shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-03-24 19:40:21 +09:00
Code Issues Packages Projects Releases Wiki Activity

ODROID: remove default patches

Browse Source 
Signed-off-by: Dongjin Kim <tobetter@gmail.com>
This commit is contained in:
Dongjin Kim
2019-12-21 11:23:18 +09:00
parent 6422d94162
commit 0e60be213a
97 changed files with 2 additions and 10362 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
debian/patches/bugfix/all/cpupower-bump-soname-version.patch vendored
View File

@@ -1,28 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 19 May 2019 17:17:33 +0100
Subject: cpupower: Bump soname version
Several functions in the libcpupower API were renamed or removed in
Linux 4.7, and again in 5.1. This is a backward-incompatible ABI
change, so the library soname should change from libcpupower.so.0 to
libcpupower.so.2.
Fixes: ac5a181d065d ("cpupower: Add cpuidle parts into library")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
tools/power/cpupower/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/power/cpupower/Makefile
+++ b/tools/power/cpupower/Makefile
@@ -65,8 +65,8 @@ DESTDIR ?=
# and _should_ modify the PACKAGE_BUGREPORT definition
VERSION= $(shell ./utils/version-gen.sh)
-LIB_MAJ= 0.0.1
-LIB_MIN= 0
+LIB_MAJ= 2.0.1
+LIB_MIN= 2
PACKAGE = cpupower
PACKAGE_BUGREPORT = linux-pm@vger.kernel.org

49
debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch vendored
View File

@@ -1,49 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 03 Nov 2016 15:25:26 -0600
Subject: cpupower: Fix checks for CPU existence
Forwarded: https://marc.info/?l=linux-pm&m=149248268214265
Calls to cpufreq_cpu_exists(cpu) were converted to
cpupower_is_cpu_online(cpu) when libcpupower was introduced and the
former function was deleted. However, cpupower_is_cpu_online() does
not distinguish physically absent and offline CPUs, and does not set
errno.
cpufreq-set has already been fixed (commit c25badc9ceb6).
In cpufreq-bench, which prints an error message for offline CPUs,
properly distinguish and report the zero and negative cases.
Fixes: ac5a181d065d ("cpupower: Add cpuidle parts into library")
Fixes: 53d1cd6b125f ("cpupowerutils: bench - Fix cpu online check")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[carnil: Update/Refresh patch for 4.14.17: The issue with the
incorrect check has been fixed with upstream commit 53d1cd6b125f.
Keep in the patch the distinction and report for the zero and
negative cases.]
---
--- a/tools/power/cpupower/bench/system.c
+++ b/tools/power/cpupower/bench/system.c
@@ -58,12 +58,19 @@ long long int get_time()
int set_cpufreq_governor(char *governor, unsigned int cpu)
{
+ int rc;
dprintf("set %s as cpufreq governor\n", governor);
- if (cpupower_is_cpu_online(cpu) != 1) {
- perror("cpufreq_cpu_exists");
- fprintf(stderr, "error: cpu %u does not exist\n", cpu);
+ rc = cpupower_is_cpu_online(cpu);
+ if (rc != 1) {
+ if (rc < 0)
+ fprintf(stderr, "cpupower_is_cpu_online: %s\n",
+ strerror(-rc));
+ else
+ fprintf(stderr,
+ "error: cpu %u is offline or does not exist\n",
+ cpu);
return -1;
}

93
debian/patches/bugfix/all/disable-some-marvell-phys.patch vendored
View File

@@ -1,93 +0,0 @@
From: Ian Campbell <ijc@hellion.org.uk>
Subject: phy/marvell: disable 4-port phys
Date: Wed, 20 Nov 2013 08:30:14 +0000
Bug-Debian: https://bugs.debian.org/723177
Forwarded: http://thread.gmane.org/gmane.linux.debian.devel.bugs.general/1107774/
The Marvell PHY was originally disabled because it can cause networking
failures on some systems. According to Lennert Buytenhek this is because some
of the variants added did not share the same register layout. Since the known
cases are all 4-ports disable those variants (indicated by a 4 in the
penultimate position of the model name) until they can be audited for
correctness.
[bwh: Also #if-out the init functions for these PHYs to avoid
compiler warnings]
Index: debian-kernel/drivers/net/phy/marvell.c
===================================================================
--- debian-kernel.orig/drivers/net/phy/marvell.c
+++ debian-kernel/drivers/net/phy/marvell.c
@@ -937,6 +937,7 @@ static int m88e1118_config_init(struct p
return genphy_soft_reset(phydev);
}
+#if 0
static int m88e1149_config_init(struct phy_device *phydev)
{
int err;
@@ -962,7 +963,9 @@ static int m88e1149_config_init(struct p
return genphy_soft_reset(phydev);
}
+#endif
+#if 0
static int m88e1145_config_init_rgmii(struct phy_device *phydev)
{
int err;
@@ -1037,6 +1040,7 @@ static int m88e1145_config_init(struct p
return 0;
}
+#endif
static int m88e1540_get_fld(struct phy_device *phydev, u8 *msecs)
{
@@ -2243,6 +2247,7 @@ static struct phy_driver marvell_drivers
.get_strings = marvell_get_strings,
.get_stats = marvell_get_stats,
},
+#if 0
{
.phy_id = MARVELL_PHY_ID_88E1145,
.phy_id_mask = MARVELL_PHY_ID_MASK,
@@ -2262,6 +2267,8 @@ static struct phy_driver marvell_drivers
.get_strings = marvell_get_strings,
.get_stats = marvell_get_stats,
},
+#endif
+#if 0
{
.phy_id = MARVELL_PHY_ID_88E1149R,
.phy_id_mask = MARVELL_PHY_ID_MASK,
@@ -2280,6 +2287,8 @@ static struct phy_driver marvell_drivers
.get_strings = marvell_get_strings,
.get_stats = marvell_get_stats,
},
+#endif
+#if 0
{
.phy_id = MARVELL_PHY_ID_88E1240,
.phy_id_mask = MARVELL_PHY_ID_MASK,
@@ -2298,6 +2307,7 @@ static struct phy_driver marvell_drivers
.get_strings = marvell_get_strings,
.get_stats = marvell_get_stats,
},
+#endif
{
.phy_id = MARVELL_PHY_ID_88E1116R,
.phy_id_mask = MARVELL_PHY_ID_MASK,
@@ -2432,9 +2442,9 @@ static struct mdio_device_id __maybe_unu
{ MARVELL_PHY_ID_88E1111, MARVELL_PHY_ID_MASK },
{ MARVELL_PHY_ID_88E1118, MARVELL_PHY_ID_MASK },
{ MARVELL_PHY_ID_88E1121R, MARVELL_PHY_ID_MASK },
- { MARVELL_PHY_ID_88E1145, MARVELL_PHY_ID_MASK },
- { MARVELL_PHY_ID_88E1149R, MARVELL_PHY_ID_MASK },
- { MARVELL_PHY_ID_88E1240, MARVELL_PHY_ID_MASK },
+/* { MARVELL_PHY_ID_88E1145, MARVELL_PHY_ID_MASK }, */
+/* { MARVELL_PHY_ID_88E1149R, MARVELL_PHY_ID_MASK }, */
+/* { MARVELL_PHY_ID_88E1240, MARVELL_PHY_ID_MASK }, */
{ MARVELL_PHY_ID_88E1318S, MARVELL_PHY_ID_MASK },
{ MARVELL_PHY_ID_88E1116R, MARVELL_PHY_ID_MASK },
{ MARVELL_PHY_ID_88E1510, MARVELL_PHY_ID_MASK },

2576
debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch vendored
View File

File diff suppressed because it is too large Load Diff

79
debian/patches/bugfix/all/firmware_class-log-every-success-and-failure.patch vendored
View File

@@ -1,79 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: firmware_class: Log every success and failure against given device
Date: Sun, 09 Dec 2012 16:02:00 +0000
Forwarded: no
The hundreds of users of request_firmware() have nearly as many
different log formats for reporting failures. They also have only the
vaguest hint as to what went wrong; only firmware_class really knows
that. Therefore, add specific log messages for the failure modes that
aren't currently logged.
In case of a driver that tries multiple names, this may result in the
impression that it failed to initialise. Therefore, also log successes.
This makes many error messages in drivers redundant, which will be
removed in later patches.
This does not cover the case where we fall back to a user-mode helper
(which is no longer enabled in Debian).
NOTE: hw-detect will depend on the "firmware: failed to load %s (%d)\n"
format to detect missing firmware.
---
drivers/base/firmware_loader/fallback.c | 2 +-
drivers/base/firmware_loader/main.c | 15 ++++++++-------
2 files changed, 9 insertions(+), 8 deletions(-)
--- a/drivers/base/firmware_loader/fallback.c
+++ b/drivers/base/firmware_loader/fallback.c
@@ -557,7 +557,7 @@ static int fw_load_from_user_helper(stru
if (opt_flags & FW_OPT_NOWAIT) {
timeout = usermodehelper_read_lock_wait(timeout);
if (!timeout) {
- dev_dbg(device, "firmware: %s loading timed out\n",
+ dev_err(device, "firmware: %s loading timed out\n",
name);
return -EBUSY;
}
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -496,14 +496,12 @@ fw_get_filesystem_firmware(struct device
rc = kernel_read_file_from_path(path, &buffer, &size,
msize, id);
if (rc) {
- if (rc != -ENOENT)
- dev_warn(device, "loading %s failed with error %d\n",
- path, rc);
- else
- dev_dbg(device, "loading %s failed for no such file or directory.\n",
- path);
+ dev_dbg(device, "loading %s failed with error %d\n",
+ path, rc);
continue;
}
+ dev_info(device, "firmware: direct-loading firmware %s\n",
+ fw_priv->fw_name);
if (decompress) {
dev_dbg(device, "f/w decompressing %s\n",
fw_priv->fw_name);
@@ -516,8 +514,6 @@ fw_get_filesystem_firmware(struct device
continue;
}
} else {
- dev_dbg(device, "direct-loading %s\n",
- fw_priv->fw_name);
if (!fw_priv->data)
fw_priv->data = buffer;
fw_priv->size = size;
@@ -527,6 +523,10 @@ fw_get_filesystem_firmware(struct device
}
__putname(path);
+ if (rc)
+ dev_err(device, "firmware: failed to load %s (%d)\n",
+ fw_priv->fw_name, rc);
+
return rc;
}

69
debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch vendored
View File

@@ -1,69 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 13 Apr 2016 21:48:06 +0100
Subject: fs: Add MODULE_SOFTDEP declarations for hard-coded crypto drivers
Bug-Debian: https://bugs.debian.org/819725
Forwarded: http://mid.gmane.org/20160517133631.GF7555@decadent.org.uk
This helps initramfs builders and other tools to find the full
dependencies of a module.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
---
Index: debian-kernel/fs/btrfs/super.c
===================================================================
--- debian-kernel.orig/fs/btrfs/super.c
+++ debian-kernel/fs/btrfs/super.c
@@ -2455,4 +2455,4 @@ late_initcall(init_btrfs_fs);
module_exit(exit_btrfs_fs)
MODULE_LICENSE("GPL");
-MODULE_SOFTDEP("pre: crc32c");
+MODULE_SOFTDEP("pre: crypto-crc32c");
Index: debian-kernel/fs/ext4/super.c
===================================================================
--- debian-kernel.orig/fs/ext4/super.c
+++ debian-kernel/fs/ext4/super.c
@@ -6199,6 +6199,6 @@ static void __exit ext4_exit_fs(void)
MODULE_AUTHOR("Remy Card, Stephen Tweedie, Andrew Morton, Andreas Dilger, Theodore Ts'o and others");
MODULE_DESCRIPTION("Fourth Extended Filesystem");
MODULE_LICENSE("GPL");
-MODULE_SOFTDEP("pre: crc32c");
+MODULE_SOFTDEP("pre: crypto-crc32c");
module_init(ext4_init_fs)
module_exit(ext4_exit_fs)
Index: debian-kernel/fs/f2fs/super.c
===================================================================
--- debian-kernel.orig/fs/f2fs/super.c
+++ debian-kernel/fs/f2fs/super.c
@@ -3784,4 +3784,5 @@ module_exit(exit_f2fs_fs)
MODULE_AUTHOR("Samsung Electronics's Praesto Team");
MODULE_DESCRIPTION("Flash Friendly File System");
MODULE_LICENSE("GPL");
+MODULE_SOFTDEP("pre: crypto-crc32c");
Index: debian-kernel/fs/jbd2/journal.c
===================================================================
--- debian-kernel.orig/fs/jbd2/journal.c
+++ debian-kernel/fs/jbd2/journal.c
@@ -2726,6 +2726,7 @@ static void __exit journal_exit(void)
}
MODULE_LICENSE("GPL");
+MODULE_SOFTDEP("pre: crypto-crc32c");
module_init(journal_init);
module_exit(journal_exit);
Index: debian-kernel/fs/nfsd/nfsctl.c
===================================================================
--- debian-kernel.orig/fs/nfsd/nfsctl.c
+++ debian-kernel/fs/nfsd/nfsctl.c
@@ -1574,5 +1574,8 @@ static void __exit exit_nfsd(void)
MODULE_AUTHOR("Olaf Kirch <okir@monad.swb.de>");
MODULE_LICENSE("GPL");
+#ifdef CONFIG_NFSD_V4
+MODULE_SOFTDEP("pre: crypto-md5");
+#endif
module_init(init_nfsd)
module_exit(exit_nfsd)

23
debian/patches/bugfix/all/kbuild-fix-recordmcount-dependency.patch vendored
View File

@@ -1,23 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: kbuild: Fix recordmcount dependency for OOT modules
Date: Mon, 08 Sep 2014 18:31:24 +0100
Forwarded: no
We never rebuild anything in-tree when building an out-of-tree
modules, so external modules should not depend on the recordmcount
sources.
--- a/scripts/Makefile.build
+++ b/scripts/Makefile.build
@@ -232,6 +232,11 @@ cmd_record_mcount = \
endif # CC_USING_RECORD_MCOUNT
endif # CONFIG_FTRACE_MCOUNT_RECORD
+# Don't require recordmcount source for an OOT build.
+ifdef KBUILD_EXTMOD
+recordmcount_source :=
+endif
+
ifdef CONFIG_STACK_VALIDATION
ifneq ($(SKIP_STACK_VALIDATION),1)

20
debian/patches/bugfix/all/libcpupower-hide-private-function.patch vendored
View File

@@ -1,20 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 01 Dec 2018 19:22:50 +0000
Subject: libcpupower: Hide private function
cpupower_read_sysfs() (previously known as sysfs_read_file()) is an
internal function in libcpupower and should not be exported when
libcpupower is a shared library. Change its visibility to "hidden".
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/power/cpupower/lib/cpupower.c
+++ b/tools/power/cpupower/lib/cpupower.c
@@ -15,6 +15,7 @@
#include "cpupower.h"
#include "cpupower_intern.h"
+__attribute__((visibility("hidden")))
unsigned int cpupower_read_sysfs(const char *path, char *buf, size_t buflen)
{
int fd;

23
debian/patches/bugfix/all/module-disable-matching-missing-version-crc.patch vendored
View File

@@ -1,23 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 02 Dec 2016 23:06:18 +0000
Subject: module: Disable matching missing version CRC
Forwarded: not-needed
This partly reverts commit cd3caefb4663e3811d37cc2afad3cce642d60061.
We want to fail closed if a symbol version CRC is missing, as the
alternative may allow subverting module signing.
---
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -1313,9 +1313,8 @@ static int check_version(const struct lo
goto bad_version;
}
- /* Broken toolchain. Warn once, then let it go.. */
- pr_warn_once("%s: no symbol version for %s\n", info->name, symname);
- return 1;
+ pr_warn("%s: no symbol version for %s\n", info->name, symname);
+ return 0;
bad_version:
pr_warn("%s: disagrees about version of symbol %s\n",

140
debian/patches/bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch vendored
View File

@@ -1,140 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 20 Aug 2019 18:12:35 +0100
Subject: Partially revert "net: socket: implement 64-bit timestamps"
The introduction of SIOCGSTAMP{,NS}_OLD and move of SICOGSTAMP{,NS} to
a different header has caused build failures for various user-space
programs including qemu and suricata. It also causes a test failure
for glibc.
For now, remove the _OLD suffix on the old ioctl numbers and require
programs using 64-bit timestamps to explicitly use SIOCGSTAMP{,NS}_NEW.
References: https://lore.kernel.org/lkml/af0eb47a-5b98-1bd9-3e8d-652e7f28b01f@de.ibm.com/
References: https://bugs.debian.org/934316
References: https://ci.debian.net/data/autopkgtest/testing/amd64/g/glibc/2772289/log.gz
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/alpha/include/uapi/asm/sockios.h
+++ b/arch/alpha/include/uapi/asm/sockios.h
@@ -11,7 +11,7 @@
#define SIOCSPGRP _IOW('s', 8, pid_t)
#define SIOCGPGRP _IOR('s', 9, pid_t)
-#define SIOCGSTAMP_OLD 0x8906 /* Get stamp (timeval) */
-#define SIOCGSTAMPNS_OLD 0x8907 /* Get stamp (timespec) */
+#define SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
+#define SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
#endif /* _ASM_ALPHA_SOCKIOS_H */
--- a/arch/mips/include/uapi/asm/sockios.h
+++ b/arch/mips/include/uapi/asm/sockios.h
@@ -21,7 +21,7 @@
#define SIOCSPGRP _IOW('s', 8, pid_t)
#define SIOCGPGRP _IOR('s', 9, pid_t)
-#define SIOCGSTAMP_OLD 0x8906 /* Get stamp (timeval) */
-#define SIOCGSTAMPNS_OLD 0x8907 /* Get stamp (timespec) */
+#define SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
+#define SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
#endif /* _ASM_SOCKIOS_H */
--- a/arch/sh/include/uapi/asm/sockios.h
+++ b/arch/sh/include/uapi/asm/sockios.h
@@ -10,7 +10,6 @@
#define SIOCSPGRP _IOW('s', 8, pid_t)
#define SIOCGPGRP _IOR('s', 9, pid_t)
-#define SIOCGSTAMP_OLD _IOR('s', 100, struct timeval) /* Get stamp (timeval) */
-#define SIOCGSTAMPNS_OLD _IOR('s', 101, struct timespec) /* Get stamp (timespec) */
-
+#define SIOCGSTAMP _IOR('s', 100, struct timeval) /* Get stamp (timeval) */
+#define SIOCGSTAMPNS _IOR('s', 101, struct timespec) /* Get stamp (timespec) */
#endif /* __ASM_SH_SOCKIOS_H */
--- a/arch/xtensa/include/uapi/asm/sockios.h
+++ b/arch/xtensa/include/uapi/asm/sockios.h
@@ -26,7 +26,7 @@
#define SIOCSPGRP _IOW('s', 8, pid_t)
#define SIOCGPGRP _IOR('s', 9, pid_t)
-#define SIOCGSTAMP_OLD 0x8906 /* Get stamp (timeval) */
-#define SIOCGSTAMPNS_OLD 0x8907 /* Get stamp (timespec) */
+#define SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
+#define SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
#endif /* _XTENSA_SOCKIOS_H */
--- a/include/uapi/asm-generic/sockios.h
+++ b/include/uapi/asm-generic/sockios.h
@@ -8,7 +8,7 @@
#define FIOGETOWN 0x8903
#define SIOCGPGRP 0x8904
#define SIOCATMARK 0x8905
-#define SIOCGSTAMP_OLD 0x8906 /* Get stamp (timeval) */
-#define SIOCGSTAMPNS_OLD 0x8907 /* Get stamp (timespec) */
+#define SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
+#define SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
#endif /* __ASM_GENERIC_SOCKIOS_H */
--- a/include/uapi/linux/sockios.h
+++ b/include/uapi/linux/sockios.h
@@ -19,7 +19,6 @@
#ifndef _LINUX_SOCKIOS_H
#define _LINUX_SOCKIOS_H
-#include <asm/bitsperlong.h>
#include <asm/sockios.h>
/* Linux-specific socket ioctls */
@@ -37,17 +36,6 @@
/* Get stamp (timespec) */
#define SIOCGSTAMPNS_NEW _IOR(SOCK_IOC_TYPE, 0x07, long long[2])
-#if __BITS_PER_LONG == 64 || (defined(__x86_64__) && defined(__ILP32__))
-/* on 64-bit and x32, avoid the ?: operator */
-#define SIOCGSTAMP SIOCGSTAMP_OLD
-#define SIOCGSTAMPNS SIOCGSTAMPNS_OLD
-#else
-#define SIOCGSTAMP ((sizeof(struct timeval)) == 8 ? \
- SIOCGSTAMP_OLD : SIOCGSTAMP_NEW)
-#define SIOCGSTAMPNS ((sizeof(struct timespec)) == 8 ? \
- SIOCGSTAMPNS_OLD : SIOCGSTAMPNS_NEW)
-#endif
-
/* Routing table calls. */
#define SIOCADDRT 0x890B /* add routing table entry */
#define SIOCDELRT 0x890C /* delete routing table entry */
--- a/net/socket.c
+++ b/net/socket.c
@@ -1170,14 +1170,14 @@ static long sock_ioctl(struct file *file
err = open_related_ns(&net->ns, get_net_ns);
break;
- case SIOCGSTAMP_OLD:
- case SIOCGSTAMPNS_OLD:
+ case SIOCGSTAMP:
+ case SIOCGSTAMPNS:
if (!sock->ops->gettstamp) {
err = -ENOIOCTLCMD;
break;
}
err = sock->ops->gettstamp(sock, argp,
- cmd == SIOCGSTAMP_OLD,
+ cmd == SIOCGSTAMP,
!IS_ENABLED(CONFIG_64BIT));
break;
case SIOCGSTAMP_NEW:
@@ -3341,11 +3341,11 @@ static int compat_sock_ioctl_trans(struc
case SIOCADDRT:
case SIOCDELRT:
return routing_ioctl(net, sock, cmd, argp);
- case SIOCGSTAMP_OLD:
- case SIOCGSTAMPNS_OLD:
+ case SIOCGSTAMP:
+ case SIOCGSTAMPNS:
if (!sock->ops->gettstamp)
return -ENOIOCTLCMD;
- return sock->ops->gettstamp(sock, argp, cmd == SIOCGSTAMP_OLD,
+ return sock->ops->gettstamp(sock, argp, cmd == SIOCGSTAMP,
!COMPAT_USE_64BIT_TIME);
case SIOCBONDSLAVEINFOQUERY:

30
debian/patches/bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch vendored
View File

@@ -1,30 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 11 Jan 2017 04:30:40 +0000
Subject: Partially revert "usb: Kconfig: using select for USB_COMMON dependency"
Forwarded: https://marc.info/?l=linux-usb&m=149248300414300
This reverts commit cb9c1cfc86926d0e86d19c8e34f6c23458cd3478 for
USB_LED_TRIG. This config symbol has bool type and enables extra code
in usb_common itself, not a separate driver. Enabling it should not
force usb_common to be built-in!
Fixes: cb9c1cfc8692 ("usb: Kconfig: using select for USB_COMMON dependency")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/common/Kconfig | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/usb/common/Kconfig b/drivers/usb/common/Kconfig
index d611477aae41..196f4a397587 100644
--- a/drivers/usb/common/Kconfig
+++ b/drivers/usb/common/Kconfig
@@ -6,8 +6,7 @@ config USB_COMMON
config USB_LED_TRIG
bool "USB LED Triggers"
- depends on LEDS_CLASS && LEDS_TRIGGERS
- select USB_COMMON
+ depends on LEDS_CLASS && USB_COMMON && LEDS_TRIGGERS
help
This option adds LED triggers for USB host and/or gadget activity.

