Home
Welcome to the CIQ Kernel Source Tree repository.
This is a multi-branch tree with all of the CIQ kernels we maintain, from our Rocky LTS releases to CentOS Bridge (7.9), plus some additional branches for the RESF SIG/CLOUD and FIPS (the true source of truth for FIPS is here: ciq-fips). There may be more in the future, but for now this is our forked maintenance.
We would like to invite anyone who wishes to help out to contribute, but there are a couple of asks to start.
We have a couple of pieces of internal tooling for the moment to make sure we integrate all our changes into a more traditional Dist-git model, which is cloned to here: CIQ LTS DIST GIT
We have tooling that uses `git cherry-pick -nsx <upstream sha>` underneath, which makes the engineer doing the backport the author of the commit. We made this decision so that if someone adds a watcher or e-mailer program, the original authors are protected from getting slammed: notifications are restricted to the participants in this kernel source tree.
In order to make sure we credit the original author, and to build tooling for ourselves, we include the original author in a commit header.
Most of the fields are pretty optional, but we will request changes to the header if needed.
```
<Original Commit Subject>

#Start CIQ HEADER
(optional ticket) jira VULN-####
(optional feature/cve/bugfix/sync/etc) cve CVE-####-###
commit-author [Written Name <email>]
commit <original upstream sha>
(required if modification) upstream-diff
#End CIQ Header

<original commit message body>
```
https://github.com/ctrliq/kernel-src-tree/commit/8998df1511050f09e5ee1379e4c099cacdde7434
```
[kernel-src-tree]$ git log 8998df1511050f09e5ee1379e4c099cacdde7434
commit 8998df1511050f09e5ee1379e4c099cacdde7434
Author: Greg Rose <[email protected]>
Date: Mon Nov 18 11:41:40 2024 -0800

    mISDN: fix use-after-free bugs in l1oip timer handlers

    jira VULN-168
    cve CVE-2022-3565
    commit-author Duoming Zhou <[email protected]>
    commit 2568a7e0832ee30b0a351016d03062ab4e0e0a3f

    The l1oip_cleanup() traverses the l1oip_ilist and calls
    release_card() to cleanup module and stack. However,
```
This is an example of a cherry-pick that went wrong and an explanation of why it differs from the upstream commit. In the example below Brett also used the 5.14 Long Term kernel as a reference.
https://github.com/ctrliq/kernel-src-tree/commit/35efc690ef85be68dd3b1c93e477f555e28a6af1
```
[kernel-src-tree]$ git log --grep upstream-diff
commit 35efc690ef85be68dd3b1c93e477f555e28a6af1
Author: Brett Mastbergen <[email protected]>
Date: Wed Nov 20 12:46:14 2024 -0500

    bpf: Fix crash due to out of bounds access into reg2btf_ids.

    jira VULN-136
    cve CVE-2022-0500
    commit-author Kumar Kartikeya Dwivedi <[email protected]>
    commit 45ce4b4f9009102cd9f581196d480a59208690c1
    upstream-diff commit 3363bd0cfbb80 ("bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM
    argument support") was introduced after 5.15 and contains an out of bound
    reg2btf_ids access. Since that commit hasn't been backported, this patch
    doesn't include fix to that access. If we backport that commit in future,
    we need to fix its faulting access as well

    When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added
    kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier
    reg type to the appropriate btf_vmlinux BTF ID, however
    commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
```
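A check for the CIQ header format described above, as an added example that is not part of the CIQ tooling or this repository: it splits a backport commit message into subject, header and original body, accepts the multi-line upstream-diff note shown in the second example, and reports provenance fields that are missing or malformed. The value formats (VULN-####, CVE-####-####, a 12 to 40 hex-digit sha) are inferred from the template and the two examples on this page; the sample message is constructed from Brett's commit with a placeholder author address.

```python
import re

# Keys from the template above; the change-type line's key is the type itself
# (cve, feature, bugfix, sync, ...), and only cve has a fixed value format.
KNOWN_KEYS = {"jira", "commit-author", "commit", "upstream-diff",
              "cve", "feature", "bugfix", "sync"}
SHA_RE = re.compile(r"^[0-9a-f]{12,40}$")
JIRA_RE = re.compile(r"^VULN-\d+$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
AUTHOR_RE = re.compile(r"^\S.* <[^<>\s]+@[^<>\s]+>$")

def check_ciq_header(message, modified=False):
    """Return (fields, problems) for a backport commit message.

    Paragraphs split on blank lines: subject, CIQ header, original message.
    Header lines with no known key continue upstream-diff (its note may span
    lines) and are otherwise reported. modified=True means the backport
    differs from upstream, the case in which upstream-diff is required."""
    paragraphs = re.split(r"\n\s*\n", message.strip())
    fields, problems, key = {}, [], None
    for line in paragraphs[1].splitlines() if len(paragraphs) > 1 else []:
        head, _, rest = line.strip().partition(" ")
        if head in KNOWN_KEYS:
            key, fields[head] = head, rest.strip()
        elif key == "upstream-diff":
            fields[key] += " " + line.strip()
        else:
            problems.append("unrecognised header line: " + line.strip())
    if not SHA_RE.match(fields.get("commit", "")):
        problems.append("missing or malformed 'commit <upstream sha>' line")
    if not AUTHOR_RE.match(fields.get("commit-author", "")):
        problems.append("missing or malformed 'commit-author Name <email>' line")
    if "jira" in fields and not JIRA_RE.match(fields["jira"]):
        problems.append("jira value should look like VULN-####")
    if "cve" in fields and not CVE_RE.match(fields["cve"]):
        problems.append("cve value should look like CVE-####-####")
    if modified and "upstream-diff" not in fields:
        problems.append("backport was modified but carries no upstream-diff note")
    return fields, problems

# Constructed from the second example above; the author address is a placeholder.
EXAMPLE = """bpf: Fix crash due to out of bounds access into reg2btf_ids.

jira VULN-136
cve CVE-2022-0500
commit-author Kumar Kartikeya Dwivedi <author@example.com>
commit 45ce4b4f9009102cd9f581196d480a59208690c1
upstream-diff commit 3363bd0cfbb80 ("bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM
argument support") was introduced after 5.15 and contains an out of bound access.

When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added
kfunc support, it defined reg2btf_ids as a cheap way to translate the reg type."""
```

Wired into a commit-msg hook or a pull-request action, `check_ciq_header(msg, modified=...)` returning a non-empty problem list is the signal to request changes before a backport lands.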
We do not require a specific methodology for setting up a development PC or VM; however, internally we prioritize the cloud images because they make it easy to "reset" the VM if something goes wrong during testing. More will be added to this table as they become available.
We have been making judicious use of kernel-selftests; however, as it stands we do not have them integrated into GitHub Actions.
We request that any pull request include evidence of the testing the contributor did to show due diligence on integration. We may ask for clarifications and additional testing methodology, and we may ask whether the contributor is willing to help integrate their testing into our Actions for pull requests.
Example Pull Requests: