release 6.12.4 (preliminary)

debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch

@@ -141,10 +141,10 @@ arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]
  
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -766,7 +766,8 @@ extern void efi_mem_reserve(phys_addr_t
+@@ -764,7 +764,8 @@ extern int efi_mem_desc_lookup(u64 phys_
+ extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
+ extern void efi_mem_reserve(phys_addr_t addr, u64 size);
  extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
- extern void efi_initialize_iomem_resources(struct resource *code_resource,
- 		struct resource *data_resource, struct resource *bss_resource);
 -extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
 +extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
 +			      u32 *secure_boot);

debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch

@@ -31,7 +31,7 @@ cc: linux-efi@vger.kernel.org
 
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1065,19 +1065,7 @@ void __init setup_arch(char **cmdline_p)
+@@ -1070,19 +1070,7 @@ void __init setup_arch(char **cmdline_p)
  	/* Allocate bigger log buffer */
  	setup_log_buf(1);
  
@@ -106,7 +106,7 @@ cc: linux-efi@vger.kernel.org
 +}
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -877,6 +877,14 @@ static inline int efi_range_is_wc(unsign
+@@ -875,6 +875,14 @@ static inline int efi_range_is_wc(unsign
  #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
  #define EFI_MEM_NO_SOFT_RESERVE	11	/* Is the kernel configured to ignore soft reservations? */
  #define EFI_PRESERVE_BS_REGIONS	12	/* Are EFI boot-services memory segments available? */
@@ -121,7 +121,7 @@ cc: linux-efi@vger.kernel.org
  
  #ifdef CONFIG_EFI
  /*
-@@ -901,6 +909,7 @@ static inline bool efi_rt_services_suppo
+@@ -899,6 +907,7 @@ static inline bool efi_rt_services_suppo
  	return (efi.runtime_supported_mask & mask) == mask;
  }
  extern void efi_find_mirror(void);
@@ -129,7 +129,7 @@ cc: linux-efi@vger.kernel.org
  #else
  static inline bool efi_enabled(int feature)
  {
-@@ -920,6 +929,7 @@ static inline bool efi_rt_services_suppo
+@@ -918,6 +927,7 @@ static inline bool efi_rt_services_suppo
  }
  
  static inline void efi_find_mirror(void) {}
@@ -137,7 +137,7 @@ cc: linux-efi@vger.kernel.org
  #endif
  
  extern int efi_status_to_err(efi_status_t status);
-@@ -1138,13 +1148,6 @@ static inline bool efi_runtime_disabled(
+@@ -1136,13 +1146,6 @@ static inline bool efi_runtime_disabled(
  extern void efi_call_virt_check_flags(unsigned long flags, const void *caller);
  extern unsigned long efi_call_virt_save_flags(void);
  

debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch

@@ -35,7 +35,7 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
  	reserve_ibft_region();
  	x86_init.resources.dmi_setup();
  
-@@ -1065,8 +1067,6 @@ void __init setup_arch(char **cmdline_p)
+@@ -1070,8 +1072,6 @@ void __init setup_arch(char **cmdline_p)
  	/* Allocate bigger log buffer */
  	setup_log_buf(1);
  
@@ -67,26 +67,26 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
  		default:
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
-@@ -509,6 +509,7 @@ int security_inode_getsecctx(struct inod
+@@ -522,6 +522,7 @@ int security_inode_notifysecctx(struct i
+ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
+ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
  int security_locked_down(enum lockdown_reason what);
++int lock_kernel_down(const char *where, enum lockdown_reason level);
  int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
  		      void *val, size_t val_len, u64 id, u64 flags);
-+int lock_kernel_down(const char *where, enum lockdown_reason level);
- #else /* CONFIG_SECURITY */
- 
- static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
-@@ -1483,6 +1484,11 @@ static inline int lsm_fill_user_ctx(stru
+ int security_bdev_alloc(struct block_device *bdev);
+@@ -1504,6 +1505,11 @@ static inline int security_locked_down(e
  {
- 	return -EOPNOTSUPP;
+ 	return 0;
  }
 +static inline int
 +lock_kernel_down(const char *where, enum lockdown_reason level)
 +{
 +	return -EOPNOTSUPP;
 +}
- #endif	/* CONFIG_SECURITY */
- 
- #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
+ static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
+ 				    u32 *uctx_len, void *val, size_t val_len,
+ 				    u64 id, u64 flags)
 --- a/security/lockdown/Kconfig
 +++ b/security/lockdown/Kconfig
 @@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI

debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch

@@ -22,7 +22,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 
 --- a/include/linux/perf_event.h
 +++ b/include/linux/perf_event.h
-@@ -1589,6 +1589,11 @@ int perf_cpu_time_max_percent_handler(co
+@@ -1617,6 +1617,11 @@ int perf_cpu_time_max_percent_handler(co
  int perf_event_max_stack_handler(const struct ctl_table *table, int write,
  		void *buffer, size_t *lenp, loff_t *ppos);
  