139
debian/patches/bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch vendored
View File

@@ -1,139 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: radeon, amdgpu: Firmware is required for DRM and KMS on R600 onward
Date: Tue, 08 Jan 2013 03:25:52 +0000
Bug-Debian: https://bugs.debian.org/607194
Bug-Debian: https://bugs.debian.org/607471
Bug-Debian: https://bugs.debian.org/610851
Bug-Debian: https://bugs.debian.org/627497
Bug-Debian: https://bugs.debian.org/632212
Bug-Debian: https://bugs.debian.org/637943
Bug-Debian: https://bugs.debian.org/649448
Bug-Debian: https://bugs.debian.org/697229
Forwarded: no
radeon requires firmware/microcode for the GPU in all chips, but for
newer chips (apparently R600 'Evergreen' onward) it also expects
firmware for the memory controller and other sub-blocks.
radeon attempts to gracefully fall back and disable some features if
the firmware is not available, but becomes unstable - the framebuffer
and/or system memory may be corrupted, or the display may stay black.
Therefore, perform a basic check for the existence of
/lib/firmware/{radeon,amdgpu} when a device is probed, and abort if it
is missing, except for the pre-R600 case.
---
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 29 ++++++++++++++++++++++++
drivers/gpu/drm/radeon/radeon_drv.c | 30 +++++++++++++++++++++++++
2 files changed, 59 insertions(+)
Index: debian-kernel/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
===================================================================
--- debian-kernel.orig/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ debian-kernel/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
@@ -36,6 +36,8 @@
#include <linux/vga_switcheroo.h>
#include <drm/drm_probe_helper.h>
#include <linux/mmu_notifier.h>
+#include <linux/namei.h>
+#include <linux/path.h>
#include "amdgpu.h"
#include "amdgpu_irq.h"
@@ -1030,6 +1032,28 @@ MODULE_DEVICE_TABLE(pci, pciidlist);
static struct drm_driver kms_driver;
+/* Test that /lib/firmware/amdgpu is a directory (or symlink to a
+ * directory). We could try to match the udev search path, but let's
+ * keep it simple.
+ */
+static bool amdgpu_firmware_installed(void)
+{
+#if IS_BUILTIN(CONFIG_DRM_AMDGPU)
+ /* It may be too early to tell. Assume it's there. */
+ return true;
+#else
+ struct path path;
+
+ if (kern_path("/lib/firmware/amdgpu", LOOKUP_DIRECTORY | LOOKUP_FOLLOW,
+ &path) == 0) {
+ path_put(&path);
+ return true;
+ }
+
+ return false;
+#endif
+}
+
static int amdgpu_pci_probe(struct pci_dev *pdev,
const struct pci_device_id *ent)
{
@@ -1083,6 +1107,11 @@ static int amdgpu_pci_probe(struct pci_d
}
#endif
+ if (!amdgpu_firmware_installed()) {
+ DRM_ERROR("amdgpu requires firmware installed\n");
+ return -ENODEV;
+ }
+
/* Get rid of things like offb */
ret = drm_fb_helper_remove_conflicting_pci_framebuffers(pdev, 0, "amdgpudrmfb");
if (ret)
Index: debian-kernel/drivers/gpu/drm/radeon/radeon_drv.c
===================================================================
--- debian-kernel.orig/drivers/gpu/drm/radeon/radeon_drv.c
+++ debian-kernel/drivers/gpu/drm/radeon/radeon_drv.c
@@ -48,6 +48,8 @@
#include <drm/drm_probe_helper.h>
#include <drm/drm_vblank.h>
#include <drm/radeon_drm.h>
+#include <linux/namei.h>
+#include <linux/path.h>
#include "radeon_drv.h"
@@ -321,6 +323,28 @@ static struct drm_driver kms_driver;
bool radeon_device_is_virtual(void);
+/* Test that /lib/firmware/radeon is a directory (or symlink to a
+ * directory). We could try to match the udev search path, but let's
+ * keep it simple.
+ */
+static bool radeon_firmware_installed(void)
+{
+#if IS_BUILTIN(CONFIG_DRM_RADEON)
+ /* It may be too early to tell. Assume it's there. */
+ return true;
+#else
+ struct path path;
+
+ if (kern_path("/lib/firmware/radeon", LOOKUP_DIRECTORY | LOOKUP_FOLLOW,
+ &path) == 0) {
+ path_put(&path);
+ return true;
+ }
+
+ return false;
+#endif
+}
+
static int radeon_pci_probe(struct pci_dev *pdev,
const struct pci_device_id *ent)
{
@@ -360,6 +384,12 @@ static int radeon_pci_probe(struct pci_d
if (vga_switcheroo_client_probe_defer(pdev))
return -EPROBE_DEFER;
+ if ((ent->driver_data & RADEON_FAMILY_MASK) >= CHIP_R600 &&
+ !radeon_firmware_installed()) {
+ DRM_ERROR("radeon kernel modesetting for R600 or later requires firmware installed\n");
+ return -ENODEV;
+ }
+
/* Get rid of things like offb */
ret = drm_fb_helper_remove_conflicting_pci_framebuffers(pdev, 0, "radeondrmfb");
if (ret)

27
debian/patches/bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch vendored
View File

@@ -1,27 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 21 Feb 2016 15:33:15 +0000
Subject: tools/build: Remove bpf() run-time check at build time
Forwarded: no
It is not correct to test that a syscall works on the build system's
kernel. We might be building on an earlier kernel version or with
security restrictions that block bpf().
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/build/feature/test-bpf.c
+++ b/tools/build/feature/test-bpf.c
@@ -35,8 +35,10 @@ int main(void)
attr.prog_flags = 0;
/*
- * Test existence of __NR_bpf and BPF_PROG_LOAD.
- * This call should fail if we run the testcase.
+ * bwh: Don't use the bpf() syscall as we might be building on a
+ * much older kernel. Do "use" the attr structure here to avoid
+ * a "set but not used" warning.
*/
- return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
+ (void)&attr;
+ return 0;
}

39
debian/patches/bugfix/all/tools-lib-api-fs-fs.c-fix-misuse-of-strncpy.patch vendored
View File

@@ -1,39 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 19 Jul 2018 23:36:52 +0100
Subject: tools/lib/api/fs/fs.c: Fix misuse of strncpy()
Bug-Debian: https://bugs.debian.org/897802
Forwarded: https://lore.kernel.org/lkml/20180721021026.GQ14131@decadent.org.uk/T/
gcc 8 reports:
In function 'fs__env_override',
inlined from 'fs__get_mountpoint' at fs/fs.c:228:6:
fs/fs.c:222:2: error: 'strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]
strncpy(fs->path, override_path, sizeof(fs->path));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I'm not convinced it makes sense to truncate the copied string here,
but since we're already doing so let's ensure it's still null-
terminated. Use strlcpy() instead.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/lib/api/fs/fs.c
+++ b/tools/lib/api/fs/fs.c
@@ -12,6 +12,7 @@
#include <fcntl.h>
#include <unistd.h>
#include <sys/mount.h>
+#include <linux/string.h>
#include "fs.h"
#include "debug-internal.h"
@@ -219,7 +220,7 @@ static bool fs__env_override(struct fs *
return false;
fs->found = true;
- strncpy(fs->path, override_path, sizeof(fs->path));
+ strlcpy(fs->path, override_path, sizeof(fs->path));
return true;
}

44
debian/patches/bugfix/all/tools-perf-man-date.patch vendored
View File

@@ -1,44 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 13 Jul 2015 20:29:20 +0100
Subject: perf tools: Use $KBUILD_BUILD_TIMESTAMP as man page date
Forwarded: http://mid.gmane.org/20160517132809.GE7555@decadent.org.uk
This allows man pages to be built reproducibly.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
tools/perf/Documentation/Makefile | 3 +++
tools/perf/Documentation/asciidoc.conf | 3 +++
2 files changed, 6 insertions(+)
diff --git a/tools/perf/Documentation/Makefile b/tools/perf/Documentation/Makefile
index adc5a7e44b98..2161b2e838b7 100644
--- a/tools/perf/Documentation/Makefile
+++ b/tools/perf/Documentation/Makefile
@@ -132,6 +132,9 @@ endif
ifdef DOCBOOK_SUPPRESS_SP
XMLTO_EXTRA += -m manpage-suppress-sp.xsl
endif
+ifdef KBUILD_BUILD_TIMESTAMP
+ASCIIDOC_EXTRA += -a revdate=$(shell date -u -d '$(KBUILD_BUILD_TIMESTAMP)' +%Y-%m-%d)
+endif
SHELL_PATH ?= $(SHELL)
# Shell quote;
diff --git a/tools/perf/Documentation/asciidoc.conf b/tools/perf/Documentation/asciidoc.conf
index 2b62ba1e72b7..82d3060177ba 100644
--- a/tools/perf/Documentation/asciidoc.conf
+++ b/tools/perf/Documentation/asciidoc.conf
@@ -71,6 +71,9 @@ ifdef::backend-docbook[]
[header]
template::[header-declarations]
<refentry>
+<refentryinfo>
+template::[docinfo]
+</refentryinfo>
ifdef::perf_date[]
<refentryinfo><date>{perf_date}</date></refentryinfo>
endif::perf_date[]
--
2.23.0

165
debian/patches/bugfix/all/tools-perf-pmu-events-fix-reproducibility.patch vendored
View File

@@ -1,165 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 25 Aug 2019 13:49:41 +0100
Subject: tools/perf: pmu-events: Fix reproducibility
Forwarded: https://lore.kernel.org/lkml/20190825131329.naqzd5kwg7mw5d3f@decadent.org.uk/T/#u
jevents.c uses nftw() to enumerate files and outputs the corresponding
C structs in the order they are found. This makes it sensitive to
directory ordering, so that the perf executable is not reproducible.
To avoid this, store all the files and directories found and then sort
them by their (relative) path. (This maintains the parent-first
ordering that nftw() promises.) Then apply the existing callbacks to
them in the sorted order.
Don't both storing the stat buffers as we don't need them.
References: https://tests.reproducible-builds.org/debian/dbdtxt/bullseye/i386/linux_4.19.37-6.diffoscope.txt.gz
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/perf/pmu-events/jevents.c
+++ b/tools/perf/pmu-events/jevents.c
@@ -50,6 +50,12 @@
#include "json.h"
#include "jevents.h"
+struct found_file {
+ const char *fpath;
+ int typeflag;
+ struct FTW ftwbuf;
+};
+
int verbose;
char *prog;
@@ -865,6 +871,44 @@ static int get_maxfds(void)
* nftw() doesn't let us pass an argument to the processing function,
* so use a global variables.
*/
+static struct found_file *found_files;
+static size_t n_found_files;
+static size_t max_found_files;
+
+static int add_one_file(const char *fpath, const struct stat *sb,
+ int typeflag, struct FTW *ftwbuf)
+{
+ struct found_file *file;
+
+ if (ftwbuf->level == 0 || ftwbuf->level > 3)
+ return 0;
+
+ /* Grow array if necessary */
+ if (n_found_files >= max_found_files) {
+ if (max_found_files == 0)
+ max_found_files = 16;
+ else
+ max_found_files *= 2;
+ found_files = realloc(found_files,
+ max_found_files * sizeof(*found_files));
+ }
+
+ file = &found_files[n_found_files++];
+ file->fpath = strdup(fpath);
+ file->typeflag = typeflag;
+ file->ftwbuf = *ftwbuf;
+
+ return 0;
+}
+
+static int compare_files(const void *left, const void *right)
+{
+ const struct found_file *left_file = left;
+ const struct found_file *right_file = right;
+
+ return strcmp(left_file->fpath, right_file->fpath);
+}
+
static FILE *eventsfp;
static char *mapfile;
@@ -919,19 +963,19 @@ static int is_json_file(const char *name
return 0;
}
-static int preprocess_arch_std_files(const char *fpath, const struct stat *sb,
+static int preprocess_arch_std_files(const char *fpath,
int typeflag, struct FTW *ftwbuf)
{
int level = ftwbuf->level;
int is_file = typeflag == FTW_F;
if (level == 1 && is_file && is_json_file(fpath))
- return json_events(fpath, save_arch_std_events, (void *)sb);
+ return json_events(fpath, save_arch_std_events, NULL);
return 0;
}
-static int process_one_file(const char *fpath, const struct stat *sb,
+static int process_one_file(const char *fpath,
int typeflag, struct FTW *ftwbuf)
{
char *tblname, *bname;
@@ -956,9 +1000,9 @@ static int process_one_file(const char *
} else
bname = (char *) fpath + ftwbuf->base;
- pr_debug("%s %d %7jd %-20s %s\n",
+ pr_debug("%s %d %-20s %s\n",
is_file ? "f" : is_dir ? "d" : "x",
- level, sb->st_size, bname, fpath);
+ level, bname, fpath);
/* base dir or too deep */
if (level == 0 || level > 3)
@@ -1070,6 +1114,7 @@ int main(int argc, char *argv[])
const char *output_file;
const char *start_dirname;
struct stat stbuf;
+ size_t i;
prog = basename(argv[0]);
if (argc < 4) {
@@ -1113,8 +1158,26 @@ int main(int argc, char *argv[])
*/
maxfds = get_maxfds();
+ rc = nftw(ldirname, add_one_file, maxfds, 0);
+ if (rc < 0) {
+ /* Make build fail */
+ free_arch_std_events();
+ return 1;
+ } else if (rc) {
+ goto empty_map;
+ }
+
+ /* Sort file names to ensure reproduciblity */
+ qsort(found_files, n_found_files, sizeof(*found_files), compare_files);
+
mapfile = NULL;
- rc = nftw(ldirname, preprocess_arch_std_files, maxfds, 0);
+ for (i = 0; i < n_found_files; i++) {
+ rc = preprocess_arch_std_files(found_files[i].fpath,
+ found_files[i].typeflag,
+ &found_files[i].ftwbuf);
+ if (rc)
+ break;
+ }
if (rc && verbose) {
pr_info("%s: Error preprocessing arch standard files %s\n",
prog, ldirname);
@@ -1127,7 +1190,13 @@ int main(int argc, char *argv[])
goto empty_map;
}
- rc = nftw(ldirname, process_one_file, maxfds, 0);
+ for (i = 0; i < n_found_files; i++) {
+ rc = process_one_file(found_files[i].fpath,
+ found_files[i].typeflag,
+ &found_files[i].ftwbuf);
+ if (rc)
+ break;
+ }
if (rc && verbose) {
pr_info("%s: Error walking file tree %s\n", prog, ldirname);
goto empty_map;

39
debian/patches/bugfix/all/tools-perf-remove-shebangs.patch vendored
View File

@@ -1,39 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 25 Sep 2015 20:09:23 +0100
Subject: tools/perf: Remove shebang lines from perf scripts
Forwarded: no
perf scripts need to be invoked through perf, not directly through
perl (or other language interpreter). So including shebang lines in
them is useless and possibly misleading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/perf/scripts/perl/rw-by-file.pl
+++ b/tools/perf/scripts/perl/rw-by-file.pl
@@ -1,4 +1,3 @@
-#!/usr/bin/perl -w
# SPDX-License-Identifier: GPL-2.0-only
# (c) 2009, Tom Zanussi <tzanussi@gmail.com>
--- a/tools/perf/scripts/perl/rw-by-pid.pl
+++ b/tools/perf/scripts/perl/rw-by-pid.pl
@@ -1,4 +1,3 @@
-#!/usr/bin/perl -w
# SPDX-License-Identifier: GPL-2.0-only
# (c) 2009, Tom Zanussi <tzanussi@gmail.com>
--- a/tools/perf/scripts/perl/rwtop.pl
+++ b/tools/perf/scripts/perl/rwtop.pl
@@ -1,4 +1,3 @@
-#!/usr/bin/perl -w
# SPDX-License-Identifier: GPL-2.0-only
# (c) 2010, Tom Zanussi <tzanussi@gmail.com>
--- a/tools/perf/scripts/perl/wakeup-latency.pl
+++ b/tools/perf/scripts/perl/wakeup-latency.pl
@@ -1,4 +1,3 @@
-#!/usr/bin/perl -w
# SPDX-License-Identifier: GPL-2.0-only
# (c) 2009, Tom Zanussi <tzanussi@gmail.com>

29
debian/patches/bugfix/all/usbip-document-tcp-wrappers.patch vendored
View File

@@ -1,29 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 24 Jun 2012 02:51:39 +0100
Subject: usbip: Document TCP wrappers
Forwarded: no
Add references to TCP wrappers configuration in the manual page.
--- a/tools/usb/usbip/doc/usbipd.8
+++ b/tools/usb/usbip/doc/usbipd.8
@@ -14,7 +14,8 @@ Devices have to explicitly be exported u
before usbipd makes them available to other hosts.
The daemon accepts connections from USB/IP clients
-on TCP port 3240 by default.
+on TCP port 3240 by default. The clients authorised to connect may be
+configured as documented in hosts_access(5).
.SH OPTIONS
.HP
@@ -69,7 +70,8 @@ Show version.
.B usbipd
offers no authentication or authorization for USB/IP. Any
-USB/IP client can connect and use exported devices.
+USB/IP client running on an authorised host can connect and
+use exported devices.
.SH EXAMPLES

72
debian/patches/bugfix/all/usbip-fix-misuse-of-strncpy.patch vendored
View File

@@ -1,72 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 20 Jul 2018 01:30:24 +0100
Subject: usbip: Fix misuse of strncpy()
Bug-Debian: https://bugs.debian.org/897802
Forwarded: https://marc.info/?l=linux-usb&m=153213915806258
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
gcc 8 reports:
usbip_device_driver.c: In function read_usb_vudc_device:
usbip_device_driver.c:106:2: error: strncpy specified bound 256 equals destination size [-Werror=stringop-truncation]
strncpy(dev->path, path, SYSFS_PATH_MAX);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
usbip_device_driver.c:125:2: error: strncpy specified bound 32 equals destination size [-Werror=stringop-truncation]
strncpy(dev->busid, name, SYSFS_BUS_ID_SIZE);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I'm not convinced it makes sense to truncate the copied strings here,
but since we're already doing so let's ensure they're still null-
terminated. We can't easily use strlcpy() here, so use snprintf().
usbip_common.c has the same problem.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
tools/usb/usbip/libsrc/usbip_common.c | 4 ++--
tools/usb/usbip/libsrc/usbip_device_driver.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c
index b8d7d480595a..02aae7cccb2d 100644
--- a/tools/usb/usbip/libsrc/usbip_common.c
+++ b/tools/usb/usbip/libsrc/usbip_common.c
@@ -226,9 +226,9 @@ int read_usb_device(struct udev_device *sdev, struct usbip_usb_device *udev)
path = udev_device_get_syspath(sdev);
name = udev_device_get_sysname(sdev);
- strncpy(udev->path, path, SYSFS_PATH_MAX - 1);
+ snprintf(udev->path, SYSFS_PATH_MAX - 1, "%s", path);
udev->path[SYSFS_PATH_MAX - 1] = '\0';
- strncpy(udev->busid, name, SYSFS_BUS_ID_SIZE - 1);
+ snprintf(udev->busid, SYSFS_BUS_ID_SIZE - 1, "%s", name);
udev->busid[SYSFS_BUS_ID_SIZE - 1] = '\0';
sscanf(name, "%u-%u", &busnum, &devnum);
diff --git a/tools/usb/usbip/libsrc/usbip_device_driver.c b/tools/usb/usbip/libsrc/usbip_device_driver.c
index 051d7d3f443b..1487770603a8 100644
--- a/tools/usb/usbip/libsrc/usbip_device_driver.c
+++ b/tools/usb/usbip/libsrc/usbip_device_driver.c
@@ -91,7 +91,7 @@ int read_usb_vudc_device(struct udev_device *sdev, struct usbip_usb_device *dev)
copy_descr_attr16(dev, &descr, idProduct);
copy_descr_attr16(dev, &descr, bcdDevice);
- strncpy(dev->path, path, SYSFS_PATH_MAX - 1);
+ snprintf(dev->path, SYSFS_PATH_MAX - 1, "%s", path);
dev->path[SYSFS_PATH_MAX - 1] = '\0';
dev->speed = USB_SPEED_UNKNOWN;
@@ -111,7 +111,7 @@ int read_usb_vudc_device(struct udev_device *sdev, struct usbip_usb_device *dev)
dev->busnum = 0;
name = udev_device_get_sysname(plat);
- strncpy(dev->busid, name, SYSFS_BUS_ID_SIZE - 1);
+ snprintf(dev->busid, SYSFS_BUS_ID_SIZE - 1, "%s", name);
dev->busid[SYSFS_BUS_ID_SIZE - 1] = '\0';
return 0;
err:
--
2.23.0

79
debian/patches/bugfix/all/usbip-network-fix-unaligned-member-access.patch vendored
View File

@@ -1,79 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 18 Aug 2019 16:15:26 +0100
Subject: usbip: network: Fix unaligned member access
Bug-Debian: https://bugs.debian.org/925766
gcc 9 warns:
usbip_network.c: In function usbip_net_pack_usb_device:
usbip_network.c:79:32: error: taking address of packed member of struct usbip_usb_device may result in an unaligned pointer value [-Werror=address-of-packed-member]
79 | usbip_net_pack_uint32_t(pack, &udev->busnum);
| ^~~~~~~~~~~~~
and similarly for other calls to usbip_net_pack_uint{16,32}_t().
These fields are unaligned because they are declared as part of a
packed structure. Functions operating on the structure will use the
appropriate accessors for unaligned data if necessary, but there
doesn't seem to be a way to declare functions as taking a pointer
to a unaligned scalar.
Instead, change these functions to take a pointer of type void * and
to memcpy() the unaligned value in and out of a local variable.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/usb/usbip/src/usbip_network.c
+++ b/tools/usb/usbip/src/usbip_network.c
@@ -50,28 +50,30 @@ void usbip_setup_port_number(char *arg)
info("using port %d (\"%s\")", usbip_port, usbip_port_string);
}
-void usbip_net_pack_uint32_t(int pack, uint32_t *num)
+void usbip_net_pack_uint32_t(int pack, void *num)
{
uint32_t i;
+ memcpy(&i, num, sizeof(i));
if (pack)
- i = htonl(*num);
+ i = htonl(i);
else
- i = ntohl(*num);
+ i = ntohl(i);
- *num = i;
+ memcpy(num, &i, sizeof(i));
}
-void usbip_net_pack_uint16_t(int pack, uint16_t *num)
+void usbip_net_pack_uint16_t(int pack, void *num)
{
uint16_t i;
+ memcpy(&i, num, sizeof(i));
if (pack)
- i = htons(*num);
+ i = htons(i);
else
- i = ntohs(*num);
+ i = ntohs(i);
- *num = i;
+ memcpy(num, &i, sizeof(i));
}
void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev)
--- a/tools/usb/usbip/src/usbip_network.h
+++ b/tools/usb/usbip/src/usbip_network.h
@@ -166,8 +166,8 @@ struct op_devlist_reply_extra {
usbip_net_pack_uint32_t(pack, &(reply)->ndev);\
} while (0)
-void usbip_net_pack_uint32_t(int pack, uint32_t *num);
-void usbip_net_pack_uint16_t(int pack, uint16_t *num);
+void usbip_net_pack_uint32_t(int pack, void *num);
+void usbip_net_pack_uint16_t(int pack, void *num);
void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev);
void usbip_net_pack_usb_interface(int pack, struct usbip_usb_interface *uinf);

37
debian/patches/bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch vendored
View File

@@ -1,37 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 17 Feb 2017 01:30:30 +0000
Subject: ARM: dts: kirkwood: Fix SATA pinmux-ing for TS419
Forwarded: https://www.spinics.net/lists/arm-kernel/msg563610.html
Bug-Debian: https://bugs.debian.org/855017
The old board code for the TS419 assigns MPP pins 15 and 16 as SATA
activity signals (and none as SATA presence signals). Currently the
device tree assigns the SoC's default pinmux groups for SATA, which
conflict with the second Ethernet port.
Reported-by: gmbh@gazeta.pl
Tested-by: gmbh@gazeta.pl
References: https://bugs.debian.org/855017
Cc: stable@vger.kernel.org # 3.15+
Fixes: 934b524b3f49 ("ARM: Kirkwood: Add DT description of QNAP 419")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/boot/dts/kirkwood-ts419.dtsi | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/arch/arm/boot/dts/kirkwood-ts419.dtsi b/arch/arm/boot/dts/kirkwood-ts419.dtsi
index 02bd53762705..532506cb0f4a 100644
--- a/arch/arm/boot/dts/kirkwood-ts419.dtsi
+++ b/arch/arm/boot/dts/kirkwood-ts419.dtsi
@@ -73,3 +73,11 @@
phy-handle = <&ethphy1>;
};
};
+
+&pmx_sata0 {
+ marvell,pins = "mpp15";
+};
+
+&pmx_sata1 {
+ marvell,pins = "mpp16";
+};

31
debian/patches/bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch vendored
View File

