krd/linux
1
0
Fork 0
Code Activity

release 6.15.2 (preliminary)

Browse Source
This commit is contained in:
Konstantin Demin
2025-06-18 12:24:58 +03:00
parent 4d2691343a
commit 43dc655d2e
242 changed files with 7729 additions and 32303 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch vendored
View File

@@ -31,7 +31,7 @@ cc: linux-efi@vger.kernel.org
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1073,19 +1073,7 @@ void __init setup_arch(char **cmdline_p)
@@ -1127,19 +1127,7 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);

4
debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch vendored
View File

@@ -26,7 +26,7 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -907,6 +907,8 @@ void __init setup_arch(char **cmdline_p)
@@ -964,6 +964,8 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
@@ -35,7 +35,7 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
reserve_ibft_region();
x86_init.resources.dmi_setup();
@@ -1073,8 +1075,6 @@ void __init setup_arch(char **cmdline_p)
@@ -1127,8 +1129,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);

22
debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch vendored
View File

@@ -22,9 +22,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1701,6 +1701,11 @@ int perf_cpu_time_max_percent_handler(co
int perf_event_max_stack_handler(const struct ctl_table *table, int write,
void *buffer, size_t *lenp, loff_t *ppos);
@@ -1684,6 +1684,11 @@ extern int sysctl_perf_event_sample_rate
extern void perf_sample_event_took(u64 sample_len_ns);
+static inline bool perf_paranoid_any(void)
+{
@@ -36,7 +36,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -449,8 +449,13 @@ static struct kmem_cache *perf_event_cac
@@ -450,8 +450,13 @@ static struct kmem_cache *perf_event_cac
* 0 - disallow raw tracepoint access for unpriv
* 1 - disallow cpu events for unpriv
* 2 - disallow kernel profiling for unpriv
@@ -48,9 +48,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
int sysctl_perf_event_paranoid __read_mostly = 2;
+#endif
/* Minimum for 512 kiB + 1 user control page */
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
@@ -12813,6 +12818,9 @@ SYSCALL_DEFINE5(perf_event_open,
/* Minimum for 512 kiB + 1 user control page. 'free' kiB per user. */
static int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024);
@@ -13084,6 +13089,9 @@ SYSCALL_DEFINE5(perf_event_open,
if (err)
return err;
@@ -58,13 +58,13 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+ return -EACCES;
+
/* Do we allow access to perf_event_open(2) ? */
err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
err = security_perf_event_open(PERF_SECURITY_OPEN);
if (err)
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -51,6 +51,15 @@ config PROC_MEM_NO_FORCE
endchoice
@@ -72,6 +72,15 @@ config MSEAL_SYSTEM_MAPPINGS
For complete descriptions of memory sealing, please see
Documentation/userspace-api/mseal.rst
+config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"

6
debian/patches/features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch vendored
View File

@@ -22,7 +22,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2264,6 +2264,8 @@
@@ -2288,6 +2288,8 @@
bypassed by not enabling DMAR with this option. In
this case, gfx device will use physical address for
DMA.
@@ -68,7 +68,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
} else if (!strncmp(str, "forcedac", 8)) {
pr_warn("intel_iommu=forcedac deprecated; use iommu.forcedac instead\n");
iommu_dma_forcedac = true;
@@ -1902,6 +1910,9 @@ static int device_def_domain_type(struct
@@ -1935,6 +1943,9 @@ static int device_def_domain_type(struct
if ((iommu_identity_mapping & IDENTMAP_AZALIA) && IS_AZALIA(pdev))
return IOMMU_DOMAIN_IDENTITY;
@@ -78,7 +78,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
}
return 0;
@@ -2196,6 +2207,9 @@ static int __init init_dmars(void)
@@ -2229,6 +2240,9 @@ static int __init init_dmars(void)
iommu_set_root_entry(iommu);
}

142
debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch vendored
View File

