[security] Upgrade kernel to 3.16.57-2 on 201803 branch (#2116)

* [security] Upgrade kernel to 3.16.57-2

Fix issues below:
https://www.debian.org/security/2018/dsa-4120
https://www.debian.org/security/2018/dsa-4179
https://www.debian.org/security/2018/dsa-4187
https://www.debian.org/security/2018/dsa-4188
https://www.debian.org/security/2018/dsa-4196

and more.

* update opennsl-modules-3.16.0-6-amd64_3.4.1.11-7_amd64.deb package

Signed-off-by: Guohan Lu <[email protected]>

* [mellanox] update sdk base url (new kernel version)

build_debian.sh

@@ -114,7 +114,7 @@ echo '[INFO] Install SONiC linux kernel image'
 ## Note: duplicate apt-get command to ensure every line return zero
 sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/initramfs-tools_*.deb || \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
-sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/linux-image-3.16.0-5-amd64_*.deb || \
+sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/linux-image-3.16.0-6-amd64_*.deb || \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 
 ## Update initramfs for booting with squashfs+aufs
@@ -152,10 +152,10 @@ sudo chmod +x $FILESYSTEM_ROOT/etc/initramfs-tools/hooks/union-fsck
 sudo chroot $FILESYSTEM_ROOT update-initramfs -u
 
 ## Install latest intel igb driver
-sudo cp target/debs/igb.ko $FILESYSTEM_ROOT/lib/modules/3.16.0-5-amd64/kernel/drivers/net/ethernet/intel/igb/igb.ko
+sudo cp target/debs/igb.ko $FILESYSTEM_ROOT/lib/modules/3.16.0-6-amd64/kernel/drivers/net/ethernet/intel/igb/igb.ko
 
 ## Install latest intel ixgbe driver
-sudo cp target/debs/ixgbe.ko $FILESYSTEM_ROOT/lib/modules/3.16.0-5-amd64/kernel/drivers/net/ethernet/intel/ixgbe/ixgbe.ko
+sudo cp target/debs/ixgbe.ko $FILESYSTEM_ROOT/lib/modules/3.16.0-6-amd64/kernel/drivers/net/ethernet/intel/ixgbe/ixgbe.ko
 
 ## Install docker
 echo '[INFO] Install docker'

files/build_templates/swss.service.j2

@@ -2,16 +2,16 @@
 Description=switch state service
 Requires=database.service updategraph.service
 {% if sonic_asic_platform == 'broadcom' %}
-Requires=opennsl-modules-3.16.0-5-amd64.service
+Requires=opennsl-modules-3.16.0-6-amd64.service
 {% elif sonic_asic_platform == 'nephos' %}
-Requires=nps-modules-3.16.0-5-amd64.service
+Requires=nps-modules-3.16.0-6-amd64.service
 {% endif %}
 After=database.service updategraph.service
 After=interfaces-config.service
 {% if sonic_asic_platform == 'broadcom' %}
-After=opennsl-modules-3.16.0-5-amd64.service
+After=opennsl-modules-3.16.0-6-amd64.service
 {% elif sonic_asic_platform == 'nephos' %}
-After=nps-modules-3.16.0-5-amd64.service
+After=nps-modules-3.16.0-6-amd64.service
 {% endif %}
 
 [Service]

installer/x86_64/install.sh

@@ -570,11 +570,11 @@ menuentry '$demo_grub_entry' {
         if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
         insmod part_msdos
         insmod ext2
-        linux   /$image_dir/boot/vmlinuz-3.16.0-5-amd64 root=$grub_cfg_root rw $GRUB_CMDLINE_LINUX  \
+        linux   /$image_dir/boot/vmlinuz-3.16.0-6-amd64 root=$grub_cfg_root rw $GRUB_CMDLINE_LINUX  \
                 loop=$image_dir/$FILESYSTEM_SQUASHFS loopfstype=squashfs                       \
                 apparmor=1 security=apparmor varlog_size=$VAR_LOG_SIZE usbcore.autosuspend=-1 $ONIE_PLATFORM_EXTRA_CMDLINE_LINUX
         echo    'Loading $demo_volume_label $demo_type initial ramdisk ...'
-        initrd  /$image_dir/boot/initrd.img-3.16.0-5-amd64
+        initrd  /$image_dir/boot/initrd.img-3.16.0-6-amd64
 }
 EOF
 

