gpo.zugaina.org

sys-kernel/pf-sources-extended

Linux kernel: gentoo-sources base + curated pf-kernel patchset

  • pf-sources-extended-6.19_p5
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.18_p6-r1
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.17_p4
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.16_p5
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.15_p6
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.14_p6
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.13_p6
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.12_p4-r1
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.11_p4
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.10_p4
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.9_p6
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.8_p9
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.7_p7
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.6_p6-r1
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.5_p6
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.4_p6
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.3_p5
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.2_p7
    symlink build

    License: GPL-2
    Overlay: stuff
  • pf-sources-extended-6.1_p6-r1
    symlink build

    License: GPL-2
    Overlay: stuff

ChangeLog

commit 7bf0dbbe3e6cda373d6416142779172349fd85b6
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 24 17:25:33 2026 +0200

sys-kernel/pf-sources-extended: document silent reverts on 6.18 slot

The curated bundle's BBR3 (0002) and fixes-misc (0004) patches were
cut against natalenko's pre-stable-backport snapshot. Applying them on
gentoo-sources state silently reverts a handful of K=37 hardening
changes:

- ~7 WRITE_ONCE conversions in net/ipv4/tcp_{output,timer}.c
  (snd_ssthresh, data_segs_out, bytes_sent, total_retrans, snd_una,
  total_retrans++, timeout_rehash)
- s32/u32 type fix in tcp_clamp_probe0_to_user_timeout
- SKBFL_SHARED_FRAG line drop in tcp_clone_payload
- re-introduction of AS_NO_DATA_INTEGRITY (linux-stable 6.18.21
  removed it; no consumers in K=37, dead code)

x86-64 functional impact is essentially KCSAN-cleanliness only.
No fresher pf-kernel BBR3 source for 6.18 exists upstream — pf-6.18
is GA-frozen at v6.18-pf6 and natalenko maintains BBR3 against 7.x
kernels only. Add an elog block flagging this to installers.

commit 36b1061d9631ebb1eb6439b3af68523e0ffc715f
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 24 14:29:23 2026 +0200

sys-kernel/pf-sources-extended: K bump for 6.1, 6.6, 6.12 LTS slots

No curated bundle changes needed — new stable patches for all three
branches touch no files that the respective curated patchsets modify.
Verified by file-overlap check 2026-05-24.

6.1_p6-r1: K=180→189, linux-stable 6.1.170→6.1.174 (+4 pts)
6.6_p6-r1: K=144→153, linux-stable 6.6.137→6.6.141 (+4 pts)
6.12_p4-r1: K=90→100, linux-stable 6.12.85→6.12.91 (+6 pts)

SRC_URI: add distfiles.gentoo.org as primary genpatches mirror for all
three; alicef prunes old K values. Curated bundle stays at -r70-1.

commit 3768deba5074d418f54b60e5e3b167bbd17b64ae
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 24 14:28:51 2026 +0200

sys-kernel/pf-sources-extended: add 6.18_p6-r1, drop 6.18_p6

K_GENPATCHES_VER 26 → 37 (linux-stable 6.18.26 → 6.18.33, 7 point
releases). genpatches-6.18-37's 1032_linux-6.18.33.patch changes
tcp_bbr.c, include/linux/tcp.h, tcp_output.c, and tcp_timer.c with
WRITE_ONCE conversions and chrono_type layout changes — all files the
BBR3 curated patch touches. Re-cut 0002-bbr3 against the 6.18.33 base
(extra-stuff pf-curated-6.18-r70-2). Patches 0001/0003-0006 unchanged.

tcp_chrono_set/tcp_chrono_start: 1032 moves these from tcp_output.c to
include/net/tcp.h as static inline; BBR3 re-cut excludes the hunk that
would have re-added them to tcp_output.c (avoids duplicate definition).

