diff options
Diffstat (limited to 'kernel.spec')
-rw-r--r-- | kernel.spec | 458 |
1 files changed, 238 insertions, 220 deletions
diff --git a/kernel.spec b/kernel.spec index 9aef0b5d5..b1e915307 100644 --- a/kernel.spec +++ b/kernel.spec @@ -49,7 +49,7 @@ Summary: The Linux kernel # base_sublevel is the kernel version we're starting with and patching # on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base, # which yields a base_sublevel of 0. -%define base_sublevel 2 +%define base_sublevel 3 ## If this is a released kernel ## %if 0%{?released_kernel} @@ -58,7 +58,7 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 3 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -408,7 +408,11 @@ BuildRequires: rpm-build, elfutils %define debuginfo_args --strict-build-id -r %endif -BuildRequires: openssl +%ifarch %{ix86} x86_64 +# MODULE_SIG is enabled in config-x86-generic and needs these: +BuildRequires: openssl openssl-devel +%endif + %if %{signmodules} BuildRequires: pesign >= 0.10-4 %endif @@ -451,7 +455,7 @@ Source32: config-x86-32-generic Source40: config-x86_64-generic -Source50: config-powerpc-generic +Source50: config-powerpc64-generic Source53: config-powerpc64 Source54: config-powerpc64p7 Source55: config-powerpc64le @@ -515,134 +519,107 @@ Patch05: kbuild-AFTER_LINK.patch # Standalone patches -Patch450: input-kill-stupid-messages.patch -Patch452: no-pcspkr-modalias.patch +Patch451: lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch -Patch458: regulator-axp20x-module-alias.patch -Patch470: die-floppy-die.patch +Patch452: amd-xgbe-a0-Add-support-for-XGBE-on-A0.patch -Patch510: input-silence-i8042-noise.patch -Patch530: silence-fbcon-logo.patch +Patch453: amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch -Patch600: lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch +Patch454: arm64-avoid-needing-console-to-enable-serial-console.patch -#rhbz 1126580 -Patch601: Kbuild-Add-an-option-to-enable-GCC-VTA.patch +Patch455: usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch -Patch800: crash-driver.patch +Patch456: arm64-acpi-drop-expert-patch.patch -# crypto/ +Patch457: ARM-tegra-usb-no-reset.patch -# secure boot -Patch1000: Add-secure_modules-call.patch -Patch1001: PCI-Lock-down-BAR-access-when-module-security-is-ena.patch -Patch1002: x86-Lock-down-IO-port-access-when-module-security-is.patch -Patch1003: ACPI-Limit-access-to-custom_method.patch -Patch1004: asus-wmi-Restrict-debugfs-interface-when-module-load.patch -Patch1005: Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch -Patch1006: acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch -Patch1007: kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch -Patch1008: x86-Restrict-MSR-access-when-module-loading-is-restr.patch -Patch1009: Add-option-to-automatically-enforce-module-signature.patch -Patch1010: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch -Patch1011: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch -Patch1012: efi-Add-EFI_SECURE_BOOT-bit.patch -Patch1013: hibernate-Disable-in-a-signed-modules-environment.patch +Patch458: ARM-dts-Add-am335x-bonegreen.patch -Patch1014: Add-EFI-signature-data-types.patch -Patch1015: Add-an-EFI-signature-blob-parser-and-key-loader.patch -Patch1016: KEYS-Add-a-system-blacklist-keyring.patch -Patch1017: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch -Patch1018: MODSIGN-Support-not-importing-certs-from-db.patch +Patch459: 0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch -Patch1019: Add-sysrq-option-to-disable-secure-boot-mode.patch +Patch460: mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch -# virt + ksm patches +Patch463: arm-i.MX6-Utilite-device-dtb.patch -# DRM +Patch466: input-kill-stupid-messages.patch -# nouveau + drm