platform/broadcom/sdk.mk

@@ -1,4 +1,6 @@
-BRCM_OPENNSL_KERNEL = opennsl-modules-3.16.0-5-amd64_3.4.1.11-2_amd64.deb
-$(BRCM_OPENNSL_KERNEL)_URL = "https://sonicstorage.blob.core.windows.net/packages/opennsl-modules-3.16.0-5-amd64_3.4.1.11-2_amd64.deb?sv=2015-04-05&sr=b&sig=xtf8nafmS1pcqx5hhBsfmLNSx2BeqmwN4Dwq5uwM1bo%3D&se=2031-11-16T21%3A54%3A27Z&sp=r"
+# mock link here, need to be replaced by real link from MSFT
+
+BRCM_OPENNSL_KERNEL = opennsl-modules-3.16.0-6-amd64_3.4.1.11-7_amd64.deb
+$(BRCM_OPENNSL_KERNEL)_URL = "https://sonicstorage.blob.core.windows.net/packages/bcmsai/opennsl-modules-3.16.0-6-amd64_3.4.1.11-7_amd64.deb?sv=2015-04-05&sr=b&sig=HGePoJSCcURIMW3bPRh5iXlx6z5SWiElmqD44mqUchI%3D&se=2155-08-28T16%3A31%3A48Z&sp=r"
 
 SONIC_ONLINE_DEBS += $(BRCM_OPENNSL_KERNEL)

platform/broadcom/sonic-platform-modules-accton/as5712-54x/utils/README

@@ -39,7 +39,7 @@ User is not necessary to handle docker environment creation.
   - Copy patches and series from patch/kernel of this release to 
     sonic-linux-kernel/patch.
   - Build kernel by "make".
-  - The built kernel package, linux-image-3.16.0-5-amd64_3.16.51-3+deb8u1_amd64.deb
+  - The built kernel package, linux-image-3.16.0-6-amd64_3.16.51-3+deb8u1_amd64.deb
     , is generated.
 3. Build installer 
   - Change directory back to sonic-buildimage/.
@@ -52,7 +52,7 @@ User is not necessary to handle docker environment creation.
     The default user and password are "admin" & "YourPaSsWoRd" respectively.
   - Run "make configure PLATFORM=broadcom"
   - Copy the built kernel debian package to target/debs/.
-    The file is linux-image-3.16.0-5-amd64_*_amd64.deb under directory
+    The file is linux-image-3.16.0-6-amd64_*_amd64.deb under directory
     src/sonic-linux-kernel/.
   - Run "make target/sonic-generic.bin"
   - Get the installer, target/sonic-generic.bin, to target machine and install.

platform/broadcom/sonic-platform-modules-accton/as7312-54x/utils/README

@@ -39,7 +39,7 @@ User is not necessary to handle docker environment creation.
   - Copy patches and series from patch/kernel of this release to 
     sonic-linux-kernel/patch.
   - Build kernel by "make".
-  - The built kernel package, linux-image-3.16.0-5-amd64_3.16.51-3+deb8u1_amd64.deb
+  - The built kernel package, linux-image-3.16.0-6-amd64_3.16.51-3+deb8u1_amd64.deb
     , is generated.
 3. Build installer 
   - Change directory back to sonic-buildimage/.
@@ -52,7 +52,7 @@ User is not necessary to handle docker environment creation.
     The default user and password are "admin" & "YourPaSsWoRd" respectively.
   - Run "make configure PLATFORM=broadcom"
   - Copy the built kernel debian package to target/debs/.
-    The file is linux-image-3.16.0-5-amd64_*_amd64.deb under directory
+    The file is linux-image-3.16.0-6-amd64_*_amd64.deb under directory
     src/sonic-linux-kernel/.
   - Run "make target/sonic-generic.bin"
   - Get the installer, target/sonic-generic.bin, to target machine and install.

