krd/linux
1
0
Fork 0
Code Activity

initial commit

Browse Source 
imported from https://salsa.debian.org/kernel-team/linux.git
commit 9d5cc9d9d6501d7f1dd7e194d4b245bd0b6c6a22
version 6.11.4-1
This commit is contained in:
Konstantin Demin
2024-10-23 12:12:30 +03:00
commit c3d09a3e94
1108 changed files with 137488 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch vendored Normal file
View File

@@ -0,0 +1,49 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 03 Nov 2016 15:25:26 -0600
Subject: cpupower: Fix checks for CPU existence
Forwarded: https://lore.kernel.org/all/20170418023118.GD4152@decadent.org.uk/
Calls to cpufreq_cpu_exists(cpu) were converted to
cpupower_is_cpu_online(cpu) when libcpupower was introduced and the
former function was deleted. However, cpupower_is_cpu_online() does
not distinguish physically absent and offline CPUs, and does not set
errno.
cpufreq-set has already been fixed (commit c25badc9ceb6).
In cpufreq-bench, which prints an error message for offline CPUs,
properly distinguish and report the zero and negative cases.
Fixes: ac5a181d065d ("cpupower: Add cpuidle parts into library")
Fixes: 53d1cd6b125f ("cpupowerutils: bench - Fix cpu online check")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[carnil: Update/Refresh patch for 4.14.17: The issue with the
incorrect check has been fixed with upstream commit 53d1cd6b125f.
Keep in the patch the distinction and report for the zero and
negative cases.]
---
--- a/tools/power/cpupower/bench/system.c
+++ b/tools/power/cpupower/bench/system.c
@@ -58,12 +58,19 @@ long long int get_time()
int set_cpufreq_governor(char *governor, unsigned int cpu)
{
+ int rc;
dprintf("set %s as cpufreq governor\n", governor);
- if (cpupower_is_cpu_online(cpu) != 1) {
- perror("cpufreq_cpu_exists");
- fprintf(stderr, "error: cpu %u does not exist\n", cpu);
+ rc = cpupower_is_cpu_online(cpu);
+ if (rc != 1) {
+ if (rc < 0)
+ fprintf(stderr, "cpupower_is_cpu_online: %s\n",
+ strerror(-rc));
+ else
+ fprintf(stderr,
+ "error: cpu %u is offline or does not exist\n",
+ cpu);
return -1;
}

91
debian/patches/bugfix/all/disable-some-marvell-phys.patch vendored Normal file
View File

@@ -0,0 +1,91 @@
From: Ian Campbell <ijc@hellion.org.uk>
Subject: phy/marvell: disable 4-port phys
Date: Wed, 20 Nov 2013 08:30:14 +0000
Bug-Debian: https://bugs.debian.org/723177
Forwarded: https://lore.kernel.org/netdev/1386932764.20787.85.camel@dagon.hellion.org.uk/
The Marvell PHY was originally disabled because it can cause networking
failures on some systems. According to Lennert Buytenhek this is because some
of the variants added did not share the same register layout. Since the known
cases are all 4-ports disable those variants (indicated by a 4 in the
penultimate position of the model name) until they can be audited for
correctness.
[bwh: Also #if-out the init functions for these PHYs to avoid
compiler warnings]
--- a/drivers/net/phy/marvell.c
+++ b/drivers/net/phy/marvell.c
@@ -1366,6 +1366,7 @@ static int m88e1118_config_init(struct p
return genphy_soft_reset(phydev);
}
+#if 0
static int m88e1149_config_init(struct phy_device *phydev)
{
int err;
@@ -1391,7 +1392,9 @@ static int m88e1149_config_init(struct p
return genphy_soft_reset(phydev);
}
+#endif
+#if 0
static int m88e1145_config_init_rgmii(struct phy_device *phydev)
{
int err;
@@ -1469,6 +1472,7 @@ static int m88e1145_config_init(struct p
return 0;
}
+#endif
static int m88e1540_get_fld(struct phy_device *phydev, u8 *msecs)
{
@@ -3790,6 +3794,7 @@ static struct phy_driver marvell_drivers
.led_hw_control_set = m88e1318_led_hw_control_set,
.led_hw_control_get = m88e1318_led_hw_control_get,
},
+#if 0
{
.phy_id = MARVELL_PHY_ID_88E1145,
.phy_id_mask = MARVELL_PHY_ID_MASK,
@@ -3813,6 +3818,8 @@ static struct phy_driver marvell_drivers
.cable_test_start = m88e1111_vct_cable_test_start,
.cable_test_get_status = m88e1111_vct_cable_test_get_status,
},
+#endif
+#if 0
{
.phy_id = MARVELL_PHY_ID_88E1149R,
.phy_id_mask = MARVELL_PHY_ID_MASK,
@@ -3831,6 +3838,8 @@ static struct phy_driver marvell_drivers
.get_strings = marvell_get_strings,
.get_stats = marvell_get_stats,
},
+#endif
+#if 0
{
.phy_id = MARVELL_PHY_ID_88E1240,
.phy_id_mask = MARVELL_PHY_ID_MASK,
@@ -3851,6 +3860,7 @@ static struct phy_driver marvell_drivers
.get_tunable = m88e1011_get_tunable,
.set_tunable = m88e1011_set_tunable,
},
+#endif
{
.phy_id = MARVELL_PHY_ID_88E1116R,
.phy_id_mask = MARVELL_PHY_ID_MASK,
@@ -4139,9 +4149,9 @@ static struct mdio_device_id __maybe_unu
{ MARVELL_PHY_ID_88E1111_FINISAR, MARVELL_PHY_ID_MASK },
{ MARVELL_PHY_ID_88E1118, MARVELL_PHY_ID_MASK },
{ MARVELL_PHY_ID_88E1121R, MARVELL_PHY_ID_MASK },
- { MARVELL_PHY_ID_88E1145, MARVELL_PHY_ID_MASK },
- { MARVELL_PHY_ID_88E1149R, MARVELL_PHY_ID_MASK },
- { MARVELL_PHY_ID_88E1240, MARVELL_PHY_ID_MASK },
+/* { MARVELL_PHY_ID_88E1145, MARVELL_PHY_ID_MASK }, */
+/* { MARVELL_PHY_ID_88E1149R, MARVELL_PHY_ID_MASK }, */
+/* { MARVELL_PHY_ID_88E1240, MARVELL_PHY_ID_MASK }, */
{ MARVELL_PHY_ID_88E1318S, MARVELL_PHY_ID_MASK },
{ MARVELL_PHY_ID_88E1116R, MARVELL_PHY_ID_MASK },
{ MARVELL_PHY_ID_88E1510, MARVELL_PHY_ID_MASK },

32
debian/patches/bugfix/all/documentation-use-relative-source-paths-in-abi-documentation.patch vendored Normal file
View File

@@ -0,0 +1,32 @@
From: Ben Hutchings <benh@debian.org>
Date: Mon, 16 Sep 2024 00:07:04 +0200
Subject: Documentation: Use relative source filenames in ABI documentation
Currently the ABI documentation files contain absolute source
filenames, which makes them unreproducible if the build directory can
vary.
Remove the source base directory ($srctree) from the source filenames
shown in the documentation.
Signed-off-by: Ben Hutchings <benh@debian.org>
---
--- a/Documentation/sphinx/kernel_abi.py
+++ b/Documentation/sphinx/kernel_abi.py
@@ -103,6 +103,7 @@ class KernelCmd(Directive):
lines = code_block + "\n\n"
line_regex = re.compile(r"^\.\. LINENO (\S+)\#([0-9]+)$")
+ srctree = os.path.abspath(os.environ["srctree"])
ln = 0
n = 0
f = fname
@@ -127,7 +128,7 @@ class KernelCmd(Directive):
# sphinx counts lines from 0
ln = int(match.group(2)) - 1
else:
- content.append(line, f, ln)
+ content.append(line, os.path.relpath(f, srctree), ln)
kernellog.info(self.state.document.settings.env.app, "%s: parsed %i lines" % (fname, n))

60
debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch vendored Normal file
View File

@@ -0,0 +1,60 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 13 Apr 2016 21:48:06 +0100
Subject: fs: Add MODULE_SOFTDEP declarations for hard-coded crypto drivers
Bug-Debian: https://bugs.debian.org/819725
Forwarded: https://lore.kernel.org/all/20160517133631.GF7555@decadent.org.uk/
This helps initramfs builders and other tools to find the full
dependencies of a module.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
---
fs/btrfs/super.c | 2 +-
fs/ext4/super.c | 2 +-
fs/jbd2/journal.c | 1 +
fs/nfsd/nfsctl.c | 3 +++
4 files changed, 6 insertions(+), 2 deletions(-)
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -2619,7 +2619,7 @@ module_exit(exit_btrfs_fs)
MODULE_DESCRIPTION("B-Tree File System (BTRFS)");
MODULE_LICENSE("GPL");
-MODULE_SOFTDEP("pre: crc32c");
+MODULE_SOFTDEP("pre: crypto-crc32c");
MODULE_SOFTDEP("pre: xxhash64");
MODULE_SOFTDEP("pre: sha256");
MODULE_SOFTDEP("pre: blake2b-256");
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -7404,6 +7404,6 @@ static void __exit ext4_exit_fs(void)
MODULE_AUTHOR("Remy Card, Stephen Tweedie, Andrew Morton, Andreas Dilger, Theodore Ts'o and others");
MODULE_DESCRIPTION("Fourth Extended Filesystem");
MODULE_LICENSE("GPL");
-MODULE_SOFTDEP("pre: crc32c");
+MODULE_SOFTDEP("pre: crypto-crc32c");
module_init(ext4_init_fs)
module_exit(ext4_exit_fs)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -3194,6 +3194,7 @@ static void __exit journal_exit(void)
MODULE_DESCRIPTION("Generic filesystem journal-writing module");
MODULE_LICENSE("GPL");
+MODULE_SOFTDEP("pre: crypto-crc32c");
module_init(journal_init);
module_exit(journal_exit);
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -2353,5 +2353,8 @@ static void __exit exit_nfsd(void)
MODULE_AUTHOR("Olaf Kirch <okir@monad.swb.de>");
MODULE_DESCRIPTION("In-kernel NFS server");
MODULE_LICENSE("GPL");
+#ifdef CONFIG_NFSD_V4
+MODULE_SOFTDEP("pre: crypto-md5");
+#endif
module_init(init_nfsd)
module_exit(exit_nfsd)

45
debian/patches/bugfix/all/kbuild-bpf-fix-btf-reproducibility.patch vendored Normal file
View File

@@ -0,0 +1,45 @@
From: Ben Hutchings <benh@debian.org>
Date: Mon, 16 Sep 2024 01:54:24 +0200
Subject: kbuild, bpf: Fix BTF reproducibility
pahole 1.22 introduced the -j option for parallel processing, and
kbuild uses it, but this makes its output unreproducible.
pahole 1.27 introduced --btf_features=+reproducible_build which makes
the output reproducible even when -j is used.
Assume that if KBUILD_BUILD_TIMESTAMP is set then a reproducible build
is required, and use both options if available or neither if not.
Signed-off-by: Ben Hutchings <benh@debian.org>
---
--- a/scripts/Makefile.btf
+++ b/scripts/Makefile.btf
@@ -12,8 +12,6 @@ endif
pahole-flags-$(call test-ge, $(pahole-ver), 121) += --btf_gen_floats
-pahole-flags-$(call test-ge, $(pahole-ver), 122) += -j
-
pahole-flags-$(call test-ge, $(pahole-ver), 125) += --skip_encoding_btf_inconsistent_proto --btf_gen_optimized
else
@@ -27,6 +25,18 @@ endif
endif
+# pahole 1.22 introduced the -j option for parallel processing, but
+# this makes its output unreproducible.
+# pahole 1.27 introduced --btf_features=+reproducible_build which
+# makes the output reproducible even when -j is used.
+# Assume that if KBUILD_BUILD_TIMESTAMP is set then a reproducible
+# build is required and we must not use -j alone.
+ifeq ($(KBUILD_BUILD_TIMESTAMP),)
+pahole-flags-$(call test-ge, $(pahole-ver), 122) += -j
+else
+pahole-flags-$(call test-ge, $(pahole-ver), 127) += -j --btf_features=+reproducible_build
+endif
+
pahole-flags-$(CONFIG_PAHOLE_HAS_LANG_EXCLUDE) += --lang_exclude=rust
export PAHOLE_FLAGS := $(pahole-flags-y)

23
debian/patches/bugfix/all/kbuild-fix-recordmcount-dependency.patch vendored Normal file
View File

@@ -0,0 +1,23 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: kbuild: Fix recordmcount dependency for OOT modules
Date: Mon, 08 Sep 2014 18:31:24 +0100
Forwarded: no
We never rebuild anything in-tree when building an out-of-tree
modules, so external modules should not depend on the recordmcount
sources.
--- a/scripts/Makefile.build
+++ b/scripts/Makefile.build
@@ -210,6 +210,11 @@ cmd_record_mcount = $(if $(findstring $(
$(sub_cmd_record_mcount))
endif # CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT
+# Don't require recordmcount source for an OOT build.
+ifdef KBUILD_EXTMOD
+recordmcount_source :=
+endif
+
# 'OBJECT_FILES_NON_STANDARD := y': skip objtool checking for a directory
# 'OBJECT_FILES_NON_STANDARD_foo.o := 'y': skip objtool checking for a file
# 'OBJECT_FILES_NON_STANDARD_foo.o := 'n': override directory skip for a file

18
debian/patches/bugfix/all/libapi-define-_fortify_source-as-2-not-empty.patch vendored Normal file
View File

@@ -0,0 +1,18 @@
From: Ben Hutchings <benh@debian.org>
Date: Sat, 15 Jan 2022 22:30:49 +0100
Subject: libapi: Define _FORTIFY_SOURCE as 2, not empty
Forwarded: https://lore.kernel.org/lkml/20230424102049.58338-1-ukleinek@debian.org/
Signed-off-by: Ben Hutchings <benh@debian.org>
---
--- a/tools/lib/api/Makefile
+++ b/tools/lib/api/Makefile
@@ -29,7 +29,7 @@ endif
endif
ifeq ($(DEBUG),0)
- CFLAGS += -D_FORTIFY_SOURCE
+ CFLAGS += -D_FORTIFY_SOURCE=2
endif
# Treat warnings as errors unless directed not to

23
debian/patches/bugfix/all/module-disable-matching-missing-version-crc.patch vendored Normal file
View File

@@ -0,0 +1,23 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 02 Dec 2016 23:06:18 +0000
Subject: module: Disable matching missing version CRC
Forwarded: not-needed
This partly reverts commit cd3caefb4663e3811d37cc2afad3cce642d60061.
We want to fail closed if a symbol version CRC is missing, as the
alternative may allow subverting module signing.
---
--- a/kernel/module/version.c
+++ b/kernel/module/version.c
@@ -46,9 +46,8 @@ int check_version(const struct load_info
goto bad_version;
}
- /* Broken toolchain. Warn once, then let it go.. */
- pr_warn_once("%s: no symbol version for %s\n", info->name, symname);
- return 1;
+ pr_warn("%s: no symbol version for %s\n", info->name, symname);
+ return 0;
bad_version:
pr_warn("%s: disagrees about version of symbol %s\n", info->name, symname);

27
debian/patches/bugfix/all/perf-tools-pass-extra_cflags-through-to-libbpf-build-again.patch vendored Normal file
View File

@@ -0,0 +1,27 @@
From: Ben Hutchings <benh@debian.org>
Date: Fri, 16 Aug 2024 15:58:04 +0200
Subject: perf tools: Pass EXTRA_CFLAGS through to libbpf build again
When perf was statically linked to libbpf, any definition of
EXTRA_CFLAGS passed to Makefile.perf propagated to the sub-make of
libbpf. Since commit 9dabf4003423 ("perf python: Switch module to
linking libraries from building source"), EXTRA_CFLAGS is overridden
to "-fPIC" for the sub-make.
Change to include any user-provided EXTRA_CFLAGS before the "-fPIC"
option.
Fixes: 9dabf4003423 ("perf python: Switch module to linking libraries ...")
Signed-off-by: Ben Hutchings <benh@debian.org>
---
--- a/tools/perf/Makefile.perf
+++ b/tools/perf/Makefile.perf
@@ -951,7 +951,7 @@ $(LIBAPI)-clean:
$(LIBBPF): FORCE | $(LIBBPF_OUTPUT)
$(Q)$(MAKE) -C $(LIBBPF_DIR) FEATURES_DUMP=$(FEATURE_DUMP_EXPORT) \
O= OUTPUT=$(LIBBPF_OUTPUT)/ DESTDIR=$(LIBBPF_DESTDIR) prefix= subdir= \
- EXTRA_CFLAGS="-fPIC" $@ install_headers
+ EXTRA_CFLAGS="$(EXTRA_CFLAGS) -fPIC" $@ install_headers
$(LIBBPF)-clean:
$(call QUIET_CLEAN, libbpf)

30
debian/patches/bugfix/all/perf-tools-support-extra-cxxflags.patch vendored Normal file
View File

@@ -0,0 +1,30 @@
From: Ben Hutchings <benh@debian.org>
Date: Mon, 15 May 2023 15:58:39 +0200
Subject: perf tools: Support EXTRA_CXXFLAGS
Add support for an EXTRA_CXXFLAGS variable, used similarly to
EXTRA_CFLAGS.
Signed-off-by: Ben Hutchings <benh@debian.org>
---
--- a/tools/perf/Makefile.config
+++ b/tools/perf/Makefile.config
@@ -18,6 +18,7 @@ detected_var = $(shell echo "$(1)=$($(1)
CFLAGS := $(EXTRA_CFLAGS) $(filter-out -Wnested-externs,$(EXTRA_WARNINGS))
HOSTCFLAGS := $(filter-out -Wnested-externs,$(EXTRA_WARNINGS))
+CXXFLAGS := $(EXTRA_CXXFLAGS)
# Enabled Wthread-safety analysis for clang builds.
ifeq ($(CC_NO_CLANG), 0)
--- a/tools/perf/Makefile.perf
+++ b/tools/perf/Makefile.perf
@@ -33,7 +33,7 @@ include ../scripts/utilities.mak
#
# Define LDFLAGS=-static to build a static binary.
#
-# Define EXTRA_CFLAGS=-m64 or EXTRA_CFLAGS=-m32 as appropriate for cross-builds.
+# Define EXTRA_CFLAGS=-m64 or EXTRA_CFLAGS=-m32 as appropriate for cross-builds, and similarly EXTRA_CXXFLAGS.
#
# Define EXCLUDE_EXTLIBS=-lmylib to exclude libmylib from the auto-generated
# EXTLIBS.