@@ -1,31 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 11 Jul 2018 23:40:55 +0100
Subject: ARM: mm: Export __sync_icache_dcache() for xen-privcmd
Forwarded: https://marc.info/?l=linux-arm-kernel&m=153134944429241
The xen-privcmd driver, which can be modular, calls set_pte_at()
which in turn may call __sync_icache_dcache().
The call to __sync_icache_dcache() may be optimised out because it is
conditional on !pte_special(), and xen-privcmd calls pte_mkspecial().
However, in a non-LPAE configuration there is no "special" bit and the
call is really unconditional.
Fixes: 3ad0876554ca ("xen/privcmd: add IOCTL_PRIVCMD_MMAP_RESOURCE")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/mm/flush.c | 1 +
1 file changed, 1 insertion(+)
Index: debian-kernel/arch/arm/mm/flush.c
===================================================================
--- debian-kernel.orig/arch/arm/mm/flush.c
+++ debian-kernel/arch/arm/mm/flush.c
@@ -292,6 +292,7 @@ void __sync_icache_dcache(pte_t pteval)
if (pte_exec(pteval))
__flush_icache_all();
}
+EXPORT_SYMBOL_GPL(__sync_icache_dcache);
#endif
/*

90
debian/patches/bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch vendored
View File

@@ -1,90 +0,0 @@
From: Geoff Levand <geoff@infradead.org>
Date: Wed, 13 Jun 2018 10:56:08 -0700
Subject: arm64/acpi: Add fixup for HPE m400 quirks
Forwarded: https://patchwork.codeaurora.org/patch/547277/
Adds a new ACPI init routine acpi_fixup_m400_quirks that adds
a work-around for HPE ProLiant m400 APEI firmware problems.
The work-around disables APEI when CONFIG_ACPI_APEI is set and
m400 firmware is detected. Without this fixup m400 systems
experience errors like these on startup:
[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 2
[Hardware Error]: event severity: fatal
[Hardware Error]: Error 0, type: fatal
[Hardware Error]: section_type: memory error
[Hardware Error]: error_status: 0x0000000000001300
[Hardware Error]: error_type: 10, invalid address
Kernel panic - not syncing: Fatal hardware error!
Signed-off-by: Geoff Levand <geoff@infradead.org>
[bwh: Adjust context to apply to Linux 4.19]
---
arch/arm64/kernel/acpi.c | 40 ++++++++++++++++++++++++++++++++++++----
1 file changed, 36 insertions(+), 4 deletions(-)
--- a/arch/arm64/kernel/acpi.c
+++ b/arch/arm64/kernel/acpi.c
@@ -33,6 +33,8 @@
#include <asm/pgtable.h>
#include <asm/smp_plat.h>
+#include <acpi/apei.h>
+
int acpi_noirq = 1; /* skip ACPI IRQ initialization */
int acpi_disabled = 1;
EXPORT_SYMBOL(acpi_disabled);
@@ -175,6 +177,33 @@ out:
}
/*
+ * acpi_fixup_m400_quirks - Work-around for HPE ProLiant m400 APEI firmware
+ * problems.
+ */
+static void __init acpi_fixup_m400_quirks(void)
+{
+ acpi_status status;
+ struct acpi_table_header *header;
+#if !defined(CONFIG_ACPI_APEI)
+ int hest_disable = HEST_DISABLED;
+#endif
+
+ if (!IS_ENABLED(CONFIG_ACPI_APEI) || hest_disable != HEST_ENABLED)
+ return;
+
+ status = acpi_get_table(ACPI_SIG_HEST, 0, &header);
+
+ if (ACPI_SUCCESS(status) && !strncmp(header->oem_id, "HPE ", 6) &&
+ !strncmp(header->oem_table_id, "ProLiant", 8) &&
+ MIDR_IMPLEMENTOR(read_cpuid_id()) == ARM_CPU_IMP_APM) {
+ hest_disable = HEST_DISABLED;
+ pr_info("Disabled APEI for m400.\n");
+ }
+
+ acpi_put_table(header);
+}
+
+/*
* acpi_boot_table_init() called from setup_arch(), always.
* 1. find RSDP and get its address, and then find XSDT
* 2. extract all tables and checksums them all
@@ -229,11 +258,14 @@ done:
if (acpi_disabled) {
if (earlycon_acpi_spcr_enable)
early_init_dt_scan_chosen_stdout();
- } else {
- acpi_parse_spcr(earlycon_acpi_spcr_enable, true);
- if (IS_ENABLED(CONFIG_ACPI_BGRT))
- acpi_table_parse(ACPI_SIG_BGRT, acpi_parse_bgrt);
+ return;
}
+
+ acpi_parse_spcr(earlycon_acpi_spcr_enable, true);
+ if (IS_ENABLED(CONFIG_ACPI_BGRT))
+ acpi_table_parse(ACPI_SIG_BGRT, acpi_parse_bgrt);
+
+ acpi_fixup_m400_quirks();
}
pgprot_t __acpi_get_mem_attribute(phys_addr_t addr)

45
debian/patches/bugfix/arm64/dts-rockchip-correct-voltage-selector-firefly-RK3399.patch vendored
View File

@@ -1,45 +0,0 @@
From: Heinrich Schuchardt <xypron.glpk@gmx.de>
Date: Mon, 4 Jun 2018 19:15:23 +0200
Subject: arm64: dts: rockchip: correct voltage selector on Firefly-RK3399
Bug-Debian: https://bugs.debian.org/900799
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip.git/patch/?id=710e8c4a54be82ee8a97324e7b4330bf191e08bf
Without this patch the Firefly-RK3399 board boot process hangs after these
lines:
fan53555-regulator 0-0040: FAN53555 Option[8] Rev[1] Detected!
fan53555-reg: supplied by vcc_sys
vcc1v8_s3: supplied by vcc_1v8
Blacklisting driver fan53555 allows booting.
The device tree uses a value of fcs,suspend-voltage-selector different to
any other board.
Changing this setting to the usual value is sufficient to enable booting
and also matches the value used in the vendor kernel.
Fixes: 171582e00db1 ("arm64: dts: rockchip: add support for firefly-rk3399 board")
Cc: stable@vger.kernel.org
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
---
arch/arm64/boot/dts/rockchip/rk3399-firefly.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3399-firefly.dts b/arch/arm64/boot/dts/rockchip/rk3399-firefly.dts
index 86ff1eb..d8a2f0b 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399-firefly.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3399-firefly.dts
@@ -421,7 +421,7 @@
vdd_cpu_b: regulator@40 {
compatible = "silergy,syr827";
reg = <0x40>;
- fcs,suspend-voltage-selector = <0>;
+ fcs,suspend-voltage-selector = <1>;
regulator-name = "vdd_cpu_b";
regulator-min-microvolt = <712500>;
regulator-max-microvolt = <1500000>;
--
cgit v1.1

39
debian/patches/bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch vendored
View File

@@ -1,39 +0,0 @@
From: Krzysztof Kozlowski <krzk@kernel.org>
Date: Wed, 29 Aug 2018 09:32:23 +0200
Subject: powerpc/boot: Fix missing crc32poly.h when building with KERNEL_XZ
Origin: https://patchwork.ozlabs.org/patch/963258/
After commit faa16bc404d7 ("lib: Use existing define with
polynomial") the lib/xz/xz_crc32.c includes a header from include/linux
directory thus any other user of this code should define proper include
path.
This fixes the build error on powerpc with CONFIG_KERNEL_XZ:
In file included from ../arch/powerpc/boot/../../../lib/decompress_unxz.c:233:0,
from ../arch/powerpc/boot/decompress.c:42:
../arch/powerpc/boot/../../../lib/xz/xz_crc32.c:18:29: fatal error: linux/crc32poly.h: No such file or directory
Reported-by: Michal Kubecek <mkubecek@suse.cz>
Fixes: faa16bc404d7 ("lib: Use existing define with polynomial")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Meelis Roos <mroos@linux.ee>
Tested-by: Michal Kubecek <mkubecek@suse.cz>
---
arch/powerpc/boot/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile
index 0fb96c26136f..ba4182fb185d 100644
--- a/arch/powerpc/boot/Makefile
+++ b/arch/powerpc/boot/Makefile
@@ -63,7 +63,7 @@ ifeq ($(call cc-option-yn, -fstack-protector),y)
BOOTCFLAGS += -fno-stack-protector
endif
-BOOTCFLAGS += -I$(objtree)/$(obj) -I$(srctree)/$(obj)
+BOOTCFLAGS += -I$(objtree)/$(obj) -I$(srctree)/$(obj) -I$(srctree)/include
DTC_FLAGS ?= -p 1024

46
debian/patches/bugfix/ppc64el/libbpf-fix-readelf-output-parsing-on-powerpc-with-re.patch vendored
View File

@@ -1,46 +0,0 @@
From: Aurelien Jarno <aurelien@aurel32.net>
Date: Sun, 1 Dec 2019 20:35:55 +0100
Subject: libbpf: fix readelf output parsing on powerpc with recent binutils
Origin: https://lore.kernel.org/patchwork/patch/1161149/
On powerpc with recent versions of binutils, readelf outputs an extra
field when dumping the symbols of an object file. For example:
35: 0000000000000838 96 FUNC LOCAL DEFAULT [<localentry>: 8] 1 btf_is_struct
The extra "[<localentry>: 8]" prevents the GLOBAL_SYM_COUNT variable to
be computed correctly and causes the checkabi target to fail.
Fix that by looking for the symbol name in the last field instead of the
8th one. This way it should also cope with future extra fields.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
---
tools/lib/bpf/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/lib/bpf/Makefile b/tools/lib/bpf/Makefile
index 99425d0be6ff..333900cf3f4f 100644
--- a/tools/lib/bpf/Makefile
+++ b/tools/lib/bpf/Makefile
@@ -147,7 +147,7 @@ TAGS_PROG := $(if $(shell which etags 2>/dev/null),etags,ctags)
GLOBAL_SYM_COUNT = $(shell readelf -s --wide $(BPF_IN_SHARED) | \
cut -d "@" -f1 | sed 's/_v[0-9]_[0-9]_[0-9].*//' | \
- awk '/GLOBAL/ && /DEFAULT/ && !/UND/ {print $$8}' | \
+ awk '/GLOBAL/ && /DEFAULT/ && !/UND/ {print $$NF}' | \
sort -u | wc -l)
VERSIONED_SYM_COUNT = $(shell readelf -s --wide $(OUTPUT)libbpf.so | \
grep -Eo '[^ ]+@LIBBPF_' | cut -d@ -f1 | sort -u | wc -l)
@@ -216,7 +216,7 @@ check_abi: $(OUTPUT)libbpf.so
"versioned in $(VERSION_SCRIPT)." >&2; \
readelf -s --wide $(OUTPUT)libbpf-in.o | \
cut -d "@" -f1 | sed 's/_v[0-9]_[0-9]_[0-9].*//' | \
- awk '/GLOBAL/ && /DEFAULT/ && !/UND/ {print $$8}'| \
+ awk '/GLOBAL/ && /DEFAULT/ && !/UND/ {print $$NF}'| \
sort -u > $(OUTPUT)libbpf_global_syms.tmp; \
readelf -s --wide $(OUTPUT)libbpf.so | \
grep -Eo '[^ ]+@LIBBPF_' | cut -d@ -f1 | \
--
2.24.0

124
debian/patches/bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch vendored
View File

@@ -1,124 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 19 Aug 2017 21:42:09 +0100
Subject: sh: Do not use hyphen in exported variable names
Forwarded: https://marc.info/?l=linux-sh&m=150317827322995&w=2
arch/sh/Makefile defines and exports ld-bfd to be used by
arch/sh/boot/Makefile and arch/sh/boot/compressed/Makefile. Similarly
arch/sh/boot/Makefile defines and exports suffix-y to be used by
arch/sh/boot/compressed/Makefile. However some shells, including
dash, will not pass through environment variables whose name includes
a hyphen. Usually GNU make does not use a shell to recurse, but if
e.g. $(srctree) contains '~' it will use a shell here.
Rename these variables to ld_bfd and suffix_y.
References: https://buildd.debian.org/status/fetch.php?pkg=linux&arch=sh4&ver=4.13%7Erc5-1%7Eexp1&stamp=1502943967&raw=0
Fixes: ef9b542fce00 ("sh: bzip2/lzma uImage support.")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sh/Makefile | 10 +++++-----
arch/sh/boot/Makefile | 16 ++++++++--------
arch/sh/boot/compressed/Makefile | 6 +++---
arch/sh/boot/romimage/Makefile | 4 ++--
4 files changed, 18 insertions(+), 18 deletions(-)
--- a/arch/sh/Makefile
+++ b/arch/sh/Makefile
@@ -119,16 +119,16 @@ LDFLAGS_vmlinux += --defsym phys_stext=
endif
ifdef CONFIG_CPU_LITTLE_ENDIAN
-ld-bfd := elf32-$(UTS_MACHINE)-linux
-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld-bfd)
+ld_bfd := elf32-$(UTS_MACHINE)-linux
+LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld_bfd)
KBUILD_LDFLAGS += -EL
else
-ld-bfd := elf32-$(UTS_MACHINE)big-linux
-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld-bfd)
+ld_bfd := elf32-$(UTS_MACHINE)big-linux
+LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld_bfd)
KBUILD_LDFLAGS += -EB
endif
-export ld-bfd BITS
+export ld_bfd BITS
head-y := arch/sh/kernel/head_$(BITS).o
--- a/arch/sh/boot/Makefile
+++ b/arch/sh/boot/Makefile
@@ -19,12 +19,12 @@ CONFIG_ZERO_PAGE_OFFSET ?= 0x00001000
CONFIG_ENTRY_OFFSET ?= 0x00001000
CONFIG_PHYSICAL_START ?= $(CONFIG_MEMORY_START)
-suffix-y := bin
-suffix-$(CONFIG_KERNEL_GZIP) := gz
-suffix-$(CONFIG_KERNEL_BZIP2) := bz2
-suffix-$(CONFIG_KERNEL_LZMA) := lzma
-suffix-$(CONFIG_KERNEL_XZ) := xz
-suffix-$(CONFIG_KERNEL_LZO) := lzo
+suffix_y := bin
+suffix_$(CONFIG_KERNEL_GZIP) := gz
+suffix_$(CONFIG_KERNEL_BZIP2) := bz2
+suffix_$(CONFIG_KERNEL_LZMA) := lzma
+suffix_$(CONFIG_KERNEL_XZ) := xz
+suffix_$(CONFIG_KERNEL_LZO) := lzo
targets := zImage vmlinux.srec romImage uImage uImage.srec uImage.gz \
uImage.bz2 uImage.lzma uImage.xz uImage.lzo uImage.bin
@@ -106,10 +106,10 @@ OBJCOPYFLAGS_uImage.srec := -I binary -O
$(obj)/uImage.srec: $(obj)/uImage
$(call if_changed,objcopy)
-$(obj)/uImage: $(obj)/uImage.$(suffix-y)
+$(obj)/uImage: $(obj)/uImage.$(suffix_y)
@ln -sf $(notdir $<) $@
@echo ' Image $@ is ready'
export CONFIG_PAGE_OFFSET CONFIG_MEMORY_START CONFIG_BOOT_LINK_OFFSET \
CONFIG_PHYSICAL_START CONFIG_ZERO_PAGE_OFFSET CONFIG_ENTRY_OFFSET \
- KERNEL_MEMORY suffix-y
+ KERNEL_MEMORY suffix_y
--- a/arch/sh/boot/compressed/Makefile
+++ b/arch/sh/boot/compressed/Makefile
@@ -33,7 +33,7 @@ ORIG_CFLAGS := $(KBUILD_CFLAGS)
KBUILD_CFLAGS = $(subst -pg, , $(ORIG_CFLAGS))
endif
-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(IMAGE_OFFSET) -e startup \
+LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(IMAGE_OFFSET) -e startup \
-T $(obj)/../../kernel/vmlinux.lds
#
@@ -75,7 +75,7 @@ $(obj)/vmlinux.bin.lzo: $(vmlinux.bin.al
OBJCOPYFLAGS += -R .empty_zero_page
-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T
+LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T
-$(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix-y) FORCE
+$(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix_y) FORCE
$(call if_changed,ld)
--- a/arch/sh/boot/romimage/Makefile
+++ b/arch/sh/boot/romimage/Makefile
@@ -13,7 +13,7 @@ mmcif-obj-$(CONFIG_CPU_SUBTYPE_SH7724) :
load-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-load-y)
obj-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-obj-y)
-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(load-y) -e romstart \
+LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(load-y) -e romstart \
-T $(obj)/../../kernel/vmlinux.lds
$(obj)/vmlinux: $(obj)/head.o $(obj-y) $(obj)/piggy.o FORCE
@@ -24,7 +24,7 @@ OBJCOPYFLAGS += -j .empty_zero_page
$(obj)/zeropage.bin: vmlinux FORCE
$(call if_changed,objcopy)
-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T
+LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T
$(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/zeropage.bin arch/sh/boot/zImage FORCE
$(call if_changed,ld)

35
debian/patches/bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch vendored
View File

@@ -1,35 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 22 Jul 2017 17:37:33 +0100
Subject: perf tools: Fix unwind build on i386
Forwarded: no
EINVAL may not be defined when building unwind-libunwind.c with
REMOTE_UNWIND_LIBUNWIND, resulting in a compiler error in
LIBUNWIND__ARCH_REG_ID(). Its only caller, access_reg(), only checks
for a negative return value and doesn't care what it is. So change
-EINVAL to -1.
Fixes: 52ffe0ff02fc ("Support x86(32-bit) cross platform callchain unwind.")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/perf/arch/x86/util/unwind-libunwind.c
+++ b/tools/perf/arch/x86/util/unwind-libunwind.c
@@ -66,7 +66,7 @@ int LIBUNWIND__ARCH_REG_ID(int regnum)
break;
default:
pr_err("unwind: invalid reg id %d\n", regnum);
- return -EINVAL;
+ return -1;
}
return id;
@@ -106,7 +106,7 @@ int LIBUNWIND__ARCH_REG_ID(int regnum)
break;
default:
pr_err("unwind: invalid reg id %d\n", regnum);
- return -EINVAL;
+ return -1;
}
return id;

22
debian/patches/bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch vendored
View File

@@ -1,22 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 25 Sep 2015 22:50:50 +0100
Subject: Revert "perf build: Fix libunwind feature detection on 32-bit x86"
Forwarded: no
This reverts commit 05b41775e2edd69a83f592e3534930c934d4038e.
It broke feature detection that was working just fine for us.
---
tools/perf/Makefile.config | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/perf/Makefile.config
+++ b/tools/perf/Makefile.config
@@ -38,7 +38,7 @@ ifeq ($(SRCARCH),x86)
LIBUNWIND_LIBS = -lunwind-x86_64 -lunwind -llzma
$(call detected,CONFIG_X86_64)
else
- LIBUNWIND_LIBS = -lunwind-x86 -llzma -lunwind
+ LIBUNWIND_LIBS = -lunwind -lunwind-x86
endif
NO_PERF_REGS := 0
endif

34
debian/patches/bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch vendored
View File

@@ -1,34 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 20 Apr 2013 15:52:02 +0100
Subject: viafb: Autoload on OLPC XO 1.5 only
Bug-Debian: https://bugs.debian.org/705788
Forwarded: no
It appears that viafb won't work automatically on all the boards for
which it has a PCI device ID match. Currently, it is blacklisted by
udev along with most other framebuffer drivers, so this doesn't matter
much.
However, this driver is required for console support on the XO 1.5.
We need to allow it to be autoloaded on this model only, and then
un-blacklist it in udev.
---
--- a/drivers/video/fbdev/via/via-core.c
+++ b/drivers/video/fbdev/via/via-core.c
@@ -753,7 +753,14 @@ static struct pci_device_id via_pci_tabl
.driver_data = UNICHROME_VX900 },
{ }
};
-MODULE_DEVICE_TABLE(pci, via_pci_table);
+
+static const struct pci_device_id via_pci_autoload_table[] __initconst = {
+ /* OLPC XO 1.5 */
+ { PCI_DEVICE(PCI_VENDOR_ID_VIA, UNICHROME_VX855_DID),
+ .subvendor = 0x152d, .subdevice = 0x0833 },
+ { }
+};
+MODULE_DEVICE_TABLE(pci, via_pci_autoload_table);
static struct pci_driver via_driver = {
.name = "viafb",

29
debian/patches/bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch vendored
View File

@@ -1,29 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 25 Sep 2018 19:44:13 +0100
Subject: x86-32: Disable 3D-Now in generic config
We want the 686 flavour to run on Geode LX and similar AMD family 5
CPUs as well as family 6 and higher CPUs. This used to work with
CONFIG_M686=y. However commit 25d76ac88821 "x86/Kconfig: Explicitly
enumerate i686-class CPUs in Kconfig" in Linux 4.16 has made the
kernel require family 6 or higher.
It looks like a sensible choice would be to enable CONFIG_MGEODE_LX
and CONFIG_X86_GENERIC (for more generic optimisations), but this
currently enables CONFIG_X86_USE_3D_NOW which will cause the kernel to
crash on CPUs without the AMD-specific 3D-Now instructions.
Make CONFIG_X86_USE_3DNOW depend on CONFIG_X86_GENERIC being disabled.
---
--- a/arch/x86/Kconfig.cpu
+++ b/arch/x86/Kconfig.cpu
@@ -337,7 +337,7 @@ config X86_USE_PPRO_CHECKSUM
config X86_USE_3DNOW
def_bool y
- depends on (MCYRIXIII || MK7 || MGEODE_LX) && !UML
+ depends on (MCYRIXIII || MK7 || MGEODE_LX) && !X86_GENERIC && !UML
#
# P6_NOPs are a relatively minor optimization that require a family >=

93
debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch vendored
View File

@@ -1,93 +0,0 @@
From: Serge Hallyn <serge.hallyn@canonical.com>
Date: Fri, 31 May 2013 19:12:12 +0000 (+0100)
Subject: add sysctl to disallow unprivileged CLONE_NEWUSER by default
Origin: http://kernel.ubuntu.com/git?p=serge%2Fubuntu-saucy.git;a=commit;h=5c847404dcb2e3195ad0057877e1422ae90892b8
add sysctl to disallow unprivileged CLONE_NEWUSER by default
This is a short-term patch. Unprivileged use of CLONE_NEWUSER
is certainly an intended feature of user namespaces. However
for at least saucy we want to make sure that, if any security
issues are found, we have a fail-safe.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
[bwh: Remove unneeded binary sysctl bits]
---
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -102,6 +102,11 @@
#define CREATE_TRACE_POINTS
#include <trace/events/task.h>
+#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+#else
+#define unprivileged_userns_clone 0
+#endif
/*
* Minimum number of threads to boot the kernel
@@ -1550,6 +1555,10 @@ static __latent_entropy struct task_stru
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
+ if (!capable(CAP_SYS_ADMIN))
+ return ERR_PTR(-EPERM);
+
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
@@ -2343,6 +2352,12 @@ SYSCALL_DEFINE1(unshare, unsigned long,
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
+ err = -EPERM;
+ if (!capable(CAP_SYS_ADMIN))
+ goto bad_unshare_out;
+ }
+
err = check_unshare_flags(unshare_flags);
if (err)
goto bad_unshare_out;
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -105,6 +105,9 @@ extern int core_uses_pid;
extern char core_pattern[];
extern unsigned int core_pipe_limit;
#endif
+#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+#endif
extern int pid_max;
extern int pid_max_min, pid_max_max;
extern int percpu_pagelist_fraction;
@@ -512,6 +515,15 @@ static struct ctl_table kern_table[] = {
.mode = 0644,
.proc_handler = proc_dointvec,
},
+#endif
+#ifdef CONFIG_USER_NS
+ {
+ .procname = "unprivileged_userns_clone",
+ .data = &unprivileged_userns_clone,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
#endif
#ifdef CONFIG_PROC_SYSCTL
{
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -26,6 +26,9 @@
#include <linux/bsearch.h>
#include <linux/sort.h>
+/* sysctl */
+int unprivileged_userns_clone;
+
static struct kmem_cache *user_ns_cachep __read_mostly;
static DEFINE_MUTEX(userns_state_mutex);

29
debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch vendored
View File

@@ -1,29 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 19 Nov 2010 02:12:48 +0000
Subject: [PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits
Forwarded: not-needed
Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.
The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
not present in the 'lenny' kernel, and seems to receive only sporadic
maintenance. Therefore disable auto-loading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ieee802154/socket.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -1122,4 +1122,4 @@ module_init(af_ieee802154_init);
module_exit(af_ieee802154_remove);
MODULE_LICENSE("GPL");
-MODULE_ALIAS_NETPROTO(PF_IEEE802154);
+/* MODULE_ALIAS_NETPROTO(PF_IEEE802154); */

110
debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch vendored
View File

@@ -1,110 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 22 Jun 2018 17:27:00 +0100
Subject: android: Enable building ashmem and binder as modules
Bug-Debian: https://bugs.debian.org/901492
We want to enable use of the Android ashmem and binder drivers to
support Anbox, but they should not be built-in as that would waste
resources and increase security attack surface on systems that don't
need them.
- Add a MODULE_LICENSE declaration to ashmem
- Change the Makefiles to build each driver as an object with the
"_linux" suffix (which is what Anbox expects)
- Change config symbol types to tristate
---
drivers/android/Kconfig | 2 +-
drivers/android/Makefile | 7 ++++---
drivers/android/binder_alloc.c | 2 +-
drivers/staging/android/Kconfig | 2 +-
drivers/staging/android/Makefile | 3 ++-
drivers/staging/android/ashmem.c | 3 +++
6 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/drivers/android/Kconfig b/drivers/android/Kconfig
index 6fdf2abe4598..329ec9941fbf 100644
--- a/drivers/android/Kconfig
+++ b/drivers/android/Kconfig
@@ -9,7 +9,7 @@ config ANDROID
if ANDROID
config ANDROID_BINDER_IPC
- bool "Android Binder IPC Driver"
+ tristate "Android Binder IPC Driver"
depends on MMU
default n
---help---
diff --git a/drivers/android/Makefile b/drivers/android/Makefile
index c9d3d0c99c25..55411d9a9c2a 100644
--- a/drivers/android/Makefile
+++ b/drivers/android/Makefile
@@ -1,6 +1,7 @@
# SPDX-License-Identifier: GPL-2.0-only
ccflags-y += -I$(src) # needed for trace events
-obj-$(CONFIG_ANDROID_BINDERFS) += binderfs.o
-obj-$(CONFIG_ANDROID_BINDER_IPC) += binder.o binder_alloc.o
-obj-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
+obj-$(CONFIG_ANDROID_BINDER_IPC) += binder_linux.o
+binder_linux-y := binder.o binder_alloc.o
+binder_linux-$(CONFIG_ANDROID_BINDERFS) += binderfs.o
+binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
index ce5603c2291c..099fef731148 100644
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -37,7 +37,7 @@ enum {
};
static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;
-module_param_named(debug_mask, binder_alloc_debug_mask,
+module_param_named(alloc_debug_mask, binder_alloc_debug_mask,
uint, 0644);
#define binder_alloc_debug(mask, x...) \
diff --git a/drivers/staging/android/Kconfig b/drivers/staging/android/Kconfig
index d6d605d5cbde..afe9085369a3 100644
--- a/drivers/staging/android/Kconfig
+++ b/drivers/staging/android/Kconfig
@@ -4,7 +4,7 @@ menu "Android"
if ANDROID
config ASHMEM
- bool "Enable the Anonymous Shared Memory Subsystem"
+ tristate "Enable the Anonymous Shared Memory Subsystem"
depends on SHMEM
help
The ashmem subsystem is a new shared memory allocator, similar to
diff --git a/drivers/staging/android/Makefile b/drivers/staging/android/Makefile
index 14bd9c6ce10d..c202aa4f8323 100644
--- a/drivers/staging/android/Makefile
+++ b/drivers/staging/android/Makefile
@@ -3,5 +3,6 @@ ccflags-y += -I$(src) # needed for trace events
obj-y += ion/
-obj-$(CONFIG_ASHMEM) += ashmem.o
+obj-$(CONFIG_ASHMEM) += ashmem_linux.o
+ashmem_linux-y += ashmem.o
obj-$(CONFIG_ANDROID_VSOC) += vsoc.o
diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index 74d497d39c5a..fbbe467b0ba8 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -24,6 +24,7 @@
#include <linux/bitops.h>
#include <linux/mutex.h>
#include <linux/shmem_fs.h>
+#include <linux/module.h>
#include "ashmem.h"
#define ASHMEM_NAME_PREFIX "dev/ashmem/"
@@ -925,3 +926,5 @@ static int __init ashmem_init(void)
return ret;
}
device_initcall(ashmem_init);
+
+MODULE_LICENSE("GPL v2");
--
2.20.1

18
debian/patches/debian/arch-sh4-fix-uimage-build.patch vendored
View File

@@ -1,18 +0,0 @@
From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
Subject: [sh4] Fix uImage build
Bug-Debian: https://bugs.debian.org/569034
Forwarded: not-needed
[bwh: This was added without a description, but I think it is done
only to avoid a build-dependency on u-boot-tools.]
--- a/arch/sh/Makefile
+++ b/arch/sh/Makefile
@@ -75,7 +75,6 @@
# Give the various platforms the opportunity to set default image types
defaultimage-$(CONFIG_SUPERH32) := zImage
-defaultimage-$(CONFIG_SH_SH7785LCR) := uImage
defaultimage-$(CONFIG_SH_RSK) := uImage
defaultimage-$(CONFIG_SH_URQUELL) := uImage
defaultimage-$(CONFIG_SH_MIGOR) := uImage

35
debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch vendored
View File

@@ -1,35 +0,0 @@
From: Adam Borowski <kilobyte@angband.pl>
Date: Tue, 28 Mar 2017 16:55:05 +0200
Subject: btrfs: warn about RAID5/6 being experimental at mount time
Bug-Debian: https://bugs.debian.org/863290
Origin: https://bugs.debian.org/863290#5
Too many people come complaining about losing their data -- and indeed,
there's no warning outside a wiki and the mailing list tribal knowledge.
Message severity chosen for consistency with XFS -- "alert" makes dmesg
produce nice red background which should get the point across.
Signed-off-by: Adam Borowski <kilobyte@angband.pl>
[bwh: Also add_taint() so this is flagged in bug reports]
---
fs/btrfs/disk-io.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3060,6 +3060,15 @@ retry_root_backup:
btrfs_set_and_info(fs_info, SSD, "enabling ssd optimizations");
}
+ if ((fs_info->avail_data_alloc_bits |
+ fs_info->avail_metadata_alloc_bits |
+ fs_info->avail_system_alloc_bits) &
+ BTRFS_BLOCK_GROUP_RAID56_MASK) {
+ btrfs_alert(fs_info,
+ "btrfs RAID5/6 is EXPERIMENTAL and has known data-loss bugs");
+ add_taint(TAINT_AUX, LOCKDEP_STILL_OK);
+ }
+
/*
* Mount does not set all options immediately, we can do it now and do
* not have to wait for transaction commit

27
debian/patches/debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch vendored
View File

@@ -1,27 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: cdc_ncm,cdc_mbim: Use NCM by default
Date: Sun, 31 Mar 2013 03:58:04 +0100
Forwarded: not-needed
Devices that support both NCM and MBIM modes should be kept in NCM
mode unless there is userland support for MBIM.
Set the default value of cdc_ncm.prefer_mbim to false and leave it to
userland (modem-manager) to override this with a modprobe.conf file
once it's ready to speak MBIM.
---
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -53,11 +53,7 @@
#include <linux/usb/cdc.h>
#include <linux/usb/cdc_ncm.h>
-#if IS_ENABLED(CONFIG_USB_NET_CDC_MBIM)
-static bool prefer_mbim = true;
-#else
static bool prefer_mbim;
-#endif
module_param(prefer_mbim, bool, 0644);
MODULE_PARM_DESC(prefer_mbim, "Prefer MBIM setting on dual NCM/MBIM functions");

41
debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch vendored
View File

@@ -1,41 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 16 Feb 2017 19:09:17 +0000
Subject: dccp: Disable auto-loading as mitigation against local exploits
Forwarded: not-needed
We can mitigate the effect of vulnerabilities in obscure protocols by
preventing unprivileged users from loading the modules, so that they
are only exploitable on systems where the administrator has chosen to
load the protocol.
The 'dccp' protocol is not actively maintained or widely used.
Therefore disable auto-loading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -1071,8 +1071,8 @@ module_exit(dccp_v4_exit);
* values directly, Also cover the case where the protocol is not specified,
* i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP
*/
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6);
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6);
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); */
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
MODULE_DESCRIPTION("DCCP - Datagram Congestion Controlled Protocol");
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -1125,8 +1125,8 @@ module_exit(dccp_v6_exit);
* values directly, Also cover the case where the protocol is not specified,
* i.e. net-pf-PF_INET6-proto-0-type-SOCK_DCCP
*/
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6);
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6);
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); */
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
MODULE_DESCRIPTION("DCCPv6 - Datagram Congestion Controlled Protocol");

32
debian/patches/debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch vendored
View File

@@ -1,32 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 20 Nov 2010 02:24:55 +0000
Subject: [PATCH] decnet: Disable auto-loading as mitigation against local exploits
Forwarded: not-needed
Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.
The 'decnet' protocol is unmaintained and of mostly historical
interest, and the user-space support package 'dnet-common' loads the
module explicitly. Therefore disable auto-loading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/decnet/af_decnet.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -2359,7 +2359,7 @@ static const struct proto_ops dn_proto_o
MODULE_DESCRIPTION("The Linux DECnet Network Protocol");
MODULE_AUTHOR("Linux DECnet Project Team");
MODULE_LICENSE("GPL");
-MODULE_ALIAS_NETPROTO(PF_DECnet);
+/* MODULE_ALIAS_NETPROTO(PF_DECnet); */
static const char banner[] __initconst = KERN_INFO
"NET4: DECnet for Linux: V.2.5.68s (C) 1995-2003 Linux DECnet Project Team\n";

29
debian/patches/debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch vendored
View File

@@ -1,29 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 13 Apr 2009 17:34:00 +0100
Subject: Remove microcode patches for mgsuvd (not enabled in Debian configs)
Forwarded: not-needed
diff --git a/arch/powerpc/platforms/8xx/Kconfig b/arch/powerpc/platforms/8xx/Kconfig
index 48a920a..81570b6 100644
--- a/arch/powerpc/platforms/8xx/Kconfig
+++ b/arch/powerpc/platforms/8xx/Kconfig
@@ -160,16 +160,19 @@ config NO_UCODE_PATCH
config USB_SOF_UCODE_PATCH
bool "USB SOF patch"
+ depends on BROKEN
help
Help not implemented yet, coming soon.
config I2C_SPI_UCODE_PATCH
bool "I2C/SPI relocation patch"
+ depends on BROKEN
help
Help not implemented yet, coming soon.
config I2C_SPI_SMC1_UCODE_PATCH
bool "I2C/SPI/SMC1 relocation patch"
+ depends on BROKEN
help
Help not implemented yet, coming soon.

18
debian/patches/debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch vendored
View File

@@ -1,18 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 24 Aug 2019 19:00:41 +0100
Subject: Documentation: Fix broken link to CIPSO draft
Forwarded: not-needed
We exclude the CIPSO draft text as its licence is not DFSG compliant.
Link to the IETF's online version instead.
---
--- a/Documentation/netlabel/draft_ietf.rst
+++ b/Documentation/netlabel/draft_ietf.rst
@@ -1,5 +1,4 @@
Draft IETF CIPSO IP Security
----------------------------
- .. include:: draft-ietf-cipso-ipsecurity-01.txt
- :literal:
+https://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01

15
debian/patches/debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch vendored
View File

@@ -1,15 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 17 Aug 2009 02:45:41 +0100
Subject: dvb-usb-af9005: mark as broken
Forwarded: not-needed
--- a/drivers/media/usb/dvb-usb/Kconfig
+++ b/drivers/media/usb/dvb-usb/Kconfig
@@ -227,6 +227,7 @@ config DVB_USB_OPERA1
config DVB_USB_AF9005
tristate "Afatech AF9005 DVB-T USB1.1 support"
+ depends on BROKEN
depends on DVB_USB
select MEDIA_TUNER_MT2060 if MEDIA_SUBDRV_AUTOSELECT
select MEDIA_TUNER_QT1010 if MEDIA_SUBDRV_AUTOSELECT

50
debian/patches/debian/dfsg/drivers-net-appletalk-cops.patch vendored
View File

@@ -1,50 +0,0 @@
From: Frederik Schüler <fs@debian.org>
Date: Fri, 05 Jan 2007 15:55:24 +0000
Subject: Add removal patches for: 3c359, smctr, keyspan, cops
Forwarded: not-needed
diff -ruN a/drivers/net/appletalk/Kconfig b/drivers/net/appletalk/Kconfig
--- a/drivers/net/appletalk/Kconfig 2006-11-29 21:57:37.000000000 +0000
+++ b/drivers/net/appletalk/Kconfig 2007-01-05 15:34:44.000000000 +0000
@@ -49,32 +49,6 @@
This driver is experimental, which means that it may not work.
See the file <file:Documentation/networking/ltpc.txt>.
-config COPS
- tristate "COPS LocalTalk PC support"
- depends on DEV_APPLETALK && (ISA || EISA)
- help
- This allows you to use COPS AppleTalk cards to connect to LocalTalk
- networks. You also need version 1.3.3 or later of the netatalk
- package. This driver is experimental, which means that it may not
- work. This driver will only work if you choose "AppleTalk DDP"
- networking support, above.
- Please read the file <file:Documentation/networking/cops.txt>.
-
-config COPS_DAYNA
- bool "Dayna firmware support"
- depends on COPS
- help
- Support COPS compatible cards with Dayna style firmware (Dayna
- DL2000/ Daynatalk/PC (half length), COPS LT-95, Farallon PhoneNET PC
- III, Farallon PhoneNET PC II).
-
-config COPS_TANGENT
- bool "Tangent firmware support"
- depends on COPS
- help
- Support COPS compatible cards with Tangent style firmware (Tangent
- ATB_II, Novell NL-1000, Daystar Digital LT-200.
-
config IPDDP
tristate "Appletalk-IP driver support"
depends on DEV_APPLETALK && ATALK
diff -ruN a/drivers/net/appletalk/Makefile b/drivers/net/appletalk/Makefile
--- a/drivers/net/appletalk/Makefile 2006-11-29 21:57:37.000000000 +0000
+++ b/drivers/net/appletalk/Makefile 2007-01-05 15:34:11.000000000 +0000
@@ -3,5 +3,4 @@
#
obj-$(CONFIG_IPDDP) += ipddp.o
-obj-$(CONFIG_COPS) += cops.o
obj-$(CONFIG_LTPC) += ltpc.o

128
debian/patches/debian/dfsg/video-remove-nvidiafb-and-rivafb.patch vendored
View File

@@ -1,128 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 2 Jun 2012 19:53:38 +0100
Subject: video: Remove nvidiafb and rivafb
Bug-Debian: https://bugs.debian.org/383481
Forwarded: no
These drivers contain register programming code provided by the
hardware vendor that appears to have been deliberately obfuscated.
This is arguably not the preferred form for modification.
These drivers are also largely redundant with nouveau. The RIVA 128
(NV3) is not supported by nouveau but is about 15 years old and
probably discontinued 10 years ago.
---
--- a/drivers/video/fbdev/Kconfig
+++ b/drivers/video/fbdev/Kconfig
@@ -866,99 +866,6 @@ config FB_ATMEL
help
This enables support for the AT91 LCD Controller.
-config FB_NVIDIA
- tristate "nVidia Framebuffer Support"
- depends on FB && PCI
- select FB_BACKLIGHT if FB_NVIDIA_BACKLIGHT
- select FB_MODE_HELPERS
- select FB_CFB_FILLRECT
- select FB_CFB_COPYAREA
- select FB_CFB_IMAGEBLIT
- select BITREVERSE
- select VGASTATE
- help
- This driver supports graphics boards with the nVidia chips, TNT
- and newer. For very old chipsets, such as the RIVA128, then use
- the rivafb.
- Say Y if you have such a graphics board.
-
- To compile this driver as a module, choose M here: the
- module will be called nvidiafb.
-
-config FB_NVIDIA_I2C
- bool "Enable DDC Support"
- depends on FB_NVIDIA
- select FB_DDC
- help
- This enables I2C support for nVidia Chipsets. This is used
- only for getting EDID information from the attached display
- allowing for robust video mode handling and switching.
-
- Because fbdev-2.6 requires that drivers must be able to
- independently validate video mode parameters, you should say Y
- here.
-
-config FB_NVIDIA_DEBUG
- bool "Lots of debug output"
- depends on FB_NVIDIA
- help
- Say Y here if you want the nVidia driver to output all sorts
- of debugging information to provide to the maintainer when
- something goes wrong.
-
-config FB_NVIDIA_BACKLIGHT
- bool "Support for backlight control"
- depends on FB_NVIDIA
- default y
- help
- Say Y here if you want to control the backlight of your display.
-
-config FB_RIVA
- tristate "nVidia Riva support"
- depends on FB && PCI
- select FB_BACKLIGHT if FB_RIVA_BACKLIGHT
- select FB_MODE_HELPERS
- select FB_CFB_FILLRECT
- select FB_CFB_COPYAREA
- select FB_CFB_IMAGEBLIT
- select BITREVERSE
- select VGASTATE
- help
- This driver supports graphics boards with the nVidia Riva/Geforce
- chips.
- Say Y if you have such a graphics board.
-
- To compile this driver as a module, choose M here: the
- module will be called rivafb.
-
-config FB_RIVA_I2C
- bool "Enable DDC Support"
- depends on FB_RIVA
- select FB_DDC
- help
- This enables I2C support for nVidia Chipsets. This is used
- only for getting EDID information from the attached display
- allowing for robust video mode handling and switching.
-
- Because fbdev-2.6 requires that drivers must be able to
- independently validate video mode parameters, you should say Y
- here.
-
-config FB_RIVA_DEBUG
- bool "Lots of debug output"
- depends on FB_RIVA
- help
- Say Y here if you want the Riva driver to output all sorts
- of debugging information to provide to the maintainer when
- something goes wrong.
-
-config FB_RIVA_BACKLIGHT
- bool "Support for backlight control"
- depends on FB_RIVA
- default y
- help
- Say Y here if you want to control the backlight of your display.
-
config FB_I740
tristate "Intel740 support"
depends on FB && PCI
--- a/drivers/video/fbdev/Makefile
+++ b/drivers/video/fbdev/Makefile
@@ -21,8 +21,6 @@ obj-$(CONFIG_FB_PM3) += pm3fb.o
obj-$(CONFIG_FB_I740) += i740fb.o
obj-$(CONFIG_FB_MATROX) += matrox/
-obj-$(CONFIG_FB_RIVA) += riva/
-obj-$(CONFIG_FB_NVIDIA) += nvidia/
obj-$(CONFIG_FB_ATY) += aty/ macmodes.o
obj-$(CONFIG_FB_ATY128) += aty/ macmodes.o
obj-$(CONFIG_FB_RADEON) += aty/

15
debian/patches/debian/dfsg/vs6624-disable.patch vendored
View File

@@ -1,15 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 27 May 2012 01:56:58 +0100
Subject: vs6624: mark as broken
Forwarded: not-needed
--- a/drivers/media/i2c/Kconfig
+++ b/drivers/media/i2c/Kconfig
@@ -768,6 +768,7 @@ config VIDEO_OV13858
OV13858 camera.
config VIDEO_VS6624
+ depends on BROKEN
tristate "ST VS6624 sensor support"
depends on VIDEO_V4L2 && I2C
depends on MEDIA_CAMERA_SUPPORT

175
debian/patches/debian/export-symbols-needed-by-android-drivers.patch vendored
View File

@@ -1,175 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 26 Jun 2018 16:59:01 +0100
Subject: Export symbols needed by Android drivers
Bug-Debian: https://bugs.debian.org/901492
We want to enable use of the Android ashmem and binder drivers to
support Anbox, but they should not be built-in as that would waste
resources and increase security attack surface on systems that don't
need them.
Export the currently un-exported symbols they depend on.
---
fs/file.c | 5 +++++
kernel/fork.c | 1 +
kernel/sched/core.c | 1 +
kernel/signal.c | 1 +
kernel/task_work.c | 1 +
mm/memory.c | 1 +
mm/shmem.c | 1 +
mm/vmalloc.c | 2 ++
security/security.c | 4 ++++
9 files changed, 17 insertions(+)
--- a/fs/file.c
+++ b/fs/file.c
@@ -409,6 +409,7 @@ struct files_struct *get_files_struct(st
return files;
}
+EXPORT_SYMBOL_GPL(get_files_struct);
void put_files_struct(struct files_struct *files)
{
@@ -421,6 +422,7 @@ void put_files_struct(struct files_struc
kmem_cache_free(files_cachep, files);
}
}
+EXPORT_SYMBOL_GPL(put_files_struct);
void reset_files_struct(struct files_struct *files)
{
@@ -533,6 +535,7 @@ out:
spin_unlock(&files->file_lock);
return error;
}
+EXPORT_SYMBOL_GPL(__alloc_fd);
static int alloc_fd(unsigned start, unsigned flags)
{
@@ -606,6 +609,7 @@ void __fd_install(struct files_struct *f
rcu_assign_pointer(fdt->fd[fd], file);
rcu_read_unlock_sched();
}
+EXPORT_SYMBOL_GPL(__fd_install);
void fd_install(unsigned int fd, struct file *file)
{
@@ -668,6 +672,7 @@ out_unlock:
*res = NULL;
return -ENOENT;
}
+EXPORT_SYMBOL(__close_fd_get_file);
void do_close_on_exec(struct files_struct *files)
{
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1085,6 +1085,7 @@ void mmput_async(struct mm_struct *mm)
schedule_work(&mm->async_put_work);
}
}
+EXPORT_SYMBOL_GPL(mmput_async);
#endif
/**
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -3943,6 +3943,7 @@ int can_nice(const struct task_struct *p
return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
capable(CAP_SYS_NICE));
}
+EXPORT_SYMBOL_GPL(can_nice);
#ifdef __ARCH_WANT_SYS_NICE
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1353,6 +1353,7 @@ struct sighand_struct *__lock_task_sigha
return sighand;
}
+EXPORT_SYMBOL_GPL(__lock_task_sighand);
/*
* send signal info to all the members of a group
--- a/kernel/task_work.c
+++ b/kernel/task_work.c
@@ -40,6 +40,7 @@ task_work_add(struct task_struct *task,
set_notify_resume(task);
return 0;
}
+EXPORT_SYMBOL(task_work_add);
/**
* task_work_cancel - cancel a pending work added by task_work_add()
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1364,6 +1364,7 @@ void zap_page_range(struct vm_area_struc
mmu_notifier_invalidate_range_end(&range);
tlb_finish_mmu(&tlb, start, range.end);
}
+EXPORT_SYMBOL_GPL(zap_page_range);
/**
* zap_page_range_single - remove user pages in a given range
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -3992,6 +3992,7 @@ int shmem_zero_setup(struct vm_area_stru
return 0;
}
+EXPORT_SYMBOL_GPL(shmem_zero_setup);
/**
* shmem_read_mapping_page_gfp - read into page cache, using specified page allocation flags.
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -1295,6 +1295,7 @@ int map_kernel_range_noflush(unsigned lo
{
return vmap_page_range_noflush(addr, addr + size, prot, pages);
}
+EXPORT_SYMBOL_GPL(map_kernel_range_noflush);
/**
* unmap_kernel_range_noflush - unmap kernel VM area
@@ -1435,6 +1436,7 @@ struct vm_struct *get_vm_area(unsigned l
NUMA_NO_NODE, GFP_KERNEL,
__builtin_return_address(0));
}
+EXPORT_SYMBOL_GPL(get_vm_area);
struct vm_struct *get_vm_area_caller(unsigned long size, unsigned long flags,
const void *caller)
--- a/security/security.c
+++ b/security/security.c
@@ -247,24 +247,28 @@ int security_binder_set_context_mgr(stru
{
return call_int_hook(binder_set_context_mgr, 0, mgr);
}
+EXPORT_SYMBOL_GPL(security_binder_set_context_mgr);
int security_binder_transaction(struct task_struct *from,
struct task_struct *to)
{
return call_int_hook(binder_transaction, 0, from, to);
}
+EXPORT_SYMBOL_GPL(security_binder_transaction);
int security_binder_transfer_binder(struct task_struct *from,
struct task_struct *to)
{
return call_int_hook(binder_transfer_binder, 0, from, to);
}
+EXPORT_SYMBOL_GPL(security_binder_transfer_binder);
int security_binder_transfer_file(struct task_struct *from,
struct task_struct *to, struct file *file)
{
return call_int_hook(binder_transfer_file, 0, from, to, file);
}
+EXPORT_SYMBOL_GPL(security_binder_transfer_file);
int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
{