platform/broadcom/sonic-platform-modules-accton/as7716-32x/utils/README

@@ -39,7 +39,7 @@ User is not necessary to handle docker environment creation.
   - Copy patches and series from patch/kernel of this release to 
     sonic-linux-kernel/patch.
   - Build kernel by "make".
-  - The built kernel package, linux-image-3.16.0-5-amd64_3.16.51-3+deb8u1_amd64.deb
+  - The built kernel package, linux-image-3.16.0-6-amd64_3.16.51-3+deb8u1_amd64.deb
     , is generated.
 3. Build installer 
   - Change directory back to sonic-buildimage/.
@@ -52,7 +52,7 @@ User is not necessary to handle docker environment creation.
     The default user and password are "admin" & "YourPaSsWoRd" respectively.
   - Run "make configure PLATFORM=broadcom"
   - Copy the built kernel debian package to target/debs/.
-    The file is linux-image-3.16.0-5-amd64_*_amd64.deb under directory
+    The file is linux-image-3.16.0-6-amd64_*_amd64.deb under directory
     src/sonic-linux-kernel/.
   - Run "make target/sonic-generic.bin"
   - Get the installer, target/sonic-generic.bin, to target machine and install.

platform/broadcom/sonic-platform-modules-accton/debian/control

@@ -7,35 +7,35 @@ Standards-Version: 3.9.3
 
 Package: sonic-platform-accton-as7712-32x
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 
 Package: sonic-platform-accton-as5712-54x
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 
 Package: sonic-platform-accton-as7816-64x
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 
 Package: sonic-platform-accton-as7716-32x
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 
 Package: sonic-platform-accton-as7716-32xb
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 
 Package: sonic-platform-accton-as7312-54x
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 
 Package: sonic-platform-accton-as7326-56x
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp

platform/broadcom/sonic-platform-modules-arista/confs/arista-drivers.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Arista kernel modules init
 After=local-fs.target
-Before=opennsl-modules-3.16.0-5-amd64.service
+Before=opennsl-modules-3.16.0-6-amd64.service
 ConditionKernelCommandLine=Aboot
 
 [Service]

platform/broadcom/sonic-platform-modules-arista/confs/gardena-watchdog-stop.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Disable the watchdog after boot
 After=swss.service
-After=opennsl-modules-3.16.0-5-amd64.service
+After=opennsl-modules-3.16.0-6-amd64.service
 ConditionKernelCommandLine=sid=Gardena
 
 [Service]

platform/broadcom/sonic-platform-modules-arista/debian/control

@@ -21,7 +21,7 @@ Package: drivers-sonic-platform-arista
 Architecture: amd64
 Depends:
    ${misc:Depends},
-   linux-image-3.16.0-5-amd64
+   linux-image-3.16.0-6-amd64
 Description: Arista kernel modules for arista platform devices such as fan, led, sfp, psu
 
 Package: python-sonic-platform-arista

platform/broadcom/sonic-platform-modules-arista/utils/boot0

@@ -18,8 +18,8 @@
 
 set -x
 
-kernel=boot/vmlinuz-3.16.0-5-amd64
-initrd=boot/initrd.img-3.16.0-5-amd64
+kernel=boot/vmlinuz-3.16.0-6-amd64
+initrd=boot/initrd.img-3.16.0-6-amd64
 kernel_params=kernel-params
 
 aboot_machine="arista_unknown"

platform/broadcom/sonic-platform-modules-cel/debian/control

@@ -7,6 +7,6 @@ Standards-Version: 3.9.3
 
 Package: platform-modules-dx010
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 

platform/broadcom/sonic-platform-modules-dell/debian/control

@@ -7,11 +7,11 @@ Standards-Version: 3.9.3
 
 Package: platform-modules-z9100
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 
 Package: platform-modules-s6100
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 

platform/broadcom/sonic-platform-modules-delta/debian/control

@@ -7,15 +7,15 @@ Standards-Version: 3.9.3
 
 Package: platform-modules-ag9032v1
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 
 Package: platform-modules-ag9064
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 
 Package: platform-modules-ag5648
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp

platform/broadcom/sonic-platform-modules-inventec/debian/control

@@ -7,11 +7,11 @@ Standards-Version: 3.9.3
 
 Package: platform-modules-d7032q28b
 Architecture: amd64 
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led
 