88
debian/patches/bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch vendored Normal file
View File

@@ -0,0 +1,88 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: radeon, amdgpu: Firmware is required for DRM and KMS on R600 onward
Date: Tue, 08 Jan 2013 03:25:52 +0000
Bug-Debian: https://bugs.debian.org/607194
Bug-Debian: https://bugs.debian.org/607471
Bug-Debian: https://bugs.debian.org/610851
Bug-Debian: https://bugs.debian.org/627497
Bug-Debian: https://bugs.debian.org/632212
Bug-Debian: https://bugs.debian.org/637943
Bug-Debian: https://bugs.debian.org/649448
Bug-Debian: https://bugs.debian.org/697229
Bug-Debian: https://bugs.debian.org/1053764
Forwarded: no
Last-Update: 2023-11-08
radeon requires firmware/microcode for the GPU in all chips, but for
newer chips (apparently R600 'Evergreen' onward) it also expects
firmware for the memory controller and other sub-blocks.
radeon attempts to gracefully fall back and disable some features if
the firmware is not available, but becomes unstable - the framebuffer
and/or system memory may be corrupted, or the display may stay black.
Therefore, perform a basic check for the existence of
/lib/firmware/radeon when a device is probed, and abort if it
is missing, except for the pre-R600 case.
Update 2023-11-08:
In bug 1053764 Mario Limonciello <mario.limonciello@amd.com> states
that the patch isn't needed anymore for amdgpu, so remove that part
of the patch
---
drivers/gpu/drm/radeon/radeon_drv.c | 30 +++++++++++++++++++++++++
1 files changed, 30 insertions(+)
--- a/drivers/gpu/drm/radeon/radeon_drv.c
+++ b/drivers/gpu/drm/radeon/radeon_drv.c
@@ -32,6 +32,8 @@
#include <linux/compat.h>
#include <linux/module.h>
+#include <linux/namei.h>
+#include <linux/path.h>
#include <linux/pm_runtime.h>
#include <linux/vga_switcheroo.h>
#include <linux/mmu_notifier.h>
@@ -255,6 +257,28 @@ MODULE_DEVICE_TABLE(pci, pciidlist);
static const struct drm_driver kms_driver;
+/* Test that /lib/firmware/radeon is a directory (or symlink to a
+ * directory). We could try to match the udev search path, but let's
+ * keep it simple.
+ */
+static bool radeon_firmware_installed(void)
+{
+#if IS_BUILTIN(CONFIG_DRM_RADEON)
+ /* It may be too early to tell. Assume it's there. */
+ return true;
+#else
+ struct path path;
+
+ if (kern_path("/lib/firmware/radeon", LOOKUP_DIRECTORY | LOOKUP_FOLLOW,
+ &path) == 0) {
+ path_put(&path);
+ return true;
+ }
+
+ return false;
+#endif
+}
+
static int radeon_pci_probe(struct pci_dev *pdev,
const struct pci_device_id *ent)
{
@@ -295,6 +319,12 @@ static int radeon_pci_probe(struct pci_d
if (vga_switcheroo_client_probe_defer(pdev))
return -EPROBE_DEFER;
+ if ((ent->driver_data & RADEON_FAMILY_MASK) >= CHIP_R600 &&
+ !radeon_firmware_installed()) {
+ DRM_ERROR("radeon kernel modesetting for R600 or later requires firmware installed\n");
+ return -ENODEV;
+ }
+
/* Get rid of things like offb */
ret = drm_aperture_remove_conflicting_pci_framebuffers(pdev, &kms_driver);
if (ret)

21
debian/patches/bugfix/all/revert-tools-build-clean-cflags-and-ldflags-for-fixdep.patch vendored Normal file
View File

@@ -0,0 +1,21 @@
From: Ben Hutchings <benh@debian.org>
Date: Mon, 16 Sep 2024 19:14:19 +0200
Subject: Revert "tools build: Clean CFLAGS and LDFLAGS for fixdep"
This reverts commit 5725dd8fa888b4dcdff58241f9d3d3ac42a048e2. That
was a workaround for the bug fixed by commit 6b3db6f9b970 "tools
build: Make fixdep a hostprog" and is no longer needed.
Signed-off-by: Ben Hutchings <benh@debian.org>
---
--- a/tools/build/Makefile.include
+++ b/tools/build/Makefile.include
@@ -2,7 +2,7 @@
build := -f $(srctree)/tools/build/Makefile.build dir=. obj
fixdep:
- $(Q)$(MAKE) -C $(srctree)/tools/build CFLAGS= LDFLAGS= $(OUTPUT)fixdep
+ $(Q)$(MAKE) -C $(srctree)/tools/build $(OUTPUT)fixdep
fixdep-clean:
$(Q)$(MAKE) -C $(srctree)/tools/build clean

27
debian/patches/bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch vendored Normal file
View File

@@ -0,0 +1,27 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 21 Feb 2016 15:33:15 +0000
Subject: tools/build: Remove bpf() run-time check at build time
Forwarded: no
It is not correct to test that a syscall works on the build system's
kernel. We might be building on an earlier kernel version or with
security restrictions that block bpf().
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/build/feature/test-bpf.c
+++ b/tools/build/feature/test-bpf.c
@@ -35,8 +35,10 @@ int main(void)
attr.prog_flags = 0;
/*
- * Test existence of __NR_bpf and BPF_PROG_LOAD.
- * This call should fail if we run the testcase.
+ * bwh: Don't use the bpf() syscall as we might be building on a
+ * much older kernel. Do "use" the attr structure here to avoid
+ * a "set but not used" warning.
*/
- return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
+ (void)&attr;
+ return 0;
}

17
debian/patches/bugfix/all/tools-perf-fix-missing-ldflags-for-some-programs.patch vendored Normal file
View File

@@ -0,0 +1,17 @@
From: Ben Hutchings <benh@debian.org>
Date: Sat, 15 Jan 2022 22:59:11 +0100
Subject: tools/perf: Fix missing LDFLAGS for some programs
Signed-off-by: Ben Hutchings <benh@debian.org>
---
--- a/tools/perf/Makefile.perf
+++ b/tools/perf/Makefile.perf
@@ -785,7 +785,7 @@ $(OUTPUT)dlfilters/%.o: dlfilters/%.c in
.SECONDARY: $(DLFILTERS:.so=.o)
$(OUTPUT)dlfilters/%.so: $(OUTPUT)dlfilters/%.o
- $(QUIET_LINK)$(CC) $(EXTRA_CFLAGS) -shared -o $@ $<
+ $(QUIET_LINK)$(CC) $(EXTRA_CFLAGS) $(LDFLAGS) -shared -o $@ $<
ifndef NO_JVMTI
LIBJVMTI_IN := $(OUTPUT)jvmti/jvmti-in.o

39
debian/patches/bugfix/all/tools-perf-remove-shebangs.patch vendored Normal file
View File

@@ -0,0 +1,39 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 25 Sep 2015 20:09:23 +0100
Subject: tools/perf: Remove shebang lines from perf scripts
Forwarded: no
perf scripts need to be invoked through perf, not directly through
perl (or other language interpreter). So including shebang lines in
them is useless and possibly misleading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/perf/scripts/perl/rw-by-file.pl
+++ b/tools/perf/scripts/perl/rw-by-file.pl
@@ -1,4 +1,3 @@
-#!/usr/bin/perl -w
# SPDX-License-Identifier: GPL-2.0-only
# (c) 2009, Tom Zanussi <tzanussi@gmail.com>
--- a/tools/perf/scripts/perl/rw-by-pid.pl
+++ b/tools/perf/scripts/perl/rw-by-pid.pl
@@ -1,4 +1,3 @@
-#!/usr/bin/perl -w
# SPDX-License-Identifier: GPL-2.0-only
# (c) 2009, Tom Zanussi <tzanussi@gmail.com>
--- a/tools/perf/scripts/perl/rwtop.pl
+++ b/tools/perf/scripts/perl/rwtop.pl
@@ -1,4 +1,3 @@
-#!/usr/bin/perl -w
# SPDX-License-Identifier: GPL-2.0-only
# (c) 2010, Tom Zanussi <tzanussi@gmail.com>
--- a/tools/perf/scripts/perl/wakeup-latency.pl
+++ b/tools/perf/scripts/perl/wakeup-latency.pl
@@ -1,4 +1,3 @@
-#!/usr/bin/perl -w
# SPDX-License-Identifier: GPL-2.0-only
# (c) 2009, Tom Zanussi <tzanussi@gmail.com>

31
debian/patches/bugfix/all/tools_lib_symbol_use_d_fortify_source_2_for_non_debug_builds.patch vendored Normal file
View File

@@ -0,0 +1,31 @@
From: Uwe Kleine-König <ukleinek@debian.org>
Subject: tools lib symbol: Use -D_FORTIFY_SOURCE=2 for non-debug builds
Date: Mon, 24 Apr 2023 12:28:27 +0200
Forwarded: https://lore.kernel.org/all/20230424102827.58707-1-ukleinek@debian.org/
Commit 160be157eaba ("tool lib symbol: Add Makefile/Build") failed to
define _FORTIFY_SOURCE to 2, probabaly this was cut&pasted from other
Makefiles with the same problem.
Fixes: 160be157eaba ("tool lib symbol: Add Makefile/Build")
Signed-off-by: Uwe Kleine-König <ukleinek@debian.org>
Acked-by: Ian Rogers <irogers@google.com>
---
tools/lib/symbol/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/lib/symbol/Makefile b/tools/lib/symbol/Makefile
index 13d43c6f92b4..4a08cc4e19f2 100644
--- a/tools/lib/symbol/Makefile
+++ b/tools/lib/symbol/Makefile
@@ -39,7 +39,7 @@ endif
endif
ifeq ($(DEBUG),0)
- CFLAGS += -D_FORTIFY_SOURCE
+ CFLAGS += -D_FORTIFY_SOURCE=2
endif
# Treat warnings as errors unless directed not to
--
2.39.2

29
debian/patches/bugfix/all/usbip-document-tcp-wrappers.patch vendored Normal file
View File

@@ -0,0 +1,29 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 24 Jun 2012 02:51:39 +0100
Subject: usbip: Document TCP wrappers
Forwarded: no
Add references to TCP wrappers configuration in the manual page.
--- a/tools/usb/usbip/doc/usbipd.8
+++ b/tools/usb/usbip/doc/usbipd.8
@@ -14,7 +14,8 @@ Devices have to explicitly be exported u
before usbipd makes them available to other hosts.
The daemon accepts connections from USB/IP clients
-on TCP port 3240 by default.
+on TCP port 3240 by default. The clients authorised to connect may be
+configured as documented in hosts_access(5).
.SH OPTIONS
.HP
@@ -69,7 +70,8 @@ Show version.
.B usbipd
offers no authentication or authorization for USB/IP. Any
-USB/IP client can connect and use exported devices.
+USB/IP client running on an authorised host can connect and
+use exported devices.
.SH EXAMPLES

35
debian/patches/bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch vendored Normal file
View File

@@ -0,0 +1,35 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 17 Feb 2017 01:30:30 +0000
Subject: ARM: dts: kirkwood: Fix SATA pinmux-ing for TS419
Forwarded: https://lore.kernel.org/all/20170218003251.GC4152@decadent.org.uk/
Bug-Debian: https://bugs.debian.org/855017
The old board code for the TS419 assigns MPP pins 15 and 16 as SATA
activity signals (and none as SATA presence signals). Currently the
device tree assigns the SoC's default pinmux groups for SATA, which
conflict with the second Ethernet port.
Reported-by: gmbh@gazeta.pl
Tested-by: gmbh@gazeta.pl
References: https://bugs.debian.org/855017
Cc: stable@vger.kernel.org # 3.15+
Fixes: 934b524b3f49 ("ARM: Kirkwood: Add DT description of QNAP 419")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/boot/dts/marvell/kirkwood-ts419.dtsi | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/arch/arm/boot/dts/marvell/kirkwood-ts419.dtsi
+++ b/arch/arm/boot/dts/marvell/kirkwood-ts419.dtsi
@@ -69,3 +69,11 @@
phy-handle = <&ethphy1>;
};
};
+
+&pmx_sata0 {
+ marvell,pins = "mpp15";
+};
+
+&pmx_sata1 {
+ marvell,pins = "mpp16";
+};

31
debian/patches/bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch vendored Normal file
View File

@@ -0,0 +1,31 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 11 Jul 2018 23:40:55 +0100
Subject: ARM: mm: Export __sync_icache_dcache() for xen-privcmd
Forwarded: https://lore.kernel.org/all/20180711225013.GF14131@decadent.org.uk/
The xen-privcmd driver, which can be modular, calls set_pte_at()
which in turn may call __sync_icache_dcache().
The call to __sync_icache_dcache() may be optimised out because it is
conditional on !pte_special(), and xen-privcmd calls pte_mkspecial().
However, in a non-LPAE configuration there is no "special" bit and the
call is really unconditional.
Fixes: 3ad0876554ca ("xen/privcmd: add IOCTL_PRIVCMD_MMAP_RESOURCE")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/mm/flush.c | 1 +
1 file changed, 1 insertion(+)
Index: debian-kernel/arch/arm/mm/flush.c
===================================================================
--- debian-kernel.orig/arch/arm/mm/flush.c
+++ debian-kernel/arch/arm/mm/flush.c
@@ -292,6 +292,7 @@ void __sync_icache_dcache(pte_t pteval)
if (pte_exec(pteval))
__flush_icache_all();
}
+EXPORT_SYMBOL_GPL(__sync_icache_dcache);
#endif
/*

80
debian/patches/bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch vendored Normal file
View File

@@ -0,0 +1,80 @@
From: Geoff Levand <geoff@infradead.org>
Date: Wed, 13 Jun 2018 10:56:08 -0700
Subject: arm64/acpi: Add fixup for HPE m400 quirks
Forwarded: https://lore.kernel.org/all/51d3d738-cdf5-2992-bba5-c3e1f34096c2@infradead.org/
Adds a new ACPI init routine acpi_fixup_m400_quirks that adds
a work-around for HPE ProLiant m400 APEI firmware problems.
The work-around disables APEI when CONFIG_ACPI_APEI is set and
m400 firmware is detected. Without this fixup m400 systems
experience errors like these on startup:
[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 2
[Hardware Error]: event severity: fatal
[Hardware Error]: Error 0, type: fatal
[Hardware Error]: section_type: memory error
[Hardware Error]: error_status: 0x0000000000001300
[Hardware Error]: error_type: 10, invalid address
Kernel panic - not syncing: Fatal hardware error!
Signed-off-by: Geoff Levand <geoff@infradead.org>
[bwh: Adjust context and indentation to apply to Linux 6.10]
---
arch/arm64/kernel/acpi.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
--- a/arch/arm64/kernel/acpi.c
+++ b/arch/arm64/kernel/acpi.c
@@ -36,6 +36,8 @@
#include <asm/daifflags.h>
#include <asm/smp_plat.h>
+#include <acpi/apei.h>
+
int acpi_noirq = 1; /* skip ACPI IRQ initialization */
int acpi_disabled = 1;
EXPORT_SYMBOL(acpi_disabled);
@@ -178,6 +180,33 @@ out:
}
/*
+ * acpi_fixup_m400_quirks - Work-around for HPE ProLiant m400 APEI firmware
+ * problems.
+ */
+static void __init acpi_fixup_m400_quirks(void)
+{
+ acpi_status status;
+ struct acpi_table_header *header;
+#if !defined(CONFIG_ACPI_APEI)
+ int hest_disable = HEST_DISABLED;
+#endif
+
+ if (!IS_ENABLED(CONFIG_ACPI_APEI) || hest_disable != HEST_ENABLED)
+ return;
+
+ status = acpi_get_table(ACPI_SIG_HEST, 0, &header);
+
+ if (ACPI_SUCCESS(status) && !strncmp(header->oem_id, "HPE ", 6) &&
+ !strncmp(header->oem_table_id, "ProLiant", 8) &&
+ MIDR_IMPLEMENTOR(read_cpuid_id()) == ARM_CPU_IMP_APM) {
+ hest_disable = HEST_DISABLED;
+ pr_info("Disabled APEI for m400.\n");
+ }
+
+ acpi_put_table(header);
+}
+
+/*
* acpi_boot_table_init() called from setup_arch(), always.
* 1. find RSDP and get its address, and then find XSDT
* 2. extract all tables and checksums them all
@@ -257,6 +286,8 @@ done:
if (IS_ENABLED(CONFIG_ACPI_BGRT))
acpi_table_parse(ACPI_SIG_BGRT, acpi_parse_bgrt);
+
+ acpi_fixup_m400_quirks();
}
}

46
debian/patches/bugfix/powerpc/fbdev-offb-Update-expected-device-name.patch vendored Normal file
View File

@@ -0,0 +1,46 @@
From: Cyril Brulebois <cyril@debamax.com>
Date: Wed, 12 Apr 2023 11:55:08 +0200
Subject: fbdev/offb: Update expected device name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev.git/commit?id=27c74ea74be805ccba1bc1a0a03cc79c51dca6ea
Since commit 241d2fb56a18 ("of: Make OF framebuffer device names unique"),
as spotted by Frédéric Bonnard, the historical "of-display" device is
gone: the updated logic creates "of-display.0" instead, then as many
"of-display.N" as required.
This means that offb no longer finds the expected device, which prevents
the Debian Installer from setting up its interface, at least on ppc64el.
It might be better to iterate on all possible nodes, but updating the
hardcoded device from "of-display" to "of-display.0" is confirmed to fix
the Debian Installer at the very least.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217328
Link: https://bugs.debian.org/1033058
Fixes: 241d2fb56a18 ("of: Make OF framebuffer device names unique")
Cc: stable@vger.kernel.org
Signed-off-by: Cyril Brulebois <cyril@debamax.com>
Signed-off-by: Helge Deller <deller@gmx.de>
---
drivers/video/fbdev/offb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/offb.c b/drivers/video/fbdev/offb.c
index 0065a77b6dbc8..b5fdef2b74359 100644
--- a/drivers/video/fbdev/offb.c
+++ b/drivers/video/fbdev/offb.c
@@ -696,7 +696,7 @@ MODULE_DEVICE_TABLE(of, offb_of_match_display);
static struct platform_driver offb_driver_display = {
.driver = {
- .name = "of-display",
+ .name = "of-display.0",
.of_match_table = offb_of_match_display,
},
.probe = offb_probe_display,
--
2.30.2

39
debian/patches/bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch vendored Normal file
View File

@@ -0,0 +1,39 @@
From: Krzysztof Kozlowski <krzk@kernel.org>
Date: Wed, 29 Aug 2018 09:32:23 +0200
Subject: powerpc/boot: Fix missing crc32poly.h when building with KERNEL_XZ
Origin: https://patchwork.ozlabs.org/patch/963258/
After commit faa16bc404d7 ("lib: Use existing define with
polynomial") the lib/xz/xz_crc32.c includes a header from include/linux
directory thus any other user of this code should define proper include
path.
This fixes the build error on powerpc with CONFIG_KERNEL_XZ:
In file included from ../arch/powerpc/boot/../../../lib/decompress_unxz.c:233:0,
from ../arch/powerpc/boot/decompress.c:42:
../arch/powerpc/boot/../../../lib/xz/xz_crc32.c:18:29: fatal error: linux/crc32poly.h: No such file or directory
Reported-by: Michal Kubecek <mkubecek@suse.cz>
Fixes: faa16bc404d7 ("lib: Use existing define with polynomial")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Meelis Roos <mroos@linux.ee>
Tested-by: Michal Kubecek <mkubecek@suse.cz>
---
arch/powerpc/boot/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: linux/arch/powerpc/boot/Makefile
===================================================================
--- linux.orig/arch/powerpc/boot/Makefile
+++ linux/arch/powerpc/boot/Makefile
@@ -70,7 +70,7 @@ BOOTCFLAGS += -fno-stack-protector
endif
BOOTCFLAGS += -include $(srctree)/include/linux/compiler_attributes.h
-BOOTCFLAGS += -I$(objtree)/$(obj) -I$(srctree)/$(obj)
+BOOTCFLAGS += -I$(objtree)/$(obj) -I$(srctree)/$(obj) -I$(srctree)/include
DTC_FLAGS ?= -p 1024

95
debian/patches/bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch vendored Normal file
View File