@@ -29,7 +29,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -7004,6 +7004,10 @@
@@ -7044,6 +7044,10 @@
later by a loaded module cannot be set this way.
Example: sysctl.vm.swappiness=40
@@ -42,7 +42,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ignore sysrq setting - this boot parameter will
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -3202,6 +3202,14 @@ config COMPAT_32
@@ -3169,6 +3169,14 @@ config COMPAT_32
select HAVE_UID16
select OLD_SIGSUSPEND3
@@ -57,9 +57,70 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
config COMPAT
def_bool y
depends on IA32_EMULATION || X86_X32_ABI
--- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
@@ -64,7 +64,7 @@ static __always_inline bool do_syscall_x
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -12,6 +12,9 @@
#include <asm/user.h>
#include <asm/auxvec.h>
#include <asm/fsgsbase.h>
+#ifndef COMPILE_OFFSETS /* avoid a circular dependency on asm-offsets.h */
+#include <asm/syscall.h>
+#endif
typedef unsigned long elf_greg_t;
@@ -152,7 +155,8 @@ do { \
#define compat_elf_check_arch(x) \
((elf_check_arch_ia32(x) && ia32_enabled_verbose()) || \
- (IS_ENABLED(CONFIG_X86_X32_ABI) && (x)->e_machine == EM_X86_64))
+ (IS_ENABLED(CONFIG_X86_X32_ABI) && x32_enabled && \
+ (x)->e_machine == EM_X86_64))
static inline void elf_common_init(struct thread_struct *t,
struct pt_regs *regs, const u16 ds)
--- a/arch/x86/include/asm/syscall.h
+++ b/arch/x86/include/asm/syscall.h
@@ -13,6 +13,7 @@
#include <uapi/linux/audit.h>
#include <linux/sched.h>
#include <linux/err.h>
+#include <linux/jump_label.h>
#include <asm/thread_info.h> /* for TS_COMPAT */
#include <asm/unistd.h>
@@ -28,6 +29,18 @@ extern long ia32_sys_call(const struct p
extern long x32_sys_call(const struct pt_regs *, unsigned int nr);
extern long x64_sys_call(const struct pt_regs *, unsigned int nr);
+#if defined(CONFIG_X86_X32_ABI)
+#if defined(CONFIG_X86_X32_DISABLED)
+DECLARE_STATIC_KEY_FALSE(x32_enabled_skey);
+#define x32_enabled static_branch_unlikely(&x32_enabled_skey)
+#else
+DECLARE_STATIC_KEY_TRUE(x32_enabled_skey);
+#define x32_enabled static_branch_likely(&x32_enabled_skey)
+#endif
+#else
+#define x32_enabled 0
+#endif
+
/*
* Only the low 32 bits of orig_ax are meaningful, so we return int.
* This importantly ignores the high bits on 64-bit, so comparisons
--- a/arch/x86/entry/syscall_64.c
+++ b/arch/x86/entry/syscall_64.c
@@ -7,6 +7,9 @@
#include <linux/syscalls.h>
#include <linux/entry-common.h>
#include <linux/nospec.h>
+#include <linux/moduleparam.h>
+#undef MODULE_PARAM_PREFIX
+#define MODULE_PARAM_PREFIX "syscall."
#include <asm/syscall.h>
#define __SYSCALL(nr, sym) extern long __x64_##sym(const struct pt_regs *);
@@ -75,7 +78,7 @@ static __always_inline bool do_syscall_x
*/
unsigned int xnr = nr - __X32_SYSCALL_BIT;
@@ -68,23 +129,12 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
xnr = array_index_nospec(xnr, X32_NR_syscalls);
regs->ax = x32_sys_call(regs, xnr);
return true;
--- a/arch/x86/entry/syscall_x32.c
+++ b/arch/x86/entry/syscall_x32.c
@@ -4,6 +4,9 @@
#include <linux/linkage.h>
#include <linux/sys.h>
#include <linux/cache.h>
+#include <linux/moduleparam.h>
+#undef MODULE_PARAM_PREFIX
+#define MODULE_PARAM_PREFIX "syscall."
#include <linux/syscalls.h>
#include <asm/syscall.h>
@@ -23,3 +26,46 @@ long x32_sys_call(const struct pt_regs *
default: return __x64_sys_ni_syscall(regs);
}
};
@@ -139,3 +142,48 @@ __visible noinstr bool do_syscall_64(str
/* Use SYSRET to exit to userspace */
return true;
}
+
+#ifdef CONFIG_X86_X32_ABI
+/* Maybe enable x32 syscalls */
+
+#if defined(CONFIG_X86_X32_DISABLED)
@@ -127,54 +177,4 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+};
+
+arch_param_cb(x32, &x32_param_ops, NULL, 0444);
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -12,6 +12,9 @@
#include <asm/user.h>
#include <asm/auxvec.h>
#include <asm/fsgsbase.h>
+#ifndef COMPILE_OFFSETS /* avoid a circular dependency on asm-offsets.h */
+#include <asm/syscall.h>
+#endif
typedef unsigned long elf_greg_t;
@@ -151,7 +154,8 @@ do { \
#define compat_elf_check_arch(x) \
((elf_check_arch_ia32(x) && ia32_enabled_verbose()) || \
- (IS_ENABLED(CONFIG_X86_X32_ABI) && (x)->e_machine == EM_X86_64))
+ (IS_ENABLED(CONFIG_X86_X32_ABI) && x32_enabled && \
+ (x)->e_machine == EM_X86_64))
static inline void elf_common_init(struct thread_struct *t,
struct pt_regs *regs, const u16 ds)
--- a/arch/x86/include/asm/syscall.h
+++ b/arch/x86/include/asm/syscall.h
@@ -13,6 +13,7 @@
#include <uapi/linux/audit.h>
#include <linux/sched.h>
#include <linux/err.h>
+#include <linux/jump_label.h>
#include <asm/thread_info.h> /* for TS_COMPAT */
#include <asm/unistd.h>
@@ -28,6 +29,18 @@ extern long ia32_sys_call(const struct p
extern long x32_sys_call(const struct pt_regs *, unsigned int nr);
extern long x64_sys_call(const struct pt_regs *, unsigned int nr);
+#if defined(CONFIG_X86_X32_ABI)
+#if defined(CONFIG_X86_X32_DISABLED)
+DECLARE_STATIC_KEY_FALSE(x32_enabled_skey);
+#define x32_enabled static_branch_unlikely(&x32_enabled_skey)
+#else
+DECLARE_STATIC_KEY_TRUE(x32_enabled_skey);
+#define x32_enabled static_branch_likely(&x32_enabled_skey)
+#endif
+#else
+#define x32_enabled 0
+#endif
+
/*
* Only the low 32 bits of orig_ax are meaningful, so we return int.
* This importantly ignores the high bits on 64-bit, so comparisons