summaryrefslogtreecommitdiff
path: root/scripts/package-build/linux-kernel/patches
AgeCommit message (Collapse)Author
6 daysKernel: T9067: Update Linux Kernel to 6.18.38Christian Breunig
2026-06-26Merge pull request #1227 from c-po/bnx2-patchViacheslav Hletenko
Kernel: T8914: add support for 2.5G pluggables on BCM57810S
2026-06-26Merge pull request #1189 from c-po/l2tpv3Daniil Baturin
Kernel: T8605: net/l2tp: allow unmanaged tunnel setup without route to peer
2026-06-25Kernel: T8914: add support for 2.5G pluggables on BCM57810SChristian Breunig
Add the well-known JAMESMTL kernel module patch for bnx2x to advertise 2.5Gbit/s capabilities on Broadcom NetXtreme2-X cards with BCM57810S chipset. This is useful for ISP GPON access networks that use 2.5Gbit/s pluggables and need the NIC to negotiate beyond 1000baseT/Full, avoiding the 940Mbit/s practical cap on overprovisioned 1G services. References: * https://hack-gpon.org/broadcom-57810s/ * https://github.com/JAMESMTL/snippets/blob/dceb2fee74d80c66d/bnx2x/patches/bnx2x_warpcore_8727_2_5g_sgmii_txfault.patch
2026-06-25Kernel: T9010: update existing patches to remove "hunk off" noticesChristian Breunig
2026-06-23Kernel: T9010: update Intel OOT module driversChristian Breunig
Update versions: * igb v5.20.28 * ixgbe v6.4.4 * ixgbevf v5.3.36 * i40e v2.30.18 * ice v2.6.6 * iavf v4.13.35
2026-05-23Kernel: T8919: Update Linux Kernel to 6.18.33Christian Breunig
The Kernel 6.18.33 now has an upstream fix for the fragnesia vulnerability
2026-05-15Kernel: T8871: Update Linux Kernel to 6.18.31Christian Breunig
This fixes the LPE https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
2026-05-15kernel: T8871: add a patch for the ptrace vulnerabilityDaniil Baturin
that allows unprivileged users to read files owned by any other user
2026-05-14Kernel: T8864: add patch for "fragnesia" local privilege escalationChristian Breunig
Fragnesia is a universal Linux local privilege escalation exploit, discovered with V12 by William Bowling with the V12 team. Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag. It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition. The technique extends the page-cache write bug class that includes Dirty Pipe: when a TCP socket transitions to espintcp ULP mode after data has already been spliced from a file into the receive queue, the kernel processes the queued file pages as ESP ciphertext. The AES-GCM keystream byte at counter block position 2, byte 0 is XORed directly into the cached file page. By selecting the IV nonce to produce a desired keystream byte, any target byte in the file can be set to any value — one byte per trigger invocation. From: https://github.com/v12-security/pocs/blob/532994fc003a7/fragnesia/README.md
2026-05-08Kernel: T8605: net/l2tp: allow unmanaged tunnel setup without route to peerChristian Breunig
Kernel-created L2TPv3 tunnels (genetlink L2TP_CMD_TUNNEL_CREATE without L2TP_ATTR_FD) used udp_sock_create() and kernel_connect(), which invoke __ip4_datagram_connect() / __ip6_datagram_connect(). Those paths insist on a successful FIB lookup at connect time. If no route to the configured remote existed yet, tunnel and interface creation failed. The data path already resolves routes on transmit (e.g. __ip_queue_xmit(), inet6_csk_route_socket()). This change defers requiring a route until packets are sent. Details: - UDP encapsulation: bind with udp_sock_create() after zeroing peer_udp_port, then l2tp_udp_sk_set_peer() sets daddr/dport and socket "connected" state without caching sk_dst from connect. - IPv4 L2TP/IP (l2tp_ip): on -ENETUNREACH / -EHOSTUNREACH from __ip4_datagram_connect(), l2tp_ip_connect_deferred() installs peer and bind-table updates without a connect-time route. - IPv6 L2TP/IP (l2tp_ip6): same for __ip6_datagram_connect(), including IPv4-mapped peers and scope / bound-device checks aligned with the normal connect path. Forwarding still only happens once the FIB can reach the peer. Until then outgoing packets follow the existing no-route drop path. Assisted-by: Cursor:claude-4.6-opus Signed-off-by: Christian Breunig <christian@breunig.cc>
2026-05-08Kernel: T6847: add Intel IAVF out-of-tree Kernel driver with custom patchesChristian Breunig
The Intel iavf driver (formerly i40evf) is the Linux virtual function driver for modern Intel Ethernet adapters supporting SR-IOV, including the X700/E800 series. Renamed to iavf to support future devices, it replaced i40evf entirely by 2019. The driver facilitates high-performance networking in virtualized environments. This commit contains custom patches to make the driver build.
2026-05-08Kernel: T6847: add Intel ICE out-of-tree Kernel driver with custom patchesChristian Breunig
The current version of the Intel ice driver does not compile with a recent LTS Kernel due to missing internal Kernel API adjustments in the Intel driver. This commit contains custom patches to make the driver build.
2026-05-08Kernel: T6847: add Intel I40E out-of-tree Kernel driver with custom patchesChristian Breunig
The current version of the Intel i40e driver does not compile with a recent LTS Kernel due to missing internal Kernel API adjustments in the Intel driver. This commit contains custom patches to make the driver build.