@@ -0,0 +1,95 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 07 Feb 2022 00:00:26 +0100
Subject: sh: Do not use hyphen in exported variable names
arch/sh/Makefile defines and exports ld-bfd to be used by
arch/sh/boot/Makefile and arch/sh/boot/compressed/Makefile. However
some shells, including dash, will not pass through environment
variables whose name includes a hyphen. Usually GNU make does not use
a shell to recurse, but if e.g. $(srctree) contains '~' it will use a
shell here.
Rename the variable to ld_bfd.
(Another instance of this problem was fixed upstream by commit
82977af93a0d "sh: rename suffix-y to suffix_y".)
References: https://buildd.debian.org/status/fetch.php?pkg=linux&arch=sh4&ver=4.13%7Erc5-1%7Eexp1&stamp=1502943967&raw=0
Fixes: ef9b542fce00 ("sh: bzip2/lzma uImage support.")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sh/Makefile | 10 +++++-----
arch/sh/boot/compressed/Makefile | 4 ++--
arch/sh/boot/romimage/Makefile | 4 ++--
3 files changed, 9 insertions(+), 9 deletions(-)
Index: linux/arch/sh/Makefile
===================================================================
--- linux.orig/arch/sh/Makefile
+++ linux/arch/sh/Makefile
@@ -102,16 +102,16 @@ UTS_MACHINE := sh
LDFLAGS_vmlinux += -e _stext
ifdef CONFIG_CPU_LITTLE_ENDIAN
-ld-bfd := elf32-sh-linux
-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld-bfd)
+ld_bfd := elf32-sh-linux
+LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld_bfd)
KBUILD_LDFLAGS += -EL
else
-ld-bfd := elf32-shbig-linux
-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld-bfd)
+ld_bfd := elf32-shbig-linux
+LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld_bfd)
KBUILD_LDFLAGS += -EB
endif
-export ld-bfd
+export ld_bfd
# Mach groups
machdir-$(CONFIG_SOLUTION_ENGINE) += mach-se
Index: linux/arch/sh/boot/compressed/Makefile
===================================================================
--- linux.orig/arch/sh/boot/compressed/Makefile
+++ linux/arch/sh/boot/compressed/Makefile
@@ -36,7 +36,7 @@ endif
ccflags-remove-$(CONFIG_MCOUNT) += -pg
-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(IMAGE_OFFSET) -e startup \
+LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(IMAGE_OFFSET) -e startup \
-T $(obj)/../../kernel/vmlinux.lds
KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
@@ -60,7 +60,7 @@ $(obj)/vmlinux.bin.lzo: $(obj)/vmlinux.b
OBJCOPYFLAGS += -R .empty_zero_page
-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T
+LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T
$(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix_y) FORCE
$(call if_changed,ld)
Index: linux/arch/sh/boot/romimage/Makefile
===================================================================
--- linux.orig/arch/sh/boot/romimage/Makefile
+++ linux/arch/sh/boot/romimage/Makefile
@@ -13,7 +13,7 @@ mmcif-obj-$(CONFIG_CPU_SUBTYPE_SH7724) :
load-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-load-y)
obj-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-obj-y)
-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(load-y) -e romstart \
+LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(load-y) -e romstart \
-T $(obj)/../../kernel/vmlinux.lds
$(obj)/vmlinux: $(obj)/head.o $(obj-y) $(obj)/piggy.o FORCE
@@ -24,7 +24,7 @@ OBJCOPYFLAGS += -j .empty_zero_page
$(obj)/zeropage.bin: vmlinux FORCE
$(call if_changed,objcopy)
-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T
+LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T
$(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/zeropage.bin arch/sh/boot/zImage FORCE
$(call if_changed,ld)

35
debian/patches/bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch vendored Normal file
View File

@@ -0,0 +1,35 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 22 Jul 2017 17:37:33 +0100
Subject: perf tools: Fix unwind build on i386
Forwarded: no
EINVAL may not be defined when building unwind-libunwind.c with
REMOTE_UNWIND_LIBUNWIND, resulting in a compiler error in
LIBUNWIND__ARCH_REG_ID(). Its only caller, access_reg(), only checks
for a negative return value and doesn't care what it is. So change
-EINVAL to -1.
Fixes: 52ffe0ff02fc ("Support x86(32-bit) cross platform callchain unwind.")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/perf/arch/x86/util/unwind-libunwind.c
+++ b/tools/perf/arch/x86/util/unwind-libunwind.c
@@ -66,7 +66,7 @@ int LIBUNWIND__ARCH_REG_ID(int regnum)
break;
default:
pr_err("unwind: invalid reg id %d\n", regnum);
- return -EINVAL;
+ return -1;
}
return id;
@@ -106,7 +106,7 @@ int LIBUNWIND__ARCH_REG_ID(int regnum)
break;
default:
pr_err("unwind: invalid reg id %d\n", regnum);
- return -EINVAL;
+ return -1;
}
return id;

22
debian/patches/bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch vendored Normal file
View File

@@ -0,0 +1,22 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 25 Sep 2015 22:50:50 +0100
Subject: Revert "perf build: Fix libunwind feature detection on 32-bit x86"
Forwarded: no
This reverts commit 05b41775e2edd69a83f592e3534930c934d4038e.
It broke feature detection that was working just fine for us.
---
tools/perf/Makefile.config | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/perf/Makefile.config
+++ b/tools/perf/Makefile.config
@@ -38,7 +38,7 @@ ifeq ($(SRCARCH),x86)
LIBUNWIND_LIBS = -lunwind-x86_64 -lunwind -llzma
$(call detected,CONFIG_X86_64)
else
- LIBUNWIND_LIBS = -lunwind-x86 -llzma -lunwind
+ LIBUNWIND_LIBS = -lunwind -lunwind-x86
endif
endif

34
debian/patches/bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch vendored Normal file
View File

@@ -0,0 +1,34 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 20 Apr 2013 15:52:02 +0100
Subject: viafb: Autoload on OLPC XO 1.5 only
Bug-Debian: https://bugs.debian.org/705788
Forwarded: no
It appears that viafb won't work automatically on all the boards for
which it has a PCI device ID match. Currently, it is blacklisted by
udev along with most other framebuffer drivers, so this doesn't matter
much.
However, this driver is required for console support on the XO 1.5.
We need to allow it to be autoloaded on this model only, and then
un-blacklist it in udev.
---
--- a/drivers/video/fbdev/via/via-core.c
+++ b/drivers/video/fbdev/via/via-core.c
@@ -695,7 +695,14 @@ static const struct pci_device_id via_pc
.driver_data = UNICHROME_VX900 },
{ }
};
-MODULE_DEVICE_TABLE(pci, via_pci_table);
+
+static const struct pci_device_id via_pci_autoload_table[] __initconst = {
+ /* OLPC XO 1.5 */
+ { PCI_DEVICE(PCI_VENDOR_ID_VIA, UNICHROME_VX855_DID),
+ .subvendor = 0x152d, .subdevice = 0x0833 },
+ { }
+};
+MODULE_DEVICE_TABLE(pci, via_pci_autoload_table);
static const struct dev_pm_ops via_pm_ops = {
#ifdef CONFIG_PM_SLEEP

101
debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch vendored Normal file
View File

@@ -0,0 +1,101 @@
From: Serge Hallyn <serge.hallyn@canonical.com>
Date: Fri, 31 May 2013 19:12:12 +0000 (+0100)
Subject: add sysctl to disallow unprivileged CLONE_NEWUSER by default
Origin: http://kernel.ubuntu.com/git?p=serge%2Fubuntu-saucy.git;a=commit;h=5c847404dcb2e3195ad0057877e1422ae90892b8
add sysctl to disallow unprivileged CLONE_NEWUSER by default
This is a short-term patch. Unprivileged use of CLONE_NEWUSER
is certainly an intended feature of user namespaces. However
for at least saucy we want to make sure that, if any security
issues are found, we have a fail-safe.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
[bwh: Remove unneeded binary sysctl bits]
[bwh: Keep this sysctl, but change the default to enabled]
---
kernel/fork.c | 16 ++++++++++++++++
kernel/sysctl.c | 13 +++++++++++++
kernel/user_namespace.c | 3 +++
3 files changed, 32 insertions(+)
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -118,6 +118,12 @@
#include <kunit/visibility.h>
+#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+#else
+#define unprivileged_userns_clone 0
+#endif
+
/*
* Minimum number of threads to boot the kernel
*/
@@ -2138,6 +2144,10 @@ __latent_entropy struct task_struct *cop
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
+ if (!capable(CAP_SYS_ADMIN))
+ return ERR_PTR(-EPERM);
+
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
@@ -3287,6 +3297,12 @@ int ksys_unshare(unsigned long unshare_f
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
+ err = -EPERM;
+ if (!capable(CAP_SYS_ADMIN))
+ goto bad_unshare_out;
+ }
+
err = check_unshare_flags(unshare_flags);
if (err)
goto bad_unshare_out;
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -135,6 +135,10 @@ static enum sysctl_writes_mode sysctl_wr
int sysctl_legacy_va_layout;
#endif
+#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+#endif
+
#endif /* CONFIG_SYSCTL */
/*
@@ -1618,6 +1622,15 @@ static struct ctl_table kern_table[] = {
.mode = 0644,
.proc_handler = proc_dointvec,
},
+#ifdef CONFIG_USER_NS
+ {
+ .procname = "unprivileged_userns_clone",
+ .data = &unprivileged_userns_clone,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+#endif
#ifdef CONFIG_PROC_SYSCTL
{
.procname = "tainted",
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -22,6 +22,9 @@
#include <linux/bsearch.h>
#include <linux/sort.h>
+/* sysctl */
+int unprivileged_userns_clone = 1;
+
static struct kmem_cache *user_ns_cachep __ro_after_init;
static DEFINE_MUTEX(userns_state_mutex);

29
debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch vendored Normal file
View File

@@ -0,0 +1,29 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 19 Nov 2010 02:12:48 +0000
Subject: [PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits
Forwarded: not-needed
Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.
The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
not present in the 'lenny' kernel, and seems to receive only sporadic
maintenance. Therefore disable auto-loading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ieee802154/socket.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -1138,4 +1138,4 @@ module_init(af_ieee802154_init);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("IEEE 802.15.4 socket interface");
-MODULE_ALIAS_NETPROTO(PF_IEEE802154);
+/* MODULE_ALIAS_NETPROTO(PF_IEEE802154); */

62
debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch vendored Normal file
View File

@@ -0,0 +1,62 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 22 Jun 2018 17:27:00 +0100
Subject: android: Enable building ashmem and binder as modules
Bug-Debian: https://bugs.debian.org/901492
We want to enable use of the Android ashmem and binder drivers to
support Anbox, but they should not be built-in as that would waste
resources and increase security attack surface on systems that don't
need them.
- Add a MODULE_LICENSE declaration to ashmem
- Change the Makefiles to build each driver as an object with the
"_linux" suffix (which is what Anbox expects)
- Change config symbol types to tristate
Update:
In upstream commit 721412ed3d titled "staging: remove ashmem" the ashmem
driver was removed entirely. Secondary commit message:
"The mainline replacement for ashmem is memfd, so remove the legacy
code from drivers/staging/"
Consequently, the ashmem part of this patch has been removed.
---
drivers/android/Kconfig | 2 +-
drivers/android/Makefile | 7 ++++---
drivers/android/binder_alloc.c | 2 +-
3 files changed, 6 insertions(+), 5 deletions(-)
--- a/drivers/android/Kconfig
+++ b/drivers/android/Kconfig
@@ -2,7 +2,7 @@
menu "Android"
config ANDROID_BINDER_IPC
- bool "Android Binder IPC Driver"
+ tristate "Android Binder IPC Driver"
depends on MMU
default n
help
--- a/drivers/android/Makefile
+++ b/drivers/android/Makefile
@@ -1,6 +1,7 @@
# SPDX-License-Identifier: GPL-2.0-only
ccflags-y += -I$(src) # needed for trace events
-obj-$(CONFIG_ANDROID_BINDERFS) += binderfs.o
-obj-$(CONFIG_ANDROID_BINDER_IPC) += binder.o binder_alloc.o
-obj-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
+obj-$(CONFIG_ANDROID_BINDER_IPC) += binder_linux.o
+binder_linux-y := binder.o binder_alloc.o
+binder_linux-$(CONFIG_ANDROID_BINDERFS) += binderfs.o
+binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -38,7 +38,7 @@ enum {
};
static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;
-module_param_named(debug_mask, binder_alloc_debug_mask,
+module_param_named(alloc_debug_mask, binder_alloc_debug_mask,
uint, 0644);
#define binder_alloc_debug(mask, x...) \

26
debian/patches/debian/arch-sh4-fix-uimage-build.patch vendored Normal file
View File

@@ -0,0 +1,26 @@
From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
Subject: [sh4] Fix uImage build
Bug-Debian: https://bugs.debian.org/569034
Forwarded: not-needed
[bwh: This was added without a description, but I think it is done
only to avoid a build-dependency on u-boot-tools.]
---
arch/sh/Makefile | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/sh/Makefile b/arch/sh/Makefile
index da9cf952f33c..974bbd9dcfcf 100644
--- a/arch/sh/Makefile
+++ b/arch/sh/Makefile
@@ -85,7 +85,6 @@ OBJCOPYFLAGS := -O binary -R .note -R .note.gnu.build-id -R .comment \
# Give the various platforms the opportunity to set default image types
defaultimage-y := zImage
-defaultimage-$(CONFIG_SH_SH7785LCR) := uImage
defaultimage-$(CONFIG_SH_RSK) := uImage
defaultimage-$(CONFIG_SH_URQUELL) := uImage
defaultimage-$(CONFIG_SH_MIGOR) := uImage
--
2.27.0

45
debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch vendored Normal file
View File

@@ -0,0 +1,45 @@
From: Adam Borowski <kilobyte@angband.pl>
Date: Tue, 28 Mar 2017 16:55:05 +0200
Subject: btrfs: warn about RAID5/6 being experimental at mount time
Bug-Debian: https://bugs.debian.org/863290
Origin: https://bugs.debian.org/863290#5
Forwarded: https://lore.kernel.org/linux-btrfs/4105665.mVaztBssJx@bagend/
Too many people come complaining about losing their data -- and indeed,
there's no warning outside a wiki and the mailing list tribal knowledge.
Message severity chosen for consistency with XFS -- "alert" makes dmesg
produce nice red background which should get the point across.
Signed-off-by: Adam Borowski <kilobyte@angband.pl>
[bwh: Also add_taint() so this is flagged in bug reports]
[2023-01-10: still accurate according to btrfs-progs own manpage:
https://git.kernel.org/pub/scm/linux/kernel/git/kdave/btrfs-progs.git/commit/?id=922797e15590b836e377d6dc47b828356cafc2a9]
[2024-03-17: still accurate; manpage is now in Documentation/btrfs-man5.rst
implementation went from disk-io.c to super.c; forwarded the issue]
---
fs/btrfs/super.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index 101f786963d4..2c409bce1bf5 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -731,6 +731,18 @@ static void set_device_specific_options(struct btrfs_fs_info *fs_info)
!fs_info->fs_devices->rotating)
btrfs_set_opt(fs_info->mount_opt, SSD);
+ /*
+ * Warn about RAID5/6 being experimental at mount time
+ */
+ if ((fs_info->avail_data_alloc_bits |
+ fs_info->avail_metadata_alloc_bits |
+ fs_info->avail_system_alloc_bits) &
+ BTRFS_BLOCK_GROUP_RAID56_MASK) {
+ btrfs_alert(fs_info,
+ "btrfs RAID5/6 is EXPERIMENTAL and has known data-loss bugs");
+ add_taint(TAINT_AUX, LOCKDEP_STILL_OK);
+ }
+
/*
* For devices supporting discard turn on discard=async automatically,
* unless it's already set or disabled. This could be turned off by

27
debian/patches/debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch vendored Normal file
View File

@@ -0,0 +1,27 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: cdc_ncm,cdc_mbim: Use NCM by default
Date: Sun, 31 Mar 2013 03:58:04 +0100
Forwarded: not-needed
Devices that support both NCM and MBIM modes should be kept in NCM
mode unless there is userland support for MBIM.
Set the default value of cdc_ncm.prefer_mbim to false and leave it to
userland (modem-manager) to override this with a modprobe.conf file
once it's ready to speak MBIM.
---
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -53,11 +53,7 @@
#include <linux/usb/cdc.h>
#include <linux/usb/cdc_ncm.h>
-#if IS_ENABLED(CONFIG_USB_NET_CDC_MBIM)
-static bool prefer_mbim = true;
-#else
static bool prefer_mbim;
-#endif
module_param(prefer_mbim, bool, 0644);
MODULE_PARM_DESC(prefer_mbim, "Prefer MBIM setting on dual NCM/MBIM functions");

41
debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch vendored Normal file
View File

@@ -0,0 +1,41 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 16 Feb 2017 19:09:17 +0000
Subject: dccp: Disable auto-loading as mitigation against local exploits
Forwarded: not-needed
We can mitigate the effect of vulnerabilities in obscure protocols by
preventing unprivileged users from loading the modules, so that they
are only exploitable on systems where the administrator has chosen to
load the protocol.
The 'dccp' protocol is not actively maintained or widely used.
Therefore disable auto-loading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -1071,8 +1071,8 @@ module_exit(dccp_v4_exit);
* values directly, Also cover the case where the protocol is not specified,
* i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP
*/
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6);
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6);
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); */
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
MODULE_DESCRIPTION("DCCP - Datagram Congestion Controlled Protocol");
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -1125,8 +1125,8 @@ module_exit(dccp_v6_exit);
* values directly, Also cover the case where the protocol is not specified,
* i.e. net-pf-PF_INET6-proto-0-type-SOCK_DCCP
*/
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6);
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6);
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); */
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
MODULE_DESCRIPTION("DCCPv6 - Datagram Congestion Controlled Protocol");

29
debian/patches/debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch vendored Normal file
View File

@@ -0,0 +1,29 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 13 Apr 2009 17:34:00 +0100
Subject: Remove microcode patches for mgsuvd (not enabled in Debian configs)
Forwarded: not-needed
diff --git a/arch/powerpc/platforms/8xx/Kconfig b/arch/powerpc/platforms/8xx/Kconfig
index 48a920a..81570b6 100644
--- a/arch/powerpc/platforms/8xx/Kconfig
+++ b/arch/powerpc/platforms/8xx/Kconfig
@@ -160,16 +160,19 @@ config NO_UCODE_PATCH
config USB_SOF_UCODE_PATCH
bool "USB SOF patch"
+ depends on BROKEN
help
Help not implemented yet, coming soon.
config I2C_SPI_UCODE_PATCH
bool "I2C/SPI relocation patch"
+ depends on BROKEN
help
Help not implemented yet, coming soon.
config I2C_SPI_SMC1_UCODE_PATCH
bool "I2C/SPI/SMC1 relocation patch"
+ depends on BROKEN
help
Help not implemented yet, coming soon.