29
debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch vendored
View File

@@ -1,29 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS
Date: Wed, 13 Jul 2016 01:37:22 +0100
Forwarded: not-needed
Various free and proprietary AV products use this feature and users
apparently want it. But punting access checks to userland seems like
an easy way to deadlock the system, and there will be nothing we can
do about that. So warn and taint the kernel if this feature is
actually used.
---
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -846,6 +846,14 @@ static int do_fanotify_mark(int fanotify
if (mask & ~valid_mask)
return -EINVAL;
+#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+ if (mask & FANOTIFY_PERM_EVENTS) {
+ pr_warn_once("%s (%d): Using fanotify permission checks may lead to deadlock; tainting kernel\n",
+ current->comm, current->pid);
+ add_taint(TAINT_AUX, LOCKDEP_STILL_OK);
+ }
+#endif
+
f = fdget(fanotify_fd);
if (unlikely(!f.file))
return -EBADF;

52
debian/patches/debian/firmware_class-refer-to-debian-wiki-firmware-page.patch vendored
View File

@@ -1,52 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 12 Mar 2018 01:14:03 +0000
Subject: firmware_class: Refer to Debian wiki page when logging missing firmware
Bug-Debian: https://bugs.debian.org/888405
Forwarded: not-needed
If firmware loading fails due to a missing file, log a second error
message referring to our wiki page about firmware. This will explain
why some firmware is in non-free, or can't be packaged at all. Only
do this once per boot.
Do something similar in the radeon and amdgpu drivers, where we have
an early check to avoid failing at a point where we cannot display
anything.
---
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -334,9 +334,12 @@ fw_get_filesystem_firmware(struct device
}
__putname(path);
- if (rc)
+ if (rc) {
dev_err(device, "firmware: failed to load %s (%d)\n",
fw_priv->fw_name, rc);
+ if (rc == -ENOENT)
+ pr_err_once("See https://wiki.debian.org/Firmware for information about missing firmware\n");
+ }
return rc;
}
--- a/drivers/gpu/drm/radeon/radeon_drv.c
+++ b/drivers/gpu/drm/radeon/radeon_drv.c
@@ -367,6 +367,7 @@ static int radeon_pci_probe(struct pci_d
if ((ent->driver_data & RADEON_FAMILY_MASK) >= CHIP_R600 &&
!radeon_firmware_installed()) {
DRM_ERROR("radeon kernel modesetting for R600 or later requires firmware installed\n");
+ pr_err_once("See https://wiki.debian.org/Firmware for information about missing firmware\n");
return -ENODEV;
}
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
@@ -626,6 +626,7 @@ static int amdgpu_pci_probe(struct pci_d
if (!amdgpu_firmware_installed()) {
DRM_ERROR("amdgpu requires firmware installed\n");
+ pr_err_once("See https://wiki.debian.org/Firmware for information about missing firmware\n");
return -ENODEV;
}

24
debian/patches/debian/fjes-disable-autoload.patch vendored
View File

@@ -1,24 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 18 Mar 2017 20:47:58 +0000
Subject: fjes: Disable auto-loading
Bug-Debian: https://bugs.debian.org/853976
Forwarded: no
fjes matches a generic ACPI device ID, and relies on its probe
function to distinguish whether that really corresponds to a supported
device. Very few system will need the driver and it wastes memory on
all the other systems where the same device ID appears, so disable
auto-loading.
---
--- a/drivers/net/fjes/fjes_main.c
+++ b/drivers/net/fjes/fjes_main.c
@@ -81,7 +81,7 @@ static const struct acpi_device_id fjes_
{ACPI_MOTHERBOARD_RESOURCE_HID, 0},
{"", 0},
};
-MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids);
+/* MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids); */
static struct acpi_driver fjes_acpi_driver = {
.name = DRV_NAME,

22
debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch vendored
View File

@@ -1,22 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: fs: Enable link security restrictions by default
Date: Fri, 02 Nov 2012 05:32:06 +0000
Bug-Debian: https://bugs.debian.org/609455
Forwarded: not-needed
This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
('VFS: don't do protected {sym,hard}links by default').
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -885,8 +885,8 @@ static inline void put_link(struct namei
path_put(&last->link);
}
-int sysctl_protected_symlinks __read_mostly = 0;
-int sysctl_protected_hardlinks __read_mostly = 0;
+int sysctl_protected_symlinks __read_mostly = 1;
+int sysctl_protected_hardlinks __read_mostly = 1;
int sysctl_protected_fifos __read_mostly;
int sysctl_protected_regular __read_mostly;

49
debian/patches/debian/gitignore.patch vendored
View File

@@ -1,49 +0,0 @@
From: Ian Campbell <ijc@hellion.org.uk>
Date: Thu, 17 Jan 2013 08:55:21 +0000
Subject: Tweak gitignore for Debian pkg-kernel using git svn.
Forwarded: not-needed
[bwh: Tweak further for pure git]
--- a/.gitignore
+++ b/.gitignore
@@ -67,11 +67,6 @@ modules.builtin
/*.spec
#
-# Debian directory (make deb-pkg)
-#
-/debian/
-
-#
# Snap directory (make snap-pkg)
#
/snap/
@@ -82,16 +77,6 @@ modules.builtin
/tar-install/
#
-# We don't want to ignore the following even if they are dot-files
-#
-!.clang-format
-!.cocciconfig
-!.get_maintainer.ignore
-!.gitattributes
-!.gitignore
-!.mailmap
-
-#
# Generated include files
#
/include/config/
@@ -145,3 +130,10 @@ x509.genkey
# Clang's compilation database file
/compile_commands.json
+
+#
+# Debian packaging: ignore everything at the top level, since it isn't
+# included in our repository
+#
+/*
+!/debian/

48
debian/patches/debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch vendored
View File

@@ -1,48 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 05 Aug 2019 00:29:11 +0100
Subject: hamradio: Disable auto-loading as mitigation against local exploits
Forwarded: not-needed
We can mitigate the effect of vulnerabilities in obscure protocols by
preventing unprivileged users from loading the modules, so that they
are only exploitable on systems where the administrator has chosen to
load the protocol.
The 'ham' radio protocols (ax25, netrom, rose) are not actively
maintained or widely used. Therefore disable auto-loading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1986,7 +1986,7 @@ module_init(ax25_init);
MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>");
MODULE_DESCRIPTION("The amateur radio AX.25 link layer protocol");
MODULE_LICENSE("GPL");
-MODULE_ALIAS_NETPROTO(PF_AX25);
+/* MODULE_ALIAS_NETPROTO(PF_AX25); */
static void __exit ax25_exit(void)
{
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1486,7 +1486,7 @@ MODULE_PARM_DESC(nr_ndevs, "number of NE
MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>");
MODULE_DESCRIPTION("The amateur radio NET/ROM network and transport layer protocol");
MODULE_LICENSE("GPL");
-MODULE_ALIAS_NETPROTO(PF_NETROM);
+/* MODULE_ALIAS_NETPROTO(PF_NETROM); */
static void __exit nr_exit(void)
{
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1577,7 +1577,7 @@ MODULE_PARM_DESC(rose_ndevs, "number of
MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>");
MODULE_DESCRIPTION("The amateur radio ROSE network layer protocol");
MODULE_LICENSE("GPL");
-MODULE_ALIAS_NETPROTO(PF_ROSE);
+/* MODULE_ALIAS_NETPROTO(PF_ROSE); */
static void __exit rose_exit(void)
{

27
debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch vendored
View File

@@ -1,27 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 16 Feb 2016 02:45:42 +0000
Subject: [i386/686-pae] PCI: Set pci=nobios by default
Forwarded: not-needed
CONFIG_PCI_GOBIOS results in physical addresses 640KB-1MB being mapped
W+X, which is undesirable for security reasons and will result in a
warning at boot now that we enable CONFIG_DEBUG_WX.
This can be overridden using the kernel parameter "pci=nobios", but we
want to disable W+X by default. Disable PCI BIOS probing by default;
it can still be enabled using "pci=bios".
---
--- a/arch/x86/pci/common.c
+++ b/arch/x86/pci/common.c
@@ -19,8 +19,8 @@
#include <asm/pci_x86.h>
#include <asm/setup.h>
-unsigned int pci_probe = PCI_PROBE_BIOS | PCI_PROBE_CONF1 | PCI_PROBE_CONF2 |
- PCI_PROBE_MMCONF;
+unsigned int pci_probe = PCI_PROBE_CONF1 | PCI_PROBE_CONF2 | PCI_PROBE_MMCONF |
+ (IS_ENABLED(CONFIG_X86_64) || IS_ENABLED(CONFIG_X86_PAE) ? 0 : PCI_PROBE_BIOS);
static int pci_bf_sort;
int pci_routeirq;

78
debian/patches/debian/ia64-hardcode-arch-script-output.patch vendored
View File

@@ -1,78 +0,0 @@
From: dann frazier <dannf@debian.org>
Subject: Hardcode arch script output
Date: Mon, 26 Mar 2007 16:30:51 -0600
Bug-Debian: https://bugs.debian.org/392592
Forwarded: not-needed
Here's a patch that simply uses hardcoded definitions instead of
doing the dynamic tests that require architecture-specific scripts.
I don't particularly like this approach because it restricts
portability and diverts from upstream. But, it is simpler, and this
really needs to be fixed somehow before etch (along with a rebuild of
linux-modules-extra-2.6), so I'm willing to live with it if my other
patch is deemed unacceptable.
My primary concern is that, in the future, the output of these scripts
will change and we (or our successors) will either not notice or
forget to update the hardcoded values.
Including the scripts in linux-kbuild will avoid this manual step
altogether, and allow for the possibility of other archs to provide
their own scripts in the future.
---
arch/ia64/Makefile | 17 ++---------------
1 file changed, 2 insertions(+), 15 deletions(-)
diff --git a/arch/ia64/Makefile b/arch/ia64/Makefile
index 32240000dc0c..27c1b0bc39c1 100644
--- a/arch/ia64/Makefile
+++ b/arch/ia64/Makefile
@@ -28,16 +28,7 @@ cflags-y := -pipe $(EXTRA) -ffixed-r13 -mfixed-range=f12-f15,f32-f127 \
-falign-functions=32 -frename-registers -fno-optimize-sibling-calls
KBUILD_CFLAGS_KERNEL := -mconstant-gp
-GAS_STATUS = $(shell $(srctree)/arch/ia64/scripts/check-gas "$(CC)" "$(OBJDUMP)")
-KBUILD_CPPFLAGS += $(shell $(srctree)/arch/ia64/scripts/toolchain-flags "$(CC)" "$(OBJDUMP)" "$(READELF)")
-
-ifeq ($(GAS_STATUS),buggy)
-$(error Sorry, you need a newer version of the assember, one that is built from \
- a source-tree that post-dates 18-Dec-2002. You can find a pre-compiled \
- static binary of such an assembler at: \
- \
- ftp://ftp.hpl.hp.com/pub/linux-ia64/gas-030124.tar.gz)
-endif
+KBUILD_CPPFLAGS += -DHAVE_WORKING_TEXT_ALIGN -DHAVE_MODEL_SMALL_ATTRIBUTE -DHAVE_SERIALIZE_DIRECTIVE
quiet_cmd_gzip = GZIP $@
cmd_gzip = cat $(real-prereqs) | gzip -n -f -9 > $@
@@ -57,7 +48,7 @@ drivers-$(CONFIG_OPROFILE) += arch/ia64/oprofile/
PHONY += compressed check
-all: compressed unwcheck
+all: compressed
compressed: vmlinux.gz
@@ -69,9 +60,6 @@ vmlinux.gz: vmlinux.bin FORCE
vmlinux.bin: vmlinux FORCE
$(call if_changed,objcopy)
-unwcheck: vmlinux
- -$(Q)READELF=$(READELF) $(PYTHON) $(srctree)/arch/ia64/scripts/unwcheck.py $<
-
archclean:
archheaders:
@@ -85,7 +73,6 @@ install: vmlinux.gz
define archhelp
echo '* compressed - Build compressed kernel image'
echo ' install - Install compressed kernel image'
- echo '* unwcheck - Check vmlinux for invalid unwind info'
endef
archprepare: make_nr_irqs_h
--
2.23.0

26
debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch vendored
View File

@@ -1,26 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: iwlwifi: Do not request unreleased firmware for IWL6000
Bug-Debian: https://bugs.debian.org/689416
Forwarded: not-needed
The iwlwifi driver currently supports firmware API versions 4-6 for
these devices. It will request the file for the latest supported
version and then fall back to earlier versions. However, the latest
version that has actually been released is 4, so we expect the
requests for versions 6 and then 5 to fail.
The installer appears to report any failed request, and it is probably
not easy to detect that this particular failure is harmless. So stop
requesting the unreleased firmware.
--- a/drivers/net/wireless/intel/iwlwifi/cfg/6000.c
+++ b/drivers/net/wireless/intel/iwlwifi/cfg/6000.c
@@ -31,7 +31,7 @@
#include "dvm/commands.h" /* needed for BT for now */
/* Highest firmware API version supported */
-#define IWL6000_UCODE_API_MAX 6
+#define IWL6000_UCODE_API_MAX 4 /* v5-6 are supported but not released */
#define IWL6050_UCODE_API_MAX 5
#define IWL6000G2_UCODE_API_MAX 6
#define IWL6035_UCODE_API_MAX 6

82
debian/patches/debian/kernelvariables.patch vendored
View File

@@ -1,82 +0,0 @@
From: Bastian Blank <waldi@debian.org>
Subject: kbuild: Make the toolchain variables easily overwritable
Date: Sun, 22 Feb 2009 15:39:35 +0100
Forwarded: not-needed
Allow make variables to be overridden for each flavour by a file in
the build tree, .kernelvariables.
We currently use this for ARCH, KERNELRELEASE, CC, and in some cases
also CROSS_COMPILE, KCFLAGS.
This file can only be read after we establish the build tree, and all
use of $(ARCH) needs to be moved after this.
[bwh: Updated for 5.3: include .kernelvariables from current directory
rather than using undefined $(obj).]
---
--- a/Makefile
+++ b/Makefile
@@ -363,31 +363,6 @@ include scripts/subarch.include
# Note: Some architectures assign CROSS_COMPILE in their arch/*/Makefile
ARCH ?= $(SUBARCH)
-# Architecture as present in compile.h
-UTS_MACHINE := $(ARCH)
-SRCARCH := $(ARCH)
-
-# Additional ARCH settings for x86
-ifeq ($(ARCH),i386)
- SRCARCH := x86
-endif
-ifeq ($(ARCH),x86_64)
- SRCARCH := x86
-endif
-
-# Additional ARCH settings for sparc
-ifeq ($(ARCH),sparc32)
- SRCARCH := sparc
-endif
-ifeq ($(ARCH),sparc64)
- SRCARCH := sparc
-endif
-
-# Additional ARCH settings for sh
-ifeq ($(ARCH),sh64)
- SRCARCH := sh
-endif
-
KCONFIG_CONFIG ?= .config
export KCONFIG_CONFIG
@@ -442,6 +417,30 @@ CFLAGS_KERNEL =
AFLAGS_KERNEL =
LDFLAGS_vmlinux =
+-include .kernelvariables
+
+# Architecture as present in compile.h
+UTS_MACHINE := $(ARCH)
+SRCARCH := $(ARCH)
+
+# Additional ARCH settings for x86
+ifeq ($(ARCH),i386)
+ SRCARCH := x86
+endif
+ifeq ($(ARCH),x86_64)
+ SRCARCH := x86
+endif
+
+# Additional ARCH settings for sparc
+ifeq ($(ARCH),sparc64)
+ SRCARCH := sparc
+endif
+
+# Additional ARCH settings for sh
+ifeq ($(ARCH),sh64)
+ SRCARCH := sh
+endif
+
# Use USERINCLUDE when you must reference the UAPI directories only.
USERINCLUDE := \
-I$(srctree)/arch/$(SRCARCH)/include/uapi \

20
debian/patches/debian/mips-boston-disable-its.patch vendored
View File

@@ -1,20 +0,0 @@
From: YunQiang Su <syq@debian.org>
Date: Mon, 14 May 2018 16:16:18 +0800
Subject: Disable uImage generation for mips generic
Forwarded: not-needed
MIPS generic trys to generate uImage when build, which then ask for
u-boot-tools.
--- a/arch/mips/generic/Platform
+++ b/arch/mips/generic/Platform
@@ -11,9 +11,7 @@
platform-$(CONFIG_MIPS_GENERIC) += generic/
cflags-$(CONFIG_MIPS_GENERIC) += -I$(srctree)/arch/mips/include/asm/mach-generic
load-$(CONFIG_MIPS_GENERIC) += 0xffffffff80100000
-all-$(CONFIG_MIPS_GENERIC) := vmlinux.gz.itb
-its-y := vmlinux.its.S
its-$(CONFIG_FIT_IMAGE_FDT_BOSTON) += board-boston.its.S
its-$(CONFIG_FIT_IMAGE_FDT_NI169445) += board-ni169445.its.S
its-$(CONFIG_FIT_IMAGE_FDT_OCELOT) += board-ocelot.its.S

23
debian/patches/debian/mips-disable-werror.patch vendored
View File

@@ -1,23 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 13 Sep 2010 02:16:18 +0100
Subject: [PATCH] Partially revert "MIPS: Add -Werror to arch/mips/Kbuild"
Forwarded: not-needed
This reverts commits 66f9ba101f54bda63ab1db97f9e9e94763d0651b and
5373633cc9253ba82547473e899cab141c54133e.
We really don't want to add -Werror anywhere.
---
--- a/arch/mips/Kbuild
+++ b/arch/mips/Kbuild
@@ -1,10 +1,4 @@
# SPDX-License-Identifier: GPL-2.0
-# Fail on warnings - also for files referenced in subdirs
-# -Werror can be disabled for specific files using:
-# CFLAGS_<file.o> := -Wno-error
-ifeq ($(W),)
-subdir-ccflags-y := -Werror
-endif
# platform specific definitions
include arch/mips/Kbuild.platforms

22
debian/patches/debian/ntfs-mark-it-as-broken.patch vendored
View File

@@ -1,22 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 25 Apr 2019 15:31:33 +0100
Subject: ntfs: mark it as broken
NTFS has unfixed issues CVE-2018-12929, CVE-2018-12930, and
CVE-2018-12931. ntfs-3g is a better supported alternative.
Make sure it can't be enabled even in custom kernels.
---
Index: debian-kernel/fs/ntfs/Kconfig
===================================================================
--- debian-kernel.orig/fs/ntfs/Kconfig
+++ debian-kernel/fs/ntfs/Kconfig
@@ -1,6 +1,7 @@
# SPDX-License-Identifier: GPL-2.0-only
config NTFS_FS
tristate "NTFS file system support"
+ depends on BROKEN
select NLS
help
NTFS is the file system of Microsoft Windows NT, 2000, XP and 2003.

59
debian/patches/debian/overlayfs-permit-mounts-in-userns.patch vendored
View File

@@ -1,59 +0,0 @@
From: Nicolas Schier <nicolas@fjasle.eu>
Subject: ovl: permit overlayfs mounts in user namespaces (taints kernel)
Date: Mon, 19 Nov 2018 20:36:14 +0100
Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
unprivileged LXC overlay snapshots.
Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
expected to be a security risk [2] and thus are not enabled on upstream
Linux kernels. For the non-Ubuntu users that have to stick to unprivileged
overlay-based LXCs, this meant to patch and compile the kernel manually.
Instead, adding the kernel tainting 'permit_mounts_in_userns' module
parameter allows a kind of a user-friendly way to enable the feature.
Testable with:
sudo modprobe overlay permit_mounts_in_userns=1
sudo sysctl -w kernel.unprivileged_userns_clone=1
mkdir -p lower upper work mnt
unshare --map-root-user --mount \
mount -t overlay none mnt \
-o lowerdir=lower,upperdir=upper,workdir=work
[1]: Ubuntu allows unprivileged mounting of overlay filesystem
https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html
[2]: User namespaces + overlayfs = root privileges
https://lwn.net/Articles/671641/
Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
Index: debian-kernel/fs/overlayfs/super.c
===================================================================
--- debian-kernel.orig/fs/overlayfs/super.c
+++ debian-kernel/fs/overlayfs/super.c
@@ -53,6 +53,11 @@ module_param_named(xino_auto, ovl_xino_a
MODULE_PARM_DESC(xino_auto,
"Auto enable xino feature");
+static bool ovl_permit_mounts_in_userns;
+module_param_named_unsafe(permit_mounts_in_userns, ovl_permit_mounts_in_userns,
+ bool, 0444);
+MODULE_PARM_DESC(permit_mounts_in_userns, "Permit mounts in user namespaces");
+
static void ovl_entry_stack_free(struct ovl_entry *oe)
{
unsigned int i;
@@ -1718,6 +1723,11 @@ static int __init ovl_init(void)
if (ovl_inode_cachep == NULL)
return -ENOMEM;
+ if (unlikely(ovl_permit_mounts_in_userns)) {
+ pr_warn("overlayfs: Allowing overlay mounts in user namespaces bears security risks\n");
+ ovl_fs_type.fs_flags |= FS_USERNS_MOUNT;
+ }
+
err = register_filesystem(&ovl_fs_type);
if (err)
kmem_cache_destroy(ovl_inode_cachep);

34
debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch vendored
View File

@@ -1,34 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 19 Nov 2010 02:12:48 +0000
Subject: [PATCH 1/3] rds: Disable auto-loading as mitigation against local exploits
Forwarded: not-needed
Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.
The 'rds' protocol is one such protocol that has been found to be
vulnerable, and which was not present in the 'lenny' kernel.
Therefore disable auto-loading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/rds/af_rds.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
index 98e0538..d8d4525 100644
--- a/net/rds/af_rds.c
+++ b/net/rds/af_rds.c
@@ -574,4 +574,4 @@ MODULE_DESCRIPTION("RDS: Reliable Datagram Sockets"
" v" DRV_VERSION " (" DRV_RELDATE ")");
MODULE_VERSION(DRV_VERSION);
MODULE_LICENSE("Dual BSD/GPL");
-MODULE_ALIAS_NETPROTO(PF_RDS);
+/* MODULE_ALIAS_NETPROTO(PF_RDS); */
--
1.7.2.3

52
debian/patches/debian/revert-objtool-fix-config_stack_validation-y-warning.patch vendored
View File

@@ -1,52 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 14 Jan 2018 19:27:18 +0000
Subject: Revert "objtool: Fix CONFIG_STACK_VALIDATION=y warning for
out-of-tree modules"
This reverts commit 9f0c18aec620bc9d82268b3cb937568dd07b43ff. This
check doesn't make sense for OOT modules as they should always use
a pre-built objtool.
---
Makefile | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
Index: debian-kernel/Makefile
===================================================================
--- debian-kernel.orig/Makefile
+++ debian-kernel/Makefile
@@ -993,17 +993,6 @@ export mod_sign_cmd
HOST_LIBELF_LIBS = $(shell pkg-config libelf --libs 2>/dev/null || echo -lelf)
-ifdef CONFIG_STACK_VALIDATION
- has_libelf := $(call try-run,\
- echo "int main() {}" | $(HOSTCC) -xc -o /dev/null $(HOST_LIBELF_LIBS) -,1,0)
- ifeq ($(has_libelf),1)
- objtool_target := tools/objtool FORCE
- else
- SKIP_STACK_VALIDATION := 1
- export SKIP_STACK_VALIDATION
- endif
-endif
-
PHONY += prepare0
export MODORDER := $(extmod-prefix)modules.order
@@ -1122,6 +1111,17 @@ uapi-asm-generic:
$(Q)$(MAKE) $(asm-generic)=arch/$(SRCARCH)/include/generated/uapi/asm \
generic=include/uapi/asm-generic
+ifdef CONFIG_STACK_VALIDATION
+ has_libelf := $(call try-run,\
+ echo "int main() {}" | $(HOSTCC) -xc -o /dev/null $(HOST_LIBELF_LIBS) -,1,0)
+ ifeq ($(has_libelf),1)
+ objtool_target := tools/objtool FORCE
+ else
+ SKIP_STACK_VALIDATION := 1
+ export SKIP_STACK_VALIDATION
+ endif
+endif
+
PHONY += prepare-objtool
prepare-objtool: $(objtool_target)
ifeq ($(SKIP_STACK_VALIDATION),1)

19
debian/patches/debian/sched-autogroup-disabled.patch vendored
View File

@@ -1,19 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: sched: Do not enable autogrouping by default
Date: Wed, 16 Mar 2011 03:17:06 +0000
Forwarded: not-needed
We want to provide the option of autogrouping but without enabling
it by default yet.
--- a/kernel/sched/autogroup.c
+++ b/kernel/sched/autogroup.c
@@ -5,7 +5,7 @@
#include <linux/nospec.h>
#include "sched.h"
-unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
+unsigned int __read_mostly sysctl_sched_autogroup_enabled = 0;
static struct autogroup autogroup_default;
static atomic_t autogroup_seq_nr;

