# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=8

# Define what default functions to run.
ETYPE="sources"

# Use genpatches but don't include the 'experimental' use flag.
K_EXP_GENPATCHES_NOUSE="1"

# Genpatches version to use. The -pf patch set already includes the vanilla
# linux stable updates, so "1" is normally the wanted value here; the
# genpatches set can be bumped if it carries important fixes.
# src_prepare() deletes the vanilla linux incremental patches that a bumped
# set ships, to avoid conflicts with the -pf tree.
# See https://archives.gentoo.org/gentoo-kernel/ (or subscribe to the list)
# to see all patches.
K_GENPATCHES_VER="35"

# -pf patch set already sets EXTRAVERSION in the kernel Makefile.
K_NOSETEXTRAVERSION="1"

# pf-sources is not officially supported/covered by the Gentoo security team.
# Security fixes reach users only via the -pf upstream, the genpatches bump
# above, and the out-of-tree CVE tarball listed in SRC_URI below.
K_SECURITY_UNSUPPORTED="1"

# Define which parts to use from genpatches - experimental is already
# included in the -pf patch set.
K_WANT_GENPATCHES="base extras"

# Major kernel version, e.g. 5.14: PV with the "_p<N>" suffix stripped.
SHPV="${PV/_p*/}"

# Replace "_p" with "-pf", since using "-pf" is not allowed for an ebuild
# name by PMS. This is the upstream tag name (e.g. 6.6-pf5).
PFPV="${PV/_p/-pf}"

inherit kernel-2 optfeature
detect_version

DESCRIPTION="Linux kernel fork that includes the pf-kernel patchset and Gentoo's genpatches"
HOMEPAGE="https://pfkernel.natalenko.name/ https://dev.gentoo.org/~alicef/genpatches/"

# Distfiles, in order:
#  * the pf-kernel tree from Codeberg (a full kernel source tree, not a
#    patch; see src_unpack()),
#  * Gentoo genpatches base/extras tarballs,
#  * a cumulative CVE backport tarball from a third-party GitHub repository.
#    NOTE(review): that last source is neither pf upstream nor Gentoo
#    infrastructure, and the URL points at a git tag, i.e. a mutable ref.
#    The only integrity guarantee for its contents is the DIST hash recorded
#    in Manifest, so review the tarball against the upstream commits cited in
#    src_prepare() before regenerating Manifest on any bump of the tag.
SRC_URI="https://codeberg.org/pf-kernel/linux/archive/v${PFPV}.tar.gz -> linux-${PFPV}.tar.gz
	https://dev.gentoo.org/~alicef/genpatches/tarballs/genpatches-${SHPV}-${K_GENPATCHES_VER}.base.tar.xz
	https://dev.gentoo.org/~alicef/genpatches/tarballs/genpatches-${SHPV}-${K_GENPATCHES_VER}.extras.tar.xz
	https://raw.githubusercontent.com/istitov/extra-stuff/pf-cves-cumulative-${SHPV}-r2-0/sys-kernel/pf-sources/pf-cves-cumulative-${SHPV}.tar.xz -> pf-cves-cumulative-${SHPV}-r2-0.tar.xz"

# The Codeberg archive is renamed to this directory in src_unpack().
S="${WORKDIR}/linux-${PFPV}"

KEYWORDS="~amd64 ~x86"

K_EXTRAEINFO="For more info on pf-sources and details on how to report problems, see: ${HOMEPAGE}."
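pkg_setup() {
	# pf-sources sits outside the Gentoo Kernel Project's support scope
	# (K_SECURITY_UNSUPPORTED is set above); say so before the eclass setup.
	ewarn ""
	ewarn "${PN} is *not* supported by the Gentoo Kernel Project in any way."
	ewarn "If you need support, please contact the pf developers directly."
	ewarn "Do *not* open bugs in Gentoo's bugzilla unless you have issues with"
	ewarn "the ebuilds. Thank you."
	ewarn ""
	kernel-2_pkg_setup
}

src_unpack() {
	# The Codeberg-hosted pf-sources tarball is a full kernel tree, so the
	# vanilla-tarball-plus-patches logic in kernel-2_src_unpack() is bypassed.
	# ${A} is intentionally unquoted: it is a whitespace-separated distfile list.
	unpack ${A}
	# The Codeberg archive extracts to "linux/"; rename it to match ${S}.
	mv linux linux-${PFPV} || die "Failed to move source directory"
}

src_prepare() {
	# A bumped genpatches base set also ships the vanilla stable incremental
	# patches (1xxx_linux-*.patch). Those changes are already in the -pf tree,
	# so remove them to avoid conflicts. genpatches unpack flat into
	# ${WORKDIR}, and only that level is applied by the glob below, so the
	# search is limited to -maxdepth 1: walking into the kernel tree under
	# ${S} (or the CVE patch directory) is unnecessary and must never delete
	# anything there.
	if [[ ${K_GENPATCHES_VER} -ne 1 ]]; then
		find "${WORKDIR}"/ -maxdepth 1 -type f -name '1*linux*.patch' -delete \
			|| die "Failed to delete vanilla linux patches in src_prepare."
	fi

	# kernel-2_src_prepare doesn't apply PATCHES(); apply the selected
	# genpatches ourselves (glob order == their numeric prefix order).
	eapply "${WORKDIR}"/*.patch

	# Out-of-tree CVE backports. These come from the third-party tarball in
	# SRC_URI rather than from genpatches or pf upstream; their integrity is
	# pinned only by the Manifest DIST entry, so re-review the diff contents
	# against the upstream commits referenced below whenever the tarball or
	# its git tag is bumped. Directory and file names follow the tarball
	# name (pf-cves-cumulative-${SHPV}), matching SRC_URI instead of
	# hard-coding the kernel version; a mismatch fails loudly in eapply.
	local cve_dir="${WORKDIR}/pf-cves-cumulative-${SHPV}"

	# CVE-2026-31431 ("Copy Fail") — local privilege escalation via
	# algif_aead in-place AAD copy. Per the patch author: mainline fix is
	# upstream commit a664bf3d603d (2026-03-26); the linux-stable backport
	# landed in 6.6.137 as cherry-pick 3115af9644c3. Both fail to apply
	# against pf-sources's v6.6.0 + pf base because their context targets a
	# 6.6.x-stable codebase, so a cumulative diff (v6.6 -> v6.6.137 over the
	# four affected crypto files) is carried instead. Note this pulls in the
	# other algif_aead/af_alg changes from that stable window, not only the
	# CVE fix.
	eapply "${cve_dir}/cve-2026-31431-algif_aead-cumulative-${SHPV}.patch"

	# CVE-2026-43037 + CVE-2026-43038 — twin IPv6 cb[] type-confusion fixes
	# (Eric Dumazet, 20260326155138.2429480-1):
	#  * 43037: ip6_tunnel.c::ip4ip6_err() — stack OOB write
	#  * 43038: icmp.c::ip6_err_gen_icmpv6_unreach — OOB read
	# Both backported into 6.6.134. Same context-mismatch situation as
	# 31431 — a cumulative v6.6 -> v6.6.137 diff restricted to
	# net/ipv6/ip6_tunnel.c + net/ipv6/icmp.c is carried, using the same
	# window as the crypto cumulative for consistency.
	eapply "${cve_dir}/cve-2026-43037-43038-cumulative-${SHPV}.patch"

	# Apply user patches (/etc/portage/patches) and any PATCHES() entries.
	default
}

pkg_postinst() {
	# kernel-2 derives the installed directory name from KV_FULL; override it
	# with the -pf naming so the detection is right, bgo#862534.
	local KV_FULL="${PFPV}"
	kernel-2_pkg_postinst

	optfeature "userspace KSM helper" sys-process/uksmd
}

pkg_postrm() {
	# Same KV_FULL override as in pkg_postinst(), bgo#862534.
	local KV_FULL="${PFPV}"
	kernel-2_pkg_postrm
}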