18
debian/patches/debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch vendored Normal file
View File

@@ -0,0 +1,18 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 24 Aug 2019 19:00:41 +0100
Subject: Documentation: Fix broken link to CIPSO draft
Forwarded: not-needed
We exclude the CIPSO draft text as its licence is not DFSG compliant.
Link to the IETF's online version instead.
---
--- a/Documentation/netlabel/draft_ietf.rst
+++ b/Documentation/netlabel/draft_ietf.rst
@@ -1,5 +1,4 @@
Draft IETF CIPSO IP Security
----------------------------
- .. include:: draft-ietf-cipso-ipsecurity-01.txt
- :literal:
+https://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01

15
debian/patches/debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch vendored Normal file
View File

@@ -0,0 +1,15 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 17 Aug 2009 02:45:41 +0100
Subject: dvb-usb-af9005: mark as broken
Forwarded: not-needed
--- a/drivers/media/usb/dvb-usb/Kconfig
+++ b/drivers/media/usb/dvb-usb/Kconfig
@@ -227,6 +227,7 @@ config DVB_USB_OPERA1
config DVB_USB_AF9005
tristate "Afatech AF9005 DVB-T USB1.1 support"
+ depends on BROKEN
depends on DVB_USB
select MEDIA_TUNER_MT2060 if MEDIA_SUBDRV_AUTOSELECT
select MEDIA_TUNER_QT1010 if MEDIA_SUBDRV_AUTOSELECT

129
debian/patches/debian/dfsg/video-remove-nvidiafb-and-rivafb.patch vendored Normal file
View File

@@ -0,0 +1,129 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 2 Jun 2012 19:53:38 +0100
Subject: video: Remove nvidiafb and rivafb
Bug-Debian: https://bugs.debian.org/383481
Forwarded: no
These drivers contain register programming code provided by the
hardware vendor that appears to have been deliberately obfuscated.
This is arguably not the preferred form for modification.
These drivers are also largely redundant with nouveau. The RIVA 128
(NV3) is not supported by nouveau but is about 15 years old and
probably discontinued 10 years ago.
---
--- a/drivers/video/fbdev/Kconfig
+++ b/drivers/video/fbdev/Kconfig
@@ -654,100 +654,6 @@ config FB_ATMEL
help
This enables support for the AT91 LCD Controller.
-config FB_NVIDIA
- tristate "nVidia Framebuffer Support"
- depends on FB && PCI
- select FB_BACKLIGHT if FB_NVIDIA_BACKLIGHT
- select FB_CFB_FILLRECT
- select FB_CFB_COPYAREA
- select FB_CFB_IMAGEBLIT
- select FB_IOMEM_FOPS
- select BITREVERSE
- select VGASTATE
- help
- This driver supports graphics boards with the nVidia chips, TNT
- and newer. For very old chipsets, such as the RIVA128, then use
- the rivafb.
- Say Y if you have such a graphics board.
-
- To compile this driver as a module, choose M here: the
- module will be called nvidiafb.
-
-config FB_NVIDIA_I2C
- bool "Enable DDC Support"
- depends on FB_NVIDIA
- select FB_DDC
- help
- This enables I2C support for nVidia Chipsets. This is used
- only for getting EDID information from the attached display
- allowing for robust video mode handling and switching.
-
- Because fbdev-2.6 requires that drivers must be able to
- independently validate video mode parameters, you should say Y
- here.
-
-config FB_NVIDIA_DEBUG
- bool "Lots of debug output"
- depends on FB_NVIDIA
- help
- Say Y here if you want the nVidia driver to output all sorts
- of debugging information to provide to the maintainer when
- something goes wrong.
-
-config FB_NVIDIA_BACKLIGHT
- bool "Support for backlight control"
- depends on FB_NVIDIA
- default y
- help
- Say Y here if you want to control the backlight of your display.
-
-config FB_RIVA
- tristate "nVidia Riva support"
- depends on FB && PCI
- select FB_BACKLIGHT if FB_RIVA_BACKLIGHT
- select FB_CFB_FILLRECT
- select FB_CFB_COPYAREA
- select FB_CFB_IMAGEBLIT
- select FB_IOMEM_FOPS
- select FB_MODE_HELPERS
- select BITREVERSE
- select VGASTATE
- help
- This driver supports graphics boards with the nVidia Riva/Geforce
- chips.
- Say Y if you have such a graphics board.
-
- To compile this driver as a module, choose M here: the
- module will be called rivafb.
-
-config FB_RIVA_I2C
- bool "Enable DDC Support"
- depends on FB_RIVA
- select FB_DDC
- help
- This enables I2C support for nVidia Chipsets. This is used
- only for getting EDID information from the attached display
- allowing for robust video mode handling and switching.
-
- Because fbdev-2.6 requires that drivers must be able to
- independently validate video mode parameters, you should say Y
- here.
-
-config FB_RIVA_DEBUG
- bool "Lots of debug output"
- depends on FB_RIVA
- help
- Say Y here if you want the Riva driver to output all sorts
- of debugging information to provide to the maintainer when
- something goes wrong.
-
-config FB_RIVA_BACKLIGHT
- bool "Support for backlight control"
- depends on FB_RIVA
- default y
- help
- Say Y here if you want to control the backlight of your display.
-
config FB_I740
tristate "Intel740 support"
depends on FB && PCI
--- a/drivers/video/fbdev/Makefile
+++ b/drivers/video/fbdev/Makefile
@@ -22,8 +22,6 @@ obj-$(CONFIG_FB_PM3) += pm3fb.o
obj-$(CONFIG_FB_I740) += i740fb.o
obj-$(CONFIG_FB_MATROX) += matrox/
-obj-$(CONFIG_FB_RIVA) += riva/
-obj-$(CONFIG_FB_NVIDIA) += nvidia/
obj-$(CONFIG_FB_ATY) += aty/ macmodes.o
obj-$(CONFIG_FB_ATY128) += aty/ macmodes.o
obj-$(CONFIG_FB_RADEON) += aty/

56
debian/patches/debian/documentation-drop-sphinx-version-check.patch vendored Normal file
View File

@@ -0,0 +1,56 @@
From 252aa79fdbd4ac2da09d9b98f81bf11f5e3e1870 Mon Sep 17 00:00:00 2001
From: Bastian Blank <waldi@debian.org>
Date: Tue, 4 Aug 2020 09:44:19 +0000
Subject: [PATCH 1/2] Documentation: Drop sphinx version check
Forwarded: not-needed
---
Documentation/Makefile | 6 ------
1 file changed, 6 deletions(-)
--- a/Documentation/Makefile
+++ b/Documentation/Makefile
@@ -118,7 +118,6 @@ $(YNL_RST_DIR)/%.rst: $(YNL_YAML_DIR)/%.
htmldocs texinfodocs latexdocs epubdocs xmldocs: $(YNL_INDEX)
htmldocs:
- @$(srctree)/scripts/sphinx-pre-install --version-check
@+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,html,$(var),,$(var)))
# If Rust support is available and .config exists, add rustdoc generated contents.
@@ -132,7 +131,6 @@ endif
endif
texinfodocs:
- @$(srctree)/scripts/sphinx-pre-install --version-check
@+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,texinfo,$(var),texinfo,$(var)))
# Note: the 'info' Make target is generated by sphinx itself when
@@ -144,7 +142,6 @@ linkcheckdocs:
@$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,linkcheck,$(var),,$(var)))
latexdocs:
- @$(srctree)/scripts/sphinx-pre-install --version-check
@+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,latex,$(var),latex,$(var)))
ifeq ($(HAVE_PDFLATEX),0)
@@ -157,7 +154,6 @@ else # HAVE_PDFLATEX
pdfdocs: DENY_VF = XDG_CONFIG_HOME=$(FONTS_CONF_DENY_VF)
pdfdocs: latexdocs
- @$(srctree)/scripts/sphinx-pre-install --version-check
$(foreach var,$(SPHINXDIRS), \
$(MAKE) PDFLATEX="$(PDFLATEX)" LATEXOPTS="$(LATEXOPTS)" $(DENY_VF) -C $(BUILDDIR)/$(var)/latex || sh $(srctree)/scripts/check-variable-fonts.sh || exit; \
mkdir -p $(BUILDDIR)/$(var)/pdf; \
@@ -167,11 +163,9 @@ pdfdocs: latexdocs
endif # HAVE_PDFLATEX
epubdocs:
- @$(srctree)/scripts/sphinx-pre-install --version-check
@+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,epub,$(var),epub,$(var)))
xmldocs:
- @$(srctree)/scripts/sphinx-pre-install --version-check
@+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,xml,$(var),xml,$(var)))
endif # HAVE_SPHINX

126
debian/patches/debian/export-symbols-needed-by-android-drivers.patch vendored Normal file
View File

@@ -0,0 +1,126 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 05 Aug 2024 03:26:48 +0200
Subject: Export symbols needed by binder
Bug-Debian: https://bugs.debian.org/901492
We want to enable use of the Android binder driver to support
Waydroid, but it should not be built-in as that would waste resources
and increase security attack surface on systems that don't need it.
Export the currently un-exported symbols it depends on.
---
fs/file.c | 1 +
ipc/msgutil.c | 1 +
ipc/namespace.c | 1 +
kernel/sched/syscalls.c | 1 +
kernel/sched/wait.c | 1 +
kernel/task_work.c | 1 +
mm/memory.c | 1 +
security/security.c | 4 ++++
8 files changed, 11 insertions(+)
--- a/fs/file.c
+++ b/fs/file.c
@@ -823,6 +823,7 @@ struct file *file_close_fd(unsigned int
return file;
}
+EXPORT_SYMBOL_GPL(file_close_fd);
void do_close_on_exec(struct files_struct *files)
{
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -33,6 +33,7 @@ struct ipc_namespace init_ipc_ns = {
.ns.ops = &ipcns_operations,
#endif
};
+EXPORT_SYMBOL_GPL(init_ipc_ns);
struct msg_msgseg {
struct msg_msgseg *next;
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -205,6 +205,7 @@ void put_ipc_ns(struct ipc_namespace *ns
schedule_work(&free_ipc_work);
}
}
+EXPORT_SYMBOL_GPL(put_ipc_ns);
static inline struct ipc_namespace *to_ipc_ns(struct ns_common *ns)
{
--- a/kernel/sched/syscalls.c
+++ b/kernel/sched/syscalls.c
@@ -140,6 +140,7 @@ int can_nice(const struct task_struct *p
{
return is_nice_reduction(p, nice) || capable(CAP_SYS_NICE);
}
+EXPORT_SYMBOL_GPL(can_nice);
#ifdef __ARCH_WANT_SYS_NICE
--- a/kernel/sched/wait.c
+++ b/kernel/sched/wait.c
@@ -212,6 +212,7 @@ void __wake_up_pollfree(struct wait_queu
/* POLLFREE must have cleared the queue. */
WARN_ON_ONCE(waitqueue_active(wq_head));
}
+EXPORT_SYMBOL_GPL(__wake_up_pollfree);
/*
* Note: we use "set_current_state()" _after_ the wait-queue add,
--- a/kernel/task_work.c
+++ b/kernel/task_work.c
@@ -97,6 +97,7 @@ int task_work_add(struct task_struct *ta
return 0;
}
+EXPORT_SYMBOL_GPL(task_work_add);
/**
* task_work_cancel_match - cancel a pending work added by task_work_add()
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1934,6 +1934,7 @@ void zap_page_range_single(struct vm_are
tlb_finish_mmu(&tlb);
hugetlb_zap_end(vma, details);
}
+EXPORT_SYMBOL_GPL(zap_page_range_single);
/**
* zap_vma_ptes - remove ptes mapping the vma
--- a/security/security.c
+++ b/security/security.c
@@ -890,6 +890,7 @@ int security_binder_set_context_mgr(cons
{
return call_int_hook(binder_set_context_mgr, mgr);
}
+EXPORT_SYMBOL_GPL(security_binder_set_context_mgr);
/**
* security_binder_transaction() - Check if a binder transaction is allowed
@@ -905,6 +906,7 @@ int security_binder_transaction(const st
{
return call_int_hook(binder_transaction, from, to);
}
+EXPORT_SYMBOL_GPL(security_binder_transaction);
/**
* security_binder_transfer_binder() - Check if a binder transfer is allowed
@@ -920,6 +922,7 @@ int security_binder_transfer_binder(cons
{
return call_int_hook(binder_transfer_binder, from, to);
}
+EXPORT_SYMBOL_GPL(security_binder_transfer_binder);
/**
* security_binder_transfer_file() - Check if a binder file xfer is allowed
@@ -936,6 +939,7 @@ int security_binder_transfer_file(const
{
return call_int_hook(binder_transfer_file, from, to, file);
}
+EXPORT_SYMBOL_GPL(security_binder_transfer_file);
/**
* security_ptrace_access_check() - Check if tracing is allowed

29
debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch vendored Normal file
View File

@@ -0,0 +1,29 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS
Date: Wed, 13 Jul 2016 01:37:22 +0100
Forwarded: not-needed
Various free and proprietary AV products use this feature and users
apparently want it. But punting access checks to userland seems like
an easy way to deadlock the system, and there will be nothing we can
do about that. So warn and taint the kernel if this feature is
actually used.
---
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1661,6 +1661,14 @@ static int do_fanotify_mark(int fanotify
umask = FANOTIFY_EVENT_FLAGS;
}
+#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+ if (mask & FANOTIFY_PERM_EVENTS) {
+ pr_warn_once("%s (%d): Using fanotify permission checks may lead to deadlock; tainting kernel\n",
+ current->comm, current->pid);
+ add_taint(TAINT_AUX, LOCKDEP_STILL_OK);
+ }
+#endif
+
f = fdget(fanotify_fd);
if (unlikely(!f.file))
return -EBADF;

37
debian/patches/debian/firmware_loader-log-direct-loading-failures-as-info-for-d-i.path vendored Normal file
View File

@@ -0,0 +1,37 @@
From: Ben Hutchings <benh@debian.org>
Subject: firmware_loader: Log direct loading failures as info for d-i
Date: Thu, 30 May 2024 13:14:32 +0100
Forwarded: not-needed
On an installed Debian system, firmware packages will normally be
installed automatically based on a mapping of device IDs to firmware.
Within the Debian installer this has not yet happened and we need a
way to detect missing firmware.
Although many/most drivers log firmware loading failures, they do so
using many different formats. This adds a single log message to the
firmware loader, which the installer's hw-detect package will look
for. The log level is set to "info" because some failures are
expected and we do not want to confuse users with bogus error messages
(like in bug #966218).
NOTE: The log message format must not be changed without coordinating
this with the check-missing-firmware.sh in hw-detect.
---
drivers/base/firmware_loader/fallback.c | 2 +-
drivers/base/firmware_loader/main.c | 17 ++++++++---------
2 files changed, 9 insertions(+), 10 deletions(-)
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -586,6 +586,10 @@ fw_get_filesystem_firmware(struct device
}
__putname(path);
+ if (rc)
+ dev_info(device, "firmware: failed to load %s (%d)\n",
+ fw_priv->fw_name, rc);
+
return rc;
}

26
debian/patches/debian/fixdep-allow-overriding-hostcc-and-hostld.patch vendored Normal file
View File

@@ -0,0 +1,26 @@
From: Ben Hutchings <benh@debian.org>
Date: Sat, 13 May 2023 13:03:26 +0200
Subject: fixdep: Allow overriding HOSTCC and HOSTLD
Forwarded: not-needed
objtool always uses HOSTCC, HOSTLD, and HOSTAR, so we need to override
these on the command line for cross-builds of linux-kbuild. But it
also builds fixdep which still needs to be native in a cross-build.
Add support for REALHOSTCC and REALHOSTLD variables which, if set,
override HOSTCC and HOSTLD for fixdep only.
---
--- a/tools/build/Makefile.include
+++ b/tools/build/Makefile.include
@@ -2,7 +2,10 @@
build := -f $(srctree)/tools/build/Makefile.build dir=. obj
fixdep:
- $(Q)$(MAKE) -C $(srctree)/tools/build $(OUTPUT)fixdep
+ $(Q)$(MAKE) -C $(srctree)/tools/build \
+ $(if $(REALHOSTCC),HOSTCC=$(REALHOSTCC) HOSTCFLAGS=) \
+ $(if $(REALHOSTLD),HOSTLD=$(REALHOSTLD) KBUILD_HOSTLDFLAGS=) \
+ $(OUTPUT)fixdep
fixdep-clean:
$(Q)$(MAKE) -C $(srctree)/tools/build clean

26
debian/patches/debian/fjes-disable-autoload.patch vendored Normal file
View File

@@ -0,0 +1,26 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 18 Mar 2017 20:47:58 +0000
Subject: fjes: Disable auto-loading
Bug-Debian: https://bugs.debian.org/853976
Forwarded: no
fjes matches a generic ACPI device ID, and relies on its probe
function to distinguish whether that really corresponds to a supported
device. Very few system will need the driver and it wastes memory on
all the other systems where the same device ID appears, so disable
auto-loading.
---
Index: linux/drivers/net/fjes/fjes_main.c
===================================================================
--- linux.orig/drivers/net/fjes/fjes_main.c
+++ linux/drivers/net/fjes/fjes_main.c
@@ -36,7 +36,7 @@ static const struct acpi_device_id fjes_
{ACPI_MOTHERBOARD_RESOURCE_HID, 0},
{"", 0},
};
-MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids);
+/* MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids); */
static bool is_extended_socket_device(struct acpi_device *device)
{

22
debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch vendored Normal file
View File

@@ -0,0 +1,22 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: fs: Enable link security restrictions by default
Date: Fri, 02 Nov 2012 05:32:06 +0000
Bug-Debian: https://bugs.debian.org/609455
Forwarded: not-needed
This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
('VFS: don't do protected {sym,hard}links by default').
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1020,8 +1020,8 @@ static inline void put_link(struct namei
path_put(&last->link);
}
-static int sysctl_protected_symlinks __read_mostly;
-static int sysctl_protected_hardlinks __read_mostly;
+static int sysctl_protected_symlinks __read_mostly = 1;
+static int sysctl_protected_hardlinks __read_mostly = 1;
static int sysctl_protected_fifos __read_mostly;
static int sysctl_protected_regular __read_mostly;

55
debian/patches/debian/gitignore.patch vendored Normal file
View File

@@ -0,0 +1,55 @@
From: Ian Campbell <ijc@hellion.org.uk>
Date: Thu, 17 Jan 2013 08:55:21 +0000
Subject: Tweak gitignore for Debian pkg-kernel using git
Forwarded: not-needed
[bwh: Tweak further for pure git]
---
.gitignore | 25 +++++++------------------
1 file changed, 7 insertions(+), 18 deletions(-)
--- a/.gitignore
+++ b/.gitignore
@@ -78,11 +78,6 @@ modules.order
/rpmbuild/
#
-# Debian directory (make deb-pkg)
-#
-/debian/
-
-#
# Snap directory (make snap-pkg)
#
/snap/
@@ -99,19 +94,6 @@ modules.order
/pacman/
#
-# We don't want to ignore the following even if they are dot-files
-#
-!.clang-format
-!.cocciconfig
-!.editorconfig
-!.get_maintainer.ignore
-!.gitattributes
-!.gitignore
-!.kunitconfig
-!.mailmap
-!.rustfmt.toml
-
-#
# Generated include files
#
/include/config/
@@ -177,3 +159,10 @@ sphinx_*/
# Rust analyzer configuration
/rust-project.json
+
+#
+# Debian packaging: ignore everything at the top level, since it isn't
+# included in our repository
+#
+/*
+!/debian/

48
debian/patches/debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch vendored Normal file
View File

@@ -0,0 +1,48 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 05 Aug 2019 00:29:11 +0100
Subject: hamradio: Disable auto-loading as mitigation against local exploits
Forwarded: not-needed
We can mitigate the effect of vulnerabilities in obscure protocols by
preventing unprivileged users from loading the modules, so that they
are only exploitable on systems where the administrator has chosen to
load the protocol.
The 'ham' radio protocols (ax25, netrom, rose) are not actively
maintained or widely used. Therefore disable auto-loading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1986,7 +1986,7 @@ module_init(ax25_init);
MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>");
MODULE_DESCRIPTION("The amateur radio AX.25 link layer protocol");
MODULE_LICENSE("GPL");
-MODULE_ALIAS_NETPROTO(PF_AX25);
+/* MODULE_ALIAS_NETPROTO(PF_AX25); */
static void __exit ax25_exit(void)
{
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1486,7 +1486,7 @@ MODULE_PARM_DESC(nr_ndevs, "number of NE
MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>");
MODULE_DESCRIPTION("The amateur radio NET/ROM network and transport layer protocol");
MODULE_LICENSE("GPL");
-MODULE_ALIAS_NETPROTO(PF_NETROM);
+/* MODULE_ALIAS_NETPROTO(PF_NETROM); */
static void __exit nr_exit(void)
{
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1577,7 +1577,7 @@ MODULE_PARM_DESC(rose_ndevs, "number of
MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>");
MODULE_DESCRIPTION("The amateur radio ROSE network layer protocol");
MODULE_LICENSE("GPL");
-MODULE_ALIAS_NETPROTO(PF_ROSE);
+/* MODULE_ALIAS_NETPROTO(PF_ROSE); */
static void __exit rose_exit(void)
{

26
debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch vendored Normal file
View File

@@ -0,0 +1,26 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: iwlwifi: Do not request unreleased firmware for IWL6000
Bug-Debian: https://bugs.debian.org/689416
Forwarded: not-needed
The iwlwifi driver currently supports firmware API versions 4-6 for
these devices. It will request the file for the latest supported
version and then fall back to earlier versions. However, the latest
version that has actually been released is 4, so we expect the
requests for versions 6 and then 5 to fail.
The installer appears to report any failed request, and it is probably
not easy to detect that this particular failure is harmless. So stop
requesting the unreleased firmware.
--- a/drivers/net/wireless/intel/iwlwifi/cfg/6000.c
+++ b/drivers/net/wireless/intel/iwlwifi/cfg/6000.c
@@ -31,7 +31,7 @@
#include "dvm/commands.h" /* needed for BT for now */
/* Highest firmware API version supported */
-#define IWL6000_UCODE_API_MAX 6
+#define IWL6000_UCODE_API_MAX 4 /* v5-6 are supported but not released */
#define IWL6050_UCODE_API_MAX 5
#define IWL6000G2_UCODE_API_MAX 6
#define IWL6035_UCODE_API_MAX 6