30
debian/patches/debian/snd-pcsp-disable-autoload.patch vendored
View File

@@ -1,30 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 05 Feb 2014 23:01:30 +0000
Subject: snd-pcsp: Disable autoload
Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/697709
There are two drivers claiming the platform:pcspkr device:
- pcspkr creates an input(!) device that can only beep
- snd-pcsp creates an equivalent input device plus a PCM device that can
play barely recognisable renditions of sampled sound
snd-pcsp is blacklisted by the alsa-base package, but not everyone
installs that. On PCs where no sound is wanted at all, both drivers
will still be loaded and one or other will complain that it couldn't
claim the relevant I/O range.
In case anyone finds snd-pcsp useful, we continue to build it. But
remove the alias, to ensure it's not loaded where it's not wanted.
--- a/sound/drivers/pcsp/pcsp.c
+++ b/sound/drivers/pcsp/pcsp.c
@@ -21,7 +21,7 @@ MODULE_AUTHOR("Stas Sergeev <stsp@users.
MODULE_DESCRIPTION("PC-Speaker driver");
MODULE_LICENSE("GPL");
MODULE_SUPPORTED_DEVICE("{{PC-Speaker, pcsp}}");
-MODULE_ALIAS("platform:pcspkr");
+/*MODULE_ALIAS("platform:pcspkr");*/
static int index = SNDRV_DEFAULT_IDX1; /* Index 0-MAX */
static char *id = SNDRV_DEFAULT_STR1; /* ID for this card */

51
debian/patches/debian/tools-perf-install.patch vendored
View File

@@ -1,51 +0,0 @@
From: Bastian Blank <waldi@debian.org>
Date: Fri, 07 Oct 2011 21:37:52 +0100
Subject: Install perf scripts non-executable
Forwarded: no
[bwh: Forward-ported to 4.13]
---
tools/perf/Makefile.perf | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
--- a/tools/perf/Makefile.perf
+++ b/tools/perf/Makefile.perf
@@ -854,8 +854,8 @@ endif
ifndef NO_LIBPERL
$(call QUIET_INSTALL, perl-scripts) \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/Perf-Trace-Util/lib/Perf/Trace'; \
- $(INSTALL) scripts/perl/Perf-Trace-Util/lib/Perf/Trace/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/Perf-Trace-Util/lib/Perf/Trace'; \
- $(INSTALL) scripts/perl/*.pl -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl'; \
+ $(INSTALL) -m 644 scripts/perl/Perf-Trace-Util/lib/Perf/Trace/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/Perf-Trace-Util/lib/Perf/Trace'; \
+ $(INSTALL) -m 644 scripts/perl/*.pl -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl'; \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/bin'; \
$(INSTALL) scripts/perl/bin/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/bin'
endif
@@ -869,21 +869,21 @@ ifndef NO_LIBPYTHON
endif
$(call QUIET_INSTALL, perf_completion-script) \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d'; \
- $(INSTALL) perf-completion.sh '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d/perf_$(VERSION)'
+ $(INSTALL) -m 644 perf-completion.sh '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d/perf_$(VERSION)'
$(call QUIET_INSTALL, perf-tip) \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(tip_instdir_SQ)'; \
- $(INSTALL) Documentation/tips.txt -t '$(DESTDIR_SQ)$(tip_instdir_SQ)'
+ $(INSTALL) -m 644 Documentation/tips.txt -t '$(DESTDIR_SQ)$(tip_instdir_SQ)'
install-tests: all install-gtk
$(call QUIET_INSTALL, tests) \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests'; \
- $(INSTALL) tests/attr.py '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests'; \
+ $(INSTALL) -m 644 tests/attr.py '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests'; \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'; \
- $(INSTALL) tests/attr/* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'; \
+ $(INSTALL) -m 644 tests/attr/* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'; \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell'; \
- $(INSTALL) tests/shell/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell'; \
+ $(INSTALL) -m 644 tests/shell/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell'; \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/lib'; \
- $(INSTALL) tests/shell/lib/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/lib'
+ $(INSTALL) -m 644 tests/shell/lib/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/lib'
install-bin: install-tools install-tests install-traceevent-plugins

111
debian/patches/debian/tools-perf-version.patch vendored
View File

@@ -1,111 +0,0 @@
From: Bastian Blank <waldi@debian.org>
Date: Mon, 26 Sep 2011 13:53:12 +0100
Subject: Create manpages and binaries including the version
Forwarded: no
[bwh: Fix version insertion in perf man page cross-references and perf
man page title. Install bash_completion script for perf with a
version-dependent name. And do the same for trace.]
--- a/tools/perf/Makefile.perf
+++ b/tools/perf/Makefile.perf
@@ -759,23 +759,23 @@ endif
install-tools: all install-gtk
$(call QUIET_INSTALL, binaries) \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(bindir_SQ)'; \
- $(INSTALL) $(OUTPUT)perf '$(DESTDIR_SQ)$(bindir_SQ)'; \
- $(LN) '$(DESTDIR_SQ)$(bindir_SQ)/perf' '$(DESTDIR_SQ)$(bindir_SQ)/trace'
+ $(INSTALL) $(OUTPUT)perf '$(DESTDIR_SQ)$(bindir_SQ)/perf_$(VERSION)'; \
+ $(LN) '$(DESTDIR_SQ)$(bindir_SQ)/perf_$(VERSION)' '$(DESTDIR_SQ)$(bindir_SQ)/trace_$(VERSION)'
+ $(call QUIET_INSTALL, libexec) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)'
ifndef NO_PERF_READ_VDSO32
$(call QUIET_INSTALL, perf-read-vdso32) \
- $(INSTALL) $(OUTPUT)perf-read-vdso32 '$(DESTDIR_SQ)$(bindir_SQ)';
+ $(INSTALL) $(OUTPUT)perf-read-vdso32 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)';
endif
ifndef NO_PERF_READ_VDSOX32
$(call QUIET_INSTALL, perf-read-vdsox32) \
- $(INSTALL) $(OUTPUT)perf-read-vdsox32 '$(DESTDIR_SQ)$(bindir_SQ)';
+ $(INSTALL) $(OUTPUT)perf-read-vdsox32 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)';
endif
ifndef NO_JVMTI
$(call QUIET_INSTALL, $(LIBJVMTI)) \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(libdir_SQ)'; \
$(INSTALL) $(OUTPUT)$(LIBJVMTI) '$(DESTDIR_SQ)$(libdir_SQ)';
endif
- $(call QUIET_INSTALL, libexec) \
- $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)'
ifndef NO_LIBBPF
$(call QUIET_INSTALL, bpf-headers) \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perf_include_instdir_SQ)/bpf'; \
@@ -811,7 +811,7 @@ ifndef NO_LIBPYTHON
endif
$(call QUIET_INSTALL, perf_completion-script) \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d'; \
- $(INSTALL) perf-completion.sh '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d/perf'
+ $(INSTALL) perf-completion.sh '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d/perf_$(VERSION)'
$(call QUIET_INSTALL, perf-tip) \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(tip_instdir_SQ)'; \
$(INSTALL) Documentation/tips.txt -t '$(DESTDIR_SQ)$(tip_instdir_SQ)'
@@ -836,7 +836,7 @@ install-python_ext:
# 'make install-doc' should call 'make -C Documentation install'
$(INSTALL_DOC_TARGETS):
- $(QUIET_SUBDIR0)Documentation $(QUIET_SUBDIR1) $(@:-doc=)
+ $(QUIET_SUBDIR0)Documentation $(QUIET_SUBDIR1) $(@:-doc=) VERSION=$(VERSION)
### Cleaning rules
--- a/tools/perf/Documentation/Makefile
+++ b/tools/perf/Documentation/Makefile
@@ -194,14 +194,16 @@ ifdef missing_tools
$(error "You need to install $(missing_tools) for man pages")
endif
-do-install-man: man
+do-install-man: $(addprefix install-man-,$(_DOC_MAN1))
+
+install-man-perf.1: $(OUTPUT)perf.1
+ $(INSTALL) -d -m 755 $(DESTDIR)$(man1dir)
+ sed -e 's/"PERF"/"PERF_$(VERSION)"/' -e 's/fBperf-/fBperf_$(VERSION)-/g' $^ > $(DESTDIR)$(man1dir)/perf_$(VERSION).1
+
+install-man-perf%.1: $(OUTPUT)perf%.1
$(call QUIET_INSTALL, Documentation-man) \
$(INSTALL) -d -m 755 $(DESTDIR)$(man1dir); \
-# $(INSTALL) -d -m 755 $(DESTDIR)$(man5dir); \
-# $(INSTALL) -d -m 755 $(DESTDIR)$(man7dir); \
- $(INSTALL) -m 644 $(DOC_MAN1) $(DESTDIR)$(man1dir); \
-# $(INSTALL) -m 644 $(DOC_MAN5) $(DESTDIR)$(man5dir); \
-# $(INSTALL) -m 644 $(DOC_MAN7) $(DESTDIR)$(man7dir)
+ sed -e 's/"PERF\\-/"PERF_$(VERSION)\\-/' -e 's/fBperf-/fBperf_$(VERSION)-/g' $^ > $(DESTDIR)$(man1dir)/perf_$(VERSION)$*.1
install-man: check-man-tools man do-install-man
--- a/tools/perf/util/Build
+++ b/tools/perf/util/Build
@@ -193,6 +193,7 @@ CFLAGS_libstring.o += -Wno-unused-pa
CFLAGS_hweight.o += -Wno-unused-parameter -DETC_PERFCONFIG="BUILD_STR($(ETC_PERFCONFIG_SQ))"
CFLAGS_parse-events.o += -Wno-redundant-decls
CFLAGS_header.o += -include $(OUTPUT)PERF-VERSION-FILE
+CFLAGS_vdso.o += -DPERFEXECDIR='"$(perfexec_instdir_SQ)"'
$(OUTPUT)util/kallsyms.o: ../lib/symbol/kallsyms.c FORCE
$(call rule_mkdir)
--- a/tools/perf/util/vdso.c
+++ b/tools/perf/util/vdso.c
@@ -52,12 +52,12 @@ static struct vdso_info *vdso_info__new(
.vdso32 = {
.temp_file_name = VDSO__TEMP_FILE_NAME,
.dso_name = DSO__NAME_VDSO32,
- .read_prog = "perf-read-vdso32",
+ .read_prog = PERFEXECDIR "/perf-read-vdso32",
},
.vdsox32 = {
.temp_file_name = VDSO__TEMP_FILE_NAME,
.dso_name = DSO__NAME_VDSOX32,
- .read_prog = "perf-read-vdsox32",
+ .read_prog = PERFEXECDIR "/perf-read-vdsox32",
},
#endif
};

33
debian/patches/debian/uname-version-timestamp.patch vendored
View File

@@ -1,33 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: Make mkcompile_h accept an alternate timestamp string
Date: Tue, 12 May 2015 19:29:22 +0100
Forwarded: not-needed
We want to include the Debian version in the utsname::version string
instead of a full timestamp string. However, we still need to provide
a standard timestamp string for gen_initramfs_list.sh to make the
kernel image reproducible.
Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
$KBUILD_BUILD_TIMESTAMP.
--- a/scripts/mkcompile_h
+++ b/scripts/mkcompile_h
@@ -37,10 +37,14 @@ else
VERSION=$KBUILD_BUILD_VERSION
fi
-if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
- TIMESTAMP=`date`
+if [ -z "$KBUILD_BUILD_VERSION_TIMESTAMP" ]; then
+ if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
+ TIMESTAMP=`date`
+ else
+ TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
+ fi
else
- TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
+ TIMESTAMP=$KBUILD_BUILD_VERSION_TIMESTAMP
fi
if test -z "$KBUILD_BUILD_USER"; then
LINUX_COMPILE_BY=$(whoami | sed 's/\\/\\\\/')

188
debian/patches/debian/version.patch vendored
View File

@@ -1,188 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: Include package version along with kernel release in stack traces
Date: Tue, 24 Jul 2012 03:13:10 +0100
Forwarded: not-needed
For distribution binary packages we assume
$DISTRIBUTION_OFFICIAL_BUILD, $DISTRIBUTOR and $DISTRIBUTION_VERSION
are set.
---
Makefile | 16 +++++++++++++++-
arch/ia64/kernel/process.c | 5 +++--
arch/powerpc/kernel/process.c | 6 ++++--
arch/x86/um/sysrq_64.c | 6 ++++--
kernel/hung_task.c | 6 ++++--
lib/dump_stack.c | 6 ++++--
6 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/Makefile b/Makefile
index f87a5d6ab78b..36e3cc18c023 100644
--- a/Makefile
+++ b/Makefile
@@ -1102,7 +1102,8 @@ scripts: scripts_basic scripts_dtc
PHONY += prepare archprepare
archprepare: outputmakefile archheaders archscripts scripts include/config/kernel.release \
- asm-generic $(version_h) $(autoksyms_h) include/generated/utsrelease.h
+ asm-generic $(version_h) $(autoksyms_h) include/generated/utsrelease.h \
+ include/generated/package.h
prepare0: archprepare
$(Q)$(MAKE) $(build)=scripts/mod
@@ -1154,6 +1155,16 @@ define filechk_version.h
echo '#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))'
endef
+ifneq ($(DISTRIBUTION_OFFICIAL_BUILD),)
+define filechk_package.h
+ echo \#define LINUX_PACKAGE_ID \" $(DISTRIBUTOR) $(DISTRIBUTION_VERSION)\"
+endef
+else
+define filechk_package.h
+ echo \#define LINUX_PACKAGE_ID \"\"
+endef
+endif
+
$(version_h): FORCE
$(call filechk,version.h)
$(Q)rm -f $(old_version_h)
@@ -1161,6 +1172,9 @@ $(version_h): FORCE
include/generated/utsrelease.h: include/config/kernel.release FORCE
$(call filechk,utsrelease.h)
+include/generated/package.h: $(srctree)/Makefile FORCE
+ $(call filechk,package.h)
+
PHONY += headerdep
headerdep:
$(Q)find $(srctree)/include/ -name '*.h' | xargs --max-args 1 \
diff --git a/arch/ia64/kernel/process.c b/arch/ia64/kernel/process.c
index 968b5f33e725..6bdf68c1c5c1 100644
--- a/arch/ia64/kernel/process.c
+++ b/arch/ia64/kernel/process.c
@@ -34,6 +34,7 @@
#include <linux/utsname.h>
#include <linux/tracehook.h>
#include <linux/rcupdate.h>
+#include <generated/package.h>
#include <asm/cpu.h>
#include <asm/delay.h>
@@ -104,9 +105,9 @@ show_regs (struct pt_regs *regs)
print_modules();
printk("\n");
show_regs_print_info(KERN_DEFAULT);
- printk("psr : %016lx ifs : %016lx ip : [<%016lx>] %s (%s)\n",
+ printk("psr : %016lx ifs : %016lx ip : [<%016lx>] %s (%s%s)\n",
regs->cr_ipsr, regs->cr_ifs, ip, print_tainted(),
- init_utsname()->release);
+ init_utsname()->release, LINUX_PACKAGE_ID);
printk("ip is at %pS\n", (void *)ip);
printk("unat: %016lx pfs : %016lx rsc : %016lx\n",
regs->ar_unat, regs->ar_pfs, regs->ar_rsc);
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index 639ceae7da9d..34106d761e91 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -40,6 +40,7 @@
#include <linux/elf-randomize.h>
#include <linux/pkeys.h>
#include <linux/seq_buf.h>
+#include <generated/package.h>
#include <asm/pgtable.h>
#include <asm/io.h>
@@ -1393,8 +1394,9 @@ void show_regs(struct pt_regs * regs)
printk("NIP: "REG" LR: "REG" CTR: "REG"\n",
regs->nip, regs->link, regs->ctr);
- printk("REGS: %px TRAP: %04lx %s (%s)\n",
- regs, regs->trap, print_tainted(), init_utsname()->release);
+ printk("REGS: %px TRAP: %04lx %s (%s%s)\n",
+ regs, regs->trap, print_tainted(), init_utsname()->release,
+ LINUX_PACKAGE_ID);
printk("MSR: "REG" ", regs->msr);
print_msr_bits(regs->msr);
pr_cont(" CR: %08lx XER: %08lx\n", regs->ccr, regs->xer);
diff --git a/arch/x86/um/sysrq_64.c b/arch/x86/um/sysrq_64.c
index 903ad91b624f..7fdad4fc204d 100644
--- a/arch/x86/um/sysrq_64.c
+++ b/arch/x86/um/sysrq_64.c
@@ -9,6 +9,7 @@
#include <linux/sched.h>
#include <linux/sched/debug.h>
#include <linux/utsname.h>
+#include <generated/package.h>
#include <asm/current.h>
#include <asm/ptrace.h>
#include <asm/sysrq.h>
@@ -17,8 +18,9 @@ void show_regs(struct pt_regs *regs)
{
printk("\n");
print_modules();
- printk(KERN_INFO "Pid: %d, comm: %.20s %s %s\n", task_pid_nr(current),
- current->comm, print_tainted(), init_utsname()->release);
+ printk(KERN_INFO "Pid: %d, comm: %.20s %s %s%s\n", task_pid_nr(current),
+ current->comm, print_tainted(), init_utsname()->release,
+ LINUX_PACKAGE_ID);
printk(KERN_INFO "RIP: %04lx:[<%016lx>]\n", PT_REGS_CS(regs) & 0xffff,
PT_REGS_IP(regs));
printk(KERN_INFO "RSP: %016lx EFLAGS: %08lx\n", PT_REGS_SP(regs),
diff --git a/kernel/hung_task.c b/kernel/hung_task.c
index 14a625c16cb3..3a6229c93a76 100644
--- a/kernel/hung_task.c
+++ b/kernel/hung_task.c
@@ -23,6 +23,7 @@
#include <linux/sched/sysctl.h>
#include <trace/events/sched.h>
+#include <generated/package.h>
/*
* The number of tasks checked:
@@ -129,10 +130,11 @@ static void check_hung_task(struct task_struct *t, unsigned long timeout)
sysctl_hung_task_warnings--;
pr_err("INFO: task %s:%d blocked for more than %ld seconds.\n",
t->comm, t->pid, (jiffies - t->last_switch_time) / HZ);
- pr_err(" %s %s %.*s\n",
+ pr_err(" %s %s %.*s%s\n",
print_tainted(), init_utsname()->release,
(int)strcspn(init_utsname()->version, " "),
- init_utsname()->version);
+ init_utsname()->version,
+ LINUX_PACKAGE_ID);
pr_err("\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\""
" disables this message.\n");
sched_show_task(t);
diff --git a/lib/dump_stack.c b/lib/dump_stack.c
index 5cff72f18c4a..cd526798ce68 100644
--- a/lib/dump_stack.c
+++ b/lib/dump_stack.c
@@ -12,6 +12,7 @@
#include <linux/atomic.h>
#include <linux/kexec.h>
#include <linux/utsname.h>
+#include <generated/package.h>
static char dump_stack_arch_desc_str[128];
@@ -44,13 +45,14 @@ void __init dump_stack_set_arch_desc(const char *fmt, ...)
*/
void dump_stack_print_info(const char *log_lvl)
{
- printk("%sCPU: %d PID: %d Comm: %.20s %s%s %s %.*s\n",
+ printk("%sCPU: %d PID: %d Comm: %.20s %s%s %s %.*s%s\n",
log_lvl, raw_smp_processor_id(), current->pid, current->comm,
kexec_crash_loaded() ? "Kdump: loaded " : "",
print_tainted(),
init_utsname()->release,
(int)strcspn(init_utsname()->version, " "),
- init_utsname()->version);
+ init_utsname()->version,
+ LINUX_PACKAGE_ID);
if (dump_stack_arch_desc_str[0] != '\0')
printk("%sHardware name: %s\n",
--
2.23.0

961
debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch vendored
View File