fixes -# intel drm is all merged upstream -Patch1826: drm-i915-hush-check-crtc-state.patch +Patch467: die-floppy-die.patch -# Quiet boot fixes +Patch468: no-pcspkr-modalias.patch -# fs fixes +Patch470: silence-fbcon-logo.patch -# NFSv4 +Patch471: Kbuild-Add-an-option-to-enable-GCC-VTA.patch -# patches headed upstream -Patch12016: disable-i8042-check-on-apple-mac.patch +Patch472: crash-driver.patch -Patch14010: lis3-improve-handling-of-null-rate.patch +Patch473: Add-secure_modules-call.patch -Patch15000: watchdog-Disable-watchdog-on-virtual-machines.patch +Patch474: PCI-Lock-down-BAR-access-when-module-security-is-ena.patch -# PPC +Patch475: x86-Lock-down-IO-port-access-when-module-security-is.patch -# ARM64 -Patch16000: amd-xgbe-a0-Add-support-for-XGBE-on-A0.patch -Patch16001: amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch -Patch16002: arm64-avoid-needing-console-to-enable-serial-console.patch -Patch16003: usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch -Patch16004: showmem-cma-correct-reserved-memory-calculation.patch +Patch476: ACPI-Limit-access-to-custom_method.patch -# ARMv7 -Patch16020: ARM-tegra-usb-no-reset.patch -Patch16021: arm-dts-am335x-boneblack-lcdc-add-panel-info.patch -Patch16022: arm-dts-am335x-boneblack-add-cpu0-opp-points.patch -Patch16025: arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch -Patch16026: pinctrl-pinctrl-single-must-be-initialized-early.patch +Patch477: asus-wmi-Restrict-debugfs-interface-when-module-load.patch -Patch16028: arm-i.MX6-Utilite-device-dtb.patch +Patch478: Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch -#rhbz 754518 -Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch +Patch479: acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch -# https://fedoraproject.org/wiki/Features/Checkpoint_Restore -Patch21242: criu-no-expert.patch +Patch480: kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch -#rhbz 892811 -Patch21247: ath9k-rx-dma-stop-check.patch +Patch481: x86-Restrict-MSR-access-when-module-loading-is-restr.patch -#CVE-2015-2150 rhbz 1196266 1200397 -Patch26175: xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch +Patch482: Add-option-to-automatically-enforce-module-signature.patch -#rhbz 1212230 -Patch26176: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch +Patch483: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch -#rhbz 1133378 -Patch26219: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch +Patch484: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch -#rhbz 1226743 -Patch26221: drm-i915-turn-off-wc-mmaps.patch +Patch485: efi-Add-EFI_SECURE_BOOT-bit.patch +Patch486: hibernate-Disable-in-a-signed-modules-environment.patch -#rhbz 1244511 -Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch +Patch487: Add-EFI-signature-data-types.patch -Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch +Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch + +Patch489: KEYS-Add-a-system-blacklist-keyring.patch + +Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch + +Patch491: MODSIGN-Support-not-importing-certs-from-db.patch + +Patch492: Add-sysrq-option-to-disable-secure-boot-mode.patch + +Patch493: drm-i915-hush-check-crtc-state.patch + +Patch494: disable-i8042-check-on-apple-mac.patch + +Patch495: lis3-improve-handling-of-null-rate.patch + +Patch496: watchdog-Disable-watchdog-on-virtual-machines.patch + +Patch497: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch + +Patch498: criu-no-expert.patch + +Patch499: ath9k-rx-dma-stop-check.patch -#rhbz 1239050 -Patch509: ideapad-laptop-Add-Lenovo-Yoga-3-14-to-no_hw_rfkill-.patch +Patch500: xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch -#rhbz 1253789 -Patch511: iSCSI-let-session-recovery_tmo-sysfs-writes-persist.patch +Patch501: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch -#rhbz 1257534 -Patch515: nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch +Patch502: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch -#rhbz 1257500 -Patch517: vmwgfx-Rework-device-initialization.patch -Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch +Patch503: drm-i915-turn-off-wc-mmaps.patch -#rhbz 1272172 -Patch540: 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch -Patch541: 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch +Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch #CVE-2015-7799 rhbz 1271134 1271135 -Patch543: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch -Patch544: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch +Patch512: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch +Patch513: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch #CVE-2015-8104 rhbz 1278496 1279691 Patch551: KVM-svm-unconditionally-intercept-DB.patch @@ -658,11 +635,6 @@ Patch556: netfilter-ipset-Fix-extension-alignment.patch Patch557: netfilter-ipset-Fix-hash-type-expiration.patch Patch558: netfilter-ipset-Fix-hash-type-expire-release-empty-h.patch -#rhbz 1278688 -Patch560: 0001-KVM-x86-build-kvm_userspace_memory_region-in-x86_set.patch -Patch561: 0002-KVM-x86-map-unmap-private-slots-in-__x86_set_memory_.patch -Patch562: 0003-KVM-x86-fix-previous-commit-for-32-bit.patch - #rhbz 1284059 Patch566: KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch @@ -678,14 +650,66 @@ Patch570: HID-multitouch-enable-palm-rejection-if-device-imple.patch #rhbz 1286293 Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch +#rhbz 1288687 +Patch572: alua_fix.patch + #CVE-XXXX-XXXX rhbz 1291329 1291332 Patch574: ovl-fix-permission-checking-for-setattr.patch #CVE-2015-7550 rhbz 1291197 1291198 Patch575: KEYS-Fix-race-between-read-and-revoke.patch -#CVE-2015-8543 rhbz 1290475 1290477 -Patch576: net-add-validation-for-the-socket-syscall-protocol-a.patch +Patch601: vrf-fix-memory-leak-on-registration.patch + +#CVE-2015-8709 rhbz 1295287 1295288 +Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch + +#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch + +#CVE-2015-7513 rhbz 1284847 1296142 +Patch605: KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch + +#rhbz 1296677 +Patch606: HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch + +#rhbz 1281368 +Patch607: drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch + +#rhbz 1296820 +Patch608: drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch + +#rhbz 1083853 +Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch + +#CVE-2015-7566 rhbz 1296466 1297517 +Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch + +#rhbz 1298309 +#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch + +#rhbz 1298996 +Patch625: block-ensure-to-split-after-potentially-bouncing-a-b.patch + +#rhbz 1298192 +Patch626: selinux-fix-bug-in-conditional-rules-handling.patch + +#rhbz 1295272 +Patch627: ideapad-laptop-Add-Lenovo-Yoga-700-to-no_hw_rfkill-d.patch + +Patch628: i915-stable-backports.patch +Patch635: nouveau-stable-backports.patch + +#rhbz 1299810 +Patch629: SCSI-refactor-device-matching-code-in-scsi_devinfo.c.patch +Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch + +Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch +Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch + +Patch633: net_43.mbox + +#CVE-2016-0728 rhbz 1296623 1297475 +Patch634: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch # END OF PATCH DEFINITIONS @@ -1254,183 +1278,104 @@ ApplyPatch kbuild-AFTER_LINK.patch %if !