37
debian/patches/debian/kbuild-abort-build-if-subdirs-used.patch vendored Normal file
View File

@@ -0,0 +1,37 @@
From: Ben Hutchings <benh@debian.org>
Date: Mon, 26 Apr 2021 18:27:16 +0200
Subject: kbuild: Abort build if SUBDIRS used
Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/987575
DKMS and module-assistant both build OOT modules as root. If they
build an old OOT module that still use SUBDIRS this causes Kbuild
to try building a full kernel, which obviously fails but not before
deleting files from the installed headers package.
To avoid such mishaps, detect this situation and abort the build.
The error message is based on that used in commit 0126be38d988
"kbuild: announce removal of SUBDIRS if used".
---
--- a/Makefile
+++ b/Makefile
@@ -218,6 +218,18 @@ ifeq ("$(origin M)", "command line")
KBUILD_EXTMOD := $(M)
endif
+# Old syntax make ... SUBDIRS=$PWD should be rejected to avoid mishaps
+# (see Debian bugs #982334, #987575)
+ifndef KBUILD_EXTMOD
+ ifdef SUBDIRS
+ $(warning =============== ERROR ==============)
+ $(warning 'SUBDIRS' was removed in Linux 5.3)
+ $(warning Use 'M=' or 'KBUILD_EXTMOD=' instead)
+ $(warning ====================================)
+ $(error .)
+ endif
+endif
+
$(if $(word 2, $(KBUILD_EXTMOD)), \
$(error building multiple external modules is not supported))

57
debian/patches/debian/kbuild-look-for-module.lds-under-arch-directory-too.patch vendored Normal file
View File

@@ -0,0 +1,57 @@
From: Ben Hutchings <benh@debian.org>
Date: Thu, 10 Dec 2020 17:31:39 +0100
Subject: kbuild: Look for module.lds under arch directory too
Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/975571
The module.lds linker script is now built under the scripts directory,
where previously it was under arch/$(SRCARCH).
However, we package the scripts directory as linux-kbuild, which is
meant to be able to do support native and cross-builds. That means it
shouldn't contain files for a specific target architecture without a
wrapper to select between them, and it doesn't appear that linker
scripts are powerful enough to implement such a wrapper.
Building module.lds in a different location would require relatively
large changes. Moving it in the package build rules can work, but we
need to support custom kernel builds from the same source so we can't
assume it's moved.
Therefore, we move module.lds under the arch build directory in
rules.real and change Makefile.modfinal to look for it in both places.
---
scripts/Makefile.modfinal | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal
index 8568d256d6fb..415cff66539b 100644
--- a/scripts/Makefile.modfinal
+++ b/scripts/Makefile.modfinal
@@ -28,11 +28,13 @@ quiet_cmd_cc_o_c = CC [M] $@
%.mod.o: %.mod.c FORCE
$(call if_changed_dep,cc_o_c)
+ARCH_MODULE_LDS := $(word 1,$(wildcard scripts/module.lds arch/$(SRCARCH)/module.lds))
+
quiet_cmd_ld_ko_o = LD [M] $@
cmd_ld_ko_o += \
$(LD) -r $(KBUILD_LDFLAGS) \
$(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE) \
- -T scripts/module.lds -o $@ $(filter %.o, $^)
+ -T $(ARCH_MODULE_LDS) -o $@ $(filter %.o, $^)
quiet_cmd_btf_ko = BTF [M] $@
cmd_btf_ko = \
@@ -52,7 +54,7 @@ if_changed_except = $(if $(call newer_prereqs_except,$(2))$(cmd-check), \
printf '%s\n' 'savedcmd_$@ := $(make-cmd)' > $(dot-target).cmd, @:)
# Re-generate module BTFs if either module's .ko or vmlinux changed
-%.ko: %.o %.mod.o scripts/module.lds $(and $(CONFIG_DEBUG_INFO_BTF_MODULES),$(KBUILD_BUILTIN),vmlinux) FORCE
+%.ko: %.o %.mod.o $(ARCH_MODULE_LDS) $(and $(CONFIG_DEBUG_INFO_BTF_MODULES),$(KBUILD_BUILTIN),vmlinux) FORCE
+$(call if_changed_except,ld_ko_o,vmlinux)
ifdef CONFIG_DEBUG_INFO_BTF_MODULES
+$(if $(newer-prereqs),$(call cmd,btf_ko))
--
2.42.0

92
debian/patches/debian/kernelvariables.patch vendored Normal file
View File

@@ -0,0 +1,92 @@
From: Bastian Blank <waldi@debian.org>
Subject: kbuild: Make the toolchain variables easily overwritable
Date: Sun, 22 Feb 2009 15:39:35 +0100
Forwarded: not-needed
Allow make variables to be overridden for each flavour by a file in
the build tree, .kernelvariables.
We currently use this for ARCH, KERNELRELEASE, CC, and in some cases
also CROSS_COMPILE, KCFLAGS.
This file can only be read after we establish the build tree, and all
use of $(ARCH) needs to be moved after this.
[bwh: Updated for 5.3: include .kernelvariables from current directory
rather than using undefined $(obj).]
---
--- a/Makefile
+++ b/Makefile
@@ -406,36 +406,6 @@ include $(srctree)/scripts/subarch.inclu
# Note: Some architectures assign CROSS_COMPILE in their arch/*/Makefile
ARCH ?= $(SUBARCH)
-# Architecture as present in compile.h
-UTS_MACHINE := $(ARCH)
-SRCARCH := $(ARCH)
-
-# Additional ARCH settings for x86
-ifeq ($(ARCH),i386)
- SRCARCH := x86
-endif
-ifeq ($(ARCH),x86_64)
- SRCARCH := x86
-endif
-
-# Additional ARCH settings for sparc
-ifeq ($(ARCH),sparc32)
- SRCARCH := sparc
-endif
-ifeq ($(ARCH),sparc64)
- SRCARCH := sparc
-endif
-
-# Additional ARCH settings for parisc
-ifeq ($(ARCH),parisc64)
- SRCARCH := parisc
-endif
-
-export cross_compiling :=
-ifneq ($(SRCARCH),$(SUBARCH))
-cross_compiling := 1
-endif
-
KCONFIG_CONFIG ?= .config
export KCONFIG_CONFIG
@@ -551,6 +521,35 @@ RUSTFLAGS_KERNEL =
AFLAGS_KERNEL =
LDFLAGS_vmlinux =
+-include .kernelvariables
+
+# Architecture as present in compile.h
+UTS_MACHINE := $(ARCH)
+SRCARCH := $(ARCH)
+
+# Additional ARCH settings for x86
+ifeq ($(ARCH),i386)
+ SRCARCH := x86
+endif
+ifeq ($(ARCH),x86_64)
+ SRCARCH := x86
+endif
+
+# Additional ARCH settings for sparc
+ifeq ($(ARCH),sparc64)
+ SRCARCH := sparc
+endif
+
+# Additional ARCH settings for parisc
+ifeq ($(ARCH),parisc64)
+ SRCARCH := parisc
+endif
+
+# Additional ARCH settings for sh
+ifeq ($(ARCH),sh64)
+ SRCARCH := sh
+endif
+
# Use USERINCLUDE when you must reference the UAPI directories only.
USERINCLUDE := \
-I$(srctree)/arch/$(SRCARCH)/include/uapi \

52
debian/patches/debian/linux-perf-remove-remaining-source-filenames-from-executable.patch vendored Normal file
View File

@@ -0,0 +1,52 @@
From: Ben Hutchings <benh@debian.org>
Date: Tue, 30 May 2023 00:16:39 +0200
Subject: linux-perf: Remove remaining source filenames from executable
When we build perf with -ffile-prefix-map, there are still 2
source directory names embedded in the executable:
1. The Documentation subdirectory, used as a fallback from the
installed location.
2. The python subdirectory, used in the Python script test.
Remove (1) since it is an unnecessary fallback. Change (2)
to the installed location.
---
--- a/tools/perf/builtin-report.c
+++ b/tools/perf/builtin-report.c
@@ -654,10 +654,12 @@ static int report__browse_hists(struct r
path = system_path(TIPDIR);
if (perf_tip(&help, path) || help == NULL) {
+#if 0
/* fallback for people who don't install perf ;-) */
free(path);
path = system_path(DOCDIR);
if (perf_tip(&help, path) || help == NULL)
+#endif
help = strdup("Cannot load tips.txt file, please install perf!");
}
free(path);
--- a/tools/perf/tests/Build
+++ b/tools/perf/tests/Build
@@ -73,7 +73,7 @@ perf-test-$(CONFIG_DWARF_UNWIND) += dwar
endif
CFLAGS_attr.o += -DBINDIR="BUILD_STR($(bindir_SQ))" -DPYTHON="BUILD_STR($(PYTHON_WORD))"
-CFLAGS_python-use.o += -DPYTHONPATH="BUILD_STR($(OUTPUT)python)" -DPYTHON="BUILD_STR($(PYTHON_WORD))"
+CFLAGS_python-use.o += -DPYTHONPATH="BUILD_STR($(perfexec_instdir_SQ)/scripts/python)" -DPYTHON="BUILD_STR($(PYTHON_WORD))"
CFLAGS_dwarf-unwind.o += -fno-optimize-sibling-calls
perf-test-y += workloads/
--- a/tools/perf/Build
+++ b/tools/perf/Build
@@ -51,7 +51,7 @@ CFLAGS_perf.o += -DPERF_HTM
-DPREFIX="BUILD_STR($(prefix_SQ))"
CFLAGS_builtin-trace.o += -DSTRACE_GROUPS_DIR="BUILD_STR($(STRACE_GROUPS_DIR_SQ))"
CFLAGS_builtin-report.o += -DTIPDIR="BUILD_STR($(tipdir_SQ))"
-CFLAGS_builtin-report.o += -DDOCDIR="BUILD_STR($(srcdir_SQ)/Documentation)"
+#CFLAGS_builtin-report.o += -DDOCDIR="BUILD_STR($(srcdir_SQ)/Documentation)"
perf-util-y += util/
perf-util-y += arch/

31
debian/patches/debian/makefile-make-compiler-version-comparison-optional.patch vendored Normal file
View File

@@ -0,0 +1,31 @@
From: Ben Hutchings <benh@debian.org>
Date: Thu, 15 Sep 2022 02:14:03 +0200
Subject: Makefile: Make compiler version comparison optional
Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/1019749
The top-level Makefile warns if the compiler version string changes at
all between the kernel build and an out-of-tree module build.
We expect that major compiler version changes could introduce ABI
changes, and override the CC variable in out-of-tree module builds to
ensure that the same major compiler version is used. But minor
version changes should not make a difference, so this exact version
comparison produces false warnings.
Since custom kernel packages don't have that, don't remove the version
comparison. Instead, skip it if $(DEBIAN_KERNEL_NO_CC_VERSION_CHECK)
is non-empty.
---
--- a/Makefile
+++ b/Makefile
@@ -1753,7 +1753,7 @@ PHONY += prepare
# now expand this into a simple variable to reduce the cost of shell evaluations
prepare: CC_VERSION_TEXT := $(CC_VERSION_TEXT)
prepare:
- @if [ "$(CC_VERSION_TEXT)" != "$(CONFIG_CC_VERSION_TEXT)" ]; then \
+ @if [ -z "$(DEBIAN_KERNEL_NO_CC_VERSION_CHECK)" ] && [ "$(CC_VERSION_TEXT)" != "$(CONFIG_CC_VERSION_TEXT)" ]; then \
echo >&2 "warning: the compiler differs from the one used to build the kernel"; \
echo >&2 " The kernel was built by: $(CONFIG_CC_VERSION_TEXT)"; \
echo >&2 " You are using: $(CC_VERSION_TEXT)"; \

22
debian/patches/debian/mips-boston-disable-its.patch vendored Normal file
View File

@@ -0,0 +1,22 @@
From: YunQiang Su <syq@debian.org>
Date: Mon, 14 May 2018 16:16:18 +0800
Subject: Disable uImage generation for mips generic
Forwarded: not-needed
MIPS generic trys to generate uImage when build, which then ask for
u-boot-tools.
[bwh: Updated for 5.17:
- zload-y is no longer assigned here and appears to default to empty
- Adjust context]
--- a/arch/mips/generic/Platform
+++ b/arch/mips/generic/Platform
@@ -13,7 +13,6 @@ cflags-$(CONFIG_MACH_INGENIC_SOC) += -I$
cflags-$(CONFIG_MIPS_GENERIC) += -I$(srctree)/arch/mips/include/asm/mach-generic
load-$(CONFIG_MIPS_GENERIC) += 0xffffffff80100000
-all-$(CONFIG_MIPS_GENERIC) += vmlinux.gz.itb
its-y := vmlinux.its.S
its-$(CONFIG_FIT_IMAGE_FDT_BOSTON) += board-boston.its.S

20
debian/patches/debian/mips-enable-r2-to-r6-emu-by-default.patch vendored Normal file
View File

@@ -0,0 +1,20 @@
From: YunQiang Su <syq@debian.org>
Date: Mon, 14 May 2018 16:16:18 +0800
Subject: Enable R2 to R6 emulator by default
Forwarded: not-needed
In upstream code, 'mipsr2emu' kernel option is needed
to enable R2 to R6 emulator. Since we need r6 kernel
for our r2 port, let's always enable it.
--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
+++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
@@ -56,7 +56,7 @@ extern const unsigned int fpucondbit[8];
#define MIPS_R2_EMUL_TOTAL_PASS 10
-int mipsr2_emulation = 0;
+int mipsr2_emulation = 1;
static int __init mipsr2emu_enable(char *s)
{

35
debian/patches/debian/mips-ieee754-relaxed.patch vendored Normal file
View File

@@ -0,0 +1,35 @@
From: YunQiang Su <syq@debian.org>
Date: Mon 16 Nov 2020 09:11:00 +0800
Subject: Use RELAXED ieee754 mode for Loongson-3 as 3A 4000 is 2008-only
Forwarded: not-needed
There are 2 mode of value of IEEE NaN hardcoded by CPU.
Currently, our mipsel/mips64el port is in so-called lagacy mode.
Loongson 3A 4000 is set as the so-called 2008 mode.
To make Debian workable on Loongson 3A 4000, we need set the kerenl in
RELAXED mode.
https://web.archive.org/web/20180830093617/https://dmz-portal.mips.com/wiki/MIPS_ABI_-_NaN_Interlinking
[bwh: Update for addition of EMULATED mode in 6.11]
---
arch/mips/kernel/fpu-probe.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/mips/kernel/fpu-probe.c
+++ b/arch/mips/kernel/fpu-probe.c
@@ -144,7 +144,12 @@ static void cpu_set_fpu_2008(struct cpui
* IEEE 754 conformance mode to use. Affects the NaN encoding and the
* ABS.fmt/NEG.fmt execution mode.
*/
-static enum { STRICT, EMULATED, LEGACY, STD2008, RELAXED } ieee754 = STRICT;
+enum ieee754_mode { STRICT, EMULATED, LEGACY, STD2008, RELAXED };
+#ifdef CONFIG_CPU_LOONGSON64
+static enum ieee754_mode ieee754 = RELAXED;
+#else
+static enum ieee754_mode ieee754 = STRICT;
+#endif
/*
* Set the IEEE 754 NaN encodings and the ABS.fmt/NEG.fmt execution modes

40
debian/patches/debian/perf-traceevent-support-asciidoctor-for-documentatio.patch vendored Normal file
View File

@@ -0,0 +1,40 @@
From cd02fc78859ef9aefd7c92406f9523622da0b472 Mon Sep 17 00:00:00 2001
From: Bastian Blank <waldi@debian.org>
Date: Tue, 4 Aug 2020 09:44:37 +0000
Subject: [PATCH 2/2] perf/traceevent: Support asciidoctor for documentation
Forwarded: not-needed
---
tools/lib/perf/Documentation/Makefile | 2 +-
tools/perf/Documentation/Makefile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/lib/perf/Documentation/Makefile b/tools/lib/perf/Documentation/Makefile
index 972754082a85..272d06173a3e 100644
--- a/tools/lib/perf/Documentation/Makefile
+++ b/tools/lib/perf/Documentation/Makefile
@@ -35,7 +35,7 @@ htmldir = $(docdir)/html
exdir = $(docdir)/examples
ASCIIDOC = asciidoc
-ASCIIDOC_EXTRA = --unsafe -f asciidoc.conf
+ASCIIDOC_EXTRA =
ASCIIDOC_HTML = xhtml11
MANPAGE_XSL = manpage-normal.xsl
XMLTO_EXTRA =
diff --git a/tools/perf/Documentation/Makefile b/tools/perf/Documentation/Makefile
index 6e54979c2124..7bfa6ae971ab 100644
--- a/tools/perf/Documentation/Makefile
+++ b/tools/perf/Documentation/Makefile
@@ -48,7 +48,7 @@ man5dir=$(mandir)/man5
man7dir=$(mandir)/man7
ASCIIDOC=asciidoc
-ASCIIDOC_EXTRA += --unsafe -f asciidoc.conf
+ASCIIDOC_EXTRA +=
ASCIIDOC_HTML = xhtml11
MANPAGE_XSL = manpage-normal.xsl
XMLTO_EXTRA =
--
2.28.0

34
debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch vendored Normal file
View File

@@ -0,0 +1,34 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 19 Nov 2010 02:12:48 +0000
Subject: [PATCH 1/3] rds: Disable auto-loading as mitigation against local exploits
Forwarded: not-needed
Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.
The 'rds' protocol is one such protocol that has been found to be
vulnerable, and which was not present in the 'lenny' kernel.
Therefore disable auto-loading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/rds/af_rds.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
index 98e0538..d8d4525 100644
--- a/net/rds/af_rds.c
+++ b/net/rds/af_rds.c
@@ -574,4 +574,4 @@ MODULE_DESCRIPTION("RDS: Reliable Datagram Sockets"
" v" DRV_VERSION " (" DRV_RELDATE ")");
MODULE_VERSION(DRV_VERSION);
MODULE_LICENSE("Dual BSD/GPL");
-MODULE_ALIAS_NETPROTO(PF_RDS);
+/* MODULE_ALIAS_NETPROTO(PF_RDS); */
--
1.7.2.3

30
debian/patches/debian/snd-pcsp-disable-autoload.patch vendored Normal file
View File

@@ -0,0 +1,30 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 05 Feb 2014 23:01:30 +0000
Subject: snd-pcsp: Disable autoload
Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/697709
There are two drivers claiming the platform:pcspkr device:
- pcspkr creates an input(!) device that can only beep
- snd-pcsp creates an equivalent input device plus a PCM device that can
play barely recognisable renditions of sampled sound
snd-pcsp is blacklisted by the alsa-base package, but not everyone
installs that. On PCs where no sound is wanted at all, both drivers
will still be loaded and one or other will complain that it couldn't
claim the relevant I/O range.
In case anyone finds snd-pcsp useful, we continue to build it. But
remove the alias, to ensure it's not loaded where it's not wanted.
--- a/sound/drivers/pcsp/pcsp.c
+++ b/sound/drivers/pcsp/pcsp.c
@@ -22,7 +22,7 @@
MODULE_AUTHOR("Stas Sergeev <stsp@users.sourceforge.net>");
MODULE_DESCRIPTION("PC-Speaker driver");
MODULE_LICENSE("GPL");
-MODULE_ALIAS("platform:pcspkr");
+/*MODULE_ALIAS("platform:pcspkr");*/
static int index = SNDRV_DEFAULT_IDX1; /* Index 0-MAX */
static char *id = SNDRV_DEFAULT_STR1; /* ID for this card */

