4UNiQrTxhE6yy/g25zgVKcKUfbdkq7Cu +VOZpmNlh3bM4Iwno8ZGxvUI+GBcCgYEAym8r9G2MWFCmH6w6cOkt2EpOlzCEKLZ5 +q1nlZXTQBG+UB3EUPxZBviPTAjzZgfY1YS6SFZCb+fFEsVzGUAcz00xH6H2tHgmK +NoCX1bzqA7qDWjs2Dr2x33803jhRClQr/hg3rCwfoAkkImX2tPEf/URF6b5MuxgB +JPAT98lg3JkCgYEAzMG/8vtl99ogxvF4TT9j1ZWUzvKzma72as29AvZX+XF61XAq +bQW38I92nfgWk1esg9kZl9NsDDitCRWJ8VSOIUgKwOq4VBtD9ZOL8JidPvNZW0ES ++wC+QB3wno1tAMO1jzsMA/QcpIu4GEzz7ALMwJfgDjSun9vZ5sNq4mR67EcCgYEA +ibqbsEC8ZPXyIMiANoQfofHkiK8Eq+KC41dVYPLZ+Lqlf26rNMUC08fx76rQ3cBS +zxztXWi3BpXlg7q4XoiX9SIIJqEjILWi6LQTGePfX8wNRF3WyK69j28v3CV61ckw +6T822Zhnp+2wPQsckD0h46II4yCLehu545TIMSU9FrkCgYEAin/3RTg2V0v/36AR +YSMfZvfd+DCQ2Vm1WJQWfPJhdzb/L8DzFei0DDAbPFIiz5CFt9yyCIaag5XE0NqP +gHq3xaNmYqV2LLDX8lswmpeqUN0YpEKUwrT/CGuRLWMJYc2WwbGGgQIOc53nx+Ku +6DKedX7qLoifu/3fq69hNrMXsFs= +-----END PRIVATE KEY----- diff --git a/debian/certs/ci-test-sign/ci-test-sign.pem b/debian/certs/ci-test-sign/ci-test-sign.pem new file mode 100644 index 000000000..7f2f4d00a --- /dev/null 
+++ b/debian/certs/ci-test-sign/ci-test-sign.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDEzCCAfugAwIBAgIUM0ot4Y+xMV7+tm0g9Yp70GPmizQwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAwwOVGVzdCBTaWduZXIgQ0EwHhcNMjIwMjA1MTgyOTIzWhcN +MjIwMzA3MTgyOTIzWjAZMRcwFQYDVQQDDA5UZXN0IFNpZ25lciBDQTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj9Hq2B/MWW+0BsZv1CLDIK6vUkHV5E +TZSZTy3f2OvRVFyvqnnm/vV9kT6fListmXdmJuwq3Vh4SGrECDtrtR++PNPQ9ZpF +Xsz9dzCdF8q3TfaVTI21ywSIxOnb30hqT9D+Ob0zTKJNjF5bUSxd+7VCs1J7Rmjw +Rmv1Dp7IWeOKUk2Aek6ULLEf/u6M7ve3M/zhwQNl6MUdiWjKkqyM7YhYtxCyycz6 +WU6UxhnibHprpPFyFIwrJiXo9Eu+KW2QrgcXoAPgPguChrTfykc8vaQk8Rb15vVx +GycWTMrh51jEY3qyLvbwdRj+tAVLN6FJoZeM9hHqSrY4LBBqbgtwKb8CAwEAAaNT +MFEwHQYDVR0OBBYEFJ2vFS8iN46NNzlnI73JPOXy+8ydMB8GA1UdIwQYMBaAFJ2v +FS8iN46NNzlnI73JPOXy+8ydMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL +BQADggEBAFRNfEbkBd0dKw7Ch4b9GMi4yDHFBN9d9KBe6Il92hojluBlQXTBvyKM +OPN12k7CTTHDN1RCLfHaPQl9lrZILgMLI3y5KdLYPhaaGuGwihIUObcNVetU+TGa +iMgdIsRSnF1LaYb5z56mJnnHSYA+5eq+Lnpy+jT7JhXrs0jL2JB7n36lYarpDE0Q +yby09tTHw8fJFONQ2UfUUJu52wcT8hrSygZR0msDz27/l0KmKgKtmM039hZW3Ssa +PZlVfQe3j7lZ0kPi/W9RhA+3LPDdHmjJYhTS2gtCLfeAaaXGj9sFEpMfGbF8Hgl4 +OjiEuTKPVoApKbpa6islqK3O6GR86WE= +-----END CERTIFICATE----- diff --git a/debian/certs/debian-uefi-certs.pem b/debian/certs/debian-uefi-certs.pem new file mode 100644 index 000000000..326a2be37 --- /dev/null +++ b/debian/certs/debian-uefi-certs.pem 
@@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIRAO1UodWvh0iUjZ+JMu6cfDQwDQYJKoZIhvcNAQELBQAw +IDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290IENBMB4XDTE2MDgxNjE4MDkx +OFoXDTQ2MDgwOTE4MDkxOFowIDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290 +IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnZXUi5vaEKwuyoI3 +waTLSsMbQpPCeinTbt1kr4Cv6maiG2GcgwzFa7k1Jf/F++gpQ97OSz3GEk2x7yZD +lWjNBBH+wiSb3hTYhlHoOEO9sZoV5Qhr+FRQi7NLX/wU5DVQfAux4gOEqDZI5IDo +6p/6v8UYe17OHL4sgHhJNRXAIc/vZtWKlggrZi9IF7Hn7IKPB+bK4F9xJDlQCo7R +cihQpZ0h9ONhugkDZsjfTiY2CxUPYx8rr6vEKKJWZIWNplVBrjyIld3Qbdkp29jE +aLX89FeJaxTb4O/uQA1iH+pY1KPYugOmly7FaxOkkXemta0jp+sKSRRGfHbpnjK0 +ia9XeQIDAQABo4HSMIHPMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAoYlaHR0 +cHM6Ly9kc2EuZGViaWFuLm9yZy9zZWN1cmUtYm9vdC1jYTAfBgNVHSMEGDAWgBRs +zs5+TGwNH2FJ890n38xcu0GeoTAUBglghkgBhvhCAQEBAf8EBAMCAPcwEwYDVR0l +BAwwCgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8w +HQYDVR0OBBYEFGzOzn5MbA0fYUnz3SffzFy7QZ6hMA0GCSqGSIb3DQEBCwUAA4IB +AQB3lj5Hyc4Jz4uJzlntJg4mC7mtqSu9oeuIeQL/Md7+9WoH72ETEXAev5xOZmzh +YhKXAVdlR91Kxvf03qjxE2LMg1esPKaRFa9VJnJpLhTN3U2z0WAkLTJPGWwRXvKj +8qFfYg8wrq3xSGZkfTZEDQY0PS6vjp3DrcKR2Dfg7npfgjtnjgCKxKTfNRbCcitM +UdeTk566CA1Zl/LiKaBETeru+D4CYMoVz06aJZGEP7dax+68a4Cj2f2ybXoeYxTr +7/GwQCXV6A6B62v3y//lIQAiLC6aNWASS1tfOEaEDAacz3KTYhjuXJjWs30GJTmV +305gdrAGewiwbuNknyFWrTkP +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDQzCCAiugAwIBAgIUMqAof4QaA2+jk8HgZcQ65rJCJkMwDQYJKoZIhvcNAQEL +BQAwIDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290IENBMB4XDTIyMDgxODE3 +MzIzN1oXDTMyMDgxNTE3MzIzN1owMTEvMC0GA1UEAwwmRGViaWFuIFNlY3VyZSBC +b290IFNpZ25lciAyMDIyIC0gbGludXgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCv6LgqfsYKPyGcgP12nHWFbtEJDUdixV8n+gOWMgLANs9+NjexyJ4o +V3iG3qTDqm1VGIdQfnf0cEmh3bS1tuoPDZcGU9HaDKq8oPjYyJd9G/aO6sGHKCc3 +aIAvLnPkfH7EfiaxshFwthOeH3yt/K54ICnT6aCWQjDsJz2TCr3s+1izRuv6/VJ8 +/aNPI+RySpeUVtdKT1CQjb4N8HphWS7ZkDbWwVW0dHsZHPXhq0Gd729ctKo0/003 +Is7cw3TSSUHKCatRjVIImTwUiGNqlQe386dIBMjFzTddh19spvU0ootdCkiGShId 
+Hz6YoDscyb+SQsmIaiXo1nwd2SABFlRLAgMBAAGjZDBiMAsGA1UdDwQEAwIHgDAT +BgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUFAESScJnXqjlFIVCICAFgQWE +sl8wHwYDVR0jBBgwFoAUbM7OfkxsDR9hSfPdJ9/MXLtBnqEwDQYJKoZIhvcNAQEL +BQADggEBAJg1omf+js6HaUsZvSBIwEu9qHyEjMcjo0yvc22dKi5Kzxclo+Vmr99/ +rpXjsXMlskPeWIQS7iUOvS/oupmqQq9+0rHMXu/lTP2ITh9IjHwEx2zWEPIOlmYJ +wCYpta7YeX5YExb32f9wJYIJZidHy9p5I0jOIgAInv8J4NZUG14LPxI6I4hfYI1p +mruMdxPS0hllzPbs6rZ2LwWVtNjuPhfmMt4eMKOl4ThXWhoiwvkTOJpDkaCPgnzT +h507wBcDBquUKtDwGnQcQdPWfxMyA8b2v05PXMQS2cH/xJ5th8M+IU4DUfigYGYN +ce00ryZ2rpZIqHs1H1Xc5xJpusY1Q+w= +-----END CERTIFICATE----- diff --git a/debian/certs/wireless-regdb-benh@debian.org.pem b/debian/certs/wireless-regdb-benh@debian.org.pem new file mode 100644 index 000000000..da3981d84 --- /dev/null +++ b/debian/certs/wireless-regdb-benh@debian.org.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICvTCCAaUCFFd+Ahy5gODoIIIbp7VLSWG4tPrfMA0GCSqGSIb3DQEBCwUAMBox +GDAWBgNVBAMMD2JlbmhAZGViaWFuLm9yZzAgFw0yMDAxMzAxMzI2MTNaGA8yMTIw +MDEwNjEzMjYxM1owGjEYMBYGA1UEAwwPYmVuaEBkZWJpYW4ub3JnMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAneF3oCSg1XllOgeQyfalph+EHCMHS0+l +A8YP91TVi355gQDS6T30l/6EzVW9yY8hV4gGOZBmQSZ5LMo/lYcBES8vsOELQ/xf +L09nBNtNt3JN0cV2c02RabBxFzbqqwo6zZWbdhuOIRePxQK/JMfAQLE7xIB8caVR +3Pc6WH+xB4GKENH2kxdx4PpReRXU14+tvW844SZ9vPA+gIm07I5pkNuXivAjI4OC +O2qxrOvnmXQqNY6pZP1GnujlSGExbub8GRhUwxtP1gBEhxw3Rer1ycsPDFXsz2rC +RSYjojFSTe4hff1YcsIoxY6p0O4Bdwil8CIrR3krz5pGtY/9ZKK17QIDAQABMA0G +CSqGSIb3DQEBCwUAA4IBAQAgRP6pnt2b6s4ldQjwK1P3WjYcSiN/0EE8Eiu5gE6K +FV0fQKcmKDLDWwYoLT0ICR4B6WfjM+YVRTnuF4PbQv9/NfSsFtu6uBogIUH/85L/ +ZW4pFtC/jd9ILHM2fyLm7ni0Y4MOOeuvECqQ0/zmw4+XW3a/m/WY0lMGi/ikBJsb +YmqdrOZLDcnXVmMVATiMvvFExDgn4M9y1j3k90s70rEM1YNtHhAEaSmIaeB919u0 +WXKNnTxDr8Z9tyEVUorpm2su6Cc8Py2E+5oiCp9qJeY55HRztipwqh3LzNSgGyZx +YwTFEiFIupInBqg+baFDpdIq98rEJuhbH+TcidwfBHk/ +-----END CERTIFICATE----- 
diff --git a/debian/certs/wireless-regdb-romain.perier@gmail.com.pem b/debian/certs/wireless-regdb-romain.perier@gmail.com.pem new file mode 100644 index 000000000..b20d608e8 --- /dev/null +++ b/debian/certs/wireless-regdb-romain.perier@gmail.com.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzTCCAbUCFDq7xuwUbgnRtgFqudbPcd0jPwMoMA0GCSqGSIb3DQEBCwUAMCIx +IDAeBgNVBAMMF3JvbWFpbi5wZXJpZXJAZ21haWwuY29tMCAXDTIwMDIyNDE5MDE0 +NFoYDzIxMjAwMTMxMTkwMTQ0WjAiMSAwHgYDVQQDDBdyb21haW4ucGVyaWVyQGdt +YWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPC4Tz9wePh0 +RaIorwR1BKPzp8cErLbh/OHAPeAmkIpFYMR18xozN1Z9MAd1DqZ5BpWdFzwJqX+r +lV3t4HUmL2VlzWGxMydnQaEBE+kTam1OmOGeewtbRO9oWm99l6EzIpcSIQmPkOAl +lN2KOvdKYAQmbQCC5M9kHHkVJPJChvUQhqwgiJCH34w3fL811W+fd8PNaSUGwmVR +cYl/bk3l1Yo2Gq3BGNYUQofwk4PxmXTEE6o7ZoVv4LxftkCmQQYKug7pMkQQOVPN +v/PTJva2K0AuuYjB9OOgKHdPuqjKnAW6iJaZVImijfNzoYxKqHHuLtKDFEi9mMbO +3Kijly5AFi8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdl0DPbaWABtuDN27yN+8 +62wBQBorB2ChGuFDV/q+3ruPc/OSoqqDAcEX5J0JQeAyM5dL8twPi6i4WgSG9nGh +l9BUVhCOVJkNKqmvG1VZBiukX7FUpuzH1kPuhiybGJ2PAILBiGEWhTwXVv5qoHpo +xXs9PLYTGJltdGUTZ7f8WkRIcqBzuP8CnXxb+Xx1CjyBgDxB8tX6PR/j2oylFx9T +GnWtThEcB+wKaf0z+jJ+ZvUp6E2K+g1LaMOVEbpvHgeMhcfHycEwo3CwoeDVhRWU +d8EckfFfUM0sV0siT+6V16ekWWKuub/XY1oE/CQRrjRL9AyfC1l9JzlUaU/9bkSf +IQ== +-----END CERTIFICATE----- diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 000000000..6d603a5e6 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,38412 @@ +linux (6.1.76-1) bookworm; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.70 + - bpf: Fix prog_array_map_poke_run map poke update + - HID: i2c-hid: acpi: Unify ACPI ID tables format + - HID: i2c-hid: Add IDEA5002 to i2c_hid_acpi_blacklist[] + - drm/amd/display: fix hw rotated modes when PSR-SU is enabled + - [armhf] OMAP2+: Fix null pointer dereference and memory leak in + omap_soc_device_init + - reset: Fix crash when freeing non-existent optional resets + - [s390x] vx: fix save/restore of fpu kernel context + - wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock + - wifi: mac80211: check if the existing link config remains unchanged + - wifi: mac80211: mesh: check element parsing succeeded + - wifi: mac80211: mesh_plink: fix matches_local logic + - Revert "net/mlx5e: fix double free of encap_header in update funcs" + - Revert "net/mlx5e: fix double free of encap_header" + - net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() + - net/mlx5: Introduce and use opcode getter in command interface + - net/mlx5: Prevent high-rate FW commands from populating all slots + - net/mlx5: Re-organize mlx5_cmd struct + - net/mlx5e: Fix a race in command alloc flow + - net/mlx5e: fix a potential double-free in fs_udp_create_groups + - net/mlx5: Fix fw tracer first block check + - net/mlx5e: Correct snprintf truncation handling for fw_version buffer + - net/mlx5e: Correct snprintf truncation handling for fw_version buffer used + by representors + - [arm64] net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511 and + above + - net: Return error from sk_stream_wait_connect() if sk_wait_event() fails + - net: sched: ife: fix potential use-after-free + - ethernet: atheros: fix a memleak in atl1e_setup_ring_resources + - net/rose: fix races in rose_kill_by_device() + - Bluetooth: Fix deadlock in vhci_send_frame + - Bluetooth: hci_event: shut up a false-positive 
warning + - net: mana: select PAGE_POOL + - net: check vlan filter feature in vlan_vids_add_by_dev() and + vlan_vids_del_by_dev() + - afs: Fix the dynamic root's d_delete to always delete unused dentries + - afs: Fix dynamic root lookup DNS check + - net: check dev->gso_max_size in gso_features_check() + - keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry + - afs: Fix overwriting of result of DNS query + - afs: Fix use-after-free due to get/remove race in volume tree + - [arm64,armhf] ASoC: hdmi-codec: fix missing report for jack initial status + - [arm64] ASoC: fsl_sai: Fix channel swap issue on i.MX8MP + - [armhf] i2c: aspeed: Handle the coalesced stop conditions with the start + conditions. + - gpiolib: cdev: add gpio_device locking wrapper around gpio_ioctl() + - nvme-pci: fix sleeping function called from interrupt context + - [x86] drm/i915/mtl: limit second scaler vertical scaling in ver >= 14 + - [x86] drm/i915: Relocate intel_atomic_setup_scalers() + - [x86] drm/i915: Fix intel_atomic_setup_scalers() plane_state handling + - [x86] drm/i915/dpt: Only do the POT stride remap when using DPT + - [x86] drm/i915/mtl: Add MTL for remapping CCS FBs + - [x86] drm/i915: Fix ADL+ tiled plane stride when the POT stride is smaller + than the original + - iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw + - interconnect: qcom: sm8250: Enable sync_state + - scsi: bnx2fc: Fix skb double free in bnx2fc_rcv() + - iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time + table + - [armhf] iio: adc: ti_am335x_adc: Fix return value check of + tiadc_request_dma() + - iio: triggered-buffer: prevent possible freeing of wrong buffer + - ALSA: usb-audio: Increase delay in MOTU M quirk + - usb-storage: Add quirk for incorrect WP on Kingston DT Ultimate 3.0 G3 + - wifi: cfg80211: Add my certificate + - wifi: cfg80211: fix certs build to not depend on file order + - USB: serial: ftdi_sio: update Actisense PIDs constant 
names + - USB: serial: option: add Quectel EG912Y module support + - USB: serial: option: add Foxconn T99W265 with new baseline + - USB: serial: option: add Quectel RM500Q R13 firmware support + - ALSA: hda/realtek: Add quirk for ASUS ROG GV302XA + - Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent + - Bluetooth: L2CAP: Send reject on command corrupted request + - Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE + - Bluetooth: Add more enc key size check + - net: usb: ax88179_178a: avoid failed operations when device is + disconnected + - [x86] Input: soc_button_array - add mapping for airplane mode button + - net: 9p: avoid freeing uninit memory in p9pdu_vreadf + - net: rfkill: gpio: set GPIO direction + - dt-bindings: nvmem: mxs-ocotp: Document fsl,ocotp + - smb: client: fix OOB in cifsd when receiving compounded resps + - smb: client: fix potential OOB in cifs_dump_detail() + - smb: client: fix OOB in SMB2_query_info_init() + - smb: client: fix OOB in smbCalcSize() (CVE-2023-6606) + - [x86] drm/i915: Reject async flips with bigjoiner + - 9p: prevent read overrun in protocol dump tracepoint + - [riscv64] Fix do_notify_resume / do_work_pending prototype + - loop: do not enforce max_loop hard limit by (new) default + - dm thin metadata: Fix ABBA deadlock by resetting dm_bufio_client + - Revert "drm/amd/display: Do not set DRR on pipe commit" + - btrfs: zoned: no longer count fresh BG region as zone unusable + - ubifs: fix possible dereference after free + - ublk: move ublk_cancel_dev() out of ub->mutex + - scsi: core: Always send batch on reset or error handling command + - tracing / synthetic: Disable events after testing in + synth_event_gen_test_init() + - dm-integrity: don't modify bio's immutable bio_vec in integrity_metadata() + - pinctrl: starfive: jh7100: ignore disabled device tree nodes + - [armhf] bus: ti-sysc: Flush posted write only after srst_udelay + - lib/vsprintf: Fix %pfwf when current node refcount == 0 + - 
[x86] thunderbolt: Fix memory leak in margining_port_remove() + - [arm64] KVM: arm64: vgic: Simplify kvm_vgic_destroy() + - [arm64] KVM: arm64: vgic: Add a non-locking primitive for + kvm_vgic_vcpu_destroy() + - [arm64] KVM: arm64: vgic: Force vcpu vgic teardown on vcpu destroy + - [x86] alternatives: Sync core before enabling interrupts + - fuse: share lookup state between submount and its parent + - wifi: cfg80211: fix CQM for non-range use + - wifi: nl80211: fix deadlock in nl80211_set_cqm_rssi (6.6.x) + - loop: deprecate autoloading callback loop_probe() + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.71 + - ksmbd: replace one-element arrays with flexible-array members + - ksmbd: set SMB2_SESSION_FLAG_ENCRYPT_DATA when enforcing data encryption + for this share + - ksmbd: use F_SETLK when unlocking a file + - ksmbd: Fix resource leak in smb2_lock() + - ksmbd: Convert to use sysfs_emit()/sysfs_emit_at() APIs + - ksmbd: Implements sess->rpc_handle_list as xarray + - ksmbd: fix typo, syncronous->synchronous + - ksmbd: Remove duplicated codes + - ksmbd: update Kconfig to note Kerberos support and fix indentation + - ksmbd: Fix spelling mistake "excceed" -> "exceeded" + - ksmbd: Fix parameter name and comment mismatch + - ksmbd: remove unused is_char_allowed function + - ksmbd: delete asynchronous work from list (CVE-2023-1193) + - ksmbd: set NegotiateContextCount once instead of every inc + - ksmbd: avoid duplicate negotiate ctx offset increments + - ksmbd: remove unused compression negotiate ctx packing + - fs: introduce lock_rename_child() helper + - ksmbd: fix racy issue from using ->d_parent and ->d_name + - ksmbd: fix uninitialized pointer read in ksmbd_vfs_rename() + - ksmbd: fix uninitialized pointer read in smb2_create_link() + - ksmbd: call putname after using the last component + - ksmbd: fix posix_acls and acls dereferencing possible ERR_PTR() + - ksmbd: add mnt_want_write to ksmbd vfs functions + - ksmbd: remove unused ksmbd_tree_conn_share 
function + - ksmbd: use kzalloc() instead of __GFP_ZERO + - ksmbd: return a literal instead of 'err' in ksmbd_vfs_kern_path_locked() + - ksmbd: Change the return value of ksmbd_vfs_query_maximal_access to void + - ksmbd: use kvzalloc instead of kvmalloc + - ksmbd: Replace the ternary conditional operator with min() + - ksmbd: Use struct_size() helper in ksmbd_negotiate_smb_dialect() + - ksmbd: Replace one-element array with flexible-array member + - ksmbd: Fix unsigned expression compared with zero + - ksmbd: check if a mount point is crossed during path lookup + - ksmbd: switch to use kmemdup_nul() helper + - ksmbd: add support for read compound + - ksmbd: fix wrong interim response on compound + - ksmbd: fix `force create mode' and `force directory mode' + - ksmbd: Fix one kernel-doc comment + - ksmbd: add missing calling smb2_set_err_rsp() on error + - ksmbd: remove experimental warning + - ksmbd: remove unneeded mark_inode_dirty in set_info_sec() + - ksmbd: fix passing freed memory 'aux_payload_buf' + - ksmbd: return invalid parameter error response if smb2 request is invalid + - ksmbd: check iov vector index in ksmbd_conn_write() + - ksmbd: fix race condition with fp + - ksmbd: fix race condition from parallel smb2 logoff requests + - ksmbd: fix race condition from parallel smb2 lock requests + - ksmbd: fix race condition between tree conn lookup and disconnect + - ksmbd: fix wrong error response status by using set_smb2_rsp_status() + - ksmbd: fix Null pointer dereferences in ksmbd_update_fstate() + - ksmbd: fix potential double free on smb2_read_pipe() error path + - ksmbd: Remove unused field in ksmbd_user struct + - ksmbd: reorganize ksmbd_iov_pin_rsp() + - ksmbd: fix kernel-doc comment of ksmbd_vfs_setxattr() + - ksmbd: fix recursive locking in vfs helpers + - ksmbd: fix missing RDMA-capable flag for IPoIB device in + ksmbd_rdma_capable_netdev() + - ksmbd: add support for surrogate pair conversion + - ksmbd: no need to wait for binded connection 
termination at logoff + - ksmbd: fix kernel-doc comment of ksmbd_vfs_kern_path_locked() + - ksmbd: prevent memory leak on error return + - ksmbd: fix possible deadlock in smb2_open + - ksmbd: separately allocate ci per dentry + - ksmbd: move oplock handling after unlock parent dir + - ksmbd: release interim response after sending status pending response + - ksmbd: move setting SMB2_FLAGS_ASYNC_COMMAND and AsyncId + - ksmbd: don't update ->op_state as OPLOCK_STATE_NONE on error + - ksmbd: set epoch in create context v2 lease + - ksmbd: set v2 lease capability + - ksmbd: downgrade RWH lease caching state to RH for directory + - ksmbd: send v2 lease break notification for directory + - ksmbd: lazy v2 lease break on smb2_write() + - ksmbd: avoid duplicate opinfo_put() call on error of + smb21_lease_break_ack() + - ksmbd: fix wrong allocation size update in smb2_open() + - spi: Introduce spi_get_device_match_data() helper + - iio: imu: adis16475: add spi_device_id table + - nfsd: separate nfsd_last_thread() from nfsd_put() + - nfsd: call nfsd_last_thread() before final nfsd_put() + - linux/export: Ensure natural alignment of kcrctab array + - spi: Reintroduce spi_set_cs_timing() + - spi: Add APIs in spi core to set/get spi->chip_select and spi->cs_gpiod + - block: renumber QUEUE_FLAG_HW_WC + - ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16() (CVE-2024-22705) + - mm/filemap: avoid buffered read/write race to read inconsistent data + - mm: migrate high-order folios in swap cache correctly + - mm/memory-failure: cast index to loff_t before shifting it + - mm/memory-failure: check the mapcount of the precise page + - ring-buffer: Fix wake ups when buffer_percent is set to 100 + - tracing: Fix blocked reader of snapshot buffer + - ring-buffer: Remove useless update to write_stamp in rb_try_to_discard() + - ring-buffer: Fix slowpath of interrupted event + - NFSD: fix possible oops when nfsd/pool_stats is closed. 
+ - spi: Constify spi parameters of chip select APIs + - device property: Allow const parameter to dev_fwnode() + - kallsyms: Make module_kallsyms_on_each_symbol generally available + - tracing/kprobes: Fix symbol counting logic by looking at modules as well + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.72 + - keys, dns: Fix missing size check of V1 server-list header + - block: Don't invalidate pagecache for invalid falloc modes + - ALSA: hda/realtek: enable SND_PCI_QUIRK for hp pavilion 14-ec1xxx series + - ALSA: hda/realtek: fix mute/micmute LEDs for a HP ZBook + - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP ProBook 440 G6 + - mptcp: prevent tcp diag from closing listener subflows + - Revert "PCI/ASPM: Remove pcie_aspm_pm_state_change()" + - [x86] drm/mgag200: Fix gamma lut not initialized for G200ER, G200EV, + G200SE + - cifs: cifs_chan_is_iface_active should be called with chan_lock held + - cifs: do not depend on release_iface for maintaining iface_list + - [x86] KVM: x86/pmu: fix masking logic for MSR_CORE_PERF_GLOBAL_CTRL + - wifi: iwlwifi: pcie: don't synchronize IRQs from IRQ (Closes: #1058887) + - [arm64] drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in + AUX xfer + - netfilter: use skb_ip_totlen and iph_totlen + - netfilter: nf_tables: set transport offset from mac header for + netdev/egress + - nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to + llcp_local + - [x86] drm/i915/dp: Fix passing the correct DPCD_REV for + drm_dp_set_phy_test_pattern + - ice: Fix link_down_on_close message + - ice: Shut down VSI with "link-down-on-close" enabled + - i40e: Fix filter input checks to prevent config with invalid values + - igc: Report VLAN EtherType matching back to user + - igc: Check VLAN TCI mask + - igc: Check VLAN EtherType mask + - net: sched: em_text: fix possible memory leak in em_text_destroy() + - r8169: Fix PCI error on system resume + - can: raw: add support for SO_MARK + - net-timestamp: 
extend SOF_TIMESTAMPING_OPT_ID to HW timestamps + - net: annotate data-races around sk->sk_tsflags + - net: annotate data-races around sk->sk_bind_phc + - net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) + - [armhf] sun9i: smp: Fix array-index-out-of-bounds read in + sunxi_mc_smp_init + - sfc: fix a double-free bug in efx_probe_filters + - [arm64] net: bcmgenet: Fix FCS generation for fragmented skbuffs + - netfilter: nft_immediate: drop chain reference counter on error + - net: Save and restore msg_namelen in sock_sendmsg + - i40e: fix use-after-free in i40e_aqc_add_filters() + - [arm64] ASoC: meson: g12a-toacodec: Validate written enum values + - [arm64] ASoC: meson: g12a-tohdmitx: Validate written enum values + - [arm64] ASoC: meson: g12a-toacodec: Fix event generation + - [arm64] ASoC: meson: g12a-tohdmitx: Fix event generation for S/PDIF mux + - i40e: Restore VF MSI-X state during PCI reset + - igc: Fix hicredit calculation + - net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues + - net/smc: fix invalid link access in dumping SMC-R connections + - asix: Add check for usbnet_get_endpoints + - bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters() + - net: Implement missing SO_TIMESTAMPING_NEW cmsg support + - cpu/SMT: Create topology_smt_thread_allowed() + - cpu/SMT: Make SMT control more robust against enumeration failures + - srcu: Fix callbacks acceleration mishandling + - [x86] bpf, x64: Fix tailcall infinite loop + - [x86] bpf, x86: Simplify the parsing logic of structure parameters + - [x86] bpf, x86: save/restore regs with BPF_DW size + - net: Declare MSG_SPLICE_PAGES internal sendmsg() flag + - udp: Convert udp_sendpage() to use MSG_SPLICE_PAGES + - splice, net: Add a splice_eof op to file-ops and socket-ops + - ipv4, ipv6: Use splice_eof() to flush + - udp: introduce udp->udp_flags + - udp: move udp->no_check6_tx to udp->udp_flags + - udp: move udp->no_check6_rx to udp->udp_flags + - udp: move udp->gro_enabled to udp->udp_flags + - 
udp: move udp->accept_udp_{l4|fraglist} to udp->udp_flags + - udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO + - udp: annotate data-races around udp->encap_type + - wifi: iwlwifi: yoyo: swap cdb and jacket bits values + - [arm64] dts: qcom: sdm845: align RPMh regulator nodes with bindings + - [arm64] dts: qcom: sdm845: Fix PSCI power domain names + - bpf: decouple prune and jump points + - bpf: remove unnecessary prune and jump points + - bpf: Remove unused insn_cnt argument from visit_[func_call_]insn() + - bpf: clean up visit_insn()'s instruction processing + - bpf: Support new 32bit offset jmp instruction + - bpf: handle ldimm64 properly in check_cfg() + - bpf: fix precision backtracking instruction iteration + - blk-mq: make sure active queue usage is held for bio_integrity_prep() + - net/mlx5: Increase size of irq name buffer + - [s390x] mm: add missing arch_set_page_dat() call to vmem_crst_alloc() + - [s390x] cpumf: support user space events for counting + - f2fs: clean up i_compress_flag and i_compress_level usage + - f2fs: convert to use bitmap API + - f2fs: assign default compression level + - f2fs: set the default compress_level on ioctl + - ext4: convert move_extent_per_page() to use folios + - khugepage: replace try_to_release_page() with filemap_release_folio() + - memory-failure: convert truncate_error_page() to use folio + - mm: merge folio_has_private()/filemap_release_folio() call pairs + - mm, netfs, fscache: stop read optimisation when folio removed from + pagecache + - filemap: add a per-mapping stable writes flag + - block: update the stable_writes flag in bdev_add + - smb: client: fix missing mode bits for SMB symlinks + - net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats + - dpaa2-eth: recycle the RX buffer only after all processing done + - ethtool: don't propagate EOPNOTSUPP from dumps + - bpf, sockmap: af_unix stream sockets need to hold ref for pair sock + - [arm64] firmware: arm_scmi: Fix frequency truncation by promoting + 
multiplier type + - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 + - genirq/affinity: Remove the 'firstvec' parameter from + irq_build_affinity_masks + - genirq/affinity: Pass affinity managed mask array to + irq_build_affinity_masks + - genirq/affinity: Don't pass irq_affinity_desc array to + irq_build_affinity_masks + - genirq/affinity: Rename irq_build_affinity_masks as group_cpus_evenly + - genirq/affinity: Move group_cpus_evenly() into lib/ + - lib/group_cpus.c: avoid acquiring cpu hotplug lock in group_cpus_evenly + - mm/memory_hotplug: add missing mem_hotplug_lock + - mm/memory_hotplug: fix error handling in add_memory_resource() + - net: sched: call tcf_ct_params_free to free params in tcf_ct_init + - netfilter: flowtable: allow unidirectional rules + - netfilter: flowtable: cache info of last offload + - net/sched: act_ct: offload UDP NEW connections + - net/sched: act_ct: Fix promotion of offloaded unreplied tuple + - netfilter: flowtable: GC pushes back packets to classic path + - net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table + - btrfs: fix qgroup_free_reserved_data int overflow + - btrfs: mark the len field in struct btrfs_ordered_sum as unsigned + - ring-buffer: Fix 32-bit rb_time_read() race with rb_time_cmpxchg() + - firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines + and ASM108x/VT630x PCIe cards + - [x86] kprobes: fix incorrect return address calculation in + kprobe_emulate_call_indirect + - mm: fix unmap_mapping_range high bits shift bug + - drm/amdgpu: skip gpu_info fw loading on navi12 + - drm/amd/display: add nv12 bounding box + - mmc: rpmb: fixes pause retune on all RPMB partitions. 
+ - mmc: core: Cancel delayed work before releasing host + - genirq/affinity: Only build SMP-only helper functions on SMP kernels + - f2fs: compress: fix to assign compress_level for lz4 correctly + - net/sched: act_ct: additional checks for outdated flows + - net/sched: act_ct: Always fill offloading tuple iifidx + - bpf: Fix a verifier bug due to incorrect branch offset comparison with + cpu=v4 + - bpf: syzkaller found null ptr deref in unix_bpf proto add + - smb3: Replace smb2pdu 1-element arrays with flex-arrays + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.73 + - Revert "nfsd: call nfsd_last_thread() before final nfsd_put()" + - Revert "nfsd: separate nfsd_last_thread() from nfsd_put()" + - ipv6: remove max_size check inline with ipv4 (CVE-2023-52340) + - cifs: fix flushing folio regression for 6.1 backport (Closes: #1060005) + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.74 + - f2fs: explicitly null-terminate the xattr list + - ALSA: hda - Fix speaker and headset mic pin config for CHUWI CoreBook XPro + - mptcp: fix uninit-value in mptcp_incoming_options + - wifi: cfg80211: lock wiphy mutex for rfkill poll + - wifi: avoid offset calculation on NULL pointer + - wifi: mac80211: handle 320 MHz in ieee80211_ht_cap_ie_to_sta_ht_cap + - debugfs: fix automount d_fsdata usage + - ALSA: hda: intel-nhlt: Ignore vbps when looking for DMIC 32 bps format + - nvme-core: fix a memory leak in nvme_ns_info_from_identify() + - drm/amd/display: update dcn315 lpddr pstate latency + - drm/amdgpu: Fix cat debugfs amdgpu_regs_didt causes kernel null pointer + - blk-mq: don't count completed flush data request as inflight in case of + quiesce + - nvme-core: check for too small lba shift + - [x86] ASoC: Intel: Skylake: Fix mem leak in few functions + - [x86] ASoC: Intel: Skylake: mem leak in skl register function + - ASoC: rt5650: add mutex to avoid the jack detection failure + - [x86] ASoC: Intel: skl_hda_dsp_generic: Drop HDMI routes when HDMI is not + 
available + - nouveau/tu102: flush all pdbs on vmm flush + - [x86] ASoC: amd: yc: Add DMI entry to support System76 Pangolin 13 + - [x86] ASoC: hdac_hda: Conditionally register dais for HDMI and Analog + - net/tg3: fix race condition in tg3_reset_task() + - ASoC: da7219: Support low DC impedance headset + - ASoC: ops: add correct range check for limiting volume + - nvme: introduce helper function to get ctrl state + - nvme: prevent potential spectre v1 gadget + - [arm64] dts: rockchip: Fix PCI node addresses on rk3399-gru + - drm/amdgpu: Add NULL checks for function pointers + - [armhf] drm/exynos: fix a potential error pointer dereference + - [armhf] drm/exynos: fix a wrong error checking + - [x86] hwmon: (corsair-psu) Fix probe when built-in + - [arm64] clk: rockchip: rk3568: Add PLL rate for 292.5MHz + - [armhf] clk: rockchip: rk3128: Fix HCLK_OTG gate register + - jbd2: correct the printing of write_flags in jbd2_write_superblock() + - jbd2: increase the journal IO's priority + - drm/crtc: Fix uninit-value bug in drm_mode_setcrtc + - neighbour: Don't let neigh_forced_gc() disable preemption for long + - [x86] platform/x86: intel-vbtn: Fix missing tablet-mode-switch events + - jbd2: fix soft lockup in journal_finish_inode_data_buffers() + - tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing + - tracing: Add size check when printing trace_marker output + - tracing: Fix uaf issue when open the hist or hist_debug file + - ring-buffer: Do not record in NMI if the arch does not support cmpxchg in + NMI + - Input: psmouse - enable Synaptics InterTouch for ThinkPad L14 G1 + - [arm64] reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning + - Input: atkbd - skip ATKBD_CMD_GETID in translated mode + - Input: i8042 - add nomux quirk for Acer P459-G2-M + - [s390x] scm: fix virtual vs physical address confusion + - wifi: iwlwifi: pcie: avoid a NULL pointer dereference + - Input: xpad - add Razer Wolverine V2 support + - HID: nintendo: fix 
initializer element is not constant error + - [x86] platform/x86: thinkpad_acpi: fix for incorrect fan reporting on some + ThinkPad systems + - [x86] ASoC: Intel: bytcr_rt5640: Add quirk for the Medion Lifetab S10346 + - [x86] ASoC: Intel: bytcr_rt5640: Add new swapped-speakers quirk + - ALSA: hda/realtek: Add quirks for ASUS Zenbook 2022 Models + - dm audit: fix Kconfig so DM_AUDIT depends on BLK_DEV_DM + - HID: nintendo: Prevent divide-by-zero on code + - smb: client: fix potential OOB in smb2_dump_detail() (CVE-2023-6610) + - [arm64,armhf] i2c: rk3x: fix potential spinlock recursion on poll + - drm/amd/display: get dprefclk ss info from integration info table + - ida: Fix crash in ida_free when the bitmap is empty (CVE-2023-6915) + - virtio_blk: fix snprintf truncation compiler warning + - net: qrtr: ns: Return 0 if server port is not present + - [armhf] sun9i: smp: fix return code check of of_property_match_string + - drm/crtc: fix uninitialized variable use + - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 13-ay0xxx + - ACPI: resource: Add another DMI match for the TongFang GMxXGxx + - [x86] ASoC: SOF: Intel: hda-codec: Delay the codec device registration + - btf, scripts: Exclude Rust CUs with pahole + - bpf: Add --skip_encoding_btf_inconsistent_proto, --btf_gen_optimized to + pahole flags for v1.25 + - ksmbd: don't allow O_TRUNC open on read-only share + - ksmbd: free ppace array on error in parse_dacl + - Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d" + - [arm*] binder: use EPOLLERR from eventpoll.h + - [arm*] binder: fix use-after-free in shinker's callback + - [arm*] binder: fix trivial typo of binder_free_buf_locked() + - [arm*] binder: fix comment on binder_alloc_new_buf() return value + - uio: Fix use-after-free in uio_open + - parport: parport_serial: Add Brainboxes BAR details + - parport: parport_serial: Add Brainboxes device IDs and geometry + - PCI: Add ACS quirk for more Zhaoxin Root Ports + 
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.75 + - [x86] lib: Fix overflow when counting digits + - [x86] mce/inject: Clear test status value + - [arm64] EDAC/thunderx: Fix possible out-of-bounds string access + - [powerpc*] remove checks for binutils older than 2.25 + - [powerpc*] add crtsavres.o to always-y instead of extra-y + - [powerpc*] 44x: select I2C for CURRITUCK + - [powerpc*] pseries/memhp: Fix access beyond end of drmem array + - [powerpc*] powernv: Add a null pointer check to scom_debug_init_one() + - [powerpc*] powernv: Add a null pointer check in opal_event_init() + - [powerpc*] powernv: Add a null pointer check in opal_powercap_init() + - [powerpc*] imc-pmu: Add a null pointer check in update_events_in_group() + - ACPI: video: check for error while searching for backlight device parent + - ACPI: LPIT: Avoid u32 multiplication overflow + - KEYS: encrypted: Add check for strsep + - [x86] platform/x86/intel/vsec: Enhance and Export intel_vsec_add_aux() + - [x86] platform/x86/intel/vsec: Support private data + - [x86] platform/x86/intel/vsec: Use mutex for ida_alloc() and ida_free() + - [x86] platform/x86/intel/vsec: Fix xa_alloc memory leak + - of: Add of_property_present() helper + - cpufreq: Use of_property_present() for testing DT property presence + - cpufreq: scmi: process the result of devm_of_clk_add_hw_provider() + - calipso: fix memory leak in netlbl_calipso_add_pass() + - efivarfs: force RO when remounting if SetVariable is not supported + - efivarfs: Free s_fs_info on unmount + - ACPI: LPSS: Fix the fractional clock divider flags + - ACPI: extlog: Clear Extended Error Log status when RAS_CEC handled the + error + - mtd: Fix gluebi NULL pointer dereference caused by ftl notifier + - selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket + - crypto: virtio - Handle dataq logic with tasklet + - [x86] crypto: ccp - fix memleak in ccp_init_dm_workarea + - crypto: af_alg - Disallow multiple in-flight AIO requests + - 
[arm64] crypto: safexcel - Add error handling for dma_map_sg() calls + - crypto: hisilicon/qm - save capability registers in qm init process + - crypto: hisilicon/zip - add zip comp high perf mode configuration + - crypto: hisilicon/qm - add a function to set qm algs + - crypto: hisilicon/hpre - save capability registers in probe process + - crypto: hisilicon/sec2 - save capability registers in probe process + - crypto: hisilicon/zip - save capability registers in probe process + - pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() + - erofs: fix memory leak on short-lived bounced pages + - fs: indicate request originates from old mount API + - gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump + - crypto: virtio - Wait for tasklet to complete on device remove + - crypto: scomp - fix req->dst buffer overflow + - csky: fix arch_jump_label_transform_static override + - blocklayoutdriver: Fix reference leak of pnfs_device_node + - NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT + - SUNRPC: fix _xprt_switch_find_current_entry logic + - pNFS: Fix the pnfs block driver's calculation of layoutget size + - wifi: plfxlc: check for allocation failure in plfxlc_usb_wreq_async() + - wifi: rtw88: fix RX filter in FIF_ALLMULTI flag + - bpf, lpm: Fix check prefixlen before walking trie + - bpf: Add crosstask check to __bpf_get_stack + - wifi: ath11k: Defer on rproc_get failure + - wifi: libertas: stop selecting wext + - [armhf] net/ncsi: Fix netlink major/minor version numbers + - [arm64] firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create() + - [arm64] firmware: meson_sm: populate platform devices from sm device tree + data + - wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior + - md: synchronize flush io with array reconfiguration + - bpf: enforce precision of R0 on callback return + - rcu-tasks: Provide rcu_trace_implies_rcu_gp() + - bpf: add percpu stats for bpf_map elements insertions/deletions + - bpf: 
Add map and need_defer parameters to .map_fd_put_ptr() + - bpf: Defer the free of inner map when necessary + - bpf: fix check for attempt to corrupt spilled pointer + - scsi: fnic: Return error if vmalloc() failed + - [arm64] dts: qcom: qrb5165-rb5: correct LED panic indicator + - [arm64] dts: qcom: sdm845-db845c: correct LED panic indicator + - bpf: Fix verification of indirect var-off stack access + - dt-bindings: media: mediatek: mdp3: correct RDMA and WROT node with + generic names + - wifi: mt76: mt7921: fix country count limitation for CLC + - block: Set memalloc_noio to false on device_add_disk() error path + - [arm64] scsi: hisi_sas: Replace with standard error code return value + - [arm64] scsi: hisi_sas: Rollback some operations if FLR failed + - [arm64] scsi: hisi_sas: Correct the number of global debugfs registers + - [armhf] dts: stm32: don't mix SCMI and non-SCMI board compatibles + - ipmr: support IP_PKTINFO on cache report IGMP msg + - virtio/vsock: fix logic which reduces credit update messages + - dma-mapping: clear dev->dma_mem to NULL after freeing it + - [arm64] dts: qcom: sm8150-hdk: fix SS USB regulators + - block: add check of 'minors' and 'first_minor' in device_add_disk() + - wifi: rtlwifi: add calculate_bit_shift() + - wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift() + - wifi: rtlwifi: rtl8192c: using calculate_bit_shift() + - wifi: rtlwifi: rtl8192cu: using calculate_bit_shift() + - wifi: rtlwifi: rtl8192ce: using calculate_bit_shift() + - wifi: rtlwifi: rtl8192de: using calculate_bit_shift() + - wifi: rtlwifi: rtl8192ee: using calculate_bit_shift() + - wifi: rtlwifi: rtl8192se: using calculate_bit_shift() + - wifi: iwlwifi: mvm: set siso/mimo chains to 1 in FW SMPS request + - wifi: iwlwifi: mvm: send TX path flush in rfkill + - netfilter: nf_tables: mark newset as dead on transaction abort + - Bluetooth: Fix bogus check for re-auth no supported with non-ssp + - Bluetooth: btmtkuart: fix recv_buf() return value + - block: make 
BLK_DEF_MAX_SECTORS unsigned + - null_blk: don't cap max_hw_sectors to BLK_DEF_MAX_SECTORS + - bpf: sockmap, fix proto update hook to avoid dup calls + - sctp: support MSG_ERRQUEUE flag in recvmsg() + - sctp: fix busy polling + - net/sched: act_ct: fix skb leak and crash on ooo frags + - mlxbf_gige: Fix intermittent no ip issue + - mlxbf_gige: Enable the GigE port in mlxbf_gige_open + - ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() + - [armhf] Revert "drm/omapdrm: Annotate dma-fence critical section in commit + path" + - [arm64,armhf] drm/panfrost: Really power off GPU cores in + panfrost_gpu_power_off() + - RDMA/usnic: Silence uninitialized symbol smatch warnings + - [arm64] RDMA/hns: Fix inappropriate err code for unsupported operations + - drm/nouveau/fence:: fix warning directly dereferencing a rcu pointer + - drm/bridge: tpd12s015: Drop buggy __exit annotation for remove function + - drm/tilcdc: Fix irq free on unload + - media: pvrusb2: fix use after free on context disconnection + - media: mtk-jpegdec: export jpeg decoder functions + - media: mtk-jpeg: Remove cancel worker in mtk_jpeg_remove to avoid the + crash of multi-core JPEG devices + - media: verisilicon: Hook the (TRY_)DECODER_CMD stateless ioctls + - media: rkvdec: Hook the (TRY_)DECODER_CMD stateless ioctls + - drm/bridge: Fix typo in post_disable() description + - f2fs: fix to avoid dirent corruption + - drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg() + - drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check() + - drm/radeon: check return value of radeon_ring_lock() + - [arm64] drm/msm/mdp4: flush vblank event on disable + - [arm64] drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks + - drm/drv: propagate errors from drm_modeset_register_all() + - [x86] ASoC: Intel: glk_rt5682_max98357a: fix board id mismatch + - [arm64,armhf] drm/panfrost: Ignore core_mask for poweroff and disable + PWRTRANS irq + - drm/radeon: check 
the alloc_workqueue return value in radeon_crtc_init() + - drm/radeon/dpm: fix a memleak in sumo_parse_power_table + - drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table + - drm/bridge: cdns-mhdp8546: Fix use of uninitialized variable + - drm/bridge: tc358767: Fix return value on error case + - media: cx231xx: fix a memleak in cx231xx_init_isoc + - [arm64] RDMA/hns: Fix memory leak in free_mr_init() + - drm/panel: st7701: Fix AVCL calculation + - f2fs: fix to wait on block writeback for post_read case + - f2fs: fix to check compress file in f2fs_move_file_range() + - f2fs: fix to update iostat correctly in f2fs_filemap_fault() + - media: dvbdev: drop refcount on error path in dvb_device_open() + - media: dvb-frontends: m88ds3103: Fix a memory leak in an error handling + path of m88ds3103_probe() + - [arm64] drm/msm/dpu: Set input_sel bit for INTF + - [arm64] drm/msm/dpu: Drop enable and frame_count parameters from + dpu_hw_setup_misr() + - drm/amdgpu/debugfs: fix error code when smc register accessors are NULL + - drm/amd/pm: fix a double-free in si_dpm_init + - drivers/amd/pm: fix a use-after-free in kv_parse_power_table + - gpu/drm/radeon: fix two memleaks in radeon_vm_init + - drm/amd/pm: fix a double-free in amdgpu_parse_extended_power_table + - f2fs: fix to check return value of f2fs_recover_xattr_data + - dt-bindings: clock: Update the videocc resets for sm8150 + - [arm64] drivers: clk: zynqmp: calculate closest mux rate + - [arm64] drivers: clk: zynqmp: update divider round rate logic + - watchdog: set cdev owner before adding + - watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO + - watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling + - watchdog: rti_wdt: Drop runtime pm reference count when watchdog is unused + - [arm64] clk: si5341: fix an error code problem in + si5341_output_clk_set_rate + - accel/habanalabs: fix information leak in sec_attest_info() + (CVE-2023-50431) + - clk: fixed-rate: fix 
clk_hw_register_fixed_rate_with_accuracy_parent_hw + - ASoC: rt5645: Drop double EF20 entry from dmi_platform_data[] + - ALSA: scarlett2: Add missing error check to scarlett2_config_save() + - ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config() + - ALSA: scarlett2: Allow passing any output to line_out_remap() + - ALSA: scarlett2: Add missing error checks to *_ctl_get() + - ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put() + - IB/iser: Prevent invalidating wrong MR + - drm/amd/pm/smu7: fix a memleak in smu7_hwmgr_backend_init + - ksmbd: validate the zero field of packet header + - of: Fix double free in of_parse_phandle_with_args_map + - keys, dns: Fix size check of V1 server-list header + - [arm*] binder: fix async space check for 0-sized buffers + - [arm*] binder: fix unused alloc->free_async_space + - [mipel*] smp: Call rcutree_report_cpu_starting() earlier + - Input: atkbd - use ab83 as id when skipping the getid command + - xen-netback: don't produce zero-size SKB frags (CVE-2023-46838) + - [arm*] binder: fix race between mmput() and do_exit() + - [arm64,armhf] clocksource/drivers/timer-ti-dm: Fix make W=n kerneldoc + warnings + - [powerpc*] 64s: Increase default stack size to 32KB + - tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug + - [armhf] usb: phy: mxs: remove CONFIG_USB_OTG condition for + mxs_phy_is_otg_host() + - [arm64,armhf] usb: dwc: ep0: Update request status in + dwc3_ep0_stall_restart + - [arm64,armhf] Revert "usb: dwc3: Soft reset phy on probe for host" + - [arm64,armhf] Revert "usb: dwc3: don't reset device side if dwc3 was + configured as host-only" + - [arm64,armhf] usb: chipidea: wait controller resume finished for wakeup + irq + - Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs" + - usb: typec: class: fix typec_altmode_put_partner to put plugs + - usb: mon: Fix atomicity violation in mon_bin_vma_fault + - serial: core: fix sanitizing check for RTS settings + - serial: 
core: make sure RS485 cannot be enabled when it is not supported + - [arm64,armhf] serial: 8250_bcm2835aux: Restore clock error handling + - serial: core, imx: do not set RS485 enabled if it is not supported + - [arm64,armhf] serial: imx: Ensure that imx_uart_rs485_config() is called + with enabled clock + - serial: 8250_exar: Set missing rs485_supported flag + - [armhf] serial: omap: do not override settings for RS485 support + - drm/vmwgfx: Fix possible invalid drm gem put calls + - drm/vmwgfx: Keep a gem reference to user bos in surfaces (CVE-2023-5633) + - ALSA: oxygen: Fix right channel of capture volume mixer + - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq2xxx + - ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on HP + ZBook + - ALSA: hda/realtek: Enable headset mic on Lenovo M70 Gen5 + - ksmbd: validate mech token in session setup + - ksmbd: fix UAF issue in ksmbd_tcp_new_connection() + - ksmbd: only v2 leases handle the directory + - io_uring/rw: ensure io->bytes_done is always initialized + - fbdev: flush deferred work in fb_deferred_io_fsync() + - fbdev: flush deferred IO before closing + - scsi: ufs: core: Simplify power management during async scan + - scsi: target: core: add missing file_{start,end}_write() + - scsi: mpi3mr: Refresh sdev queue depth after controller reset + - scsi: mpi3mr: Block PEL Enable Command on Controller Reset and + Unrecoverable State + - drm/amd: Enable PCIe PME from D3 + - block: add check that partition length needs to be aligned with block size + - block: Fix iterating over an empty bio with bio_for_each_folio_all + - netfilter: nf_tables: check if catch-all set element is active in next + generation (CVE-2024-1085) + - pwm: Fix out-of-bounds access in of_pwm_single_xlate() + - md/raid1: Use blk_opf_t for read and write operations + - rootfs: Fix support for rootfstype= when root= is given + - Bluetooth: Fix atomicity violation in {min,max}_key_size_set + - bpf: Fix re-attachment branch in 
bpf_tracing_prog_attach + - [arm64] iommu/arm-smmu-qcom: Add missing GMU entry to match table + - iommu/dma: Trace bounce buffer usage when mapping buffers + - wifi: mt76: fix broken precal loading from MTD for mt7915 + - wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code + - wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors + - wifi: mwifiex: configure BSSID consistently when starting AP + - Revert "net: rtnetlink: Enslave device before bringing it up" + - cxl/port: Fix decoder initialization when nr_targets > interleave_ways + - PCI/P2PDMA: Remove reference to pci_p2pdma_map_sg() + - [x86] kvm: Do not try to disable kvmclock if it was not enabled + - [arm64] KVM: arm64: vgic-v4: Restore pending state on host userspace write + - [arm64] KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache + - iio: adc: ad7091r: Pass iio_dev to event handler + - HID: wacom: Correct behavior when processing some confidence == false + touches + - mfd: syscon: Fix null pointer dereference in of_syscon_register() + - [x86] mfd: intel-lpss: Fix the fractional clock divider flags + - [mipsel] Fix incorrect max_low_pfn adjustment + - [arm64] power: supply: cw2015: correct time_to_empty units in sysfs + - [arm64] serial: 8250: omap: Don't skip resource freeing if + pm_runtime_resume_and_get() failed + - libapi: Add missing linux/types.h header to get the __u64 type on io.h + - base/node.c: initialize the accessor list before registering + - acpi: property: Let args be NULL in __acpi_node_get_property_reference + - software node: Let args be NULL in software_node_get_reference_args + - serial: imx: fix tx statemachine deadlock + - iio: adc: ad9467: fix reset gpio handling + - iio: adc: ad9467: don't ignore error codes + - iio: adc: ad9467: fix scale setting + - perf header: Fix one memory leakage in perf_event__fprintf_event_update() + - perf hisi-ptt: Fix one memory leakage in hisi_ptt_process_auxtrace_event() + - perf genelf: Set ELF program 
header addresses properly + - tty: change tty_write_lock()'s ndelay parameter to bool + - tty: early return from send_break() on TTY_DRIVER_HARDWARE_BREAK + - tty: don't check for signal_pending() in send_break() + - tty: use 'if' in send_break() instead of 'goto' + - usb: cdc-acm: return correct error code on unsupported break + - nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length + - nvmet-tcp: fix a crash in nvmet_req_complete() + - perf env: Avoid recursively taking env->bpf_progs.lock + - cxl/region: fix x9 interleave typo + - apparmor: avoid crash when parsed profile name is empty + - [arm64,armhf] serial: imx: Correct clock error message in function probe() + - nvmet: re-fix tracing strncpy() warning + - nvme: trace: avoid memcpy overflow warning + - nvmet-tcp: Fix the H2C expected PDU len calculation + - [s390x] pci: fix max size calc |
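Review bot: Only four entries in this 6.1.75 list carry a CVE id (CVE-2023-50431, CVE-2023-46838, CVE-2023-5633, CVE-2024-1085), while entries of the same class have none, for example "ksmbd: fix UAF issue in ksmbd_tcp_new_connection()", "drm/amd/pm: fix a double-free in si_dpm_init", "crypto: scomp - fix req->dst buffer overflow" and "media: pvrusb2: fix use after free on context disconnection". If the tags only mean that an id had been assigned when the entry was written, a short note to that effect in the entry header would keep readers from using the tagged lines as the complete list of security-relevant fixes when triaging this update. Separately, the adjacent pair 'Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs"' followed by "usb: typec: class: fix typec_altmode_put_partner to put plugs" reads as a no-op with nothing to say how the re-applied change differs, and the prefix "ALSA: hda/relatek:" is spelled differently from the two "ALSA: hda/realtek:" entries after it, so a search on the subsystem name misses it. If both are verbatim upstream titles, keep them as they are and consider a brief annotation on the revert pair.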