diff options
Diffstat (limited to 'pkgs/os-specific/linux')
18 files changed, 162 insertions, 96 deletions
diff --git a/pkgs/os-specific/linux/firmware/linux-firmware/source.nix b/pkgs/os-specific/linux/firmware/linux-firmware/source.nix index 3739c1dc3e463..adaa4968fd565 100644 --- a/pkgs/os-specific/linux/firmware/linux-firmware/source.nix +++ b/pkgs/os-specific/linux/firmware/linux-firmware/source.nix @@ -1,7 +1,7 @@ # This file is autogenerated! Run ./update.sh to regenerate. { - version = "20240410"; - revision = "20240410"; - sourceHash = "sha256-Qo4f5kdHlBYKlzdFOtoKoCPHXxgDeCawSE3tnRwfC4U="; - outputHash = "sha256-pOYDdb0A1sESiT0kfA4DbWxKJ3+pog54+S3KcQB3BsA="; + version = "20240610"; + revision = "20240610"; + sourceHash = "sha256-tjDqviOMvrBoEG8+Yn+XqdBlIDfQUX0KK2kpW6/jed8="; + outputHash = "sha256-2VxzN778TLov5N1DPSnnkT7wQnLg85PyKsljZOoSoNM="; } diff --git a/pkgs/os-specific/linux/freeipa/default.nix b/pkgs/os-specific/linux/freeipa/default.nix index e94f6370da984..16cffb1de5a70 100644 --- a/pkgs/os-specific/linux/freeipa/default.nix +++ b/pkgs/os-specific/linux/freeipa/default.nix @@ -64,11 +64,11 @@ let in stdenv.mkDerivation rec { pname = "freeipa"; - version = "4.11.1"; + version = "4.11.2"; src = fetchurl { url = "https://releases.pagure.org/freeipa/freeipa-${version}.tar.gz"; - sha256 = "sha256-Ubq2xAqBvjUwrzD2R6tB0i1WsdA0Y0jnJLgi4p4r8D4="; + hash = "sha256-qrMdseQMTX82qKQldIlbYuhkPqGigULbKdZDYVVBWpQ="; }; nativeBuildInputs = [ diff --git a/pkgs/os-specific/linux/iwd/default.nix b/pkgs/os-specific/linux/iwd/default.nix index 1b983bb90e1e7..9394105efe652 100644 --- a/pkgs/os-specific/linux/iwd/default.nix +++ b/pkgs/os-specific/linux/iwd/default.nix @@ -1,5 +1,6 @@ { lib, stdenv , fetchgit +, fetchpatch , autoreconfHook , pkg-config , ell @@ -20,6 +21,24 @@ stdenv.mkDerivation rec { sha256 = "sha256-i+2R8smgLXooApj0Z5e03FybhYgw1X/kIsJkrDzW8y4="; }; + patches = [ + (fetchpatch { + name = "CVE-2023-52161.patch"; + url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git/patch/?id=6415420f1c92012f64063c131480ffcef58e60ca"; + hash = "sha256-bN5mxdWDyKEC2IyyG2vlzTEAL57C4uC7GAJA3jSXJHg="; + }) + (fetchpatch { + name = "netdev-buffer-overflow-32-byte-ssid.patch"; + url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git/patch/?id=8d68b33e763aced6d419df9f6534760d2c890279"; + hash = "sha256-BSduzwVUTEcqjVwD88qJYgItApcQZwU43u9gbNMDs8I="; + }) + (fetchpatch { + name = "erp-buffer-overflow-32-byte-ssid.patch"; + url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git/patch/?id=bdaae53cf828a1f6ea7a7b57d7d6ebcc7b70ac43"; + hash = "sha256-K/Ib0azlZ0UlFqcqs+8dSfj0hh0j0dZYpfB9f6tEqc8="; + }) + ]; + outputs = [ "out" "man" "doc" ] ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "test"; diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index a27feea36efb8..0445b4507ec2f 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -346,13 +346,14 @@ let DRM_GMA500 = whenAtLeast "5.12" module; DRM_GMA600 = whenOlder "5.13" yes; DRM_GMA3600 = whenOlder "5.12" yes; - DRM_VMWGFX_FBCON = whenOlder "6.2" yes; + DRM_VMWGFX_FBCON = whenOlder "6.1" yes; # (experimental) amdgpu support for verde and newer chipsets DRM_AMDGPU_SI = yes; # (stable) amdgpu support for bonaire and newer chipsets DRM_AMDGPU_CIK = yes; # Allow device firmware updates - DRM_DP_AUX_CHARDEV = yes; + DRM_DP_AUX_CHARDEV = whenOlder "6.10" yes; + DRM_DISPLAY_DP_AUX_CHARDEV = whenAtLeast "6.10" yes; # amdgpu display core (DC) support DRM_AMD_DC_DCN1_0 = whenOlder "5.6" yes; DRM_AMD_DC_DCN2_0 = whenBetween "5.3" "5.6" yes; @@ -480,8 +481,8 @@ let F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes; UDF_FS = module; - NFSD_V2_ACL = whenOlder "5.15" yes; - NFSD_V3 = whenOlder "5.15" yes; + NFSD_V2_ACL = whenOlder "5.10" yes; + NFSD_V3 = whenOlder "5.10" yes; NFSD_V3_ACL = yes; NFSD_V4 = yes; NFSD_V4_SECURITY_LABEL = yes; @@ -769,8 +770,10 @@ let # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375 useZstd = stdenv.buildPlatform.is64bit && versionAtLeast version "5.9"; in { - KERNEL_XZ = mkIf (!useZstd) yes; - KERNEL_ZSTD = mkIf useZstd yes; + # stdenv.hostPlatform.linux-kernel.target assumes uncompressed on RISC-V. + KERNEL_UNCOMPRESSED = mkIf stdenv.hostPlatform.isRiscV yes; + KERNEL_XZ = mkIf (!stdenv.hostPlatform.isRiscV && !useZstd) yes; + KERNEL_ZSTD = mkIf (!stdenv.hostPlatform.isRiscV && useZstd) yes; HID_BATTERY_STRENGTH = yes; # enabled by default in x86_64 but not arm64, so we do that here diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix index 7aa9c51173526..1e1289f82e814 100644 --- a/pkgs/os-specific/linux/kernel/hardened/config.nix +++ b/pkgs/os-specific/linux/kernel/hardened/config.nix @@ -70,12 +70,22 @@ assert (versionAtLeast version "4.9"); GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes; + # Runtime undefined behaviour checks + # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html + # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan + UBSAN = yes; + UBSAN_TRAP = whenAtLeast "5.7" yes; + UBSAN_BOUNDS = whenAtLeast "5.7" yes; + UBSAN_SANITIZE_ALL = whenOlder "6.9" yes; + UBSAN_LOCAL_BOUNDS = option yes; # clang only + CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1 + # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19. RANDSTRUCT = whenAtLeast "5.19" yes; RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes; # Disable various dangerous settings - ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory + ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory PROC_KCORE = no; # Exposes kernel text image layout INET_DIAG = no; # Has been used for heap based attacks in the past diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json index 21772b2e03eb0..3a424b3b39635 100644 --- a/pkgs/os-specific/linux/kernel/hardened/patches.json +++ b/pkgs/os-specific/linux/kernel/hardened/patches.json @@ -2,52 +2,52 @@ "4.19": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-4.19.309-hardened1.patch", - "sha256": "1hww72w5anmfr9czqbl31glzl70s34492k9qz9zax141zg1sf6sp", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.309-hardened1/linux-hardened-4.19.309-hardened1.patch" + "name": "linux-hardened-4.19.315-hardened1.patch", + "sha256": "1w17mwsv618pw5bkahmz6in0i5zjjxd3d14gggafqdd3dgfr1h8q", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.315-hardened1/linux-hardened-4.19.315-hardened1.patch" }, - "sha256": "1yc45kfiwdqsqa11sxafs82b0day6qvgjcll8rx9vipidsmagbcm", - "version": "4.19.309" + "sha256": "1j1j8awy0237jp2r211qpa305c10y7rlcbkxkzdvzbgyhwy4spkc", + "version": "4.19.315" }, "5.10": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-5.10.212-hardened1.patch", - "sha256": "0h04