26
debian/patches/debian/tools-perf-install-python-bindings.patch vendored Normal file
View File

@@ -0,0 +1,26 @@
From: Adriaan Schmidt <adriaan.schmidt@siemens.com>
Date: Mon, 4 Apr 2022 13:38:33 +0200
Subject: tools: install perf python bindings
Bug-Debian: http://bugs.debian.org/860957
Forwarded: not-needed
---
tools/perf/Makefile.perf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/Makefile.perf b/tools/perf/Makefile.perf
index 80522bcfafe0..b011c7aae742 100644
--- a/tools/perf/Makefile.perf
+++ b/tools/perf/Makefile.perf
@@ -1026,7 +1026,7 @@ install-bin: install-tools install-tests install-traceevent-plugins
install: install-bin try-install-man
install-python_ext:
- $(PYTHON_WORD) util/setup.py --quiet install --root='/$(DESTDIR_SQ)'
+ $(PYTHON_WORD) util/setup.py --quiet install --root='/$(DESTDIR_SQ)' --install-layout=deb
# 'make install-doc' should call 'make -C Documentation install'
$(INSTALL_DOC_TARGETS):
--
2.30.2

32
debian/patches/debian/tools-perf-perf-read-vdso-in-libexec.patch vendored Normal file
View File

@@ -0,0 +1,32 @@
From: Ben Hutchings <benh@debian.org>
Date: Mon, 11 May 2015 02:51:07 +0000
Subject: linux-tools: Install perf-read-vdso{,x}32 in directory under /usr/lib
--- a/tools/perf/Makefile.perf
+++ b/tools/perf/Makefile.perf
@@ -943,21 +943,21 @@ install-tools: all install-gtk
$(LN) '$(DESTDIR_SQ)$(bindir_SQ)/perf' '$(DESTDIR_SQ)$(bindir_SQ)/trace'; \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(includedir_SQ)/perf'; \
$(INSTALL) -m 644 include/perf/perf_dlfilter.h -t '$(DESTDIR_SQ)$(includedir_SQ)/perf'
+ $(call QUIET_INSTALL, libexec) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)'
ifndef NO_PERF_READ_VDSO32
$(call QUIET_INSTALL, perf-read-vdso32) \
- $(INSTALL) $(OUTPUT)perf-read-vdso32 '$(DESTDIR_SQ)$(bindir_SQ)';
+ $(INSTALL) $(OUTPUT)perf-read-vdso32 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)';
endif
ifndef NO_PERF_READ_VDSOX32
$(call QUIET_INSTALL, perf-read-vdsox32) \
- $(INSTALL) $(OUTPUT)perf-read-vdsox32 '$(DESTDIR_SQ)$(bindir_SQ)';
+ $(INSTALL) $(OUTPUT)perf-read-vdsox32 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)';
endif
ifndef NO_JVMTI
$(call QUIET_INSTALL, $(LIBJVMTI)) \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(libdir_SQ)'; \
$(INSTALL) $(OUTPUT)$(LIBJVMTI) '$(DESTDIR_SQ)$(libdir_SQ)';
endif
- $(call QUIET_INSTALL, libexec) \
- $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)'
$(call QUIET_INSTALL, perf-archive) \
$(INSTALL) $(OUTPUT)perf-archive -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)'
$(call QUIET_INSTALL, perf-iostat) \

26
debian/patches/debian/uname-version-timestamp.patch vendored Normal file
View File

@@ -0,0 +1,26 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: Make mkcompile_h accept an alternate timestamp string
Date: Tue, 12 May 2015 19:29:22 +0100
Forwarded: not-needed
We want to include the Debian version in the utsname::version string
instead of a full timestamp string. However, we still need to provide
a standard timestamp string for gen_initramfs_list.sh to make the
kernel image reproducible.
Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
$KBUILD_BUILD_TIMESTAMP.
Index: linux/init/Makefile
===================================================================
--- linux.orig/init/Makefile
+++ linux/init/Makefile
@@ -29,7 +29,7 @@ preempt-flag-$(CONFIG_PREEMPT_DYNAMIC) :
preempt-flag-$(CONFIG_PREEMPT_RT) := PREEMPT_RT
build-version = $(or $(KBUILD_BUILD_VERSION), $(build-version-auto))
-build-timestamp = $(or $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
+build-timestamp = $(or $(KBUILD_BUILD_VERSION_TIMESTAMP), $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
# Maximum length of UTS_VERSION is 64 chars
filechk_uts_version = \

153
debian/patches/debian/version.patch vendored Normal file
View File

@@ -0,0 +1,153 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: Include package version along with kernel release in stack traces
Date: Tue, 24 Jul 2012 03:13:10 +0100
Forwarded: not-needed
For distribution binary packages we assume
$DISTRIBUTION_OFFICIAL_BUILD, $DISTRIBUTOR and $DISTRIBUTION_VERSION
are set.
---
Makefile | 16 +++++++++++++++-
arch/powerpc/kernel/process.c | 6 ++++--
arch/x86/um/sysrq_64.c | 6 ++++--
kernel/hung_task.c | 6 ++++--
lib/dump_stack.c | 7 +++++--
5 files changed, 32 insertions(+), 9 deletions(-)
--- a/Makefile
+++ b/Makefile
@@ -1186,7 +1186,8 @@ PHONY += prepare archprepare
archprepare: outputmakefile archheaders archscripts scripts include/config/kernel.release \
asm-generic $(version_h) include/generated/utsrelease.h \
- include/generated/compile.h include/generated/autoconf.h remove-stale-files
+ include/generated/compile.h include/generated/autoconf.h \
+ include/generated/package.h remove-stale-files
prepare0: archprepare
$(Q)$(MAKE) $(build)=scripts/mod
@@ -1244,6 +1245,16 @@ define filechk_version.h
echo \#define LINUX_VERSION_SUBLEVEL $(SUBLEVEL)
endef
+ifneq ($(DISTRIBUTION_OFFICIAL_BUILD),)
+define filechk_package.h
+ echo \#define LINUX_PACKAGE_ID \" $(DISTRIBUTOR) $(DISTRIBUTION_VERSION)\"
+endef
+else
+define filechk_package.h
+ echo \#define LINUX_PACKAGE_ID \"\"
+endef
+endif
+
$(version_h): private PATCHLEVEL := $(or $(PATCHLEVEL), 0)
$(version_h): private SUBLEVEL := $(or $(SUBLEVEL), 0)
$(version_h): FORCE
@@ -1258,6 +1269,9 @@ filechk_compile.h = $(srctree)/scripts/m
include/generated/compile.h: FORCE
$(call filechk,compile.h)
+include/generated/package.h: $(srctree)/Makefile FORCE
+ $(call filechk,package.h)
+
PHONY += headerdep
headerdep:
$(Q)find $(srctree)/include/ -name '*.h' | xargs --max-args 1 \
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -38,6 +38,7 @@
#include <linux/uaccess.h>
#include <linux/pkeys.h>
#include <linux/seq_buf.h>
+#include <generated/package.h>
#include <asm/interrupt.h>
#include <asm/io.h>
@@ -1562,8 +1563,9 @@ static void __show_regs(struct pt_regs *
printk("NIP: "REG" LR: "REG" CTR: "REG"\n",
regs->nip, regs->link, regs->ctr);
- printk("REGS: %px TRAP: %04lx %s (%s)\n",
- regs, regs->trap, print_tainted(), init_utsname()->release);
+ printk("REGS: %px TRAP: %04lx %s (%s%s)\n",
+ regs, regs->trap, print_tainted(), init_utsname()->release,
+ LINUX_PACKAGE_ID);
printk("MSR: "REG" ", regs->msr);
print_msr_bits(regs->msr);
pr_cont(" CR: %08lx XER: %08lx\n", regs->ccr, regs->xer);
--- a/arch/x86/um/sysrq_64.c
+++ b/arch/x86/um/sysrq_64.c
@@ -10,6 +10,7 @@
#include <linux/sched.h>
#include <linux/sched/debug.h>
#include <linux/utsname.h>
+#include <generated/package.h>
#include <asm/current.h>
#include <asm/ptrace.h>
#include <asm/sysrq.h>
@@ -18,8 +19,9 @@ void show_regs(struct pt_regs *regs)
{
printk("\n");
print_modules();
- printk(KERN_INFO "Pid: %d, comm: %.20s %s %s\n", task_pid_nr(current),
- current->comm, print_tainted(), init_utsname()->release);
+ printk(KERN_INFO "Pid: %d, comm: %.20s %s %s%s\n", task_pid_nr(current),
+ current->comm, print_tainted(), init_utsname()->release,
+ LINUX_PACKAGE_ID);
printk(KERN_INFO "RIP: %04lx:%pS\n", PT_REGS_CS(regs) & 0xffff,
(void *)PT_REGS_IP(regs));
printk(KERN_INFO "RSP: %016lx EFLAGS: %08lx\n", PT_REGS_SP(regs),
--- a/kernel/hung_task.c
+++ b/kernel/hung_task.c
@@ -24,6 +24,7 @@
#include <linux/sched/sysctl.h>
#include <trace/events/sched.h>
+#include <generated/package.h>
/*
* The number of tasks checked:
@@ -132,10 +133,11 @@ static void check_hung_task(struct task_
sysctl_hung_task_warnings--;
pr_err("INFO: task %s:%d blocked for more than %ld seconds.\n",
t->comm, t->pid, (jiffies - t->last_switch_time) / HZ);
- pr_err(" %s %s %.*s\n",
+ pr_err(" %s %s %.*s%s\n",
print_tainted(), init_utsname()->release,
(int)strcspn(init_utsname()->version, " "),
- init_utsname()->version);
+ init_utsname()->version,
+ LINUX_PACKAGE_ID);
pr_err("\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\""
" disables this message.\n");
sched_show_task(t);
--- a/lib/dump_stack.c
+++ b/lib/dump_stack.c
@@ -14,6 +14,7 @@
#include <linux/kexec.h>
#include <linux/utsname.h>
#include <linux/stop_machine.h>
+#include <generated/package.h>
static char dump_stack_arch_desc_str[128];
@@ -54,7 +55,7 @@ void __init dump_stack_set_arch_desc(con
*/
void dump_stack_print_info(const char *log_lvl)
{
- printk("%sCPU: %d UID: %u PID: %d Comm: %.20s %s%s %s %.*s" BUILD_ID_FMT "\n",
+ printk("%sCPU: %d UID: %u PID: %d Comm: %.20s %s%s %s %.*s %s" BUILD_ID_FMT "\n",
log_lvl, raw_smp_processor_id(),
__kuid_val(current_real_cred()->euid),
current->pid, current->comm,
@@ -62,7 +63,9 @@ void dump_stack_print_info(const char *l
print_tainted(),
init_utsname()->release,
(int)strcspn(init_utsname()->version, " "),
- init_utsname()->version, BUILD_ID_VAL);
+ init_utsname()->version,
+ LINUX_PACKAGE_ID,
+ BUILD_ID_VAL);
if (get_taint())
printk("%s%s\n", log_lvl, print_tainted_verbose());

1452
debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch vendored Normal file
View File

File diff suppressed because it is too large Load Diff

32
debian/patches/debian/yama-disable-by-default.patch vendored Normal file
View File

@@ -0,0 +1,32 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: yama: Disable by default
Date: Wed, 19 Jun 2013 04:35:28 +0100
Bug-Debian: https://bugs.debian.org/712740
Forwarded: not-needed
---
security/yama/yama_lsm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index efac68556b45..95ff3e778a17 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -25,7 +25,7 @@
#define YAMA_SCOPE_CAPABILITY 2
#define YAMA_SCOPE_NO_ATTACH 3
-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
+static int ptrace_scope = YAMA_SCOPE_DISABLED;
/* describe a ptrace relationship for potential exception */
struct ptrace_relation {
@@ -476,7 +476,7 @@ static inline void yama_init_sysctl(void) { }
static int __init yama_init(void)
{
- pr_info("Yama: becoming mindful.\n");
+ pr_info("Yama: disabled by default; enable with sysctl kernel.yama.*\n");
security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), &yama_lsmid);
yama_init_sysctl();
return 0;

130
debian/patches/features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch vendored Normal file
View File

@@ -0,0 +1,130 @@
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Tue, 13 Mar 2018 18:38:02 +0800
Subject: [PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a
kernel module
Origin: https://lore.kernel.org/patchwork/patch/933175/
This patch adds the logic for checking the kernel module's hash
base on blacklist. The hash must be generated by sha256 and enrolled
to dbx/mokx.
For example:
sha256sum sample.ko
mokutil --mokx --import-hash $HASH_RESULT
Whether the signature on ko file is stripped or not, the hash can be
compared by kernel.
Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
[bwh: Forward-ported to 5.19:
- The type parameter to is_hash_blacklisted() is now an enumeration
rather than a string
- Adjust filename, context]
---
kernel/module/signing.c | 59 +++++++++++++++++++++++++++++++++++++++--
1 file changed, 57 insertions(+), 2 deletions(-)
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -13,6 +13,8 @@
#include <linux/verification.h>
#include <linux/security.h>
#include <crypto/public_key.h>
+#include <crypto/hash.h>
+#include <keys/system_keyring.h>
#include <uapi/linux/module.h>
#include "internal.h"
@@ -37,13 +39,60 @@
sig_enforce = true;
}
+static int mod_is_hash_blacklisted(const void *mod, size_t verifylen)
+{
+ struct crypto_shash *tfm;
+ struct shash_desc *desc;
+ size_t digest_size, desc_size;
+ u8 *digest;
+ int ret;
+
+ tfm = crypto_alloc_shash("sha256", 0, 0);
+ if (IS_ERR(tfm)) {
+ ret = PTR_ERR(tfm);
+ goto error_return;
+ }
+
+ desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
+ digest_size = crypto_shash_digestsize(tfm);
+ digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
+ if (!digest) {
+ pr_err("digest memory buffer allocate fail\n");
+ ret = -ENOMEM;
+ goto error_digest;
+ }
+ desc = (void *)digest + digest_size;
+ desc->tfm = tfm;
+ ret = crypto_shash_init(desc);
+ if (ret < 0)
+ goto error_shash;
+
+ ret = crypto_shash_finup(desc, mod, verifylen, digest);
+ if (ret < 0)
+ goto error_shash;
+
+ pr_debug("%ld digest: %*phN\n", verifylen, (int) digest_size, digest);
+
+ ret = is_hash_blacklisted(digest, digest_size, BLACKLIST_HASH_BINARY);
+ if (ret == -EKEYREJECTED)
+ pr_err("Module hash %*phN is blacklisted\n",
+ (int) digest_size, digest);
+
+error_shash:
+ kfree(digest);
+error_digest:
+ crypto_free_shash(tfm);
+error_return:
+ return ret;
+}
+
/*
* Verify the signature on a module.
*/
int mod_verify_sig(const void *mod, struct load_info *info)
{
struct module_signature ms;
- size_t sig_len, modlen = info->len;
+ size_t sig_len, modlen = info->len, wholelen;
int ret;
pr_devel("==>%s(,%zu)\n", __func__, modlen);
@@ -51,6 +100,7 @@
if (modlen <= sizeof(ms))
return -EBADMSG;
+ wholelen = modlen + sizeof(MODULE_SIG_STRING) - 1;
memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
ret = mod_check_sig(&ms, modlen, "module");
@@ -61,10 +111,17 @@
modlen -= sig_len + sizeof(ms);
info->len = modlen;
- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
VERIFY_USE_SECONDARY_KEYRING,
VERIFYING_MODULE_SIGNATURE,
NULL, NULL);
+ pr_devel("verify_pkcs7_signature() = %d\n", ret);
+
+ /* checking hash of module is in blacklist */
+ if (!ret)
+ ret = mod_is_hash_blacklisted(mod, wholelen);
+
+ return ret;
}
int module_sig_check(struct load_info *info, int flags)

33
debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch vendored Normal file
View File

@@ -0,0 +1,33 @@
From: Robert Holmes <robeholmes@gmail.com>
Date: Tue, 23 Apr 2019 07:39:29 +0000
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
verify
Bug-Debian: https://bugs.debian.org/935945
Bug-Debian: https://bugs.debian.org/1030200
Origin: https://src.fedoraproject.org/rpms/kernel/raw/master/f/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
Forwarded: https://lore.kernel.org/linux-modules/qvgp2il2co4iyxkzxvcs4p2bpyilqsbfgcprtpfrsajwae2etc@3z2s2o52i3xg/t/#u
This allows a cert in DB to be used to sign modules,
in addition to certs in the MoK and built-in keyrings.
Signed-off-by: Robert Holmes <robeholmes@gmail.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
[bwh: Forward-ported to 5.19: adjust filename]
[наб: reinstate for 6.1, re-write description]
---
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -116,6 +116,13 @@ int mod_verify_sig(const void *mod, stru
VERIFYING_MODULE_SIGNATURE,
NULL, NULL);
pr_devel("verify_pkcs7_signature() = %d\n", ret);
+ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ pr_devel("verify_pkcs7_signature() = %d\n", ret);
+ }
/* checking hash of module is in blacklist */
if (!ret)

29
debian/patches/features/all/db-mok-keyring/trust-machine-keyring-by-default.patch vendored Normal file
View File

@@ -0,0 +1,29 @@
From 585cbcb982bffc4a8cee2f3d8d099fc64f9a74b9 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Fri, 14 Oct 2022 00:22:06 +0200
Subject: [PATCH] trust machine keyring (MoK) by default
Forwarded: not-needed
Debian always trusted keys in MoK by default. Upstream made it
conditional on a new EFI variable being set.
To keep backward compatibility skip this check.
---
security/integrity/platform_certs/machine_keyring.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
index a401640a63cd..0627f14eacbe 100644
--- a/security/integrity/platform_certs/machine_keyring.c
+++ b/security/integrity/platform_certs/machine_keyring.c
@@ -68,10 +68,7 @@ static bool __init trust_moklist(void)
if (!initialized) {
initialized = true;
- trust_mok = false;
-
- if (uefi_check_trust_mok_keys())
- trust_mok = true;
+ trust_mok = true;
}
return trust_mok;

149
debian/patches/features/all/drivers-media-dvb-usb-af9005-request_firmware.patch vendored Normal file
View File