%{nopatches} -# Architecture patches -# x86(-64) ApplyPatch lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch -# PPC - -# ARM64 ApplyPatch amd-xgbe-a0-Add-support-for-XGBE-on-A0.patch + ApplyPatch amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch + ApplyPatch arm64-avoid-needing-console-to-enable-serial-console.patch + ApplyPatch usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch -ApplyPatch showmem-cma-correct-reserved-memory-calculation.patch +ApplyPatch arm64-acpi-drop-expert-patch.patch -# -# ARM -# ApplyPatch ARM-tegra-usb-no-reset.patch -ApplyPatch arm-dts-am335x-boneblack-lcdc-add-panel-info.patch -ApplyPatch arm-dts-am335x-boneblack-add-cpu0-opp-points.patch -ApplyPatch arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch -ApplyPatch pinctrl-pinctrl-single-must-be-initialized-early.patch - -ApplyPatch arm-i.MX6-Utilite-device-dtb.patch - -# -# bugfixes to drivers and filesystems -# - -# ext4 - -# xfs - -# btrfs - -# eCryptfs - -# NFSv4 - -# USB - -# WMI - -# ACPI - -# -# PCI -# - -# -# SCSI Bits. -# +ApplyPatch ARM-dts-Add-am335x-bonegreen.patch -# ACPI +ApplyPatch 0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch -# ALSA +ApplyPatch mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch -# Networking +ApplyPatch arm-i.MX6-Utilite-device-dtb.patch -# Misc fixes -# The input layer spews crap no-one cares about. ApplyPatch input-kill-stupid-messages.patch -# stop floppy.ko from autoloading during udev... ApplyPatch die-floppy-die.patch ApplyPatch no-pcspkr-modalias.patch -# Silence some useless messages that still get printed with 'quiet' -ApplyPatch input-silence-i8042-noise.patch - -# Make fbcon not show the penguins with 'quiet' ApplyPatch silence-fbcon-logo.patch -# Changes to upstream defaults. -#rhbz 1126580 ApplyPatch Kbuild-Add-an-option-to-enable-GCC-VTA.patch -# /dev/crash driver. ApplyPatch crash-driver.patch -# crypto/ - -# secure boot ApplyPatch Add-secure_modules-call.patch + ApplyPatch PCI-Lock-down-BAR-access-when-module-security-is-ena.patch + ApplyPatch x86-Lock-down-IO-port-access-when-module-security-is.patch + ApplyPatch ACPI-Limit-access-to-custom_method.patch + ApplyPatch asus-wmi-Restrict-debugfs-interface-when-module-load.patch + ApplyPatch Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch + ApplyPatch acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch + ApplyPatch kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch + ApplyPatch x86-Restrict-MSR-access-when-module-loading-is-restr.patch + ApplyPatch Add-option-to-automatically-enforce-module-signature.patch + ApplyPatch efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch + ApplyPatch efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch + ApplyPatch efi-Add-EFI_SECURE_BOOT-bit.patch + ApplyPatch hibernate-Disable-in-a-signed-modules-environment.patch ApplyPatch Add-EFI-signature-data-types.patch + ApplyPatch Add-an-EFI-signature-blob-parser-and-key-loader.patch + ApplyPatch KEYS-Add-a-system-blacklist-keyring.patch + ApplyPatch MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch + ApplyPatch MODSIGN-Support-not-importing-certs-from-db.patch ApplyPatch Add-sysrq-option-to-disable-secure-boot-mode.patch -# Assorted Virt Fixes - -# DRM core - -# Nouveau DRM - -# Intel DRM ApplyPatch drm-i915-hush-check-crtc-state.patch -# Radeon DRM - -# Patches headed upstream ApplyPatch disable-i8042-check-on-apple-mac.patch ApplyPatch lis3-improve-handling-of-null-rate.patch -# Disable watchdog on virtual machines. ApplyPatch watchdog-Disable-watchdog-on-virtual-machines.patch -#rhbz 754518 ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch -# https://fedoraproject.org/wiki/Features/Checkpoint_Restore ApplyPatch criu-no-expert.patch -#rhbz 892811 ApplyPatch ath9k-rx-dma-stop-check.patch -#CVE-2015-2150 rhbz 1196266 1200397 ApplyPatch xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch -#rhbz 1212230 ApplyPatch Input-synaptics-pin-3-touches-when-the-firmware-repo.patch -#rhbz 1133378 ApplyPatch firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch -#rhbz 1226743 ApplyPatch drm-i915-turn-off-wc-mmaps.patch -#rhbz 1212230 -# pplyPatch Input-Revert-Revert-synaptics-use-dmax-in-input_mt_a.patch -# pplyPatch Input-synaptics-allocate-3-slots-to-keep-stability-i.patch -# pplyPatch Input-synaptics-pin-3-touches-when-the-firmware-repo.patch - -#rhbz 1244511 -ApplyPatch HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch - ApplyPatch kexec-uefi-copy-secure_boot-flag-in-boot-params.patch -#rhbz 1239050 -ApplyPatch ideapad-laptop-Add-Lenovo-Yoga-3-14-to-no_hw_rfkill-.patch - -#rhbz 1253789 -ApplyPatch iSCSI-let-session-recovery_tmo-sysfs-writes-persist.patch - -#rhbz 1257534 -ApplyPatch nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch - -#rhbz 1257500 -ApplyPatch vmwgfx-Rework-device-initialization.patch -ApplyPatch drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch - -ApplyPatch regulator-axp20x-module-alias.patch - -#rhbz 1272172 -ApplyPatch 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch -ApplyPatch 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch - #CVE-2015-7799 rhbz 1271134 1271135 ApplyPatch isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch ApplyPatch ppp-slip-Validate-VJ-compression-slot-parameters-com.patch @@ -1449,11 +1394,6 @@ ApplyPatch netfilter-ipset-Fix-extension-alignment.patch ApplyPatch netfilter-ipset-Fix-hash-type-expiration.patch ApplyPatch netfilter-ipset-Fix-hash-type-expire-release-empty-h.patch -#rhbz 1278688 -ApplyPatch 0001-KVM-x86-build-kvm_userspace_memory_region-in-x86_set.patch -ApplyPatch 0002-KVM-x86-map-unmap-private-slots-in-__x86_set_memory_.patch -ApplyPatch 0003-KVM-x86-fix-previous-commit-for-32-bit.patch - #rhbz 1284059 ApplyPatch KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch @@ -1469,14 +1409,66 @@ ApplyPatch HID-multitouch-enable-palm-rejection-if-device-imple.patch #rhbz 1286293 ApplyPatch ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch +#rhbz 1288687 +ApplyPatch alua_fix.patch + #CVE-XXXX-XXXX rhbz 1291329 1291332 ApplyPatch ovl-fix-permission-checking-for-setattr.patch #CVE-2015-7550 rhbz 1291197 1291198 ApplyPatch KEYS-Fix-race-between-read-and-revoke.patch -#CVE-2015-8543 rhbz 1290475 1290477 -ApplyPatch net-add-validation-for-the-socket-syscall-protocol-a.patch +ApplyPatch vrf-fix-memory-leak-on-registration.patch + +#CVE-2015-8709 rhbz 1295287 1295288 +ApplyPatch ptrace-being-capable-wrt-a-process-requires-mapped-u.patch + +#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch + +#CVE-2015-7513 rhbz 1284847 1296142 +ApplyPatch KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch + +#rhbz 1296677 +ApplyPatch HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch + +#rhbz 1281368 +ApplyPatch drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch + +#rhbz 1296820 +ApplyPatch drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch + +#rhbz 1083853 +ApplyPatch PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch + +#CVE-2015-7566 rhbz 1296466 1297517 +ApplyPatch usb-serial-visor-fix-crash-on-detecting-device-witho.patch + +#rhbz 1298309 +#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch + +#rhbz 1298996 +ApplyPatch block-ensure-to-split-after-potentially-bouncing-a-b.patch + +#rhbz 1298192 +ApplyPatch selinux-fix-bug-in-conditional-rules-handling.patch + +#rhbz 1295272 +ApplyPatch ideapad-laptop-Add-Lenovo-Yoga-700-to-no_hw_rfkill-d.patch + +ApplyPatch i915-stable-backports.patch +ApplyPatch nouveau-stable-backports.patch + +#rhbz 1299810 +ApplyPatch SCSI-refactor-device-matching-code-in-scsi_devinfo.c.patch +ApplyPatch