i94vshhcli5m4qpnqg4vsi5v1ifvdhhklk7c0bvkfk35cbml", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.212-hardened1/linux-hardened-5.10.212-hardened1.patch" + "name": "linux-hardened-5.10.218-hardened1.patch", + "sha256": "1ah4pznha17ngg3w7l0j74h4910gjv8qj503adrap7plvapf82m4", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.218-hardened1/linux-hardened-5.10.218-hardened1.patch" }, - "sha256": "14vll2bghd52wngjxy78hgglydcxka59yziji0w56dcdpmky9wqc", - "version": "5.10.212" + "sha256": "1mmj5hwm5i16gc1y4nzr1cs882vi6vrihrincdcivv63x11v4dlw", + "version": "5.10.218" }, "5.15": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-5.15.151-hardened1.patch", - "sha256": "040jc5n9qsdz2wv5ksfvc28vd72nmya2i2f0ps0jiras6l2wlhjz", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.151-hardened1/linux-hardened-5.15.151-hardened1.patch" + "name": "linux-hardened-5.15.160-hardened1.patch", + "sha256": "1r10ylx886rslsmrixlijjm4crhwzkl3wj6kpyn2344qik1gxpqr", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.160-hardened1/linux-hardened-5.15.160-hardened1.patch" }, - "sha256": "0jby224ncdardjwmf8c59s5j71inpvdlzah984ilf2b6y85pc7la", - "version": "5.15.151" + "sha256": "018v19a7rhzc4szybzzn86jlnk42x7jm6xkadfd2d3xq6f7727pl", + "version": "5.15.160" }, "5.4": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-5.4.271-hardened1.patch", - "sha256": "0rw5il7885d0d3k2hmh46541svib6rp32g00fcl5bw37ydmq3z8b", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.271-hardened1/linux-hardened-5.4.271-hardened1.patch" + "name": "linux-hardened-5.4.277-hardened1.patch", + "sha256": "1zjw5wl8lj69j402qm8dg3m4dxgq3ppx2jyz8jks976vyhh8fsg4", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.277-hardened1/linux-hardened-5.4.277-hardened1.patch" }, - "sha256": "0l2qv4xlhnry9crs90rkihsxyny6jz8kxw08bfad7nys9hrn3g6d", - "version": "5.4.271" + "sha256": "0l8zq3k07hdprfpvw69ykkf2pdg8wiv28xz733yxsjcfb0l5n7vy", + "version": "5.4.277" }, "6.1": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-6.1.81-hardened1.patch", - "sha256": "0af9dxdsa858zyqc0vsrzg098afhg5vpb2wpr6gj2ykwc13iaf07", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.81-hardened1/linux-hardened-6.1.81-hardened1.patch" + "name": "linux-hardened-6.1.92-hardened1.patch", + "sha256": "0cw87ygmisi823y3f7xrck12b6zh3mq1qmb7lcmr3hg6w3xskmn3", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.92-hardened1/linux-hardened-6.1.92-hardened1.patch" }, - "sha256": "0arl96yrqplbmp2gjyqcfma1lgc30kbn95m0sflv0yyldwf8dg8f", - "version": "6.1.81" + "sha256": "1j9n8gk76nn4gw42iba5zgghr360gb9n1mslr5dyv76wpwkz86ch", + "version": "6.1.92" }, "6.5": { "patch": { @@ -62,12 +62,12 @@ "6.6": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-6.6.21-hardened1.patch", - "sha256": "0k35s5pj92lvfp6kw3isg78zc3gijsg0xbzcyvxdkmhzaq8j6i1i", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.6.21-hardened1/linux-hardened-6.6.21-hardened1.patch" + "name": "linux-hardened-6.6.32-hardened1.patch", + "sha256": "19362a6lxs3cnaw19jvda7n791y95lfgn9ki4wmaxnw2qbpi0bgg", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.6.32-hardened1/linux-hardened-6.6.32-hardened1.patch" }, - "sha256": "0mz420w99agr7jv1jgqfr4fjhzbv005xif086sqx556s900l62zf", - "version": "6.6.21" + "sha256": "1qbc8dqmk2xs1cz968rysw5xvhq3lj8g0pxp48fr2qbzy3m29a5a", + "version": "6.6.32" }, "6.7": { "patch": { @@ -78,5 +78,25 @@ }, "sha256": "1lrp7pwnxnqyy8c2l4n4nz997039gbnssrfm8ss8kl3h2c7fr2g4", "version": "6.7.6" + }, + "6.8": { + "patch": { + "extra": "-hardened1", + "name": "linux-hardened-6.8.11-hardened1.patch", + "sha256": "08i03dmri9h6jxcjd9g6s7pv0spqi3f4fgch1ars68cgngikvbpq", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.8.11-hardened1/linux-hardened-6.8.11-hardened1.patch" + }, + "sha256": "1di8kr596sf68sm61kp5rz6bn3sb0q5ag1qc5hm8f9dpyq4wv3dp", + "version": "6.8.11" + }, + "6.9": { + "patch": { + "extra": "-hardened1", + "name": "linux-hardened-6.9.2-hardened1.patch", + "sha256": "0ph1m0pnlqrhvddz2mjgcwvs0ddcpzigz8kgi9zi063qinlfbm3q", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.9.2-hardened1/linux-hardened-6.9.2-hardened1.patch" + }, + "sha256": "1yg5j284y1gz7zwxjz2abvlnas259m1y1vzd9lmcqqar5kgmnv6l", + "version": "6.9.2" } } diff --git a/pkgs/os-specific/linux/kernel/kernels-org.json b/pkgs/os-specific/linux/kernel/kernels-org.json index 6a6e66e317300..9585ae305c175 100644 --- a/pkgs/os-specific/linux/kernel/kernels-org.json +++ b/pkgs/os-specific/linux/kernel/kernels-org.json @@ -1,38 +1,42 @@ { "testing": { - "version": "6.9-rc6", - "hash": "sha256:075l5vhk8zmwln4jks7gr5n5k67s65qvs07l2rpbc7a75fdp6c14" + "version": "6.10-rc5", + "hash": "sha256:1bjqcgik4mgjshwy7p45msd62rmq8wjyz7b60n4fsm3kyk16imcd" }, "6.5": { "version": "6.5.13", "hash": "sha256:1dfbbydmayfj9npx3z0g38p574pmcx3qgs49dv0npigl48wd9yvq" }, "6.1": { - "version": "6.1.90", - "hash": "sha256:07cfg0chssvpc4mqls3aln6s4lqjp6k4x2n63wndmkjgfqpdg8w3" + "version": "6.1.96", + "hash": "sha256:1ab290vm6h8vj1qi1qhxzh9kc6dbgpkwybcwzw1aprz5kl3cjxry" }, "5.15": { - "version": "5.15.158", - "hash": "sha256:1inmdpif3qf1blmvjj4i7y42bylvhv0wyj3b0apq12zxlj1iq1zr" + "version": "5.15.161", + "hash": "sha256:0k277hz6nq62v0xfc1n2hc69cyvmnxpl0qcbszinajywh23gfafn" }, "5.10": { - "version": "5.10.216", - "hash": "sha256:0lg1zfb9y4ps86q85mlnyalb3s90zix003z62jb9bw139f65h473" + "version": "5.10.220", + "hash": "sha256:16z1xqm7djm8pl15s5wvgc4pwq81gydcf00jpxfplw794kwszhvw" }, "5.4": { - "version": "5.4.275", - "hash": "sha256:0k1hyknx854k8z27j4rq1gcp8l0xc0bspmrhc41a033gjilb1lns" + "version": "5.4.278", + "hash": "sha256:1245zf7vk2fyprw9fspljqy9wlzma9bayri7xx2g8iam2430d875" }, "4.19": { - "version": "4.19.313", - "hash": "sha256:1j1r4mrdh1ray468jr5i8d2afiswb653bhq0ck8bcdw4rwp5w558" + "version": "4.19.316", + "hash": "sha256:0lmyhwr4la7kvim7jqdi29scjkvqp9crpvdbhpb4j8d7mj5kgzz4" }, "6.6": { - "version": "6.6.30", - "hash": "sha256:1ilwmgpgvddwkd9nx5999cb6z18scjyq7jklid26k1hg7f35nsmn" + "version": "6.6.36", + "hash": "sha256:1mfdw2prjb54r19y22sm37q8spnk6lyk162ima7gps1pnwl6hrxr" }, "6.8": { - "version": "6.8.9", - "hash": "sha256:1dn9bgmf03bdfbmgq98d043702g808rjikxs2i9yia57iqiz21gr" + "version": "6.8.12", + "hash": "sha256:0fb0m0fv4521g63gq04d7lm6hy8169s1rykiav5bkd99s9b1kcqr" + }, + "6.9": { + "version": "6.9.7", + "hash": "sha256:1y01w26sas7pl24l09yczdr8mzzy2nadykz1wmhx9ygfj76qixg4" } } diff --git a/pkgs/os-specific/linux/kernel/linux-libre.nix b/pkgs/os-specific/linux/kernel/linux-libre.nix index 3344808ca2789..a7e1f635880cd 100644 --- a/pkgs/os-specific/linux/kernel/linux-libre.nix +++ b/pkgs/os-specific/linux/kernel/linux-libre.nix @@ -1,8 +1,8 @@ { stdenv, lib, fetchsvn, linux , scripts ? fetchsvn { url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/"; - rev = "19546"; - sha256 = "1yyj7pbfs02fki1rdxfj9gcrxdrl26igisy4fji7czcc9xbw03qm"; + rev = "19584"; + sha256 = "1vhk4jnx8f98lkj2isrms2jm9c5qrpgayxbhawslqrprq1pmzlif"; } , ... }: diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix index b013c7f1bf181..2bb90b38bbec0 100644 --- a/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix +++ b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix @@ -6,7 +6,7 @@ , ... } @ args: let - version = "5.10.215-rt107"; # updated by ./update-rt.sh + version = "5.10.218-rt110"; # updated by ./update-rt.sh branch = lib.versions.majorMinor version; kversion = builtins.elemAt (lib.splitString "-" version) 0; in buildLinux (args // { @@ -17,14 +17,14 @@ in buildLinux (args // { src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz"; - sha256 = "1af6h86flx96pszg006agpak2f9dkk2jqaazfykd7aafqdcs3747"; + sha256 = "1mmj5hwm5i16gc1y4nzr1cs882vi6vrihrincdcivv63x11v4dlw"; }; kernelPatches = let rt-patch = { name = "rt"; patch = fetchurl { url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz"; - sha256 = "0lnnpnfmypafzfzhcmaxqqc18nna4fr236v6hrcyabnxmxam79xj"; + sha256 = "0zam7hlcrphxv53jcza7sw0lv8a9mz15cl35adwb2rd2y1x9nhad"; }; }; in [ rt-patch ] ++ kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix index 91774ba38dbd8..620dd0328de2d 100644 --- a/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix +++ b/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix @@ -6,7 +6,7 @@ , ... } @ args: let - version = "5.15.153-rt75"; # updated by ./update-rt.sh + version = "5.15.160-rt77"; # updated by ./update-rt.sh branch = lib.versions.majorMinor version; kversion = builtins.elemAt (lib.splitString "-" version) 0; in buildLinux (args // { @@ -18,14 +18,14 @@ in buildLinux (args // { src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz"; - sha256 = "1g44gjcwcdq5552vwinljqwiy90bxax72jjvdasp71x88khv3pfp"; + sha256 = "018v19a7rhzc4szybzzn86jlnk42x7jm6xkadfd2d3xq6f7727pl"; }; kernelPatches = let rt-patch = { name = "rt"; patch = fetchurl { url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz"; - sha256 = "04i22p0ap4dsqybf9jbbmrbzva11qknilnyk46z18gzrr0msjldl"; + sha256 = "0id4m1k1xq84bxgnchm8r2iwfqw6nacv5n1ksgyzj6q6v66ik3wk"; }; }; in [ rt-patch ] ++ kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix b/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix index 06028d209779d..e232e2a5927ee 100644 --- a/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix +++ b/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix @@ -6,7 +6,7 @@ , ... } @ args: let - version = "6.1.83-rt28"; # updated by ./update-rt.sh + version = "6.1.95-rt34"; # updated by ./update-rt.sh branch = lib.versions.majorMinor version; kversion = builtins.elemAt (lib.splitString "-" version) 0; in buildLinux (args // { @@ -18,14 +18,14 @@ in buildLinux (args // { src = fetchurl { url = "mirror://kernel/linux/kernel/v6.x/linux-${kversion}.tar.xz"; - sha256 = "145iw3wii7znhrqdmgnwhswk235g6gw8axjjji2cw4rn148rddl8"; + sha256 = "1gfz2j6iixbr0dfkb8jkwnb4gicrm5rc5lsa24wmyrkm3nmg0q19"; }; kernelPatches = let rt-patch = { name = "rt"; patch = fetchurl { url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz"; - sha256 = "07wv3zd7n5378k8ywdavrp5ndqkdcis923dwpswfv7062xm34y5h"; + sha256 = "1kz9j8d677vr5sfxrvfd2a8vpmz3vsrvb82rdvvf09ikpdvsa6iy"; }; }; in [ rt-patch ] ++ kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix b/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix index eb85f9c3cd091..55d5fb2874d46 100644 --- a/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix +++ b/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix @@ -6,7 +6,7 @@ , ... } @ args: let - version = "6.6.25-rt29"; # updated by ./update-rt.sh + version = "6.6.35-rt34"; # updated by ./update-rt.sh branch = lib.versions.majorMinor version; kversion = builtins.elemAt (lib.splitString "-" version) 0; in buildLinux (args // { @@ -18,14 +18,14 @@ in buildLinux (args // { src = fetchurl { url = "mirror://kernel/linux/kernel/v6.x/linux-${kversion}.tar.xz"; - sha256 = "0i0zvqlj02rm6wpbidji0rn9559vrpfc1b8gbfjk70lhhyz11llr"; + sha256 = "17nxymy3r9q45cfzc9rqp937m37zr1b8fjn1m0x0dv8jhxrfxqzw"; }; kernelPatches = let rt-patch = { name = "rt"; patch = fetchurl { url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz"; - sha256 = "15mb4zycv86yp1cbs5svgs3pnmh8jihjhf4jxc4h4ywlzglkb1za"; + sha256 = "0rijfk9n3fdrwg61ih2x95w4ffjs037hfjv3bza3xb7j04y7hxgy"; }; }; in [ rt-patch ] ++ kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/xanmod-kernels.nix b/pkgs/os-specific/linux/kernel/xanmod-kernels.nix index 8d87ee3598ec6..8a60abae111f0 100644 --- a/pkgs/os-specific/linux/kernel/xanmod-kernels.nix +++ b/pkgs/os-specific/linux/kernel/xanmod-kernels.nix @@ -6,16 +6,14 @@ let # NOTE: When updating these, please also take a look at the changes done to # kernel config in the xanmod version commit ltsVariant = { - version = "6.6.28"; - suffix = "xanmod2"; - hash = "sha256-U5L7i/g808GuUZhLjHE+v0VOQVdTPe+Tnx/rLQoGxx4="; + version = "6.6.33"; + hash = "sha256-3qGxIYNVm2f69rym0Ya1X497G7yRNj3lLCtVgyEZ9yw="; variant = "lts"; }; mainVariant = { - version = "6.8.7"; - suffix = "xanmod2"; - hash = "sha256-/RhtRASEedYI4Zf9pUiiyDD3SgOL46cutTXo68gjBg8="; + version = "6.9.4"; + hash = "sha256-gY0t77aPWOuRZFESNp0OLIsjLAv+rf0NHbab9WF2VtA="; variant = "main"; }; @@ -48,8 +46,13 @@ let HZ_250 = yes; HZ_1000 = no; - # Disable writeback throttling by default - BLK_WBT_MQ = lib.mkOverride 60 no; + # RCU_BOOST and RCU_EXP_KTHREAD + RCU_EXPERT = yes; + RCU_FANOUT = freeform "64"; + RCU_FANOUT_LEAF = freeform "16"; + RCU_BOOST = yes; + RCU_BOOST_DELAY = freeform "0"; + RCU_EXP_KTHREAD = yes; }; extraMeta = { diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix index 1f36e36c2335e..0ee27776eadc1 100644 --- a/pkgs/os-specific/linux/kernel/zen-kernels.nix +++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix @@ -4,16 +4,16 @@ let # comments with variant added for update script # ./update-zen.py zen zenVariant = { - version = "6.8.6"; #zen + version = "6.9.2"; #zen suffix = "zen1"; #zen - sha256 = "09233xbvkwjd8yglzjh50pbw5n3pk7d8l5pb270ric9rnnl383jn"; #zen + sha256 = "1fsmpryk7an6xqppvilcf3bmxs41mqpc3v4f4c81jgrikg21gxbb"; #zen isLqx = false; }; # ./update-zen.py lqx lqxVariant = { - version = "6.8.6"; #lqx - suffix = "lqx2"; #lqx - sha256 = "0mxbl0h8s021m0ab12yy778qyhdlb5789qjbn66l8qxsw0dv4ags"; #lqx + version = "6.8.11"; #lqx + suffix = "lqx1"; #lqx + sha256 = "1dj4znir4wp6jqs680dcxn8z6p02d518993rmrx54ch04jyy5brj"; #lqx isLqx = true; }; zenKernelsFor = { version, suffix, sha256, isLqx }: buildLinux (args // { diff --git a/pkgs/os-specific/linux/microcode/intel.nix b/pkgs/os-specific/linux/microcode/intel.nix index 6953bbca8963e..6e133564e28ce 100644 --- a/pkgs/os-specific/linux/microcode/intel.nix +++ b/pkgs/os-specific/linux/microcode/intel.