#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 4.14.198-ipfire Kernel Configuration
+# Linux/arm64 4.14.206-ipfire Kernel Configuration
#
CONFIG_ARM64=y
CONFIG_64BIT=y
CONFIG_TIMER_ACPI=y
CONFIG_TIMER_PROBE=y
CONFIG_CLKSRC_MMIO=y
+CONFIG_DW_APB_TIMER=y
+CONFIG_DW_APB_TIMER_OF=y
CONFIG_ROCKCHIP_TIMER=y
CONFIG_ARM_ARCH_TIMER=y
CONFIG_ARM_ARCH_TIMER_EVTSTREAM=y
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 4.14.195-ipfire-multi Kernel Configuration
+# Linux/arm 4.14.206-ipfire-multi Kernel Configuration
#
CONFIG_ARM=y
CONFIG_ARM_HAS_SG_CHAIN=y
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.195-ipfire Kernel Configuration
+# Linux/x86 4.14.206-ipfire Kernel Configuration
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
# Console display driver support
#
CONFIG_VGA_CONSOLE=y
-# CONFIG_VGACON_SOFT_SCROLLBACK is not set
CONFIG_MDA_CONSOLE=m
CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.195-ipfire Kernel Configuration
+# Linux/x86 4.14.206-ipfire Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
# Console display driver support
#
CONFIG_VGA_CONSOLE=y
-# CONFIG_VGACON_SOFT_SCROLLBACK is not set
CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
#lib/modules/KVER-ipfire/build/include/config/dw
#lib/modules/KVER-ipfire/build/include/config/dw/apb
#lib/modules/KVER-ipfire/build/include/config/dw/apb/ictl.h
+#lib/modules/KVER-ipfire/build/include/config/dw/apb/timer
+#lib/modules/KVER-ipfire/build/include/config/dw/apb/timer.h
+#lib/modules/KVER-ipfire/build/include/config/dw/apb/timer/of.h
#lib/modules/KVER-ipfire/build/include/config/dw/dmac
#lib/modules/KVER-ipfire/build/include/config/dw/dmac/core.h
#lib/modules/KVER-ipfire/build/include/config/dw/dmac/pci.h
--- /dev/null
+../../../../common/aarch64/linux
\ No newline at end of file
--- /dev/null
+../../../../common/aarch64/linux-initrd
\ No newline at end of file
--- /dev/null
+../../../../common/armv5tel/linux-initrd-multi
\ No newline at end of file
--- /dev/null
+../../../../common/armv5tel/linux-multi
\ No newline at end of file
--- /dev/null
+../../../../common/i586/linux
\ No newline at end of file
--- /dev/null
+../../../../common/i586/linux-initrd
\ No newline at end of file
--- /dev/null
+../../../../common/x86_64/linux
\ No newline at end of file
--- /dev/null
+../../../../common/x86_64/linux-initrd
\ No newline at end of file
core=153
+exit_with_error() {
+ # Set last succesfull installed core.
+ echo $(($core-1)) > /opt/pakfire/db/core/mine
+ # force fsck at next boot, this may fix free space on xfs
+ touch /forcefsck
+ # don't start pakfire again at error
+ killall -KILL pak_update
+ /usr/bin/logger -p syslog.emerg -t ipfire \
+ "core-update-${core}: $1"
+ exit $2
+}
+
# Remove old core updates from pakfire cache to save space...
for (( i=1; i<=$core; i++ )); do
rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
done
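Review bot: `exit $2` at the end of `exit_with_error` falls back to the status of the preceding `logger` call when a caller omits the second argument, so a failed update could end with exit status 0. `exit "${2:-1}"` keeps the failure visible to pakfire. The function also reads `core` as a global in `echo $(($core-1)) > /opt/pakfire/db/core/mine`; that works here because `core=153` is set above it, and a one-line comment such as `# requires $core to be set before the first call` would protect the next update script that copies this helper. A short comment on `killall -KILL pak_update` explaining why SIGKILL is needed rather than SIGTERM would document the intent.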
+KVER="xxxKVERxxx"
+
+# Backup uEnv.txt if exist
+if [ -e /boot/uEnv.txt ]; then
+ cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+fi
+
+# Do some sanity checks.
+case $(uname -r) in
+ *-ipfire-kirkwood)
+ exit_with_error "ERROR cannot update. kirkwood kernel was not supported." 1
+ ;;
+ *-ipfire*)
+ # Ok.
+ ;;
+ *)
+ exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+ ;;
+esac
+if [ -e /boot/grub/grub.conf ]; then
+ exit_with_error "ERROR unsupported GRUB1/pygrub found!" 1
+fi
+
+# Check diskspace on root
+ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+
+if [ $ROOTSPACE -lt 100000 ]; then
+ exit_with_error "ERROR cannot update because not enough free space on root." 2
+ exit 2
+fi
+
+# Remove the old kernel
+rm -rf /boot/System.map-*
+rm -rf /boot/config-*
+rm -rf /boot/ipfirerd-*
+rm -rf /boot/initramfs-*
+rm -rf /boot/vmlinuz-*
+rm -rf /boot/uImage-*-ipfire-*
+rm -rf /boot/zImage-*-ipfire-*
+rm -rf /boot/uInit-*-ipfire-*
+rm -rf /boot/dtb-*-ipfire-*
+rm -rf /lib/modules
+
# Remove files
# Stop services
# Filesytem cleanup
/usr/local/bin/filesystem-cleanup
+# Fix invalid cronjob syntax
+sed -e "s/^%hourly,random \* \* \*/%hourly,random */g" \
+ -i /var/spool/cron/root.orig
+fcrontab -z
+
# Start services
/etc/init.d/suricata restart
# Reload sysctl.conf
sysctl -p
+# remove lm_sensor config after collectd was started
+# to reserch sensors at next boot with updated kernel
+rm -f /etc/sysconfig/lm_sensors
+
+# Upadate Kernel version uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+ sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# call user update script (needed for some arm boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+ /boot/pakfire-kernel-update ${KVER}
+fi
+
# This update needs a reboot...
touch /var/run/need_reboot
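Review bot: The hook call `/boot/pakfire-kernel-update ${KVER}` runs as root behind only an `-e` test and its exit status is discarded, so a non-executable or failing hook goes unnoticed while the script still flags a reboot into the new kernel. Testing with `-x`, quoting the argument and logging a failure would make this observable: `if [ -x /boot/pakfire-kernel-update ]; then /boot/pakfire-kernel-update "${KVER}" || /usr/bin/logger -p syslog.err -t ipfire "core-update-${core}: pakfire-kernel-update failed"; fi`. If /boot is a FAT partition on the affected ARM boards (an assumption, not visible here), file permissions there do not restrict who can place the hook, so a comment stating that this file is trusted as root would be worth adding. The `sed` on uEnv.txt matches `KVER=.*` anywhere in a line; anchoring it as `s/^KVER=.*/KVER=${KVER}/` avoids rewriting other variables whose names end in KVER.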
include Config
-VER = 4.14.198
-ARM_PATCHES = 4.14.198-ipfire0
+VER = 4.14.206
+ARM_PATCHES = 4.14.206-ipfire0
THISAPP = linux-$(VER)
DL_FILE = linux-$(VER).tar.xz
$(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE)
arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
-$(DL_FILE)_MD5 = 9bf8f170f93283549cba55df5247b7b8
-arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 = 84b7afe9148e02568777ae0338da3844
+$(DL_FILE)_MD5 = c08bf53b35b816089d04b99036e0304a
+arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 = 2b0e8e3ebe9827b2bfed7397b043dbc5
install : $(TARGET)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-random_try_to_actively_add_entropy.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14.x-add_timer_setup_on_stack.patch
- # Patch CVE-2020-14386
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14_cve-2020-14386_net_packet_fix_overflow_in_tpacket_rcv.patch
-
ifeq "$(KCFG)" "-multi"
# Apply Arm-multiarch kernel patches.
cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
+++ /dev/null
-From: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
-
-patch based on acf69c946233259ab4d64f8869d4037a198c7f06
-From: Or Cohen <orcohen@paloaltonetworks.com>
-Subject: net/packet: fix overflow in tpacket_rcv
-
-Using tp_reserve to calculate netoff can overflow as
-tp_reserve is unsigned int and netoff is unsigned short.
-
-This may lead to macoff receving a smaller value then
-sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
-is set, an out-of-bounds write will occur when
-calling virtio_net_hdr_from_skb.
-
-The bug is fixed by converting netoff to unsigned int
-and checking if it exceeds USHRT_MAX.
-
-This addresses CVE-2020-14386
-
-
-diff -Naur linux-4.14.197.org/net/packet/af_packet.c linux-4.14.197/net/packet/af_packet.c
---- linux-4.14.197.org/net/packet/af_packet.c 2020-09-11 22:27:31.003458577 +0200
-+++ linux-4.14.197/net/packet/af_packet.c 2020-09-11 22:38:53.104021712 +0200
-@@ -2201,7 +2201,8 @@
- int skb_len = skb->len;
- unsigned int snaplen, res;
- unsigned long status = TP_STATUS_USER;
-- unsigned short macoff, netoff, hdrlen;
-+ unsigned short macoff, hdrlen;
-+ unsigned int netoff;
- struct sk_buff *copy_skb = NULL;
- struct timespec ts;
- __u32 ts_status;
-@@ -2264,6 +2265,10 @@
- }
- macoff = netoff - maclen;
- }
-+ if (netoff > USHRT_MAX) {
-+ po->stats.stats1.tp_drops++;
-+ goto drop_n_restore;
-+ }
- if (po->tp_version <= TPACKET_V2) {
- if (macoff + snaplen > po->rx_ring.frame_size) {
- if (po->copy_thresh &&