From 07d0e7de67ccc411d21ca33331bb2340833a84cf Mon Sep 17 00:00:00 2001
From: Kyle Harding
Date: Thu, 30 Apr 2026 09:06:48 -0400
Subject: [PATCH] Bump kernel base from v6.1 to v6.1.170
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Pull in ~170 stable releases of security and bug fixes accumulated since the original v6.1 (December 2022) tag. Notable: the build was missing every linux-6.1.y backport, including a long backlog of CVE fixes unrelated to AF_ALG. Introduces KERNEL_VERSION (defaulting to 6.1.170) as the actual git tag to clone, while KERNEL_BRANCH (6.1) continues to identify the patches/ and config/ subdirectories — so future stable bumps only need a single value change. Notes on CVE-2026-31431 ("Copy Fail", algif_aead): the upstream fix (mainline a664bf3d603d) is currently in stable-review for 6.1.y (Eric Biggers' [PATCH 6.1 0/9] AF_ALG fixes, lore 20260430062731) and not yet in any 6.1.y release. This kernel build is unaffected in practice because CONFIG_CRYPTO_USER_API_AEAD (and the rest of CONFIG_CRYPTO_USER_API_*) is already =n in both arch configs, so the algif_aead module is never compiled in. Re-bump to 6.1.171+ once the series lands upstream.
Change-type: patch
Signed-off-by: Kyle Harding
---
 Dockerfile | 3 ++-
 Makefile | 3 +++
 docker-bake.hcl | 10 ++++++++--
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6a7fc27..290334f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,9 +23,10 @@ RUN apt-get update \
 && rm -rf /var/lib/apt/lists/*
 ARG KERNEL_BRANCH=6.1
+ARG KERNEL_VERSION=6.1.170
 RUN git clone --depth 1 -c advice.detachedHead=false \
- --branch "v${KERNEL_BRANCH}" https://github.com/torvalds/linux.git .
+ --branch "v${KERNEL_VERSION}" https://github.com/gregkh/linux.git .
 COPY patches/${KERNEL_BRANCH}/*.patch ./
diff --git a/Makefile b/Makefile
index bc8a8e8..317f46a 100644
--- a/Makefile
+++ b/Makefile
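Review bot: The `git clone` in this hunk builds from whatever the `v${KERNEL_VERSION}` tag points to on the GitHub mirror at build time; nothing checks the tag signature or the resulting commit, so a moved or replaced tag would flow straight into the kernel image. Stable release tags are signed, so the stage could import the stable maintainers' keys and run `git verify-tag "v${KERNEL_VERSION}"` after the clone, or compare `git rev-parse HEAD` with an expected commit passed as a build arg (placeholder: `<EXPECTED_COMMIT_SHA>`). Cloning from the canonical tree at `https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git` instead of a personal mirror would also shorten the trust path.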
@@ -1,6 +1,7 @@
 SHELL := /bin/bash
 ARCH ?= $(shell uname -m)
 KERNEL_BRANCH ?= 6.1
+KERNEL_VERSION ?= 6.1.170
 MAKEFILE_DIR := $(realpath $(shell dirname $(firstword $(MAKEFILE_LIST))))
 # normalize machine to docker platform
@@ -19,6 +20,7 @@ linux.git:
 docker build . \
 --platform $(PLATFORM) \
 --build-arg KERNEL_BRANCH=$(KERNEL_BRANCH) \
+ --build-arg KERNEL_VERSION=$(KERNEL_VERSION) \
 --target linux.git \
 --output type=image,name=$(IMAGE_TAG)
@@ -27,6 +29,7 @@ vmlinux:
 docker build . \
 --platform $(PLATFORM) \
 --build-arg KERNEL_BRANCH=$(KERNEL_BRANCH) \
+ --build-arg KERNEL_VERSION=$(KERNEL_VERSION) \
 --target vmlinux-out \
 --output type=local,dest=vmlinux
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 1196e43..037fc67 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -2,6 +2,10 @@ variable "KERNEL_BRANCH" {
 default = "6.1"
 }
+variable "KERNEL_VERSION" {
+ default = "6.1.170"
+}
+
 target "default" {
 platforms = [
 "linux/amd64",
@@ -9,13 +13,15 @@ target "default" {
 ]
 target = "vmlinux-out"
 args = {
- KERNEL_BRANCH = KERNEL_BRANCH
+ KERNEL_BRANCH = KERNEL_BRANCH
+ KERNEL_VERSION = KERNEL_VERSION
 }
 }
 target "linux61" {
 inherits = ["default"]
 args = {
- KERNEL_BRANCH = "6.1"
+ KERNEL_BRANCH = "6.1"
+ KERNEL_VERSION = "6.1.170"
 }
 }
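Review bot: `KERNEL_VERSION` and `KERNEL_BRANCH` are independent `?=` overrides in the first Makefile hunk, and nothing checks that the version belongs to the branch. An override such as `make KERNEL_VERSION=<another series>` would clone one kernel series while the Dockerfile still copies `patches/${KERNEL_BRANCH}` (and, per the description, the matching config), so the hardened config the commit message relies on could end up applied to a tree it was not written for. A parse-time guard right after the new assignment would stop that early: `ifeq ($(filter $(KERNEL_BRANCH) $(KERNEL_BRANCH).%,$(KERNEL_VERSION)),)`, then `$(error KERNEL_VERSION $(KERNEL_VERSION) is not in the $(KERNEL_BRANCH) series)`, then `endif`. The `linux.git` and `vmlinux` hunks only forward the value, so the check is needed once.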
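Review bot: The `linux61` target in the second docker-bake.hcl hunk hard-codes `KERNEL_VERSION = "6.1.170"` instead of referencing the variable. Assuming bake lets a child target's `args` override inherited ones, setting `KERNEL_VERSION` in the environment changes `default` but silently leaves `linux61` on 6.1.170. The next stable bump must also touch this literal, the variable default, the Dockerfile `ARG` and the Makefile default, which is more than the single value change the description promises; a missed copy means one build path keeps producing the older kernel without the newer fixes. Writing `KERNEL_VERSION = KERNEL_VERSION` here, or dropping the line so it is inherited from `default`, keeps one source of truth.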