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "microcode-intel"; - version = "20240312"; + version = "20240531"; src = fetchFromGitHub { owner = "intel"; repo = "Intel-Linux-Processor-Microcode-Data-Files"; rev = "microcode-${version}"; - hash = "sha256-4ZSA+LVczfjZINXhImmFOCc/6kKNrrUQvrXPdOvMM8g="; + hash = "sha256-64vcEc3UiiV5Rg4Eh3Wsi/WSCj5DbjvZBzKLr7EgNOU="; }; nativeBuildInputs = [ iucode-tool libarchive ]; diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index d710fabb7ace0..58213e1947456 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, pkg-config, zlib, shadow +{ lib, stdenv, fetchurl, fetchpatch, pkg-config, zlib, shadow , capabilitiesSupport ? stdenv.isLinux , libcap_ng , libxcrypt @@ -30,6 +30,12 @@ stdenv.mkDerivation rec { patches = [ ./rtcwake-search-PATH-for-shutdown.patch ./bcachefs-patch-set.patch + + (fetchpatch { + name = "CVE-2024-28085.patch"; + url = "https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/patch/?id=f4f0782f66692112311659086fd552d40d7a6f59"; + hash = "sha256-1OQ/FG/gCeGKF+FpeNABMuv+dLhMhFclTfk/vB3Y1N0="; + }) ]; # We separate some of the utilities into their own outputs. This diff --git a/pkgs/os-specific/linux/zfs/stable.nix b/pkgs/os-specific/linux/zfs/stable.nix index 5b5084511a51a..171dceb459562 100644 --- a/pkgs/os-specific/linux/zfs/stable.nix +++ b/pkgs/os-specific/linux/zfs/stable.nix @@ -14,17 +14,17 @@ callPackage ./generic.nix args { # this attribute is the correct one for this package. kernelModuleAttribute = "zfs"; # check the release notes for compatible kernels - kernelCompatible = kernel.kernelOlder "6.8"; + kernelCompatible = kernel.kernelOlder "6.9"; - latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_6; + latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_8; # this package should point to the latest release. - version = "2.2.3"; + version = "2.2.4"; tests = [ nixosTests.zfs.installer nixosTests.zfs.stable ]; - hash = "sha256-Bzkow15OitUUQ+mTYhCXgTrQl+ao/B4feleHY/rSSjg="; + hash = "sha256-SSp/1Tu1iGx5UDcG4j0k2fnYxK05cdE8gzfSn8DU5Z4="; } diff --git a/pkgs/os-specific/linux/zfs/unstable.nix b/pkgs/os-specific/linux/zfs/unstable.nix index a9ad7a218207e..df0ffd3c3c425 100644 --- a/pkgs/os-specific/linux/zfs/unstable.nix +++ b/pkgs/os-specific/linux/zfs/unstable.nix @@ -17,18 +17,19 @@ callPackage ./generic.nix args { # check the release notes for compatible kernels kernelCompatible = kernel.kernelOlder "6.9"; - latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_6; + latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_8; # this package should point to a version / git revision compatible with the latest kernel release # IMPORTANT: Always use a tagged release candidate or commits from the # zfs-<version>-staging branch, because this is tested by the OpenZFS # maintainers. - version = "2.2.2"; + version = "2.2.4"; + # rev = ""; isUnstable = true; tests = [ nixosTests.zfs.unstable ]; - hash = "sha256-CqhETAwhWMhbld5ib3Rz1dxms+GQbLwjEZw/V7U/2nE="; + hash = "sha256-SSp/1Tu1iGx5UDcG4j0k2fnYxK05cdE8gzfSn8DU5Z4="; } |