@@ -1,961 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 13 Apr 2018 20:10:28 +0100
Subject: wireless: Add Debian wireless-regdb certificates
Forwarded: not-needed
This hex dump is generated using:
{
for cert in debian/certs/wireless-regdb-*.pem; do
openssl x509 -in $cert -outform der;
done
} | hexdump -v -e '1/1 "0x%.2x," "\n"' > net/wireless/certs/debian.hex
---
--- /dev/null
+++ b/net/wireless/certs/debian.hex
@@ -0,0 +1,944 @@
+0x30,
+0x82,
+0x03,
+0xac,
+0x30,
+0x82,
+0x02,
+0x94,
+0xa0,
+0x03,
+0x02,
+0x01,
+0x02,
+0x02,
+0x09,
+0x00,
+0xd9,
+0xb1,
+0xe4,
+0x6f,
+0x28,
+0xf3,
+0xd4,
+0x97,
+0x30,
+0x0d,
+0x06,
+0x09,
+0x2a,
+0x86,
+0x48,
+0x86,
+0xf7,
+0x0d,
+0x01,
+0x01,
+0x0b,
+0x05,
+0x00,
+0x30,
+0x6b,
+0x31,
+0x0b,
+0x30,
+0x09,
+0x06,
+0x03,
+0x55,
+0x04,
+0x06,
+0x13,
+0x02,
+0x47,
+0x42,
+0x31,
+0x13,
+0x30,
+0x11,
+0x06,
+0x03,
+0x55,
+0x04,
+0x07,
+0x0c,
+0x0a,
+0x4d,
+0x61,
+0x6e,
+0x63,
+0x68,
+0x65,
+0x73,
+0x74,
+0x65,
+0x72,
+0x31,
+0x0f,
+0x30,
+0x0d,
+0x06,
+0x03,
+0x55,
+0x04,
+0x0a,
+0x0c,
+0x06,
+0x44,
+0x65,
+0x62,
+0x69,
+0x61,
+0x6e,
+0x31,
+0x16,
+0x30,
+0x14,
+0x06,
+0x03,
+0x55,
+0x04,
+0x03,
+0x0c,
+0x0d,
+0x42,
+0x65,
+0x6e,
+0x20,
+0x48,
+0x75,
+0x74,
+0x63,
+0x68,
+0x69,
+0x6e,
+0x67,
+0x73,
+0x31,
+0x1e,
+0x30,
+0x1c,
+0x06,
+0x09,
+0x2a,
+0x86,
+0x48,
+0x86,
+0xf7,
+0x0d,
+0x01,
+0x09,
+0x01,
+0x16,
+0x0f,
+0x62,
+0x65,
+0x6e,
+0x68,
+0x40,
+0x64,
+0x65,
+0x62,
+0x69,
+0x61,
+0x6e,
+0x2e,
+0x6f,
+0x72,
+0x67,
+0x30,
+0x1e,
+0x17,
+0x0d,
+0x31,
+0x38,
+0x30,
+0x34,
+0x31,
+0x33,
+0x31,
+0x38,
+0x32,
+0x31,
+0x34,
+0x36,
+0x5a,
+0x17,
+0x0d,
+0x31,
+0x38,
+0x30,
+0x35,
+0x31,
+0x33,
+0x31,
+0x38,
+0x32,
+0x31,
+0x34,
+0x36,
+0x5a,
+0x30,
+0x6b,
+0x31,
+0x0b,
+0x30,
+0x09,
+0x06,
+0x03,
+0x55,
+0x04,
+0x06,
+0x13,
+0x02,
+0x47,
+0x42,
+0x31,
+0x13,
+0x30,
+0x11,
+0x06,
+0x03,
+0x55,
+0x04,
+0x07,
+0x0c,
+0x0a,
+0x4d,
+0x61,
+0x6e,
+0x63,
+0x68,
+0x65,
+0x73,
+0x74,
+0x65,
+0x72,
+0x31,
+0x0f,
+0x30,
+0x0d,
+0x06,
+0x03,
+0x55,
+0x04,
+0x0a,
+0x0c,
+0x06,
+0x44,
+0x65,
+0x62,
+0x69,
+0x61,
+0x6e,
+0x31,
+0x16,
+0x30,
+0x14,
+0x06,
+0x03,
+0x55,
+0x04,
+0x03,
+0x0c,
+0x0d,
+0x42,
+0x65,
+0x6e,
+0x20,
+0x48,
+0x75,
+0x74,
+0x63,
+0x68,
+0x69,
+0x6e,
+0x67,
+0x73,
+0x31,
+0x1e,
+0x30,
+0x1c,
+0x06,
+0x09,
+0x2a,
+0x86,
+0x48,
+0x86,
+0xf7,
+0x0d,
+0x01,
+0x09,
+0x01,
+0x16,
+0x0f,
+0x62,
+0x65,
+0x6e,
+0x68,
+0x40,
+0x64,
+0x65,
+0x62,
+0x69,
+0x61,
+0x6e,
+0x2e,
+0x6f,
+0x72,
+0x67,
+0x30,
+0x82,
+0x01,
+0x22,
+0x30,
+0x0d,
+0x06,
+0x09,
+0x2a,
+0x86,
+0x48,
+0x86,
+0xf7,
+0x0d,
+0x01,
+0x01,
+0x01,
+0x05,
+0x00,
+0x03,
+0x82,
+0x01,
+0x0f,
+0x00,
+0x30,
+0x82,
+0x01,
+0x0a,
+0x02,
+0x82,
+0x01,
+0x01,
+0x00,
+0x9d,
+0xe1,
+0x77,
+0xa0,
+0x24,
+0xa0,
+0xd5,
+0x79,
+0x65,
+0x3a,
+0x07,
+0x90,
+0xc9,
+0xf6,
+0xa5,
+0xa6,
+0x1f,
+0x84,
+0x1c,
+0x23,
+0x07,
+0x4b,
+0x4f,
+0xa5,
+0x03,
+0xc6,
+0x0f,
+0xf7,
+0x54,
+0xd5,
+0x8b,
+0x7e,
+0x79,
+0x81,
+0x00,
+0xd2,
+0xe9,
+0x3d,
+0xf4,
+0x97,
+0xfe,
+0x84,
+0xcd,
+0x55,
+0xbd,
+0xc9,
+0x8f,
+0x21,
+0x57,
+0x88,
+0x06,
+0x39,
+0x90,
+0x66,
+0x41,
+0x26,
+0x79,
+0x2c,
+0xca,
+0x3f,
+0x95,
+0x87,
+0x01,
+0x11,
+0x2f,
+0x2f,
+0xb0,
+0xe1,
+0x0b,
+0x43,
+0xfc,
+0x5f,
+0x2f,
+0x4f,
+0x67,
+0x04,
+0xdb,
+0x4d,
+0xb7,
+0x72,
+0x4d,
+0xd1,
+0xc5,
+0x76,
+0x73,
+0x4d,
+0x91,
+0x69,
+0xb0,
+0x71,
+0x17,
+0x36,
+0xea,
+0xab,
+0x0a,
+0x3a,
+0xcd,
+0x95,
+0x9b,
+0x76,
+0x1b,
+0x8e,
+0x21,
+0x17,
+0x8f,
+0xc5,
+0x02,
+0xbf,
+0x24,
+0xc7,
+0xc0,
+0x40,
+0xb1,
+0x3b,
+0xc4,
+0x80,
+0x7c,
+0x71,
+0xa5,
+0x51,
+0xdc,
+0xf7,
+0x3a,
+0x58,
+0x7f,
+0xb1,
+0x07,
+0x81,
+0x8a,
+0x10,
+0xd1,
+0xf6,
+0x93,
+0x17,
+0x71,
+0xe0,
+0xfa,
+0x51,
+0x79,
+0x15,
+0xd4,
+0xd7,
+0x8f,
+0xad,
+0xbd,
+0x6f,
+0x38,
+0xe1,
+0x26,
+0x7d,
+0xbc,
+0xf0,
+0x3e,
+0x80,
+0x89,
+0xb4,
+0xec,
+0x8e,
+0x69,
+0x90,
+0xdb,
+0x97,
+0x8a,
+0xf0,
+0x23,
+0x23,
+0x83,
+0x82,
+0x3b,
+0x6a,
+0xb1,
+0xac,
+0xeb,
+0xe7,
+0x99,
+0x74,
+0x2a,
+0x35,
+0x8e,
+0xa9,
+0x64,
+0xfd,
+0x46,
+0x9e,
+0xe8,
+0xe5,
+0x48,
+0x61,
+0x31,
+0x6e,
+0xe6,
+0xfc,
+0x19,
+0x18,
+0x54,
+0xc3,
+0x1b,
+0x4f,
+0xd6,
+0x00,
+0x44,
+0x87,
+0x1c,
+0x37,
+0x45,
+0xea,
+0xf5,
+0xc9,
+0xcb,
+0x0f,
+0x0c,
+0x55,
+0xec,
+0xcf,
+0x6a,
+0xc2,
+0x45,
+0x26,
+0x23,
+0xa2,
+0x31,
+0x52,
+0x4d,
+0xee,
+0x21,
+0x7d,
+0xfd,
+0x58,
+0x72,
+0xc2,
+0x28,
+0xc5,
+0x8e,
+0xa9,
+0xd0,
+0xee,
+0x01,
+0x77,
+0x08,
+0xa5,
+0xf0,
+0x22,
+0x2b,
+0x47,
+0x79,
+0x2b,
+0xcf,
+0x9a,
+0x46,
+0xb5,
+0x8f,
+0xfd,
+0x64,
+0xa2,
+0xb5,
+0xed,
+0x02,
+0x03,
+0x01,
+0x00,
+0x01,
+0xa3,
+0x53,
+0x30,
+0x51,
+0x30,
+0x1d,
+0x06,
+0x03,
+0x55,
+0x1d,
+0x0e,
+0x04,
+0x16,
+0x04,
+0x14,
+0xd3,
+0xfb,
+0x2d,
+0xdb,
+0xf0,
+0x8e,
+0xfa,
+0x67,
+0x6d,
+0x2f,
+0x21,
+0x99,
+0x4c,
+0xeb,
+0x41,
+0x59,
+0xe6,
+0x9d,
+0xd8,
+0xd5,
+0x30,
+0x1f,
+0x06,
+0x03,
+0x55,
+0x1d,
+0x23,
+0x04,
+0x18,
+0x30,
+0x16,
+0x80,
+0x14,
+0xd3,
+0xfb,
+0x2d,
+0xdb,
+0xf0,
+0x8e,
+0xfa,
+0x67,
+0x6d,
+0x2f,
+0x21,
+0x99,
+0x4c,
+0xeb,
+0x41,
+0x59,
+0xe6,
+0x9d,
+0xd8,
+0xd5,
+0x30,
+0x0f,
+0x06,
+0x03,
+0x55,
+0x1d,
+0x13,
+0x01,
+0x01,
+0xff,
+0x04,
+0x05,
+0x30,
+0x03,
+0x01,
+0x01,
+0xff,
+0x30,
+0x0d,
+0x06,
+0x09,
+0x2a,
+0x86,
+0x48,
+0x86,
+0xf7,
+0x0d,
+0x01,
+0x01,
+0x0b,
+0x05,
+0x00,
+0x03,
+0x82,
+0x01,
+0x01,
+0x00,
+0x71,
+0x71,
+0xe4,
+0xcd,
+0x40,
+0x84,
+0xf3,
+0x60,
+0x34,
+0x6a,
+0x78,
+0xdc,
+0xe7,
+0x81,
+0x20,
+0x8f,
+0x1e,
+0x7f,
+0x54,
+0x31,
+0x8e,
+0x4a,
+0xe5,
+0x69,
+0x91,
+0x1c,
+0x4c,
+0x77,
+0x00,
+0x47,
+0x09,
+0x98,
+0x91,
+0xf4,
+0x27,
+0x52,
+0x9a,
+0x2d,
+0x30,
+0x87,
+0x4c,
+0x51,
+0x51,
+0x1f,
+0xae,
+0xd8,
+0x8c,
+0xdb,
+0x3c,
+0x73,
+0x06,
+0x43,
+0xc6,
+0x1f,
+0x3a,
+0xba,
+0xaf,
+0x9e,
+0xd2,
+0xeb,
+0x3e,
+0x9f,
+0xd1,
+0xb2,
+0x8a,
+0xa2,
+0x16,
+0x08,
+0x26,
+0xa1,
+0x39,
+0x0c,
+0x63,
+0xe7,
+0x2d,
+0x78,
+0x9c,
+0xac,
+0x2c,
+0x4e,
+0x69,
+0xd5,
+0xa0,
+0xfd,
+0xbd,
+0xea,
+0x95,
+0xfe,
+0xe2,
+0x69,
+0x06,
+0xe1,
+0xb2,
+0x27,
+0x90,
+0x68,
+0xd8,
+0x3a,
+0xac,
+0xd6,
+0xa0,
+0x4e,
+0xe2,
+0x8a,
+0xfa,
+0xff,
+0x9c,
+0x98,
+0x6b,
+0x60,
+0x83,
+0xea,
+0xe7,
+0x46,
+0x24,
+0x09,
+0x21,
+0x12,
+0xa8,
+0xfe,
+0xaa,
+0x46,
+0x0d,
+0x24,
+0xa5,
+0xcf,
+0x52,
+0x37,
+0x48,
+0xb9,
+0xe2,
+0xb1,
+0xd6,
+0xb0,
+0xe4,
+0xbf,
+0x6f,
+0x59,
+0x7b,
+0x17,
+0x9e,
+0xdd,
+0x24,
+0x00,
+0xee,
+0xc6,
+0x89,
+0x76,
+0xe9,
+0x35,
+0x40,
+0x1f,
+0xeb,
+0x7d,
+0x23,
+0x8c,
+0xed,
+0x13,
+0x6c,
+0x66,
+0xbc,
+0xc4,
+0x88,
+0xb5,
+0x55,
+0x9a,
+0xec,
+0xbd,
+0x52,
+0x0d,
+0x0b,
+0xc5,
+0x40,
+0xe1,
+0xfe,
+0xb7,
+0x20,
+0xb1,
+0x22,
+0x16,
+0x32,
+0xed,
+0x28,
+0x3e,
+0x1f,
+0xbf,
+0xf2,
+0x00,
+0x12,
+0x75,
+0x92,
+0xd7,
+0x99,
+0x2e,
+0x25,
+0xfb,
+0xf2,
+0xe6,
+0xfd,
+0x2a,
+0x10,
+0xd1,
+0x75,
+0x89,
+0x31,
+0x52,
+0xe4,
+0xb2,
+0xc2,
+0xee,
+0xcd,
+0x41,
+0xa3,
+0x08,
+0x48,
+0x18,
+0x5e,
+0x66,
+0x42,
+0x67,
+0xcf,
+0x0b,
+0x2a,
+0x26,
+0x6b,
+0x65,
+0x87,
+0x4d,
+0xfa,
+0x04,
+0x51,
+0xec,
+0xed,
+0x03,
+0x8b,
+0x38,
+0x52,
+0x93,
+0x6d,
+0xc4,
+0x30,
+0x41,
+0x9a,
+0x6c,
+0x28,
+0x35,
+0xf0,
+0x87,
+0x15,
+0xce,
+0x78,
+0x4f,
+0x32,
+0xca,
+0x52,
+0xed,

73
debian/patches/debian/wireless-disable-regulatory.db-direct-loading.patch vendored
View File

@@ -1,73 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 05 Apr 2018 18:13:52 +0200
Subject: wireless: Disable regulatory.db direct loading
Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/892229
Don't complain about being unable to load regulatory.db directly.
This is expected until we generate a signing key and update
wireless-regdb to be signed with it.
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -476,6 +476,7 @@ static void reg_regdb_apply(struct work_
static DECLARE_WORK(reg_regdb_work, reg_regdb_apply);
+#if 0
static int reg_schedule_apply(const struct ieee80211_regdomain *regdom)
{
struct reg_regdb_apply_request *request;
@@ -495,6 +496,7 @@ static int reg_schedule_apply(const stru
schedule_work(&reg_regdb_work);
return 0;
}
+#endif
#ifdef CONFIG_CFG80211_CRDA_SUPPORT
/* Max number of consecutive attempts to communicate with CRDA */
@@ -574,6 +576,35 @@ static inline int call_crda(const char *
/* code to directly load a firmware database through request_firmware */
static const struct fwdb_header *regdb;
+#if 1
+
+static int load_builtin_regdb_keys(void)
+{
+ return 0;
+}
+
+static void free_regdb_keyring(void)
+{
+}
+
+static int query_regdb_file(const char *alpha2)
+{
+ return -ENOENT;
+}
+
+int reg_reload_regdb(void)
+{
+ return -ENOENT;
+}
+
+int reg_query_regdb_wmm(char *alpha2, int freq, struct ieee80211_reg_rule *rule)
+{
+ return -ENODATA;
+}
+EXPORT_SYMBOL(reg_query_regdb_wmm);
+
+#else /* disabled until we update wireless-regdb */
+
struct fwdb_country {
u8 alpha2[2];
__be16 coll_ptr;
@@ -1090,6 +1121,8 @@ int reg_reload_regdb(void)
return err;
}
+#endif
+
static bool reg_query_database(struct regulatory_request *request)
{
if (query_regdb_file(request->alpha2) == 0)

32
debian/patches/debian/yama-disable-by-default.patch vendored
View File

@@ -1,32 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: yama: Disable by default
Date: Wed, 19 Jun 2013 04:35:28 +0100
Bug-Debian: https://bugs.debian.org/712740
Forwarded: not-needed
---
security/yama/yama_lsm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index efac68556b45..95ff3e778a17 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -28,7 +28,7 @@
#define YAMA_SCOPE_CAPABILITY 2
#define YAMA_SCOPE_NO_ATTACH 3
-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
+static int ptrace_scope = YAMA_SCOPE_DISABLED;
/* describe a ptrace relationship for potential exception */
struct ptrace_relation {
@@ -481,7 +481,7 @@ static inline void yama_init_sysctl(void) { }
static int __init yama_init(void)
{
- pr_info("Yama: becoming mindful.\n");
+ pr_info("Yama: disabled by default; enable with sysctl kernel.yama.*\n");
security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama");
yama_init_sysctl();
return 0;

328
debian/patches/features/all/aufs5/aufs5-base.patch vendored
View File

@@ -1,328 +0,0 @@
From: J. R. Okajima <hooanon05@yahoo.co.jp>
Date: Sat Aug 3 23:41:50 2019 +0900
Subject: aufs5.x-rcN base patch
Origin: https://github.com/sfjro/aufs5-standalone/tree/3326ef6942b5e40f0ecc8248a6a77002d942ea7d
Bug-Debian: https://bugs.debian.org/541828
Patch headers added by debian/bin/genpatch-aufs
SPDX-License-Identifier: GPL-2.0
aufs5.x-rcN base patch
diff --git a/MAINTAINERS b/MAINTAINERS
index 6426db5198f0..332a330a8614 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2818,6 +2818,19 @@ F: include/linux/audit.h
F: include/uapi/linux/audit.h
F: kernel/audit*
+AUFS (advanced multi layered unification filesystem) FILESYSTEM
+M: "J. R. Okajima" <hooanon05g@gmail.com>
+L: aufs-users@lists.sourceforge.net (members only)
+L: linux-unionfs@vger.kernel.org
+W: http://aufs.sourceforge.net
+T: git://github.com/sfjro/aufs4-linux.git
+S: Supported
+F: Documentation/filesystems/aufs/
+F: Documentation/ABI/testing/debugfs-aufs
+F: Documentation/ABI/testing/sysfs-aufs
+F: fs/aufs/
+F: include/uapi/linux/aufs_type.h
+
AUXILIARY DISPLAY DRIVERS
M: Miguel Ojeda Sandonis <miguel.ojeda.sandonis@gmail.com>
S: Maintained
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 44c9985f352a..fc0584d8b8fd 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -738,6 +738,24 @@ static int loop_change_fd(struct loop_device *lo, struct block_device *bdev,
return error;
}
+/*
+ * for AUFS
+ * no get/put for file.
+ */
+struct file *loop_backing_file(struct super_block *sb)
+{
+ struct file *ret;
+ struct loop_device *l;
+
+ ret = NULL;
+ if (MAJOR(sb->s_dev) == LOOP_MAJOR) {
+ l = sb->s_bdev->bd_disk->private_data;
+ ret = l->lo_backing_file;
+ }
+ return ret;
+}
+EXPORT_SYMBOL_GPL(loop_backing_file);
+
/* loop sysfs attributes */
static ssize_t loop_attr_show(struct device *dev, char *page,
diff --git a/fs/dcache.c b/fs/dcache.c
index e88cf0554e65..7ce4ccf5a51c 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1264,7 +1264,7 @@ enum d_walk_ret {
*
* The @enter() callbacks are called with d_lock held.
*/
-static void d_walk(struct dentry *parent, void *data,
+void d_walk(struct dentry *parent, void *data,
enum d_walk_ret (*enter)(void *, struct dentry *))
{
struct dentry *this_parent;
diff --git a/fs/fcntl.c b/fs/fcntl.c
index 3d40771e8e7c..d62303c5472a 100644
--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -32,7 +32,7 @@
#define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
-static int setfl(int fd, struct file * filp, unsigned long arg)
+int setfl(int fd, struct file * filp, unsigned long arg)
{
struct inode * inode = file_inode(filp);
int error = 0;
@@ -63,6 +63,8 @@ static int setfl(int fd, struct file * filp, unsigned long arg)
if (filp->f_op->check_flags)
error = filp->f_op->check_flags(arg);
+ if (!error && filp->f_op->setfl)
+ error = filp->f_op->setfl(filp, arg);
if (error)
return error;
diff --git a/fs/inode.c b/fs/inode.c
index 0f1e3b563c47..43df8452f97d 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -1670,7 +1670,7 @@ EXPORT_SYMBOL(generic_update_time);
* This does the actual work of updating an inodes time or version. Must have
* had called mnt_want_write() before calling this.
*/
-static int update_time(struct inode *inode, struct timespec64 *time, int flags)
+int update_time(struct inode *inode, struct timespec64 *time, int flags)
{
int (*update_time)(struct inode *, struct timespec64 *, int);
diff --git a/fs/namespace.c b/fs/namespace.c
index d28d30b13043..34c8093ddb1d 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -776,6 +776,12 @@ static inline int check_mnt(struct mount *mnt)
return mnt->mnt_ns == current->nsproxy->mnt_ns;
}
+/* for aufs, CONFIG_AUFS_BR_FUSE */
+int is_current_mnt_ns(struct vfsmount *mnt)
+{
+ return check_mnt(real_mount(mnt));
+}
+
/*
* vfsmount lock must be held for write
*/
diff --git a/fs/read_write.c b/fs/read_write.c
index 1f5088dec566..f84e1d9c2434 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -498,6 +498,28 @@ static ssize_t __vfs_write(struct file *file, const char __user *p,
return -EINVAL;
}
+vfs_readf_t vfs_readf(struct file *file)
+{
+ const struct file_operations *fop = file->f_op;
+
+ if (fop->read)
+ return fop->read;
+ if (fop->read_iter)
+ return new_sync_read;
+ return ERR_PTR(-ENOSYS);
+}
+
+vfs_writef_t vfs_writef(struct file *file)
+{
+ const struct file_operations *fop = file->f_op;
+
+ if (fop->write)
+ return fop->write;
+ if (fop->write_iter)
+ return new_sync_write;
+ return ERR_PTR(-ENOSYS);
+}
+
ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos)
{
mm_segment_t old_fs;
diff --git a/fs/splice.c b/fs/splice.c
index 98412721f056..75b489fcb66f 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -834,8 +834,8 @@ EXPORT_SYMBOL(generic_splice_sendpage);
/*
* Attempt to initiate a splice from pipe to file.
*/
-static long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
- loff_t *ppos, size_t len, unsigned int flags)
+long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
+ loff_t *ppos, size_t len, unsigned int flags)
{
ssize_t (*splice_write)(struct pipe_inode_info *, struct file *,
loff_t *, size_t, unsigned int);
@@ -851,9 +851,9 @@ static long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
/*
* Attempt to initiate a splice from a file to a pipe.
*/
-static long do_splice_to(struct file *in, loff_t *ppos,
- struct pipe_inode_info *pipe, size_t len,
- unsigned int flags)
+long do_splice_to(struct file *in, loff_t *ppos,
+ struct pipe_inode_info *pipe, size_t len,
+ unsigned int flags)
{
ssize_t (*splice_read)(struct file *, loff_t *,
struct pipe_inode_info *, size_t, unsigned int);
diff --git a/fs/sync.c b/fs/sync.c
index 4d1ff010bc5a..457f4e4a5cc1 100644
--- a/fs/sync.c
+++ b/fs/sync.c
@@ -28,7 +28,7 @@
* wait == 1 case since in that case write_inode() functions do
* sync_dirty_buffer() and thus effectively write one block at a time.
*/
-static int __sync_filesystem(struct super_block *sb, int wait)
+int __sync_filesystem(struct super_block *sb, int wait)
{
if (wait)
sync_inodes_sb(sb);
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 56b8e358af5c..5e914b18a5a2 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1331,6 +1331,7 @@ extern void fasync_free(struct fasync_struct *);
/* can be called from interrupts */
extern void kill_fasync(struct fasync_struct **, int, int);
+extern int setfl(int fd, struct file * filp, unsigned long arg);
extern void __f_setown(struct file *filp, struct pid *, enum pid_type, int force);
extern int f_setown(struct file *filp, unsigned long arg, int force);
extern void f_delown(struct file *filp);
@@ -1810,6 +1811,7 @@ struct file_operations {
ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int);
unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
int (*check_flags)(int);
+ int (*setfl)(struct file *, unsigned long);
int (*flock) (struct file *, int, struct file_lock *);
ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int);
ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
@@ -1880,6 +1882,12 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector,
struct iovec *fast_pointer,
struct iovec **ret_pointer);
+typedef ssize_t (*vfs_readf_t)(struct file *, char __user *, size_t, loff_t *);
+typedef ssize_t (*vfs_writef_t)(struct file *, const char __user *, size_t,
+ loff_t *);
+vfs_readf_t vfs_readf(struct file *file);
+vfs_writef_t vfs_writef(struct file *file);
+
extern ssize_t __vfs_read(struct file *, char __user *, size_t, loff_t *);
extern ssize_t vfs_read(struct file *, char __user *, size_t, loff_t *);
extern ssize_t vfs_write(struct file *, const char __user *, size_t, loff_t *);
@@ -2298,6 +2306,7 @@ extern int current_umask(void);
extern void ihold(struct inode * inode);
extern void iput(struct inode *);
extern int generic_update_time(struct inode *, struct timespec64 *, int);
+extern int update_time(struct inode *, struct timespec64 *, int);
/* /sys/fs */
extern struct kobject *fs_kobj;
@@ -2586,6 +2595,7 @@ static inline bool sb_is_blkdev_sb(struct super_block *sb)
return false;
}
#endif
+extern int __sync_filesystem(struct super_block *, int);
extern int sync_filesystem(struct super_block *);
extern const struct file_operations def_blk_fops;
extern const struct file_operations def_chr_fops;
diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h
index 0b0d7259276d..12d18e180348 100644
--- a/include/linux/lockdep.h
+++ b/include/linux/lockdep.h
@@ -334,6 +334,8 @@ static inline int lockdep_match_key(struct lockdep_map *lock,
return lock->key == key;
}
+struct lock_class *lockdep_hlock_class(struct held_lock *hlock);
+
/*
* Acquire a lock.
*
@@ -476,6 +478,7 @@ struct lockdep_map { };
#define lockdep_depth(tsk) (0)
+#define lockdep_is_held(lock) (1)
#define lockdep_is_held_type(l, r) (1)
#define lockdep_assert_held(l) do { (void)(l); } while (0)
diff --git a/include/linux/mnt_namespace.h b/include/linux/mnt_namespace.h
index 35942084cd40..24f5fd1a789d 100644
--- a/include/linux/mnt_namespace.h
+++ b/include/linux/mnt_namespace.h
@@ -6,11 +6,14 @@
struct mnt_namespace;
struct fs_struct;
struct user_namespace;
+struct vfsmount;
extern struct mnt_namespace *copy_mnt_ns(unsigned long, struct mnt_namespace *,
struct user_namespace *, struct fs_struct *);
extern void put_mnt_ns(struct mnt_namespace *ns);
+extern int is_current_mnt_ns(struct vfsmount *mnt);
+
extern const struct file_operations proc_mounts_operations;
extern const struct file_operations proc_mountinfo_operations;
extern const struct file_operations proc_mountstats_operations;
diff --git a/include/linux/splice.h b/include/linux/splice.h
index 74b4911ac16d..19789fbea567 100644
--- a/include/linux/splice.h
+++ b/include/linux/splice.h
@@ -87,4 +87,10 @@ extern void splice_shrink_spd(struct splice_pipe_desc *);
extern const struct pipe_buf_operations page_cache_pipe_buf_ops;
extern const struct pipe_buf_operations default_pipe_buf_ops;
+
+extern long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
+ loff_t *ppos, size_t len, unsigned int flags);
+extern long do_splice_to(struct file *in, loff_t *ppos,
+ struct pipe_inode_info *pipe, size_t len,
+ unsigned int flags);
#endif
diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
index 4861cf8e274b..ec87ccf82025 100644
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -153,7 +153,7 @@ static
struct lock_class lock_classes[MAX_LOCKDEP_KEYS];
static DECLARE_BITMAP(lock_classes_in_use, MAX_LOCKDEP_KEYS);
-static inline struct lock_class *hlock_class(struct held_lock *hlock)
+inline struct lock_class *lockdep_hlock_class(struct held_lock *hlock)
{
unsigned int class_idx = hlock->class_idx;
@@ -174,6 +174,7 @@ static inline struct lock_class *hlock_class(struct held_lock *hlock)
*/
return lock_classes + class_idx;
}
+#define hlock_class(hlock) lockdep_hlock_class(hlock)
#ifdef CONFIG_LOCK_STAT
static DEFINE_PER_CPU(struct lock_class_stats[MAX_LOCKDEP_KEYS], cpu_lock_stats);