SCSI-fix-bug-in-scsi_dev_info_list-matching.patch + +ApplyPatch btrfs-handle-invalid-num_stripes-in-sys_array.patch +ApplyPatch Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch + +ApplyPatch net_43.mbox + +#CVE-2016-0728 rhbz 1296623 1297475 +ApplyPatch KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch # END OF PATCH APPLICATIONS @@ -1597,11 +1589,9 @@ BuildKernel() { cp configs/$Config .config %if %{signmodules} - cp %{SOURCE11} . + cp %{SOURCE11} certs/. %endif - chmod +x scripts/sign-file - Arch=`head -1 .config | cut -b 3-` echo USING ARCH=$Arch @@ -1837,8 +1827,8 @@ BuildKernel() { %if %{signmodules} # Save the signing keys so we can sign the modules in __modsign_install_post - cp signing_key.priv signing_key.priv.sign${Flav} - cp signing_key.x509 signing_key.x509.sign${Flav} + cp certs/signing_key.pem certs/signing_key.pem.sign${Flav} + cp certs/signing_key.x509 certs/signing_key.x509.sign${Flav} %endif # Move the devel headers out of the root file system @@ -1933,16 +1923,16 @@ popd %define __modsign_install_post \ if [ "%{signmodules}" -eq "1" ]; then \ if [ "%{with_pae}" -ne "0" ]; then \ - %{modsign_cmd} signing_key.priv.sign+%{pae} signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \ + %{modsign_cmd} certs/signing_key.pem.sign+%{pae} certs/signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \ fi \ if [ "%{with_debug}" -ne "0" ]; then \ - %{modsign_cmd} signing_key.priv.sign+debug signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \ + %{modsign_cmd} certs/signing_key.pem.sign+debug certs/signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \ fi \ if [ "%{with_pae_debug}" -ne "0" ]; then \ - %{modsign_cmd} signing_key.priv.sign+%{pae}debug signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \ + %{modsign_cmd} certs/signing_key.pem.sign+%{pae}debug certs/signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \ fi \ if [ "%{with_up}" -ne "0" ]; then \ - %{modsign_cmd} signing_key.priv.sign signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \ + %{modsign_cmd} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \ fi \ fi \ if [ "%{zipmodules}" -eq "1" ]; then \ @@ -2203,6 +2193,7 @@ fi %dir %{_libdir}/traceevent/plugins %{_libdir}/traceevent/plugins/* %dir %{_libexecdir}/perf-core +%{_datadir}/perf-core/* %{_libexecdir}/perf-core/* %{_mandir}/man[1-8]/perf* %{_sysconfdir}/bash_completion.d/perf @@ -2328,6 +2319,33 @@ fi # # %changelog +* Tue Jan 19 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.3-200 +- Rebase to 4.3.y +- Backport nouveau stable fixes (rhbz 1299349) +- CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623 1297475) +- Add currently queued networking stable patches +- Add a couple btrfs patches cc'd to stable upstream +- Add SCSI patches to avoid blacklist false positives (rhbz 1299810) + +* Fri Jan 15 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-8767 sctp: DoS during timeout (rhbz 1297389 1298437) + +* Tue Jan 12 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-7566 usb: visor: Crash on invalid USB dev descriptors (rhbz 1296466 1297517) +- Fix backtrace from PNP conflict on Broadwell (rhbz 1083853) + +* Thu Jan 07 2016 Josh Boyer <jwboyer@fedorparoject.org> +- CVE-2015-7513 kvm: divide by zero DoS (rhbz 1284847 1296142) + +* Tue Jan 05 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-8709 ptrace: potential priv escalation with userns (rhbz 1295287 1295288) + +* Fri Dec 18 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-8575 information leak in sco_sock_bind (rhbz 1292840 1292841) + +* Thu Dec 17 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-8569 info leak from getsockname (rhbz 1292045 1292047) + * Tue Dec 15 2015 Justin Forbes <jforbes@fedoraproject.org> - 4.2.8-200 - Linux v4.2.8 |