
Bug#991830: unblock: linux/5.10.46-4



Control: tags -1 - moreinfo

Hi Paul,

On Mon, Aug 02, 2021 at 10:53:00PM +0200, Paul Gevers wrote:
> Control: tags -1 confirmed moreinfo
> 
> Hi Salvatore,
> 
> On 02-08-2021 22:19, Salvatore Bonaccorso wrote:
> > Upstream added in 5.13-rc4 a new kconfig knob to disable unprivileged
> > bpf by default, but without making it irreversible. I cherry-picked
> > this commit as well, and set BPF_UNPRIV_DEFAULT_OFF, closing #990411.
> 
> I wonder if this would warrant a NEWS item and if you have time left to
> squeeze it in.

Yes, I have added a NEWS entry accordingly describing the default in
Debian starting with the 5.10.46-4 upload. Thanks for raising this.

> > Would you agree on such a very short timed upload still to be
> > targeting for bullseye?
> 
> If all (including magic of signing) can be built and ready for Saturday
> I think this issue is worth it. Normally you kernel people know very
> well what you're doing.

Thank you for the ack, this is very much appreciated. The full set of
changes, for the record were (but not adding a debdiff now):

   * bpf: Introduce BPF nospec instruction for mitigating Spectre v4
     (CVE-2021-34556, CVE-2021-35477)
   * bpf: Fix leakage due to insufficient speculative store bypass mitigation
     (CVE-2021-34556, CVE-2021-35477)
   * bpf: Remove superfluous aux sanitation on subprog rejection
   * Ignore ABI changes for bpf_offload_dev_create and bpf_verifier_log_write
   * bpf: Add kconfig knob for disabling unpriv bpf by default
   * init: Enable BPF_UNPRIV_DEFAULT_OFF (Closes: #990411)
   * linux-image: Add NEWS entry documenting that unprivileged calls to bpf() are
     disabled by default in Debian.
   * bpf: verifier: Allocate idmap scratch in verifier env
   * bpf: Fix pointer arithmetic mask tightening under state pruning

Regards,
Salvatore