@@ -36,7 +36,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  
 --- a/kernel/events/core.c
 +++ b/kernel/events/core.c
-@@ -419,8 +419,13 @@ static struct kmem_cache *perf_event_cac
+@@ -449,8 +449,13 @@ static struct kmem_cache *perf_event_cac
   *   0 - disallow raw tracepoint access for unpriv
   *   1 - disallow cpu events for unpriv
   *   2 - disallow kernel profiling for unpriv
@@ -50,7 +50,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  
  /* Minimum for 512 kiB + 1 user control page */
  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -12506,6 +12511,9 @@ SYSCALL_DEFINE5(perf_event_open,
+@@ -12681,6 +12686,9 @@ SYSCALL_DEFINE5(perf_event_open,
  	if (err)
  		return err;
  

debian/patches/features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch

@@ -15,7 +15,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
 --- a/drivers/iommu/intel/Kconfig
 +++ b/drivers/iommu/intel/Kconfig
-@@ -57,13 +57,24 @@ config INTEL_IOMMU_SVM
+@@ -56,13 +56,24 @@ config INTEL_IOMMU_SVM
  	  to access DMA resources through process address space by
  	  means of a Process Address Space ID (PASID).
  
@@ -48,7 +48,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  	def_bool y
 --- a/drivers/iommu/intel/iommu.c
 +++ b/drivers/iommu/intel/iommu.c
-@@ -214,13 +214,13 @@ static LIST_HEAD(dmar_satc_units);
+@@ -205,13 +205,13 @@ static LIST_HEAD(dmar_satc_units);
  
  static void intel_iommu_domain_free(struct iommu_domain *domain);
  
@@ -64,7 +64,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  static int intel_iommu_superpage = 1;
  static int iommu_identity_mapping;
  static int iommu_skip_te_disable;
-@@ -259,6 +259,7 @@ static int __init intel_iommu_setup(char
+@@ -250,6 +250,7 @@ static int __init intel_iommu_setup(char
  	while (*str) {
  		if (!strncmp(str, "on", 2)) {
  			dmar_disabled = 0;

debian/patches/features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch

@@ -22,7 +22,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -2201,6 +2201,8 @@
+@@ -2218,6 +2218,8 @@
  			bypassed by not enabling DMAR with this option. In
  			this case, gfx device will use physical address for
  			DMA.
@@ -43,7 +43,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  #define IS_USB_DEVICE(pdev) ((pdev->class >> 8) == PCI_CLASS_SERIAL_USB)
  #define IS_ISA_DEVICE(pdev) ((pdev->class >> 8) == PCI_CLASS_BRIDGE_ISA)
  #define IS_AZALIA(pdev) ((pdev)->vendor == 0x8086 && (pdev)->device == 0x3a3e)
-@@ -217,12 +220,14 @@ int intel_iommu_sm = IS_ENABLED(CONFIG_I
+@@ -208,12 +211,14 @@ int intel_iommu_sm = IS_ENABLED(CONFIG_I
  int intel_iommu_enabled = 0;
  EXPORT_SYMBOL_GPL(intel_iommu_enabled);
  
@@ -58,7 +58,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  
  const struct iommu_ops intel_iommu_ops;
  static const struct iommu_dirty_ops intel_dirty_ops;
-@@ -262,6 +267,9 @@ static int __init intel_iommu_setup(char
+@@ -253,6 +258,9 @@ static int __init intel_iommu_setup(char
  		} else if (!strncmp(str, "igfx_off", 8)) {
  			disable_igfx_iommu = 1;
  			pr_info("Disable GFX device mapping\n");
@@ -68,7 +68,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  		} else if (!strncmp(str, "forcedac", 8)) {
  			pr_warn("intel_iommu=forcedac deprecated; use iommu.forcedac instead\n");
  			iommu_dma_forcedac = true;
-@@ -2168,6 +2176,9 @@ static int device_def_domain_type(struct
+@@ -2046,6 +2054,9 @@ static int device_def_domain_type(struct
  
  		if ((iommu_identity_mapping & IDENTMAP_AZALIA) && IS_AZALIA(pdev))
  			return IOMMU_DOMAIN_IDENTITY;
@@ -78,7 +78,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  	}
  
  	return 0;
-@@ -2468,6 +2479,9 @@ static int __init init_dmars(void)
+@@ -2344,6 +2355,9 @@ static int __init init_dmars(void)
  		iommu_set_root_entry(iommu);
  	}
  
@@ -87,4 +87,4 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 +
  	check_tylersburg_isoch();
  
- 	ret = si_domain_init(hw_pass_through);
+ 	/*

debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch

@@ -29,7 +29,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -6578,6 +6578,10 @@
+@@ -6641,6 +6641,10 @@
  			later by a loaded module cannot be set this way.
  			Example: sysctl.vm.swappiness=40
  
@@ -42,7 +42,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  			Ignore sysrq setting - this boot parameter will
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -3069,6 +3069,14 @@ config COMPAT_32
+@@ -3164,6 +3164,14 @@ config COMPAT_32
  	select HAVE_UID16
  	select OLD_SIGSUSPEND3