Good News: Debian has already backported these patches.
New PKGBUILD:
# Maintainer: André Silva <emulatorman@hyperbola.info>
# Contributor: Márcio Silva <coadde@hyperbola.info>
# Contributor: Luke R. <g4jc@hyperbola.info>
# Contributor: Tobias Dausend <throgh@hyperbola.info>
# Contributor: Jesús E.
# Contributor: rachad
# Contributor (Parabola): Nicolás Reynolds <fauno@kiwwwi.com.ar>
# Contributor (Parabola): Sorin-Mihai Vârgolici <smv@yobicore.org>
# Contributor (Parabola): Michał Masłowski <mtjm@mtjm.eu>
# Contributor (Parabola): Luke Shumaker <lukeshu@sbcglobal.net>
# Contributor (Parabola): David P. <megver83@parabola.nu>
# Contributor (Parabola): Andreas Grapentin <andreas@grapentin.org>
# Contributor: Allen123456hello
# Based on linux-lts package
# Package base name; the split package names at the end of the file are built from it.
pkgbase=linux-libre-lts
# Base release whose full source tarball is downloaded.
_pkgbasever=5.10-gnu1
# Point release that is actually built; when it differs from _pkgbasever,
# prepare() applies the upstream incremental patch on top of the base tarball.
_pkgver=5.10.256-gnu1
_replacesarchkernel=('linux%') # '%' gets replaced with _kernelname
_replacesmainlinearchkernel=('linux%') # '%' gets replaced with _mainlinekernelname
_replacesoldkernels=() # '%' gets replaced with _kernelname
_replacesoldmodules=() # '%' gets replaced with _kernelname
# Drop the trailing "-gnu1" suffix: linux-5.10
_srcname=linux-${_pkgbasever%-*}
# Drop the trailing "-gnu1" suffix: 5.10.256
_archpkgver=${_pkgver%-*}
# Replace every '-' with '_': 5.10.256_gnu1
pkgver=${_pkgver//-/_}
# NOTE(review): this build adds security patches on top of 5.10.256-gnu1. If a
# package with the same pkgver and pkgrel=1 has already been published, pkgrel
# needs a bump so that installed systems receive the patched kernel - confirm.
pkgrel=1
arch=('i686' 'x86_64')
url="https://linux-libre.fsfla.org/"
license=('GPL-2')
# NOTE(review): prepare() invokes lzip directly but lzip is not listed here;
# confirm it is provided by the default build environment.
makedepends=('xmlto' 'docbook-xsl' 'kmod' 'bc' 'libelf' 'python' 'cpio' 'dwarves')
# makepkg's automatic stripping is turned off; modules are stripped through
# INSTALL_MOD_STRIP=1 in _package() and the headers package strips its files itself.
options=('!strip')
# Source list. sha512sums is positional, so an entry added, removed or moved
# here needs the matching change there.
# Every *.sign / *.sig entry directly follows the file it is the detached
# signature for; the remote downloads are the only entries that have one.
source=("https://linux-libre.fsfla.org/pub/linux-libre/releases/${_pkgbasever}/linux-libre-${_pkgbasever}.tar.lz"
"https://linux-libre.fsfla.org/pub/linux-libre/releases/${_pkgbasever}/linux-libre-${_pkgbasever}.tar.lz.sign"
"https://linux-libre.fsfla.org/pub/linux-libre/releases/${_pkgver}/patch-${_pkgbasever}-${_pkgver}.lz"
"https://linux-libre.fsfla.org/pub/linux-libre/releases/${_pkgver}/patch-${_pkgbasever}-${_pkgver}.lz.sign"
"https://git.hyperbola.info:50100/creatives/linux-libre_logos.git/plain/logo_linux_clut224.ppm"
"https://git.hyperbola.info:50100/creatives/linux-libre_logos.git/plain/logo_linux_clut224.ppm.sig"
"https://git.hyperbola.info:50100/creatives/linux-libre_logos.git/plain/logo_linux_mono.pbm"
"https://git.hyperbola.info:50100/creatives/linux-libre_logos.git/plain/logo_linux_mono.pbm.sig"
"https://git.hyperbola.info:50100/creatives/linux-libre_logos.git/plain/logo_linux_vga16.ppm"
"https://git.hyperbola.info:50100/creatives/linux-libre_logos.git/plain/logo_linux_vga16.ppm.sig"
# the main kernel config files: generated by copying it to .config in kernel tree:
## ARCH=i386 make oldconfig
'config.i686'
## ARCH=x86_64 make oldconfig
'config.x86_64'
# pacman hook for initramfs regeneration
'90-linux.hook'
# standard config files for mkinitcpio ramdisk
'linux.preset'
# Local patches; they have no signature entry and are pinned by sha512sums only.
'0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch'
'0002-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch'
'0003-fix-Atmel-maXTouch-touchscreen-support.patch'
'0004-HID-quirks-Add-Apple-Magic-Trackpad-2-to-hid_have_sp.patch'
'0006-v2-kbuild-support-byacc-as-alternative-YACC-to-bison.patch'
'0007-sign-file-full-functionality-with-modern-LibreSSL.patch'
# backported security patches
# Local files as well (checksum only). When refreshing them, compare against
# the Debian 5.10 backports they are taken from.
'rxrpc-input-Open-code-skb_unshare.patch'
'rxrpc-Fix-conn-level-packet-handling-to-unshare-RESP.patch'
'rxrpc-Also-unshare-DATA-RESPONSE-packets-when-paged-.patch')
# One entry per source=() element, in the same order.
# The 'SKIP' entries line up with the *.sign / *.sig files: a detached signature
# is not checksummed itself, it is what authenticates the file listed before it.
# base tarball, incremental patch and the three logos, each followed by its signature
sha512sums=('b16238c8b746bc9b5078c991847909eba268221f945fb55579e99fc9540b88ccfca5d71f4249f4d3795c522570c30477c986f0f4b98c4029cca1235786c7bc52'
'SKIP'
'a78539b2a395090f094d6e12e4a91ef7d5148908d8d1eadc9ffa6c46492cfb8dc8fbedd80701f00a97e838364987ba4ef3d773b034c3546f6e8008cee81e350b'
'SKIP'
'13cb5bc42542e7b8bb104d5f68253f6609e463b6799800418af33eb0272cc269aaa36163c3e6f0aacbdaaa1d05e2827a4a7c4a08a029238439ed08b89c564bb3'
'SKIP'
'267295aa0cea65684968420c68b32f1a66a22d018b9d2b2c1ef14267bcf4cb68aaf7099d073cbfefe6c25c8608bdcbbd45f7ac8893fdcecbf1e621abdfe9ecc1'
'SKIP'
'7a3716bfe3b9f546da309c7492f3e08f8f506813afeb1c737a474c83313d5c313cf4582b65215c2cfce3b74d9d1021c96e8badafe8f6e5b01fe28d2b5c61ae78'
'SKIP'
# config.i686, config.x86_64, 90-linux.hook, linux.preset
'0d2cd94aec3d38c84c2e3843ee9baafb1d43812c115d0b9abe1d71f18bf8a0db3c72f78fdaaf1e83f173321988e027074e19a1eb04b8ff5ddae746d3c46e8e01'
'71f98b1c4416a2f3685a2a78493ab3b4841588735a6e198961b9d4547829ce902ff4993373b986f34cade507c4d1f216a6e4a52f03bfdd963f07026afdca3810'
'38ddc517f33fe41dec63b31313a82e0e8c05788e9db5e448d23a01605c50fe3422927cfd902e81c3b0eae17502db06f48e7f713e1ba1c9c76fd26f1473b02983'
'2dc6b0ba8f7dbf19d2446c5c5f1823587de89f4e28e9595937dd51a87755099656f2acec50e3e2546ea633ad1bfd1c722e0c2b91eef1d609103d8abdc0a7cbaf'
# patches 0001, 0002, 0003, 0004, 0006, 0007
'c4507794fa2e01026d0179171865a2352fc56b32af25123c2627ecd444663ebf00d0080c12821ba73e1ddb7ded852cebdd7329e3997321f41c169d2367718037'
'4d7388cb03b873f4c360d345dd20b04f9e5ac815183e8ae588f8bdadab2056d6d8f21ae0dd2055ea32bb59364e2d41b9272276abd532a00b8cc89278f8bf409f'
'5bdb620acf90799b78dea3fd07828c2dc4410f781af47e910c725bd3c8e5ff4695d06e9ab7e59afaa0e759c77917e66e3e2c5f6dd9d4ac59f2a66109adf06cac'
'd6dadc6a563af83e588c67fc11cc40952a43f5bca0cb53cc3990430ce1944cd29df4526a1a34c2def7e44cf3f5d2202a719d18117ce6acaeadd0a9b10968270d'
'57f7cf2356a1e78d58298c638987882b43c23e06ab31d6f7284f5d8e2f59781e1fe42f091943c82b3d3b53d13a9cfaf5e6ee460d6ece0613f734404da57a1147'
'9296c41fab18b2b2ed6a1483061c0012673abf041792ad826d3530a1e837cf82a59e507ada5e05f31be3f780409d5b2defd0bf82de058b92856ada14b243b033'
# the three rxrpc backports, in source=() order
'8bb38ae7ee61dd78028add18b493bde63df0731dd8acc6933d0381a00069de3cd4617e73619e6997965ba9c8cec680735d70de3ce3b5dbc72e8a80ab8c6d03c7'
'50f0df5e8c13291ea8825682664bdeb5561e8de6b2eece16458d83a5bca47d80f3bc695ec74413d97500c1023b078fea05ba75ce75a6b18fcdbcf426b6bd079f'
'65bd1b4ce35e90d45ffc99223bbe0e9ec55aa7963bc926cd9442e4417fd75ea5efed9810812b46ca1d54fa59b7751917c86ee53d96e3fb0a117814c057143ced')
# Full fingerprints of the only keys accepted for the detached signatures in source=().
# NOTE(review): presumably the first key signs the linux-libre releases and the
# second the Hyperbola logo files - confirm which key covers which download.
validpgpkeys=('474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva
'684D54A189305A9CC95446D36B888913DDB59515') # Márcio Silva
# Suffixes obtained by stripping a fixed prefix from pkgbase.
_kernelname="${pkgbase#linux-libre}"
_mainlinekernelname="${pkgbase#linux-libre-lts}"

# Fill in the '%' placeholder of every element of the replacement lists.
_replacesarchkernel=("${_replacesarchkernel[@]/\%/${_kernelname}}")
_replacesmainlinearchkernel=("${_replacesmainlinearchkernel[@]/\%/${_mainlinekernelname}}")
_replacesoldkernels=("${_replacesoldkernels[@]/\%/${_kernelname}}")
_replacesoldmodules=("${_replacesoldmodules[@]/\%/${_kernelname}}")

# Both supported package architectures use the x86 directory of the kernel tree.
if [[ "${CARCH}" == "i686" || "${CARCH}" == "x86_64" ]]; then
  KARCH=x86
fi
prepare() {
  cd "${srcdir}/${_srcname}"

  # Bring the base release up to ${_pkgver} with the upstream incremental patch.
  # lzip -d replaces the .lz file in ${srcdir} with the decompressed patch.
  if [ "${_pkgbasever}" != "${_pkgver}" ]; then
    lzip -d "${srcdir}/patch-${_pkgbasever}-${_pkgver}.lz"
    patch -p1 -i "${srcdir}/patch-${_pkgbasever}-${_pkgver}"
  fi

  # add freedo as boot logo
  install -m644 -t drivers/video/logo \
    "${srcdir}/logo_linux_"{clut224.ppm,vga16.ppm,mono.pbm}

  # add latest fixes from stable queue, if needed
  # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git

  # Distribution patches, applied strictly in the order listed.
  local _patches=(
    # ZEN: Add sysctl and CONFIG to disallow unprivileged CLONE_NEWUSER
    '0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch'
    # maintain the TTY over USB disconnects
    # http://www.coreboot.org/EHCI_Gadget_Debug
    '0002-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch'
    # fix Atmel maXTouch touchscreen support
    # https://labs.parabola.nu/issues/877
    # http://www.fsfla.org/pipermail/linux-libre/2015-November/003202.html
    '0003-fix-Atmel-maXTouch-touchscreen-support.patch'
    # HID: quirks: Add Apple Magic Trackpad 2 to hid_have_special_driver list
    # https://bugzilla.kernel.org/show_bug.cgi?id=210241
    '0004-HID-quirks-Add-Apple-Magic-Trackpad-2-to-hid_have_sp.patch'
    # kbuild: support byacc as alternative YACC to bison
    # https://patchwork.kernel.org/patch/11218023/
    '0006-v2-kbuild-support-byacc-as-alternative-YACC-to-bison.patch'
    # sign-file: full functionality with modern LibreSSL
    # https://patchwork.kernel.org/patch/11446123/
    '0007-sign-file-full-functionality-with-modern-LibreSSL.patch'
    # Fix CVE-2026-43500
    # Keep this order: the third patch edits lines that the first two introduce.
    # Drop all three once _pkgver moves to a release that already carries them.
    'rxrpc-input-Open-code-skb_unshare.patch'
    'rxrpc-Fix-conn-level-packet-handling-to-unshare-RESP.patch'
    'rxrpc-Also-unshare-DATA-RESPONSE-packets-when-paged-.patch'
  )
  local _patch
  for _patch in "${_patches[@]}"; do
    patch -p1 -i "${srcdir}/${_patch}"
  done

  # Seed the tree with the packaged configuration for the target architecture.
  cat "${srcdir}/config.${CARCH}" > ./.config

  # append pkgrel to extraversion
  sed -ri "s|^(EXTRAVERSION =.*\S).*|\1-${pkgrel}|" Makefile

  # don't run depmod on 'make install'. We'll do this ourselves in packaging
  sed -i '2iexit 0' scripts/depmod.sh

  # get kernel version
  yes "" | make prepare

  # load configuration
  # Configure the kernel. Replace the line below with one of your choice.
  #make menuconfig # CLI menu for configuration
  #make nconfig # new CLI menu for configuration
  #make xconfig # X-based configuration
  #make oldconfig # using old config from previous kernel version
  # ... or manually edit .config

  # rewrite configuration; every prompt is answered with an empty line
  yes "" | make config >/dev/null
}
build() {
  local _tree="${srcdir}/${_srcname}"

  cd "${_tree}"
  # MAKEFLAGS is expanded unquoted, so it is word-split into separate make arguments.
  # The empty LOCALVERSION matches the value used by the kernelrelease call in _package().
  make ${MAKEFLAGS} LOCALVERSION= bzImage modules
}
# Packaging body for the kernel image and its modules.
# It also leaves _kernver and _basekernel set as globals; _package-headers()
# reads _kernver without computing it.
_package() {
pkgdesc="The ${pkgbase^} kernel and modules"
[ "${pkgbase}" = "linux-libre-lts" ] && groups=('base')
depends=('coreutils' 'kmod' 'mkinitcpio>=0.7')
optdepends=('kernel-firmware: firmware files for Linux-libre'
'crda: to set the correct wireless channels of your country')
provides=("${_replacesarchkernel[@]/%/=${_archpkgver}}" "${_replacesoldkernels[@]}" "kernel=${_archpkgver}" "${_replacesmainlinearchkernel[@]}")
conflicts=("${_replacesarchkernel[@]}" "${_replacesoldkernels[@]}" "${_replacesoldmodules[@]}" "${_replacesmainlinearchkernel[@]}")
replaces=("${_replacesarchkernel[@]}" "${_replacesoldkernels[@]}" "${_replacesoldmodules[@]}" "${_replacesmainlinearchkernel[@]}")
backup=("etc/mkinitcpio.d/${pkgbase}.preset")
install=linux.install
cd "${srcdir}/${_srcname}"
# get kernel version
_kernver="$(make LOCALVERSION= kernelrelease)"
# cut everything from the first '-' on, then the last dot-separated component
_basekernel=${_kernver%%-*}
_basekernel=${_basekernel%.*}
mkdir -p "${pkgdir}"/{lib/modules,lib/firmware,boot}
install -Dm644 arch/$KARCH/boot/bzImage "${pkgdir}/boot/vmlinuz-${pkgbase}"
# modules are stripped at install time; makepkg's own stripping is disabled via options
make LOCALVERSION= INSTALL_MOD_PATH="${pkgdir}" INSTALL_MOD_STRIP=1 modules_install
# set correct depmod command for install
# The filled-in install script is written next to the PKGBUILD (${startdir}), not into ${pkgdir}.
sed -e "s|%PKGBASE%|${pkgbase}|g;s|%KERNVER%|${_kernver}|g" \
"${startdir}/${install}" > "${startdir}/${install}.pkg"
# NOTE(review): the 'true &&' prefix presumably hides this assignment from
# makepkg's static scan for install= lines, since the .pkg file only exists
# after the sed above has run - confirm.
true && install=${install}.pkg
# install mkinitcpio preset file for kernel
sed "s|%PKGBASE%|${pkgbase}|g" "${srcdir}/linux.preset" |
install -D -m644 /dev/stdin "${pkgdir}/etc/mkinitcpio.d/${pkgbase}.preset"
# install pacman hook for initramfs regeneration
sed "s|%PKGBASE%|${pkgbase}|g" "${srcdir}/90-linux.hook" |
install -D -m644 /dev/stdin "${pkgdir}/usr/share/libalpm/hooks/90-${pkgbase}.hook"
# remove build and source links
rm -f "${pkgdir}"/lib/modules/${_kernver}/{source,build}
# remove the firmware
rm -rf "${pkgdir}/lib/firmware"
# make room for external modules
ln -s "../extramodules-${_basekernel}${_kernelname}" "${pkgdir}/lib/modules/${_kernver}/extramodules"
# add real version for building modules and running depmod from post_install/upgrade
mkdir -p "${pkgdir}/lib/modules/extramodules-${_basekernel}${_kernelname}"
echo "${_kernver}" > "${pkgdir}/lib/modules/extramodules-${_basekernel}${_kernelname}/version"
# Now we call depmod...
# (run explicitly because prepare() made scripts/depmod.sh exit immediately)
depmod -b "${pkgdir}" -F System.map "${_kernver}"
# add kernel configuration file
# https://issues.hyperbola.info/index.php?do=details&task_id=146
install -D -m644 .config "${pkgdir}/boot/config-${pkgbase}"
# install license file
install -D -m644 COPYING "${pkgdir}/usr/share/licenses/$pkgname/COPYING"
}
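# Packaging body for the headers/scripts tree used to build external modules.
# _kernver is not computed here; the function uses the value left behind by
# _package(), so it only works after that function has run in the same shell.
_package-headers() {
  pkgdesc="Header files and scripts for building modules for ${pkgbase^} kernel"
  provides=("${_replacesarchkernel[@]/%/-headers=${_archpkgver}}" "${_replacesoldkernels[@]/%/-headers}" "${_replacesmainlinearchkernel[@]/%/-headers}")
  conflicts=("${_replacesarchkernel[@]/%/-headers}" "${_replacesoldkernels[@]/%/-headers}" "${_replacesmainlinearchkernel[@]/%/-headers}")
  replaces=("${_replacesarchkernel[@]/%/-headers}" "${_replacesoldkernels[@]/%/-headers}" "${_replacesmainlinearchkernel[@]/%/-headers}")

  # Every path below lives under this directory of the package root.
  local _builddir="${pkgdir}/lib/modules/${_kernver}/build"
  local _i _kconfig _binary

  install -dm755 "${pkgdir}/lib/modules/${_kernver}"

  cd "${srcdir}/${_srcname}"

  install -D -m644 Makefile "${_builddir}/Makefile"
  install -D -m644 kernel/Makefile "${_builddir}/kernel/Makefile"
  install -D -m644 .config "${_builddir}/.config"
  install -D -m644 vmlinux "${_builddir}/vmlinux"
  install -D -m644 System.map "${_builddir}/System.map"
  install -D -m644 Module.symvers "${_builddir}/Module.symvers"

  mkdir -p "${_builddir}/include"
  for _i in acpi asm-generic clocksource config crypto drm dt-bindings \
      generated keys kunit kvm linux math-emu media memory misc net \
      pcmcia ras rdma scsi soc sound target trace uapi vdso video xen; do
    cp -a "include/${_i}" "${_builddir}/include/"
  done

  # copy arch includes for external modules
  mkdir -p "${_builddir}/arch/${KARCH}"
  cp -a "arch/${KARCH}/include" "${_builddir}/arch/${KARCH}/"

  # copy files necessary for later builds
  cp -a scripts "${_builddir}"

  # fix permissions on scripts dir: nothing shipped there may be group- or world-writable
  chmod og-w -R "${_builddir}/scripts"
  mkdir -p "${_builddir}/.tmp_versions"

  mkdir -p "${_builddir}/arch/${KARCH}/kernel"

  cp "arch/${KARCH}/Makefile" "${_builddir}/arch/${KARCH}/"
  if [ "${CARCH}" = "i686" ]; then
    cp "arch/${KARCH}/Makefile_32.cpu" "${_builddir}/arch/${KARCH}/"
  fi

  cp "arch/${KARCH}/kernel/asm-offsets.s" "${_builddir}/arch/${KARCH}/kernel/"

  # add dm headers
  mkdir -p "${_builddir}/drivers/md"
  cp drivers/md/*.h "${_builddir}/drivers/md"

  # add inotify.h
  mkdir -p "${_builddir}/include/linux"
  cp include/linux/inotify.h "${_builddir}/include/linux/"

  # add wireless headers
  mkdir -p "${_builddir}/net/mac80211/"
  cp net/mac80211/*.h "${_builddir}/net/mac80211/"

  # add dvb headers for external modules
  # http://bugs.archlinux.org/task/11194
  mkdir -p "${_builddir}/include/config/dvb/"
  cp include/config/dvb/*.h "${_builddir}/include/config/dvb/"

  # add dvb headers for http://mcentral.de/hg/~mrec/em28xx-new
  # in reference to:
  # http://bugs.archlinux.org/task/13146
  mkdir -p "${_builddir}/drivers/media/dvb-frontends/"
  cp drivers/media/dvb-frontends/lgdt330x.h "${_builddir}/drivers/media/dvb-frontends/"
  mkdir -p "${_builddir}/drivers/media/i2c/"
  cp drivers/media/i2c/msp3400-driver.h "${_builddir}/drivers/media/i2c/"

  # add dvb headers
  # in reference to:
  # http://bugs.archlinux.org/task/20402
  mkdir -p "${_builddir}/drivers/media/usb/dvb-usb"
  cp drivers/media/usb/dvb-usb/*.h "${_builddir}/drivers/media/usb/dvb-usb/"
  mkdir -p "${_builddir}/drivers/media/dvb-frontends"
  cp drivers/media/dvb-frontends/*.h "${_builddir}/drivers/media/dvb-frontends/"
  mkdir -p "${_builddir}/drivers/media/tuners"
  cp drivers/media/tuners/*.h "${_builddir}/drivers/media/tuners/"

  # add xfs and shmem for aufs building
  mkdir -p "${_builddir}/fs/xfs"
  mkdir -p "${_builddir}/mm"
  # removed in 3.17-gnu series
  # cp fs/xfs/xfs_sb.h "${pkgdir}/lib/modules/${_kernver}/build/fs/xfs/xfs_sb.h"

  # copy in Kconfig files
  # NUL-delimited so that a path is never split on whitespace; the loop runs in
  # the current shell, so a failing mkdir/cp is handled as before.
  while IFS= read -r -d '' _kconfig; do
    mkdir -p "${_builddir}/${_kconfig%/*}"
    cp "${_kconfig}" "${_builddir}/${_kconfig}"
  done < <(find . -name "Kconfig*" -print0)

  # add objtool for external module building and enabled VALIDATION_STACK option
  if [ -f tools/objtool/objtool ]; then
    mkdir -p "${_builddir}/tools/objtool"
    cp -a tools/objtool/objtool "${_builddir}/tools/objtool/"
  fi

  # 'owner:group' is the portable separator; the 'owner.group' form is obsolete
  chown -R root:root "${_builddir}"
  find "${_builddir}" -type d -exec chmod 755 {} \;

  # strip scripts directory
  # The STRIP_* variables are expanded unquoted so that several options split into words.
  find "${_builddir}/scripts" -type f -perm -u+w 2>/dev/null | while IFS= read -r _binary; do
    case "$(file -bi "${_binary}")" in
      *application/x-sharedlib*) # Libraries (.so)
        /usr/bin/strip ${STRIP_SHARED} "${_binary}";;
      *application/x-archive*) # Libraries (.a)
        /usr/bin/strip ${STRIP_STATIC} "${_binary}";;
      *application/x-executable*) # Binaries
        /usr/bin/strip ${STRIP_BINARIES} "${_binary}";;
      *application/x-pie-executable\;*) # Relocatable binaries
        # was '${$STRIP_SHARED}', which bash rejects as a bad substitution
        /usr/bin/strip ${STRIP_SHARED} "${_binary}";;
    esac
  done

  # strip vmlinux
  strip -v $STRIP_STATIC "${_builddir}/vmlinux"

  # remove unneeded architectures
  find "${_builddir}/arch" -mindepth 1 -maxdepth 1 -type d -not -name "$KARCH" -exec rm -rf {} +

  # remove documentation
  rm -r "${_builddir}/Documentation"

  # remove broken symlinks
  find -L "${_builddir}" -type l -printf 'Removing %P\n' -delete

  # remove loose objects
  find "${_builddir}" -type f -name '*.o' -printf 'Removing %P\n' -delete

  # add symlink
  mkdir -p "${pkgdir}/usr/src"
  ln -sr "${_builddir}" "${pkgdir}/usr/src/${pkgbase}"

  # install license file
  install -D -m644 COPYING "${pkgdir}/usr/share/licenses/${pkgname}/COPYING"
}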
# Packaging body for the kernel documentation tree.
_package-docs() {
  pkgdesc="Kernel hackers manual - HTML documentation that comes with the ${pkgbase^} kernel"
  provides=("${_replacesarchkernel[@]/%/-docs=${_archpkgver}}" "${_replacesoldkernels[@]/%/-docs}" "${_replacesmainlinearchkernel[@]/%/-docs}")
  conflicts=("${_replacesarchkernel[@]/%/-docs}" "${_replacesoldkernels[@]/%/-docs}" "${_replacesmainlinearchkernel[@]/%/-docs}")
  replaces=("${_replacesarchkernel[@]/%/-docs}" "${_replacesoldkernels[@]/%/-docs}" "${_replacesmainlinearchkernel[@]/%/-docs}")

  local _docdir="${pkgdir}/usr/share/doc/${pkgname}"

  cd "${srcdir}/${_srcname}"
  mkdir -p "${_docdir}"

  # -l hard-links the files instead of copying them, so the chmod below acts on
  # inodes that are shared with the source tree.
  cp -al Documentation/* "${_docdir}"

  # Read-only files, traversable directories.
  find "${pkgdir}" -type f -exec chmod 444 {} \;
  find "${pkgdir}" -type d -exec chmod 755 {} \;

  # install license file
  install -D -m644 COPYING "${pkgdir}/usr/share/licenses/${pkgname}/COPYING"
}
# Split packages produced from this PKGBUILD: kernel, headers and docs.
pkgname=("${pkgbase}" "${pkgbase}-headers" "${pkgbase}-docs")
# Generate one package_<name>() function per split package.
# ${_p#${pkgbase}} strips the pkgbase prefix and leaves '', '-headers' or
# '-docs', which selects _package, _package-headers or _package-docs.
# 'declare -f' prints the definition of that helper; the generated function
# body therefore re-defines the helper and then calls it.
# The strings passed to eval are built only from pkgbase and the function names
# defined in this file.
for _p in ${pkgname[@]}; do
eval "package_${_p}() {
$(declare -f "_package${_p#${pkgbase}}")
_package${_p#${pkgbase}}
}"
done
# vim:set ts=8 sts=2 sw=2 et:
rxrpc-Also-unshare-DATA-RESPONSE-packets-when-paged-.patch
From: Hyunwoo Kim <imv4bel@gmail.com>
Date: Thu, 30 Apr 2026 08:35:55 +0900
Subject: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries paged fragments (skb->data_len != 0)
falls through to the in-place decryption path, which binds the frag
pages directly into the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate so that any skb with non-linear data is also copied,
ensuring the security handler always operates on a fully linear skb.
The OOM/trace handling already in place is reused.
Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
[bwh: Backported to 5.10: The cloning of input data packets is in
rxrpc_input_packet() here]
Signed-off-by: Ben Hutchings <benh@debian.org>
---
net/rxrpc/conn_event.c | 2 +-
net/rxrpc/input.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -291,7 +291,7 @@ static int rxrpc_verify_response(struct rxrpc_connection *conn,
{
int ret;
- if (skb_cloned(skb)) {
+ if (skb_cloned(skb) || skb_is_nonlinear(skb)) {
/* Copy the packet if shared so that we can do in-place
* decryption.
*/
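Review bot: The comment kept under the widened condition in rxrpc_verify_response() still says "Copy the packet if shared", but the copy is now also taken for an unshared skb that carries paged fragments, which is the case this patch exists for. I would reword it to name both conditions, e.g. `/* Copy the packet if it is shared or non-linear so that in-place decryption runs on a private, linear buffer. */`. The same stale wording sits above the matching condition in rxrpc_input_packet() in the net/rxrpc/input.c hunk ("Unshare the packet ..."). Both function bodies continue outside their hunks.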
--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -1287,7 +1287,7 @@ int rxrpc_input_packet(struct sock *udp_sk, struct sk_buff *skb)
* decryption.
*/
if (sp->hdr.securityIndex != 0 &&
- skb_cloned(skb)) {
+ (skb_cloned(skb) || skb_is_nonlinear(skb))) {
struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
if (!nskb) {
kfree_skb(skb);
rxrpc-Fix-conn-level-packet-handling-to-unshare-RESP.patch
From: David Howells <dhowells@redhat.com>
Date: Wed, 22 Apr 2026 17:14:33 +0100
Subject: rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
Origin: https://git.kernel.org/linus/24481a7f573305706054c59e275371f8d0fe919f
The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).
Fix this by handing a copy of the packet off to the specific security
handler if the packet was cloned.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[bwh: Backport to 5.10:
- rxrpc_security::verify_response() takes an additional parameter, so make
rxrpc_verify_response() pass that through
- Use trace event enumerators that are available here
]
Signed-off-by: Ben Hutchings <benh@debian.org>
---
net/rxrpc/conn_event.c | 31 ++++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -285,6 +285,35 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call)
}
}
+static int rxrpc_verify_response(struct rxrpc_connection *conn,
+ struct sk_buff *skb,
+ u32 *_abort_code)
+{
+ int ret;
+
+ if (skb_cloned(skb)) {
+ /* Copy the packet if shared so that we can do in-place
+ * decryption.
+ */
+ struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
+
+ if (nskb) {
+ rxrpc_new_skb(nskb, rxrpc_skb_unshared);
+ ret = conn->security->verify_response(conn, nskb,
+ _abort_code);
+ rxrpc_free_skb(nskb, rxrpc_skb_freed);
+ } else {
+ /* OOM - Drop the packet. */
+ rxrpc_see_skb(skb, rxrpc_skb_unshared_nomem);
+ ret = -ENOMEM;
+ }
+ } else {
+ ret = conn->security->verify_response(conn, skb, _abort_code);
+ }
+
+ return ret;
+}
+
/*
* connection-level Rx packet processor
*/
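Review bot: On the allocation-failure branch of the new rxrpc_verify_response() the comment says "OOM - Drop the packet", yet the function only returns -ENOMEM and never frees skb, so what happens to the packet is decided by the caller, which is not visible here. If the 5.10 caller retries or requeues on -ENOMEM rather than dropping, the comment is misleading; wording such as `/* OOM - leave skb untouched and report -ENOMEM to the caller. */` is accurate either way. The helper also has no header comment, unlike the function that follows it; `/* Verify a RESPONSE packet, using a private copy if the skb is cloned. */` would match the file's style.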
@@ -337,7 +366,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
_abort_code);
case RXRPC_PACKET_TYPE_RESPONSE:
- ret = conn->security->verify_response(conn, skb, _abort_code);
+ ret = rxrpc_verify_response(conn, skb, _abort_code);
if (ret < 0)
return ret;
rxrpc-input-Open-code-skb_unshare.patch
From: Ben Hutchings <benh@debian.org>
Date: Thu, 7 May 2026 22:17:01 +0200
Subject: rxrpc: input: Open-code skb_unshare()
As preparation for a later fix, replace the call to skb_unshare() from
rxrpc_input_packet() with an open-coded version. The same
transformation was done as part of upstream commit 1f2740150f90
"rxrpc: Fix potential UAF after skb_unshare() failure", but that
depends on much larger changes in 6.2 that cannot be backported.
Signed-off-by: Ben Hutchings <benh@debian.org>
---
net/rxrpc/input.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -1286,19 +1286,20 @@ int rxrpc_input_packet(struct sock *udp_sk, struct sk_buff *skb)
/* Unshare the packet so that it can be modified for in-place
* decryption.
*/
- if (sp->hdr.securityIndex != 0) {
- struct sk_buff *nskb = skb_unshare(skb, GFP_ATOMIC);
+ if (sp->hdr.securityIndex != 0 &&
+ skb_cloned(skb)) {
+ struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
if (!nskb) {
+ kfree_skb(skb);
rxrpc_eaten_skb(skb, rxrpc_skb_unshared_nomem);
goto out;
}
- if (nskb != skb) {
- rxrpc_eaten_skb(skb, rxrpc_skb_received);
- skb = nskb;
- rxrpc_new_skb(skb, rxrpc_skb_unshared);
- sp = rxrpc_skb(skb);
- }
+ consume_skb(skb);
+ rxrpc_eaten_skb(skb, rxrpc_skb_received);
+ skb = nskb;
+ rxrpc_new_skb(skb, rxrpc_skb_unshared);
+ sp = rxrpc_skb(skb);
}
break;
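Review bot: In both branches the original skb is released (`kfree_skb(skb)` on allocation failure, `consume_skb(skb)` on success) before it is passed to `rxrpc_eaten_skb(skb, ...)`, so the tracing helper receives a pointer to a buffer that may already be freed. This appears to reproduce what skb_unshare() did internally on the removed lines, and the helper presumably only records the pointer value, but nothing in the hunk says so. A short comment would keep a later edit from adding a dereference there, e.g. `/* skb is already released; rxrpc_eaten_skb() must only log the pointer. */`. rxrpc_input_packet() continues outside the hunk.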