@@ -0,0 +1,149 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 24 Aug 2009 23:19:58 +0100
Subject: af9005: Use request_firmware() to load register init script
Forwarded: no
Read the register init script from the Windows driver. This is sick
but should avoid the potential copyright infringement in distributing
a version of the script which is directly derived from the driver.
---
drivers/media/dvb/dvb-usb/Kconfig | 2 +-
drivers/media/dvb/dvb-usb/af9005-fe.c | 66 ++++++++++++++++++++++++++------
2 files changed, 54 insertions(+), 14 deletions(-)
Index: debian-kernel/drivers/media/usb/dvb-usb/Kconfig
===================================================================
--- debian-kernel.orig/drivers/media/usb/dvb-usb/Kconfig
+++ debian-kernel/drivers/media/usb/dvb-usb/Kconfig
@@ -260,10 +260,10 @@ config DVB_USB_OPERA1
config DVB_USB_AF9005
tristate "Afatech AF9005 DVB-T USB1.1 support"
- depends on BROKEN
depends on DVB_USB
select MEDIA_TUNER_MT2060 if MEDIA_SUBDRV_AUTOSELECT
select MEDIA_TUNER_QT1010 if MEDIA_SUBDRV_AUTOSELECT
+ select FW_LOADER
help
Say Y here to support the Afatech AF9005 based DVB-T USB1.1 receiver
and the TerraTec Cinergy T USB XE (Rev.1)
Index: debian-kernel/drivers/media/usb/dvb-usb/af9005-fe.c
===================================================================
--- debian-kernel.orig/drivers/media/usb/dvb-usb/af9005-fe.c
+++ debian-kernel/drivers/media/usb/dvb-usb/af9005-fe.c
@@ -9,10 +9,26 @@
* see Documentation/driver-api/media/drivers/dvb-usb.rst for more information
*/
#include "af9005.h"
-#include "af9005-script.h"
#include "mt2060.h"
#include "qt1010.h"
#include <asm/div64.h>
+#include <linux/firmware.h>
+
+/* Register initialisation script to be extracted from the Windows driver */
+
+typedef struct {
+ __le16 reg;
+ u8 pos;
+ u8 len;
+ u8 val;
+ u8 pad;
+} __packed RegDesc;
+
+#define WIN_DRV_NAME "AF05BDA.sys"
+#define WIN_DRV_VERSION "6.3.2.1"
+#define WIN_DRV_SIZE 133504
+#define WIN_DRV_SCRIPT_OFFSET 88316
+#define WIN_DRV_SCRIPT_SIZE 1110
struct af9005_fe_state {
struct dvb_usb_device *d;
@@ -804,6 +820,8 @@ static int af9005_fe_init(struct dvb_fro
{
struct af9005_fe_state *state = fe->demodulator_priv;
struct dvb_usb_adapter *adap = fe->dvb->priv;
+ const struct firmware *fw;
+ const RegDesc *script;
int ret, i, scriptlen;
u8 temp, temp0 = 0, temp1 = 0, temp2 = 0;
u8 buf[2];
@@ -956,37 +974,55 @@ static int af9005_fe_init(struct dvb_fro
if ((ret = af9005_write_ofdm_register(state->d, 0xaefb, 0x01)))
return ret;
- /* load init script */
- deb_info("load init script\n");
- scriptlen = sizeof(script) / sizeof(RegDesc);
+ /* load and validate init script */
+ deb_info("load init script from Windows driver\n");
+ ret = request_firmware(&fw, WIN_DRV_NAME, &state->d->udev->dev);
+ if (ret)
+ return ret;
+ BUILD_BUG_ON(sizeof(RegDesc) != 6);
+ if (fw->size != WIN_DRV_SIZE ||
+ memcmp(fw->data + WIN_DRV_SCRIPT_OFFSET,
+ "\x80\xa1\x00\x08\x0a\x00", 6) ||
+ memcmp(fw->data + WIN_DRV_SCRIPT_OFFSET + WIN_DRV_SCRIPT_SIZE - 6,
+ "\x49\xa3\x00\x06\x02\x00", 6)) {
+ err("%s is invalid - should be version %s, size %u bytes\n",
+ WIN_DRV_NAME, WIN_DRV_VERSION, WIN_DRV_SIZE);
+ ret = -EINVAL;
+ goto fail_release;
+ }
+
+ script = (const RegDesc *)(fw->data + WIN_DRV_SCRIPT_OFFSET);
+ scriptlen = WIN_DRV_SCRIPT_SIZE / sizeof(RegDesc);
for (i = 0; i < scriptlen; i++) {
+ u16 reg = le16_to_cpu(script[i].reg);
if ((ret =
- af9005_write_register_bits(state->d, script[i].reg,
+ af9005_write_register_bits(state->d, reg,
script[i].pos,
script[i].len, script[i].val)))
- return ret;
+ goto fail_release;
/* save 3 bytes of original fcw */
- if (script[i].reg == 0xae18)
+ if (reg == 0xae18)
temp2 = script[i].val;
- if (script[i].reg == 0xae19)
+ if (reg == 0xae19)
temp1 = script[i].val;
- if (script[i].reg == 0xae1a)
+ if (reg == 0xae1a)
temp0 = script[i].val;
/* save original unplug threshold */
- if (script[i].reg == xd_p_reg_unplug_th)
+ if (reg == xd_p_reg_unplug_th)
state->original_if_unplug_th = script[i].val;
- if (script[i].reg == xd_p_reg_unplug_rf_gain_th)
+ if (reg == xd_p_reg_unplug_rf_gain_th)
state->original_rf_unplug_th = script[i].val;
- if (script[i].reg == xd_p_reg_unplug_dtop_if_gain_th)
+ if (reg == xd_p_reg_unplug_dtop_if_gain_th)
state->original_dtop_if_unplug_th = script[i].val;
- if (script[i].reg == xd_p_reg_unplug_dtop_rf_gain_th)
+ if (reg == xd_p_reg_unplug_dtop_rf_gain_th)
state->original_dtop_rf_unplug_th = script[i].val;
}
state->original_fcw =
((u32) temp2 << 16) + ((u32) temp1 << 8) + (u32) temp0;
+ release_firmware(fw);
/* save original TOPs */
deb_info("save original TOPs\n");
@@ -1066,6 +1102,10 @@ static int af9005_fe_init(struct dvb_fro
deb_info("profit!\n");
return 0;
+
+fail_release:
+ release_firmware(fw);
+ return ret;
}
static int af9005_fe_sleep(struct dvb_frontend *fe)

153
debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch vendored Normal file
View File

@@ -0,0 +1,153 @@
From: Linn Crosetto <linn@hpe.com>
Date: Tue, 30 Aug 2016 11:54:38 -0600
Subject: arm64: add kernel config option to lock down when in Secure Boot mode
Bug-Debian: https://bugs.debian.org/831827
Forwarded: no
Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.
Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.
Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.15 and lockdown patch set:
- Pass result of efi_get_secureboot() in stub through to
efi_set_secure_boot() in main kernel
- Use lockdown API and naming]
[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
[bwh: Drop call to init_lockdown(), as efi_set_secure_boot() now calls this]
[bwh: Forward-ported to 5.6: efi_get_secureboot() no longer takes a
sys_table parameter]
[bwh: Forward-ported to 5.7: EFI initialisation from FDT was rewritten, so:
- Add Secure Boot mode to the parameter enumeration in fdtparams.c
- Add a parameter to efi_get_fdt_params() to return the Secure Boot mode
- Since Xen does not have a property name defined for Secure Boot mode,
change efi_get_fdt_prop() to handle a missing property name by clearing
the output variable]
[Salvatore Bonaccorso: Forward-ported to 5.10: f30f242fb131 ("efi: Rename
arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]
---
drivers/firmware/efi/efi-init.c | 5 ++++-
drivers/firmware/efi/fdtparams.c | 12 +++++++++++-
drivers/firmware/efi/libstub/fdt.c | 6 ++++++
include/linux/efi.h | 3 ++-
4 files changed, 23 insertions(+), 3 deletions(-)
--- a/drivers/firmware/efi/efi-init.c
+++ b/drivers/firmware/efi/efi-init.c
@@ -210,9 +210,10 @@ void __init efi_init(void)
{
struct efi_memory_map_data data;
u64 efi_system_table;
+ u32 secure_boot;
/* Grab UEFI information placed in FDT by stub */
- efi_system_table = efi_get_fdt_params(&data);
+ efi_system_table = efi_get_fdt_params(&data, &secure_boot);
if (!efi_system_table)
return;
@@ -234,6 +235,8 @@ void __init efi_init(void)
return;
}
+ efi_set_secure_boot(secure_boot);
+
reserve_regions();
/*
* For memblock manipulation, the cap should come after the memblock_add().
--- a/drivers/firmware/efi/fdtparams.c
+++ b/drivers/firmware/efi/fdtparams.c
@@ -16,6 +16,7 @@ enum {
MMSIZE,
DCSIZE,
DCVERS,
+ SBMODE,
PARAMCOUNT
};
@@ -26,6 +27,7 @@ static __initconst const char name[][22]
[MMSIZE] = "MemMap Size ",
[DCSIZE] = "MemMap Desc. Size ",
[DCVERS] = "MemMap Desc. Version ",
+ [SBMODE] = "Secure Boot Enabled ",
};
static __initconst const struct {
@@ -41,6 +43,7 @@ static __initconst const struct {
[MMSIZE] = "xen,uefi-mmap-size",
[DCSIZE] = "xen,uefi-mmap-desc-size",
[DCVERS] = "xen,uefi-mmap-desc-ver",
+ [SBMODE] = "",
}
}, {
#endif
@@ -51,6 +54,7 @@ static __initconst const struct {
[MMSIZE] = "linux,uefi-mmap-size",
[DCSIZE] = "linux,uefi-mmap-desc-size",
[DCVERS] = "linux,uefi-mmap-desc-ver",
+ [SBMODE] = "linux,uefi-secure-boot",
}
}
};
@@ -62,6 +66,11 @@ static int __init efi_get_fdt_prop(const
int len;
u64 val;
+ if (!pname[0]) {
+ memset(var, 0, size);
+ return 0;
+ }
+
prop = fdt_getprop(fdt, node, pname, &len);
if (!prop)
return 1;
@@ -79,7 +88,7 @@ static int __init efi_get_fdt_prop(const
return 0;
}
-u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
+u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm, u32 *secure_boot)
{
const void *fdt = initial_boot_params;
unsigned long systab;
@@ -93,6 +102,7 @@ u64 __init efi_get_fdt_params(struct efi
[MMSIZE] = { &mm->size, sizeof(mm->size) },
[DCSIZE] = { &mm->desc_size, sizeof(mm->desc_size) },
[DCVERS] = { &mm->desc_version, sizeof(mm->desc_version) },
+ [SBMODE] = { secure_boot, sizeof(*secure_boot) },
};
BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -148,6 +148,12 @@ static efi_status_t update_fdt(void *ori
}
}
+ fdt_val32 = cpu_to_fdt32(efi_get_secureboot());
+ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+ &fdt_val32, sizeof(fdt_val32));
+ if (status)
+ goto fdt_set_fail;
+
/* Shrink the FDT back to its minimum size: */
fdt_pack(fdt);
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -662,7 +662,8 @@ extern void efi_mem_reserve(phys_addr_t
extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
extern void efi_initialize_iomem_resources(struct resource *code_resource,
struct resource *data_resource, struct resource *bss_resource);
-extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
+extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
+ u32 *secure_boot);
extern struct kobject *efi_kobj;
extern int efi_reboot_quirk_mode;

153
debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch vendored Normal file
View File

@@ -0,0 +1,153 @@
From: David Howells <dhowells@redhat.com>
Date: Mon, 18 Feb 2019 12:45:03 +0000
Subject: [28/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a5d70c55c603233c192b375f72116a395909da28
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.
Move the switch-statement in x86's setup_arch() that inteprets the
secure_boot boot parameter to generic code and set the bit there.
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
[rperier: Forward-ported to 5.5:
- Use pr_warn()
- Adjust context]
[bwh: Forward-ported to 5.6: adjust context]
[bwh: Forward-ported to 5.7:
- Use the next available bit in efi.flags
- Adjust context]
---
arch/x86/kernel/setup.c | 14 +----------
drivers/firmware/efi/Makefile | 1 +
drivers/firmware/efi/secureboot.c | 39 +++++++++++++++++++++++++++++++
include/linux/efi.h | 16 ++++++++-----
4 files changed, 51 insertions(+), 19 deletions(-)
create mode 100644 drivers/firmware/efi/secureboot.c
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1193,19 +1193,7 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
- if (efi_enabled(EFI_BOOT)) {
- switch (boot_params.secure_boot) {
- case efi_secureboot_mode_disabled:
- pr_info("Secure boot disabled\n");
- break;
- case efi_secureboot_mode_enabled:
- pr_info("Secure boot enabled\n");
- break;
- default:
- pr_info("Secure boot could not be determined\n");
- break;
- }
- }
+ efi_set_secure_boot(boot_params.secure_boot);
reserve_initrd();
--- a/drivers/firmware/efi/Makefile
+++ b/drivers/firmware/efi/Makefile
@@ -25,6 +25,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_m
obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o
obj-$(CONFIG_EFI_TEST) += test/
obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o
+obj-$(CONFIG_EFI) += secureboot.o
obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o
obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o
obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o
--- /dev/null
+++ b/drivers/firmware/efi/secureboot.c
@@ -0,0 +1,39 @@
+
+/* Core kernel secure boot support.
+ *
+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/efi.h>
+#include <linux/kernel.h>
+#include <linux/printk.h>
+
+/*
+ * Decide what to do when UEFI secure boot mode is enabled.
+ */
+void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
+{
+ if (efi_enabled(EFI_BOOT)) {
+ switch (mode) {
+ case efi_secureboot_mode_disabled:
+ pr_info("Secure boot disabled\n");
+ break;
+ case efi_secureboot_mode_enabled:
+ set_bit(EFI_SECURE_BOOT, &efi.flags);
+ pr_info("Secure boot enabled\n");
+ break;
+ default:
+ pr_warn("Secure boot could not be determined (mode %u)\n",
+ mode);
+ break;
+ }
+ }
+}
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -871,6 +871,14 @@ extern int __init efi_setup_pcdp_console
#define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
#define EFI_MEM_NO_SOFT_RESERVE 11 /* Is the kernel configured to ignore soft reservations? */
#define EFI_PRESERVE_BS_REGIONS 12 /* Are EFI boot-services memory segments available? */
+#define EFI_SECURE_BOOT 13 /* Are we in Secure Boot mode? */
+
+enum efi_secureboot_mode {
+ efi_secureboot_mode_unset,
+ efi_secureboot_mode_unknown,
+ efi_secureboot_mode_disabled,
+ efi_secureboot_mode_enabled,
+};
#ifdef CONFIG_EFI
/*
@@ -895,6 +903,7 @@ static inline bool efi_rt_services_suppo
return (efi.runtime_supported_mask & mask) == mask;
}
extern void efi_find_mirror(void);
+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
#else
static inline bool efi_enabled(int feature)
{
@@ -914,6 +923,7 @@ static inline bool efi_rt_services_suppo
}
static inline void efi_find_mirror(void) {}
+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
#endif
extern int efi_status_to_err(efi_status_t status);
@@ -1133,13 +1143,6 @@ static inline bool efi_runtime_disabled(
extern void efi_call_virt_check_flags(unsigned long flags, const void *caller);
extern unsigned long efi_call_virt_save_flags(void);
-enum efi_secureboot_mode {
- efi_secureboot_mode_unset,
- efi_secureboot_mode_unknown,
- efi_secureboot_mode_disabled,
- efi_secureboot_mode_enabled,
-};
-
static inline
enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
{

121
debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch vendored Normal file
View File

@@ -0,0 +1,121 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 10 Sep 2019 11:54:28 +0100
Subject: efi: Lock down the kernel if booted in secure boot mode
Based on an earlier patch by David Howells, who wrote the following
description:
> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels. Certain use cases may also
> require that all kernel modules also be signed. Add a configuration option
> that to lock down the kernel - which includes requiring validly signed
> modules - if the kernel is secure-booted.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[Salvatore Bonaccorso: After fixing https://bugs.debian.org/956197 the
help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that
lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)]
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
---
arch/x86/kernel/setup.c | 4 ++--
drivers/firmware/efi/secureboot.c | 3 +++
include/linux/security.h | 6 ++++++
security/lockdown/Kconfig | 15 +++++++++++++++
security/lockdown/lockdown.c | 2 +-
5 files changed, 27 insertions(+), 3 deletions(-)
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -900,6 +900,8 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
+ efi_set_secure_boot(boot_params.secure_boot);
+
reserve_ibft_region();
x86_init.resources.dmi_setup();
@@ -1061,8 +1063,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
- efi_set_secure_boot(boot_params.secure_boot);
-
reserve_initrd();
acpi_table_upgrade();
--- a/drivers/firmware/efi/secureboot.c
+++ b/drivers/firmware/efi/secureboot.c
@@ -15,6 +15,7 @@
#include <linux/efi.h>
#include <linux/kernel.h>
#include <linux/printk.h>
+#include <linux/security.h>
/*
* Decide what to do when UEFI secure boot mode is enabled.
@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi
break;
case efi_secureboot_mode_enabled:
set_bit(EFI_SECURE_BOOT, &efi.flags);
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+ lock_kernel_down("EFI Secure Boot",
+ LOCKDOWN_INTEGRITY_MAX);
+#endif
pr_info("Secure boot enabled\n");
break;
default:
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -509,6 +509,7 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
void *val, size_t val_len, u64 id, u64 flags);
+int lock_kernel_down(const char *where, enum lockdown_reason level);
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1483,6 +1484,11 @@ static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
{
return -EOPNOTSUPP;
}
+static inline int
+lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+ return -EOPNOTSUPP;
+}
#endif /* CONFIG_SECURITY */
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI
disabled.
endchoice
+
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode"
+ default n
+ depends on SECURITY_LOCKDOWN_LSM
+ depends on EFI
+ select SECURITY_LOCKDOWN_LSM_EARLY
+ help
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
+ will only load signed bootloaders and kernels. Secure boot mode may
+ be determined from EFI variables provided by the system firmware if
+ not indicated by the boot parameters.
+
+ Enabling this option results in kernel lockdown being
+ triggered in integrity mode if EFI Secure Boot is set.
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -24,7 +24,7 @@ static const enum lockdown_reason lockdo
/*
* Put the kernel into lock-down mode.
*/
-static int lock_kernel_down(const char *where, enum lockdown_reason level)
+int lock_kernel_down(const char *where, enum lockdown_reason level)
{
if (kernel_locked_down >= level)
return -EPERM;

75
debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch vendored Normal file
View File

@@ -0,0 +1,75 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 30 Aug 2019 15:54:24 +0100
Subject: mtd: phram,slram: Disable when the kernel is locked down
Forwarded: https://lore.kernel.org/linux-security-module/20190830154720.eekfjt6c4jzvlbfz@decadent.org.uk/
These drivers allow mapping arbitrary memory ranges as MTD devices.
This should be disabled to preserve the kernel's integrity when it is
locked down.
* Add the HWPARAM flag to the module parameters
* When slram is built-in, it uses __setup() to read kernel parameters,
so add an explicit check security_locked_down() check
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Matthew Garrett <mjg59@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Joern Engel <joern@lazybastard.org>
Cc: linux-mtd@lists.infradead.org
---
drivers/mtd/devices/phram.c | 6 +++++-
drivers/mtd/devices/slram.c | 9 ++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
--- a/drivers/mtd/devices/phram.c
+++ b/drivers/mtd/devices/phram.c
@@ -364,7 +364,11 @@ static int phram_param_call(const char *
#endif
}
-module_param_call(phram, phram_param_call, NULL, NULL, 0200);
+static const struct kernel_param_ops phram_param_ops = {
+ .set = phram_param_call
+};
+__module_param_call(MODULE_PARAM_PREFIX, phram, &phram_param_ops, NULL,
+ 0200, -1, KERNEL_PARAM_FL_HWPARAM | hwparam_iomem);
MODULE_PARM_DESC(phram, "Memory region to map. \"phram=<name>,<start>,<length>[,<erasesize>]\"");
#ifdef CONFIG_OF
--- a/drivers/mtd/devices/slram.c
+++ b/drivers/mtd/devices/slram.c
@@ -43,6 +43,7 @@
#include <linux/ioctl.h>
#include <linux/init.h>
#include <linux/io.h>
+#include <linux/security.h>
#include <linux/mtd/mtd.h>
@@ -65,7 +66,7 @@ typedef struct slram_mtd_list {
#ifdef MODULE
static char *map[SLRAM_MAX_DEVICES_PARAMS];
-module_param_array(map, charp, NULL, 0);
+module_param_hw_array(map, charp, iomem, NULL, 0);
MODULE_PARM_DESC(map, "List of memory regions to map. \"map=<name>, <start>, <length / end>\"");
#else
static char *map;
@@ -281,11 +282,17 @@ static int __init init_slram(void)
#ifndef MODULE
char *devstart;
char *devlength;
+ int ret;
if (!map) {
E("slram: not enough parameters.\n");
return(-EINVAL);
}
+
+ ret = security_locked_down(LOCKDOWN_MODULE_PARAMETERS);
+ if (ret)
+ return ret;
+
while (map) {
devname = devstart = devlength = NULL;

80
debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch vendored Normal file
View File