 Package: platform-modules-d7054q28b
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led
 

platform/broadcom/sonic-platform-modules-mitac/debian/control

@@ -7,6 +7,6 @@ Standards-Version: 3.9.3
 
 Package: sonic-platform-mitac-ly1200-32x
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 

platform/broadcom/sonic-platform-modules-quanta/debian/control

@@ -7,6 +7,6 @@ Standards-Version: 3.9.3
 
 Package: sonic-platform-quanta-ix1b-32x
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as psu, led, sfp
 

platform/broadcom/sonic-platform-modules-s6000/debian/control

@@ -7,6 +7,6 @@ Standards-Version: 3.9.3
 
 Package: platform-modules-s6000
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 

platform/centec/sonic-platform-modules-e582/debian/control

@@ -7,11 +7,11 @@ Standards-Version: 3.9.3
 
 Package: platform-modules-e582-48x2q4z
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 
 Package: platform-modules-e582-48x6q
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp
 

platform/mellanox/sdk.mk

@@ -1,4 +1,4 @@
-MLNX_SDK_BASE_URL = https://github.com/Mellanox/SAI-Implementation/raw/5675ef1037813992cd234d3afcee43959e1ca4f6/sdk
+MLNX_SDK_BASE_URL = https://github.com/Mellanox/SAI-Implementation/raw/dc2bafed31d0a84d9282d65bd94b5e20574d1a4d/sdk
 MLNX_SDK_VERSION = 4.2.7303
 MLNX_SDK_RDEBS += $(APPLIBS) $(IPROUTE2_MLNX) $(SX_ACL_RM) $(SX_COMPLIB) \
 		  $(SX_EXAMPLES) $(SX_GEN_UTILS) $(SX_SCEW) $(SX_SDN_HAL) \

platform/nephos/sdk.mk

@@ -1,4 +1,4 @@
-NEPHOS_NPS_KERNEL = nps-modules-3.16.0-5_2.0.3_3147dc_amd64.deb
-$(NEPHOS_NPS_KERNEL)_URL = "https://github.com/NephosInc/SONiC/raw/master/sdk/nps-modules-3.16.0-5_2.0.3_3147dc_amd64.deb"
+NEPHOS_NPS_KERNEL = nps-modules-3.16.0-6_2.0.3_3147dc_amd64.deb
+$(NEPHOS_NPS_KERNEL)_URL = "https://github.com/NephosInc/SONiC/raw/master/sdk/nps-modules-3.16.0-6_2.0.3_3147dc_amd64.deb"
 
 SONIC_ONLINE_DEBS += $(NEPHOS_NPS_KERNEL)

platform/nephos/sonic-platform-modules-accton/debian/control

@@ -7,5 +7,5 @@ Standards-Version: 3.9.3
 
 Package: sonic-platform-accton-as7116-54x
 Architecture: amd64
-Depends: linux-image-3.16.0-5-amd64
+Depends: linux-image-3.16.0-6-amd64
 Description: kernel modules for platform devices such as fan, led, sfp

rules/linux-kernel.mk

@@ -1,9 +1,9 @@
 # linux kernel package
 
-KVERSION_SHORT = 3.16.0-5
+KVERSION_SHORT = 3.16.0-6
 KVERSION ?= $(KVERSION_SHORT)-amd64
-KERNEL_VERSION = 3.16.51
-KERNEL_SUBVERSION = 3+deb8u1
+KERNEL_VERSION = 3.16.57
+KERNEL_SUBVERSION = 2
 
 export KVERSION_SHORT KVERSION KERNEL_VERSION KERNEL_SUBVERSION