SRC_URI now lists distfiles.gentoo.org as primary genpatches mirror;
alicef and mpagano as fallbacks. alicef pruned K=26 and K=37 is only
available via distfiles.gentoo.org. Verified 2026-05-24.

commit 5e2bce1a77362accaead750226cc7af8b5aac26b
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sat May 16 23:06:21 2026 +0200

sys-kernel/pf-sources-extended: rephrase r1/r2 pointer to acknowledge CVE backports

The per-ebuild postinst elog pointed users at the corresponding pf-sources-X.Y_pZ-rN
for "the full pf-kernel patchset", and described the trade-off as "missing
linux-stable security fixes" (or per-slot "missing all N stable releases"). That's mildly
inaccurate: r1/r2 does miss the bulk of the linux-stable flow, but it ships surgical
CVE backports (pf-cves-surgical) for the most severe upstream vulnerabilities.
Rephrase across all 19 slots to keep the per-slot specificity (count + range on Shape
B; M-N range on Shape C) while making clear that r1/r2 closes the most severe gaps.
Also fix a stale pointer in 6.1_p6 that read "pf-sources-6.1_p6 (without -r70)" — no
such ebuild exists; the actual revisions are -r1 and -r2, so point at -r2 like the
other Shape A slots.

commit 89a4c13d78361c0e7ef1616c07f6b12e3ce08b29
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Fri May 15 13:18:33 2026 +0200

sys-kernel/pf-sources-extended: drop 7.0_p2 (retire 7.0 slot)

Retire the pf-sources-extended 7.0 slot. The 7.0_p2 ebuild pinned
K_GENPATCHES_VER=4 (linux-stable through 7.0.3) and is vulnerable to
CVE-2026-43284 (xfrm ESP shared-frag, fixed in 7.0.5).

Bumping to K=9 (linux-7.0.7) is mechanically straightforward but
invalidates pf-curated-7.0's 0001-fixes-stable-backports.patch: the
fixes pf cherry-picked have already been backported by linux-stable
into 7.0.5/.6/.7, and re-applying pf's older cuts collides hard on
security/selinux/hooks.c, landlock selftests, and vma stubs. Re-cutting
0001 against natalenko's current fixes-7.0 tip is the recipe-correct
fix but the user-visible delta is near-zero — linux-stable shipped
the same fixes, often in newer form.

Users wanting a security-current 7.0 kernel on this overlay have:
- sys-kernel/pf-sources-7.0_p3-r1 (GA-only; ships pf-7.0-pf3
  tarball whose source already carries the CVE-2026-43284 fix from
  pf-kernel upstream, plus our ptrace dumpable surgical for the
  Qualys advisory)
- sys-kernel/gentoo-sources-7.0.7 from ::gentoo

The pf-sources-extended 7.0 slot will be revisited when natalenko
tags v7.1-pfN or v7.1-flexN and linux-7.1 GAs.

commit e5b6e4674c3038158dbe19af3cef0bcac6fa6a97
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 13 19:17:43 2026 +0200

sys-kernel: migrate r70-model ebuilds to pf-sources-extended

The r70 model (vanilla kernel + Gentoo genpatches + curated pf delta)
is a distinct variant from the original pf-sources models and deserves
its own package name. Rename to sys-kernel/pf-sources-extended.

20 ebuilds moved (6.1_p6 through 7.0_p2), dropping the -r70/-r71
revision suffix — the package name now differentiates the model.
KEYWORDS="" — new package, requires explicit package.accept_keywords.
Distfile bundles on extra-stuff moved in parallel from
sys-kernel/pf-sources/ to sys-kernel/pf-sources-extended/ under new
tags (pf-curated-X.Y-r70-1, pf-genpatches-X.Y-r70-1).

sys-kernel/pf-sources retains the original two models:
- active (no suffix): pf-kernel sourcetree + genpatches
- CVE-backported (-r1/-r2): active base + surgical CVE patches
  for vulns pf-kernel hasn't picked up

Both packages' metadata.xml updated: pf-sources gets all three
extra-stuff remote-ids (github/gitlab/codeberg); pf-sources-extended
gets the same, without codeberg:pf-kernel/linux which belongs only
to pf-sources (that package fetches from there; extended fetches
vanilla kernel.org tarballs).