@@ -0,0 +1,80 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 11 Jan 2016 15:23:55 +0000
Subject: security,perf: Allow further restriction of perf_event_open
Forwarded: https://lore.kernel.org/all/20160111152355.GS28542@decadent.org.uk/
When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.
This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/perf_event.h | 5 +++++
kernel/events/core.c | 8 ++++++++
security/Kconfig | 9 +++++++++
3 files changed, 22 insertions(+)
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1589,6 +1589,11 @@ int perf_cpu_time_max_percent_handler(co
int perf_event_max_stack_handler(const struct ctl_table *table, int write,
void *buffer, size_t *lenp, loff_t *ppos);
+static inline bool perf_paranoid_any(void)
+{
+ return sysctl_perf_event_paranoid > 2;
+}
+
/* Access to perf_event_open(2) syscall. */
#define PERF_SECURITY_OPEN 0
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -419,8 +419,13 @@ static struct kmem_cache *perf_event_cac
* 0 - disallow raw tracepoint access for unpriv
* 1 - disallow cpu events for unpriv
* 2 - disallow kernel profiling for unpriv
+ * 3 - disallow all unpriv perf event use
*/
+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
+int sysctl_perf_event_paranoid __read_mostly = 3;
+#else
int sysctl_perf_event_paranoid __read_mostly = 2;
+#endif
/* Minimum for 512 kiB + 1 user control page */
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
@@ -12506,6 +12511,9 @@ SYSCALL_DEFINE5(perf_event_open,
if (err)
return err;
+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
/* Do we allow access to perf_event_open(2) ? */
err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
if (err)
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -51,6 +51,15 @@ config PROC_MEM_NO_FORCE
endchoice
+config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"
+ depends on PERF_EVENTS
+ help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
config SECURITY
bool "Enable different security models"
depends on SYSFS

74
debian/patches/features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch vendored Normal file
View File

@@ -0,0 +1,74 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 21 Aug 2019 00:32:16 +0100
Subject: intel-iommu: Add Kconfig option to exclude iGPU by default
Bug-Debian: https://bugs.debian.org/935270
Bug-Kali: https://bugs.kali.org/view.php?id=5644
There is still laptop firmware that touches the integrated GPU behind
the operating system's back, and doesn't say so in the RMRR table.
Enabling the IOMMU for all devices causes breakage.
Replace CONFIG_INTEL_IOMMU_DEFAULT_ON with a 3-way choice
corresponding to "on", "off", and "on,intgpu_off".
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/iommu/intel/Kconfig
+++ b/drivers/iommu/intel/Kconfig
@@ -57,13 +57,24 @@ config INTEL_IOMMU_SVM
to access DMA resources through process address space by
means of a Process Address Space ID (PASID).
-config INTEL_IOMMU_DEFAULT_ON
- bool "Enable Intel DMA Remapping Devices by default"
- default y
+choice
+ prompt "Default state of Intel DMA Remapping Devices"
+ default INTEL_IOMMU_DEFAULT_ON
help
- Selecting this option will enable a DMAR device at boot time if
- one is found. If this option is not selected, DMAR support can
- be enabled by passing intel_iommu=on to the kernel.
+ Choose whether Intel DMA Remapping Devices should be enabled
+ by default. This can be overridden at boot time using the
+ intel_iommu= kernel parameter.
+
+config INTEL_IOMMU_DEFAULT_ON
+ bool "Enable"
+
+config INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF
+ bool "Enable, excluding integrated GPU"
+
+config INTEL_IOMMU_DEFAULT_OFF
+ bool "Disable"
+
+endchoice
config INTEL_IOMMU_FLOPPY_WA
def_bool y
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -218,13 +218,13 @@ static LIST_HEAD(dmar_satc_units);
static void intel_iommu_domain_free(struct iommu_domain *domain);
-int dmar_disabled = !IS_ENABLED(CONFIG_INTEL_IOMMU_DEFAULT_ON);
+int dmar_disabled = IS_ENABLED(CONFIG_INTEL_IOMMU_DEFAULT_OFF);
int intel_iommu_sm = IS_ENABLED(CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON);
int intel_iommu_enabled = 0;
EXPORT_SYMBOL_GPL(intel_iommu_enabled);
-static int dmar_map_intgpu = 1;
+static int dmar_map_intgpu = IS_ENABLED(CONFIG_INTEL_IOMMU_DEFAULT_ON);
static int intel_iommu_superpage = 1;
static int iommu_identity_mapping;
static int iommu_skip_te_disable;
@@ -263,6 +263,7 @@ static int __init intel_iommu_setup(char
while (*str) {
if (!strncmp(str, "on", 2)) {
dmar_disabled = 0;
+ dmar_map_intgpu = 1;
pr_info("IOMMU enabled\n");
} else if (!strncmp(str, "off", 3)) {
dmar_disabled = 1;

90
debian/patches/features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch vendored Normal file
View File

@@ -0,0 +1,90 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 21 Aug 2019 00:05:30 +0100
Subject: intel-iommu: Add option to exclude integrated GPU only
Bug-Debian: https://bugs.debian.org/935270
Bug-Kali: https://bugs.kali.org/view.php?id=5644
There is still laptop firmware that touches the integrated GPU behind
the operating system's back, and doesn't say so in the RMRR table.
Enabling the IOMMU for all devices causes breakage, but turning it off
for all graphics devices seems like a major weakness.
Add an option, intel_iommu=intgpu_off, to exclude only integrated GPUs
from remapping. This is a narrower exclusion than igfx_off: it only
affects Intel devices on the root bus. Devices attached through an
external port (Thunderbolt or ExpressCard) won't be on the root bus.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
Documentation/admin-guide/kernel-parameters.txt | 2 ++
drivers/iommu/intel/iommu.c | 14 ++++++++++++++
2 files changed, 16 insertions(+)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2174,6 +2174,8 @@
bypassed by not enabling DMAR with this option. In
this case, gfx device will use physical address for
DMA.
+ intgpu_off [Default Off]
+ Bypass the DMAR unit for an integrated GPU only.
strict [Default Off]
Deprecated, equivalent to iommu.strict=1.
sp_off [Default Off]
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -35,6 +35,9 @@
#define CONTEXT_SIZE VTD_PAGE_SIZE
#define IS_GFX_DEVICE(pdev) ((pdev->class >> 16) == PCI_BASE_CLASS_DISPLAY)
+#define IS_INTGPU_DEVICE(pdev) (IS_GFX_DEVICE(pdev) && \
+ (pdev)->vendor == 0x8086 && \
+ pci_is_root_bus((pdev)->bus))
#define IS_USB_DEVICE(pdev) ((pdev->class >> 8) == PCI_CLASS_SERIAL_USB)
#define IS_ISA_DEVICE(pdev) ((pdev->class >> 8) == PCI_CLASS_BRIDGE_ISA)
#define IS_AZALIA(pdev) ((pdev)->vendor == 0x8086 && (pdev)->device == 0x3a3e)
@@ -221,12 +224,14 @@ int intel_iommu_sm = IS_ENABLED(CONFIG_I
int intel_iommu_enabled = 0;
EXPORT_SYMBOL_GPL(intel_iommu_enabled);
+static int dmar_map_intgpu = 1;
static int intel_iommu_superpage = 1;
static int iommu_identity_mapping;
static int iommu_skip_te_disable;
static int disable_igfx_iommu;
#define IDENTMAP_AZALIA 4
+#define IDENTMAP_INTGPU 8
const struct iommu_ops intel_iommu_ops;
static const struct iommu_dirty_ops intel_dirty_ops;
@@ -266,6 +271,9 @@ static int __init intel_iommu_setup(char
} else if (!strncmp(str, "igfx_off", 8)) {
disable_igfx_iommu = 1;
pr_info("Disable GFX device mapping\n");
+ } else if (!strncmp(str, "intgpu_off", 10)) {
+ dmar_map_intgpu = 0;
+ pr_info("Disable integrated GPU device mapping\n");
} else if (!strncmp(str, "forcedac", 8)) {
pr_warn("intel_iommu=forcedac deprecated; use iommu.forcedac instead\n");
iommu_dma_forcedac = true;
@@ -2401,6 +2409,9 @@ static int device_def_domain_type(struct
if ((iommu_identity_mapping & IDENTMAP_AZALIA) && IS_AZALIA(pdev))
return IOMMU_DOMAIN_IDENTITY;
+
+ if ((iommu_identity_mapping & IDENTMAP_INTGPU) && IS_INTGPU_DEVICE(pdev))
+ return IOMMU_DOMAIN_IDENTITY;
}
return 0;
@@ -2701,6 +2712,9 @@ static int __init init_dmars(void)
iommu_set_root_entry(iommu);
}
+ if (!dmar_map_intgpu)
+ iommu_identity_mapping |= IDENTMAP_INTGPU;
+
check_tylersburg_isoch();
ret = si_domain_init(hw_pass_through);

180
debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch vendored Normal file
View File

@@ -0,0 +1,180 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 12 Feb 2018 23:59:26 +0000
Subject: x86: Make x32 syscall support conditional on a kernel parameter
Bug-Debian: https://bugs.debian.org/708070
Forwarded: https://lore.kernel.org/lkml/1415245982.3398.53.camel@decadent.org.uk/T/#u
Enabling x32 in the standard amd64 kernel would increase its attack
surface while provide no benefit to the vast majority of its users.
No-one seems interested in regularly checking for vulnerabilities
specific to x32 (at least no-one with a white hat).
Still, adding another flavour just to turn on x32 seems wasteful. And
the only differences on syscall entry are a few instructions that mask
out the x32 flag and compare the syscall number.
Use a static key to control whether x32 syscalls are really enabled, a
Kconfig parameter to set its default value and a kernel parameter
"syscall.x32" to change it at boot time.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
.../admin-guide/kernel-parameters.txt | 4 ++
arch/x86/Kconfig | 8 ++++
arch/x86/entry/common.c | 3 +-
arch/x86/entry/syscall_64.c | 46 +++++++++++++++++++
arch/x86/include/asm/elf.h | 6 ++-
arch/x86/include/asm/syscall.h | 13 ++++++
6 files changed, 78 insertions(+), 2 deletions(-)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -6498,6 +6498,10 @@
later by a loaded module cannot be set this way.
Example: sysctl.vm.swappiness=40
+ syscall.x32= [KNL,x86_64] Enable/disable use of x32 syscalls on
+ an x86_64 kernel where CONFIG_X86_X32 is enabled.
+ Default depends on CONFIG_X86_X32_DISABLED.
+
sysrq_always_enabled
[KNL]
Ignore sysrq setting - this boot parameter will
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -3058,6 +3058,14 @@ config COMPAT_32
select HAVE_UID16
select OLD_SIGSUSPEND3
+config X86_X32_DISABLED
+ bool "x32 ABI disabled by default"
+ depends on X86_X32_ABI
+ default n
+ help
+ Disable the x32 ABI unless explicitly enabled using the
+ kernel paramter "syscall.x32=y".
+
config COMPAT
def_bool y
depends on IA32_EMULATION || X86_X32_ABI
--- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
@@ -64,7 +64,7 @@ static __always_inline bool do_syscall_x
*/
unsigned int xnr = nr - __X32_SYSCALL_BIT;
- if (IS_ENABLED(CONFIG_X86_X32_ABI) && likely(xnr < X32_NR_syscalls)) {
+ if (IS_ENABLED(CONFIG_X86_X32_ABI) && unlikely(x32_enabled) && likely(xnr < X32_NR_syscalls)) {
xnr = array_index_nospec(xnr, X32_NR_syscalls);
regs->ax = x32_sys_call(regs, xnr);
return true;
--- a/arch/x86/entry/syscall_x32.c
+++ b/arch/x86/entry/syscall_x32.c
@@ -4,6 +4,9 @@
#include <linux/linkage.h>
#include <linux/sys.h>
#include <linux/cache.h>
+#include <linux/moduleparam.h>
+#undef MODULE_PARAM_PREFIX
+#define MODULE_PARAM_PREFIX "syscall."
#include <linux/syscalls.h>
#include <asm/syscall.h>
@@ -20,3 +23,46 @@
default: return __x64_sys_ni_syscall(regs);
}
};
+
+/* Maybe enable x32 syscalls */
+
+#if defined(CONFIG_X86_X32_DISABLED)
+DEFINE_STATIC_KEY_FALSE(x32_enabled_skey);
+#else
+DEFINE_STATIC_KEY_TRUE(x32_enabled_skey);
+#endif
+
+static int __init x32_param_set(const char *val, const struct kernel_param *p)
+{
+ bool enabled;
+ int ret;
+
+ ret = kstrtobool(val, &enabled);
+ if (ret)
+ return ret;
+ if (IS_ENABLED(CONFIG_X86_X32_DISABLED)) {
+ if (enabled) {
+ static_key_enable(&x32_enabled_skey.key);
+ pr_info("Enabled x32 syscalls\n");
+ }
+ } else {
+ if (!enabled) {
+ static_key_disable(&x32_enabled_skey.key);
+ pr_info("Disabled x32 syscalls\n");
+ }
+ }
+ return 0;
+}
+
+static int x32_param_get(char *buffer, const struct kernel_param *p)
+{
+ return sprintf(buffer, "%c\n",
+ static_key_enabled(&x32_enabled_skey) ? 'Y' : 'N');
+}
+
+static const struct kernel_param_ops x32_param_ops = {
+ .set = x32_param_set,
+ .get = x32_param_get,
+};
+
+arch_param_cb(x32, &x32_param_ops, NULL, 0444);
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -12,6 +12,9 @@
#include <asm/user.h>
#include <asm/auxvec.h>
#include <asm/fsgsbase.h>
+#ifndef COMPILE_OFFSETS /* avoid a circular dependency on asm-offsets.h */
+#include <asm/syscall.h>
+#endif
typedef unsigned long elf_greg_t;
@@ -151,7 +154,8 @@ do { \
#define compat_elf_check_arch(x) \
((elf_check_arch_ia32(x) && ia32_enabled_verbose()) || \
- (IS_ENABLED(CONFIG_X86_X32_ABI) && (x)->e_machine == EM_X86_64))
+ (IS_ENABLED(CONFIG_X86_X32_ABI) && x32_enabled && \
+ (x)->e_machine == EM_X86_64))
static inline void elf_common_init(struct thread_struct *t,
struct pt_regs *regs, const u16 ds)
--- a/arch/x86/include/asm/syscall.h
+++ b/arch/x86/include/asm/syscall.h
@@ -13,6 +13,7 @@
#include <uapi/linux/audit.h>
#include <linux/sched.h>
#include <linux/err.h>
+#include <linux/jump_label.h>
#include <asm/thread_info.h> /* for TS_COMPAT */
#include <asm/unistd.h>
@@ -28,6 +29,18 @@ extern const sys_call_ptr_t ia32_sys_cal
extern long x32_sys_call(const struct pt_regs *, unsigned int nr);
extern long x64_sys_call(const struct pt_regs *, unsigned int nr);
+#if defined(CONFIG_X86_X32_ABI)
+#if defined(CONFIG_X86_X32_DISABLED)
+DECLARE_STATIC_KEY_FALSE(x32_enabled_skey);
+#define x32_enabled static_branch_unlikely(&x32_enabled_skey)
+#else
+DECLARE_STATIC_KEY_TRUE(x32_enabled_skey);
+#define x32_enabled static_branch_likely(&x32_enabled_skey)
+#endif
+#else
+#define x32_enabled 0
+#endif
+
/*
* Only the low 32 bits of orig_ax are meaningful, so we return int.
* This importantly ignores the high bits on 64-bit, so comparisons

28
debian/patches/features/x86/x86-memtest-WARN-if-bad-RAM-found.patch vendored Normal file
View File

@@ -0,0 +1,28 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 5 Dec 2011 04:00:58 +0000
Subject: x86: memtest: WARN if bad RAM found
Bug-Debian: https://bugs.debian.org/613321
Forwarded: https://lore.kernel.org/all/20120402150522.GA4980@burratino/
Since this is not a particularly thorough test, if we find any bad
bits of RAM then there is a fair chance that there are other bad bits
we fail to detect.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/memtest.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
--- a/mm/memtest.c
+++ b/mm/memtest.c
@@ -26,6 +26,10 @@ static u64 patterns[] __initdata = {
static void __init reserve_bad_mem(u64 pattern, phys_addr_t start_bad, phys_addr_t end_bad)
{
+#ifdef CONFIG_X86
+ WARN_ONCE(1, "Bad RAM detected. Use memtest86+ to perform a thorough test\n"
+ "and the memmap= parameter to reserve the bad areas.");
+#endif
pr_info(" %016llx bad mem addr %pa - %pa reserved\n",
cpu_to_be64(pattern), &start_bad, &end_bad);
memblock_reserve(start_bad, end_bad - start_bad);

113
debian/patches/series vendored Normal file
View File

@@ -0,0 +1,113 @@
debian/gitignore.patch
# Disable features broken by exclusion of upstream files
debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch
debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch
debian/dfsg/video-remove-nvidiafb-and-rivafb.patch
debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch
# Changes to support package build system
debian/version.patch
debian/uname-version-timestamp.patch
debian/kernelvariables.patch
debian/mips-boston-disable-its.patch
debian/mips-ieee754-relaxed.patch
debian/mips-enable-r2-to-r6-emu-by-default.patch
debian/arch-sh4-fix-uimage-build.patch
debian/tools-perf-perf-read-vdso-in-libexec.patch
debian/tools-perf-install-python-bindings.patch
debian/wireless-add-debian-wireless-regdb-certificates.patch
debian/export-symbols-needed-by-android-drivers.patch
debian/android-enable-building-ashmem-and-binder-as-modules.patch
debian/documentation-drop-sphinx-version-check.patch
debian/perf-traceevent-support-asciidoctor-for-documentatio.patch
debian/kbuild-look-for-module.lds-under-arch-directory-too.patch
debian/kbuild-abort-build-if-subdirs-used.patch
debian/makefile-make-compiler-version-comparison-optional.patch
bugfix/all/revert-tools-build-clean-cflags-and-ldflags-for-fixdep.patch
debian/fixdep-allow-overriding-hostcc-and-hostld.patch
debian/linux-perf-remove-remaining-source-filenames-from-executable.patch
# Fixes/improvements to firmware loading
features/all/drivers-media-dvb-usb-af9005-request_firmware.patch
debian/iwlwifi-do-not-request-unreleased-firmware.patch
debian/firmware_loader-log-direct-loading-failures-as-info-for-d-i.path
bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
# Change some defaults for security reasons
debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch
debian/fs-enable-link-security-restrictions-by-default.patch
# Set various features runtime-disabled by default
debian/yama-disable-by-default.patch
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch
features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch
# Disable autoloading/probing of various drivers by default
debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
debian/snd-pcsp-disable-autoload.patch
bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
debian/fjes-disable-autoload.patch
# Taint if dangerous features are used
debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch
# Arch bug fixes
bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch
bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch
bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch
bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
# Arch features
features/x86/x86-memtest-WARN-if-bad-RAM-found.patch
features/x86/x86-make-x32-syscall-support-conditional.patch
# Miscellaneous bug fixes
bugfix/all/disable-some-marvell-phys.patch
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/documentation-use-relative-source-paths-in-abi-documentation.patch
# Miscellaneous features
# Lockdown missing pieces
features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Improve integrity platform keyring for kernel modules verification
features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
features/all/db-mok-keyring/trust-machine-keyring-by-default.patch
# Security fixes
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
# Tools bug fixes
bugfix/all/usbip-document-tcp-wrappers.patch
bugfix/all/kbuild-fix-recordmcount-dependency.patch
bugfix/all/tools-perf-remove-shebangs.patch
bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch
bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
bugfix/all/libapi-define-_fortify_source-as-2-not-empty.patch
bugfix/all/tools-perf-fix-missing-ldflags-for-some-programs.patch
bugfix/all/tools_lib_symbol_use_d_fortify_source_2_for_non_debug_builds.patch
bugfix/all/perf-tools-support-extra-cxxflags.patch
bugfix/all/perf-tools-pass-extra_cflags-through-to-libbpf-build-again.patch
bugfix/all/kbuild-bpf-fix-btf-reproducibility.patch
# debian-installer fixes
bugfix/powerpc/fbdev-offb-Update-expected-device-name.patch
# ABI maintenance