2026-05-03Kernel: T8147: upgrade to 6.18Christian Breunig
* Forwared port all out-of-tree driver patches * Add Intel QAT patch to make it compile for LInux 6.18 * Remove out-of-tree OpenVPN DCO module - now available upstream
2026-05-03Kernel: T8147: drop out-of-tree INOTIFY_STACKFS patchChristian Breunig
The inotify support for overlayfs is no longer needed. Native upstream support landed in kernel 4.16 (commit 31747eda41ef/764baba80168 in 2018, which made overlayfs hash inodes by their lower inode so fsnotify works on overlay mounts), and kernel 6.8 (commit bc2473c90fca in 2023) extended it so fsnotify generates events for operations on the real underlying files of an overlay. The patch was an out-of-tree workaround that never went upstream and predates these solutions.
2026-03-25Kernel: T8427: Update Linux Kernel to 6.6.130Christian Breunig
The custom patch "nft_ct: Added nfct_seqadj_ext_add() for DNAT'ed - conntrack." is now available upstream in the Kernel tree.
2026-03-05Kernel: T8345: Update Linux Kernel to 6.6.128Christian Breunig
2026-01-26Merge pull request #1109 from c-po/kernel-6.6.121John Estabrook
Kernel: T8203: Update Linux Kernel to 6.6.121
2026-01-24Kernel: T8203: update Linux Kernel to v6.6.121Christian Breunig
2026-01-13T8162: Migrate to ipt-NETFLOW forkKyrylo Yatsenko
Switch to https://github.com/nuclearcat/ipt-netflow as it has up-to-date kernel support. Remove outdated patches.
2025-11-24Kernel: T8035: update Linux Kernel to v6.6.117Christian Breunig
2025-10-27kernel: T6788: Added patch to fix sequence adjustment for FTP DNATAndrii Melnychenko
The patch adds seqadj initialization for NATed conntrack. This fixes access to FTP servers "behind" the NAT router. The patch itself was proposed to the kernel and was accepted. In future versions it should be included into the kernel. Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
2025-10-07T7706: linux‑perf package missing required shared librariesAndrii Klymenko
Add missing libraries to the linux‑perf package: libpfm4, libslang2, libtraceevent1.
2025-09-29Merge pull request #1038 from sever-sever/T7843Daniil Baturin
T7843: Remove accel-ppp form the packages
2025-09-28Kernel: T5887: update Linux Kernel to v6.6.108Christian Breunig
2025-09-19T7843: Remove accel-ppp form the packagesViacheslav
Remove the `accel-ppp` from the packages, as we migrated to the `accel-ppp-ng` and do not need it anymore. Remove build scripts and patches.
2025-09-02T75: ipt-netflow fix aggregation modeKyrylo Yatsenko
* 0004-Change-aggregation-parameter-mode-400-444.patch: Tests need to read 'aggregation' parameter. All other parameters have modes 444 or 644. Change mode of 'aggregation' 400 -> 444
2025-09-01Merge pull request #1021 from c-po/kernel-6.6.103Christian Breunig
Kernel: T5887: update Linux Kernel to v6.6.103
2025-09-01T75: ipt-netflow enable direction + fix vlan outKyrylo Yatsenko
* add --enable-direction as requested * Fix output of `cat /proc/net/stat/ipt_netflow_flows`: previously if no VLAN, there was no output and table columns were shifted when parsed.
2025-08-31T75: ipt-netflow enable sampler, mac and vlanKyrylo Yatsenko
Enable sampler, MAC address and VLAN recording. For this to work two patches are needed: * 0001-Fix-prandom_u32-_max-get_random_u32-_below: fix interface updates for random numbers, took fix from https://github.com/aabc/ipt-netflow/commit/0c5759d002131ac3ae161713f4ce0d515037c1de * 0002-Fix-lu-llu-where-64bit: Fix lu -> llu for 64-bit fields
2025-08-31Kernel: T5887: update Linux Kernel to v6.6.103Christian Breunig
2025-07-11Kernel: T5887: update Linux Kernel to v6.6.96Christian Breunig
2025-06-10Merge pull request #927 from sever-sever/T4409Daniil Baturin
T4409: Fix Framed-Route with attr Accel-VRF-Name
2025-05-12Kernel: T7253: build linux-perf-$version packageChristian Breunig
Previous patch was removed during VyOS 1.3 -> 1.4 development cycle as the internal handling for Kernel package generation changed. This brings back the perf binary in a new linux-perf-$KERNELVERSION Debian package.
2025-05-12Kernel: T5887: update Linux Kernel to v6.6.90Christian Breunig
2025-04-24T7384: Radius patch for Dns-Server-IPv6-Address attribute - accel-ppp (#926)AlexIT-FT
* Add 0002-Radius-Dns-Server-IPv6-Address.patch This adds the ability to pull IPv6 DNS servers from the radius response not just hard coded in the config file
2025-03-13T4409: Fix Framed-Route with attr Accel-VRF-NameViacheslav Hletenko
If you use attribute Accel-VRF-Name we are expecting a route in a specific VRF, the cuurent implementation set the Framed-Route/Framed-IPv6-Route to the default VRf (no VRF) Fixes this, so routes are installed in the proper VRF name
2025-02-25Kernel: T5887: update Linux Kernel to v6.6.79Christian Breunig
2025-02-15intel: T6847: port patches to latest driver version 6.0.5Christian Breunig
2025-01-02Kernel: T5887: update Linux Kernel to v6.6.69Christian Breunig
2024-10-02T6754: Delete Jenkins build packagesViacheslav Hletenko
2024-09-06T6674: Add symlink to original linux-kernel arch and patchesViacheslav Hletenko
2024-08-29T6674: Add build-scrips for packages without JenkinsViacheslav Hletenko
Add build scripts for .deb packages without Jenkins. To exclude Jenkins we need some place where we can put new builds-scripts to run in parallel (old/new) during meantime We will deprecate old Jenkins package builds in the future.