405
debian/patches/features/all/aufs5/aufs5-mmap.patch vendored
View File

@@ -1,405 +0,0 @@
From: J. R. Okajima <hooanon05@yahoo.co.jp>
Date: Sat Aug 3 23:41:50 2019 +0900
Subject: aufs5.x-rcN mmap patch
Origin: https://github.com/sfjro/aufs5-standalone/tree/3326ef6942b5e40f0ecc8248a6a77002d942ea7d
Bug-Debian: https://bugs.debian.org/541828
Patch headers added by debian/bin/genpatch-aufs
SPDX-License-Identifier: GPL-2.0
aufs5.x-rcN mmap patch
Index: debian-kernel/fs/proc/base.c
===================================================================
--- debian-kernel.orig/fs/proc/base.c
+++ debian-kernel/fs/proc/base.c
@@ -2037,7 +2037,7 @@ static int map_files_get_link(struct den
rc = -ENOENT;
vma = find_exact_vma(mm, vm_start, vm_end);
if (vma && vma->vm_file) {
- *path = vma->vm_file->f_path;
+ *path = vma_pr_or_file(vma)->f_path;
path_get(path);
rc = 0;
}
Index: debian-kernel/fs/proc/nommu.c
===================================================================
--- debian-kernel.orig/fs/proc/nommu.c
+++ debian-kernel/fs/proc/nommu.c
@@ -41,7 +41,10 @@ static int nommu_region_show(struct seq_
file = region->vm_file;
if (file) {
- struct inode *inode = file_inode(region->vm_file);
+ struct inode *inode;
+
+ file = vmr_pr_or_file(region);
+ inode = file_inode(file);
dev = inode->i_sb->s_dev;
ino = inode->i_ino;
}
Index: debian-kernel/fs/proc/task_mmu.c
===================================================================
--- debian-kernel.orig/fs/proc/task_mmu.c
+++ debian-kernel/fs/proc/task_mmu.c
@@ -309,7 +309,10 @@ show_map_vma(struct seq_file *m, struct
const char *name = NULL;
if (file) {
- struct inode *inode = file_inode(vma->vm_file);
+ struct inode *inode;
+
+ file = vma_pr_or_file(vma);
+ inode = file_inode(file);
dev = inode->i_sb->s_dev;
ino = inode->i_ino;
pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
@@ -1819,7 +1822,7 @@ static int show_numa_map(struct seq_file
struct proc_maps_private *proc_priv = &numa_priv->proc_maps;
struct vm_area_struct *vma = v;
struct numa_maps *md = &numa_priv->md;
- struct file *file = vma->vm_file;
+ struct file *file = vma_pr_or_file(vma);
struct mm_struct *mm = vma->vm_mm;
struct mempolicy *pol;
char buffer[64];
Index: debian-kernel/fs/proc/task_nommu.c
===================================================================
--- debian-kernel.orig/fs/proc/task_nommu.c
+++ debian-kernel/fs/proc/task_nommu.c
@@ -155,7 +155,10 @@ static int nommu_vma_show(struct seq_fil
file = vma->vm_file;
if (file) {
- struct inode *inode = file_inode(vma->vm_file);
+ struct inode *inode;
+
+ file = vma_pr_or_file(vma);
+ inode = file_inode(file);
dev = inode->i_sb->s_dev;
ino = inode->i_ino;
pgoff = (loff_t)vma->vm_pgoff << PAGE_SHIFT;
Index: debian-kernel/include/linux/mm.h
===================================================================
--- debian-kernel.orig/include/linux/mm.h
+++ debian-kernel/include/linux/mm.h
@@ -1515,6 +1515,28 @@ static inline void unmap_shared_mapping_
unmap_mapping_range(mapping, holebegin, holelen, 0);
}
+extern void vma_do_file_update_time(struct vm_area_struct *, const char[], int);
+extern struct file *vma_do_pr_or_file(struct vm_area_struct *, const char[],
+ int);
+extern void vma_do_get_file(struct vm_area_struct *, const char[], int);
+extern void vma_do_fput(struct vm_area_struct *, const char[], int);
+
+#define vma_file_update_time(vma) vma_do_file_update_time(vma, __func__, \
+ __LINE__)
+#define vma_pr_or_file(vma) vma_do_pr_or_file(vma, __func__, \
+ __LINE__)
+#define vma_get_file(vma) vma_do_get_file(vma, __func__, __LINE__)
+#define vma_fput(vma) vma_do_fput(vma, __func__, __LINE__)
+
+#ifndef CONFIG_MMU
+extern struct file *vmr_do_pr_or_file(struct vm_region *, const char[], int);
+extern void vmr_do_fput(struct vm_region *, const char[], int);
+
+#define vmr_pr_or_file(region) vmr_do_pr_or_file(region, __func__, \
+ __LINE__)
+#define vmr_fput(region) vmr_do_fput(region, __func__, __LINE__)
+#endif /* !CONFIG_MMU */
+
extern int access_process_vm(struct task_struct *tsk, unsigned long addr,
void *buf, int len, unsigned int gup_flags);
extern int access_remote_vm(struct mm_struct *mm, unsigned long addr,
Index: debian-kernel/include/linux/mm_types.h
===================================================================
--- debian-kernel.orig/include/linux/mm_types.h
+++ debian-kernel/include/linux/mm_types.h
@@ -262,6 +262,7 @@ struct vm_region {
unsigned long vm_top; /* region allocated to here */
unsigned long vm_pgoff; /* the offset in vm_file corresponding to vm_start */
struct file *vm_file; /* the backing file or NULL */
+ struct file *vm_prfile; /* the virtual backing file or NULL */
int vm_usage; /* region usage count (access under nommu_region_sem) */
bool vm_icache_flushed : 1; /* true if the icache has been flushed for
@@ -336,6 +337,7 @@ struct vm_area_struct {
unsigned long vm_pgoff; /* Offset (within vm_file) in PAGE_SIZE
units */
struct file * vm_file; /* File we map to (can be NULL). */
+ struct file *vm_prfile; /* shadow of vm_file */
void * vm_private_data; /* was vm_pte (shared mem) */
#ifdef CONFIG_SWAP
Index: debian-kernel/kernel/fork.c
===================================================================
--- debian-kernel.orig/kernel/fork.c
+++ debian-kernel/kernel/fork.c
@@ -562,7 +562,7 @@ static __latent_entropy int dup_mmap(str
struct inode *inode = file_inode(file);
struct address_space *mapping = file->f_mapping;
- get_file(file);
+ vma_get_file(tmp);
if (tmp->vm_flags & VM_DENYWRITE)
atomic_dec(&inode->i_writecount);
i_mmap_lock_write(mapping);
Index: debian-kernel/mm/Makefile
===================================================================
--- debian-kernel.orig/mm/Makefile
+++ debian-kernel/mm/Makefile
@@ -42,7 +42,7 @@ obj-y := filemap.o mempool.o oom_kill.
mm_init.o mmu_context.o percpu.o slab_common.o \
compaction.o vmacache.o \
interval_tree.o list_lru.o workingset.o \
- debug.o gup.o $(mmu-y)
+ prfile.o debug.o gup.o $(mmu-y)
# Give 'page_alloc' its own module-parameter namespace
page-alloc-y := page_alloc.o
Index: debian-kernel/mm/filemap.c
===================================================================
--- debian-kernel.orig/mm/filemap.c
+++ debian-kernel/mm/filemap.c
@@ -2695,7 +2695,7 @@ vm_fault_t filemap_page_mkwrite(struct v
vm_fault_t ret = VM_FAULT_LOCKED;
sb_start_pagefault(inode->i_sb);
- file_update_time(vmf->vma->vm_file);
+ vma_file_update_time(vmf->vma);
lock_page(page);
if (page->mapping != inode->i_mapping) {
unlock_page(page);
Index: debian-kernel/mm/mmap.c
===================================================================
--- debian-kernel.orig/mm/mmap.c
+++ debian-kernel/mm/mmap.c
@@ -182,7 +182,7 @@ static struct vm_area_struct *remove_vma
if (vma->vm_ops && vma->vm_ops->close)
vma->vm_ops->close(vma);
if (vma->vm_file)
- fput(vma->vm_file);
+ vma_fput(vma);
mpol_put(vma_policy(vma));
vm_area_free(vma);
return next;
@@ -940,7 +940,7 @@ again:
if (remove_next) {
if (file) {
uprobe_munmap(next, next->vm_start, next->vm_end);
- fput(file);
+ vma_fput(vma);
}
if (next->anon_vma)
anon_vma_merge(vma, next);
@@ -1865,8 +1865,8 @@ out:
return addr;
unmap_and_free_vma:
+ vma_fput(vma);
vma->vm_file = NULL;
- fput(file);
/* Undo any partial mapping done by a device driver. */
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
@@ -2695,7 +2695,7 @@ int __split_vma(struct mm_struct *mm, st
goto out_free_mpol;
if (new->vm_file)
- get_file(new->vm_file);
+ vma_get_file(new);
if (new->vm_ops && new->vm_ops->open)
new->vm_ops->open(new);
@@ -2714,7 +2714,7 @@ int __split_vma(struct mm_struct *mm, st
if (new->vm_ops && new->vm_ops->close)
new->vm_ops->close(new);
if (new->vm_file)
- fput(new->vm_file);
+ vma_fput(new);
unlink_anon_vmas(new);
out_free_mpol:
mpol_put(vma_policy(new));
@@ -2906,7 +2906,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
struct vm_area_struct *vma;
unsigned long populate = 0;
unsigned long ret = -EINVAL;
- struct file *file;
+ struct file *file, *prfile;
pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst.\n",
current->comm, current->pid);
@@ -2981,10 +2981,27 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
}
}
- file = get_file(vma->vm_file);
+ vma_get_file(vma);
+ file = vma->vm_file;
+ prfile = vma->vm_prfile;
ret = do_mmap_pgoff(vma->vm_file, start, size,
prot, flags, pgoff, &populate, NULL);
+ if (!IS_ERR_VALUE(ret) && file && prfile) {
+ struct vm_area_struct *new_vma;
+
+ new_vma = find_vma(mm, ret);
+ if (!new_vma->vm_prfile)
+ new_vma->vm_prfile = prfile;
+ if (new_vma != vma)
+ get_file(prfile);
+ }
+ /*
+ * two fput()s instead of vma_fput(vma),
+ * coz vma may not be available anymore.
+ */
fput(file);
+ if (prfile)
+ fput(prfile);
out:
up_write(&mm->mmap_sem);
if (populate)
@@ -3274,7 +3291,7 @@ struct vm_area_struct *copy_vma(struct v
if (anon_vma_clone(new_vma, vma))
goto out_free_mempol;
if (new_vma->vm_file)
- get_file(new_vma->vm_file);
+ vma_get_file(new_vma);
if (new_vma->vm_ops && new_vma->vm_ops->open)
new_vma->vm_ops->open(new_vma);
vma_link(mm, new_vma, prev, rb_link, rb_parent);
Index: debian-kernel/mm/nommu.c
===================================================================
--- debian-kernel.orig/mm/nommu.c
+++ debian-kernel/mm/nommu.c
@@ -552,7 +552,7 @@ static void __put_nommu_region(struct vm
up_write(&nommu_region_sem);
if (region->vm_file)
- fput(region->vm_file);
+ vmr_fput(region);
/* IO memory and memory shared directly out of the pagecache
* from ramfs/tmpfs mustn't be released here */
@@ -690,7 +690,7 @@ static void delete_vma(struct mm_struct
if (vma->vm_ops && vma->vm_ops->close)
vma->vm_ops->close(vma);
if (vma->vm_file)
- fput(vma->vm_file);
+ vma_fput(vma);
put_nommu_region(vma->vm_region);
vm_area_free(vma);
}
@@ -1213,7 +1213,7 @@ unsigned long do_mmap(struct file *file,
goto error_just_free;
}
}
- fput(region->vm_file);
+ vmr_fput(region);
kmem_cache_free(vm_region_jar, region);
region = pregion;
result = start;
@@ -1290,10 +1290,10 @@ error_just_free:
up_write(&nommu_region_sem);
error:
if (region->vm_file)
- fput(region->vm_file);
+ vmr_fput(region);
kmem_cache_free(vm_region_jar, region);
if (vma->vm_file)
- fput(vma->vm_file);
+ vma_fput(vma);
vm_area_free(vma);
return ret;
Index: debian-kernel/mm/prfile.c
===================================================================
--- /dev/null
+++ debian-kernel/mm/prfile.c
@@ -0,0 +1,86 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Mainly for aufs which mmap(2) different file and wants to print different
+ * path in /proc/PID/maps.
+ * Call these functions via macros defined in linux/mm.h.
+ *
+ * See Documentation/filesystems/aufs/design/06mmap.txt
+ *
+ * Copyright (c) 2014-2019 Junjro R. Okajima
+ * Copyright (c) 2014 Ian Campbell
+ */
+
+#include <linux/mm.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+
+/* #define PRFILE_TRACE */
+static inline void prfile_trace(struct file *f, struct file *pr,
+ const char func[], int line, const char func2[])
+{
+#ifdef PRFILE_TRACE
+ if (pr)
+ pr_info("%s:%d: %s, %pD2\n", func, line, func2, f);
+#endif
+}
+
+void vma_do_file_update_time(struct vm_area_struct *vma, const char func[],
+ int line)
+{
+ struct file *f = vma->vm_file, *pr = vma->vm_prfile;
+
+ prfile_trace(f, pr, func, line, __func__);
+ file_update_time(f);
+ if (f && pr)
+ file_update_time(pr);
+}
+
+struct file *vma_do_pr_or_file(struct vm_area_struct *vma, const char func[],
+ int line)
+{
+ struct file *f = vma->vm_file, *pr = vma->vm_prfile;
+
+ prfile_trace(f, pr, func, line, __func__);
+ return (f && pr) ? pr : f;
+}
+
+void vma_do_get_file(struct vm_area_struct *vma, const char func[], int line)
+{
+ struct file *f = vma->vm_file, *pr = vma->vm_prfile;
+
+ prfile_trace(f, pr, func, line, __func__);
+ get_file(f);
+ if (f && pr)
+ get_file(pr);
+}
+
+void vma_do_fput(struct vm_area_struct *vma, const char func[], int line)
+{
+ struct file *f = vma->vm_file, *pr = vma->vm_prfile;
+
+ prfile_trace(f, pr, func, line, __func__);
+ fput(f);
+ if (f && pr)
+ fput(pr);
+}
+
+#ifndef CONFIG_MMU
+struct file *vmr_do_pr_or_file(struct vm_region *region, const char func[],
+ int line)
+{
+ struct file *f = region->vm_file, *pr = region->vm_prfile;
+
+ prfile_trace(f, pr, func, line, __func__);
+ return (f && pr) ? pr : f;
+}
+
+void vmr_do_fput(struct vm_region *region, const char func[], int line)
+{
+ struct file *f = region->vm_file, *pr = region->vm_prfile;
+
+ prfile_trace(f, pr, func, line, __func__);
+ fput(f);
+ if (f && pr)
+ fput(pr);
+}
+#endif /* !CONFIG_MMU */

285
debian/patches/features/all/aufs5/aufs5-standalone.patch vendored
View File

@@ -1,285 +0,0 @@
From: J. R. Okajima <hooanon05@yahoo.co.jp>
Date: Sat Aug 3 23:41:50 2019 +0900
Subject: aufs5.x-rcN standalone patch
Origin: https://github.com/sfjro/aufs5-standalone/tree/3326ef6942b5e40f0ecc8248a6a77002d942ea7d
Bug-Debian: https://bugs.debian.org/541828
Patch headers added by debian/bin/genpatch-aufs
SPDX-License-Identifier: GPL-2.0
aufs5.x-rcN standalone patch
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1369,6 +1369,7 @@ rename_retry:
seq = 1;
goto again;
}
+EXPORT_SYMBOL_GPL(d_walk);
struct check_mount {
struct vfsmount *mnt;
@@ -2914,6 +2915,7 @@ void d_exchange(struct dentry *dentry1,
write_sequnlock(&rename_lock);
}
+EXPORT_SYMBOL_GPL(d_exchange);
/**
* d_ancestor - search for an ancestor
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -110,6 +110,7 @@ bool path_noexec(const struct path *path
return (path->mnt->mnt_flags & MNT_NOEXEC) ||
(path->mnt->mnt_sb->s_iflags & SB_I_NOEXEC);
}
+EXPORT_SYMBOL_GPL(path_noexec);
#ifdef CONFIG_USELIB
/*
--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -85,6 +85,7 @@ int setfl(int fd, struct file * filp, un
out:
return error;
}
+EXPORT_SYMBOL_GPL(setfl);
static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
int force)
--- a/fs/file_table.c
+++ b/fs/file_table.c
@@ -162,6 +162,7 @@ over:
}
return ERR_PTR(-ENFILE);
}
+EXPORT_SYMBOL_GPL(alloc_empty_file);
/*
* Variant of alloc_empty_file() that doesn't check and modify nr_files.
@@ -375,6 +376,7 @@ void __fput_sync(struct file *file)
}
EXPORT_SYMBOL(fput);
+EXPORT_SYMBOL_GPL(__fput_sync);
void __init files_init(void)
{
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -1682,6 +1682,7 @@ int update_time(struct inode *inode, str
return update_time(inode, time, flags);
}
+EXPORT_SYMBOL_GPL(update_time);
/**
* touch_atime - update the access time
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -431,6 +431,7 @@ void __mnt_drop_write(struct vfsmount *m
mnt_dec_writers(real_mount(mnt));
preempt_enable();
}
+EXPORT_SYMBOL_GPL(__mnt_drop_write);
/**
* mnt_drop_write - give up write access to a mount
@@ -781,6 +782,7 @@ int is_current_mnt_ns(struct vfsmount *m
{
return check_mnt(real_mount(mnt));
}
+EXPORT_SYMBOL_GPL(is_current_mnt_ns);
/*
* vfsmount lock must be held for write
@@ -1903,6 +1905,7 @@ int iterate_mounts(int (*f)(struct vfsmo
}
return 0;
}
+EXPORT_SYMBOL_GPL(iterate_mounts);
static void lock_mnt_tree(struct mount *mnt)
{
--- a/fs/notify/group.c
+++ b/fs/notify/group.c
@@ -99,6 +99,7 @@ void fsnotify_get_group(struct fsnotify_
{
refcount_inc(&group->refcnt);
}
+EXPORT_SYMBOL_GPL(fsnotify_get_group);
/*
* Drop a reference to a group. Free it if it's through.
--- a/fs/open.c
+++ b/fs/open.c
@@ -65,6 +65,7 @@ int do_truncate(struct dentry *dentry, l
inode_unlock(dentry->d_inode);
return ret;
}
+EXPORT_SYMBOL_GPL(do_truncate);
long vfs_truncate(const struct path *path, loff_t length)
{
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -468,6 +468,7 @@ ssize_t vfs_read(struct file *file, char
return ret;
}
+EXPORT_SYMBOL_GPL(vfs_read);
static ssize_t new_sync_write(struct file *filp, const char __user *buf, size_t len, loff_t *ppos)
{
@@ -508,6 +509,7 @@ vfs_readf_t vfs_readf(struct file *file)
return new_sync_read;
return ERR_PTR(-ENOSYS);
}
+EXPORT_SYMBOL_GPL(vfs_readf);
vfs_writef_t vfs_writef(struct file *file)
{
@@ -519,6 +521,7 @@ vfs_writef_t vfs_writef(struct file *fil
return new_sync_write;
return ERR_PTR(-ENOSYS);
}
+EXPORT_SYMBOL_GPL(vfs_writef);
ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos)
{
@@ -588,6 +591,7 @@ ssize_t vfs_write(struct file *file, con
return ret;
}
+EXPORT_SYMBOL_GPL(vfs_write);
/* file_ppos returns &file->f_pos or NULL if file is stream */
static inline loff_t *file_ppos(struct file *file)
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -847,6 +847,7 @@ long do_splice_from(struct pipe_inode_in
return splice_write(pipe, out, ppos, len, flags);
}
+EXPORT_SYMBOL_GPL(do_splice_from);
/*
* Attempt to initiate a splice from a file to a pipe.
@@ -876,6 +877,7 @@ long do_splice_to(struct file *in, loff_
return splice_read(in, ppos, pipe, len, flags);
}
+EXPORT_SYMBOL_GPL(do_splice_to);
/**
* splice_direct_to_actor - splices data directly between two non-pipes
--- a/fs/sync.c
+++ b/fs/sync.c
@@ -39,6 +39,7 @@ int __sync_filesystem(struct super_block
sb->s_op->sync_fs(sb, wait);
return __sync_blockdev(sb->s_bdev, wait);
}
+EXPORT_SYMBOL_GPL(__sync_filesystem);
/*
* Write out and wait upon all dirty data associated with this
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -296,6 +296,7 @@ vfs_getxattr_alloc(struct dentry *dentry
*xattr_value = value;
return error;
}
+EXPORT_SYMBOL_GPL(vfs_getxattr_alloc);
ssize_t
__vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name,
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -174,6 +174,7 @@ inline struct lock_class *lockdep_hlock_
*/
return lock_classes + class_idx;
}
+EXPORT_SYMBOL_GPL(lockdep_hlock_class);
#define hlock_class(hlock) lockdep_hlock_class(hlock)
#ifdef CONFIG_LOCK_STAT
--- a/kernel/task_work.c
+++ b/kernel/task_work.c
@@ -117,3 +117,4 @@ void task_work_run(void)
} while (work);
}
}
+EXPORT_SYMBOL_GPL(task_work_run);
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -824,3 +824,4 @@ int __devcgroup_check_permission(short t
return 0;
}
+EXPORT_SYMBOL_GPL(__devcgroup_check_permission);
--- a/security/security.c
+++ b/security/security.c
@@ -1040,6 +1040,7 @@ int security_path_rmdir(const struct pat
return 0;
return call_int_hook(path_rmdir, 0, dir, dentry);
}
+EXPORT_SYMBOL_GPL(security_path_rmdir);
int security_path_unlink(const struct path *dir, struct dentry *dentry)
{
@@ -1056,6 +1057,7 @@ int security_path_symlink(const struct p
return 0;
return call_int_hook(path_symlink, 0, dir, dentry, old_name);
}
+EXPORT_SYMBOL_GPL(security_path_symlink);
int security_path_link(struct dentry *old_dentry, const struct path *new_dir,
struct dentry *new_dentry)
@@ -1064,6 +1066,7 @@ int security_path_link(struct dentry *ol
return 0;
return call_int_hook(path_link, 0, old_dentry, new_dir, new_dentry);
}
+EXPORT_SYMBOL_GPL(security_path_link);
int security_path_rename(const struct path *old_dir, struct dentry *old_dentry,
const struct path *new_dir, struct dentry *new_dentry,
@@ -1091,6 +1094,7 @@ int security_path_truncate(const struct
return 0;
return call_int_hook(path_truncate, 0, path);
}
+EXPORT_SYMBOL_GPL(security_path_truncate);
int security_path_chmod(const struct path *path, umode_t mode)
{
@@ -1098,6 +1102,7 @@ int security_path_chmod(const struct pat
return 0;
return call_int_hook(path_chmod, 0, path, mode);
}
+EXPORT_SYMBOL_GPL(security_path_chmod);
int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
{
@@ -1105,6 +1110,7 @@ int security_path_chown(const struct pat
return 0;
return call_int_hook(path_chown, 0, path, uid, gid);
}
+EXPORT_SYMBOL_GPL(security_path_chown);
int security_path_chroot(const struct path *path)
{
@@ -1205,6 +1211,7 @@ int security_inode_permission(struct ino
return 0;
return call_int_hook(inode_permission, 0, inode, mask);
}
+EXPORT_SYMBOL_GPL(security_inode_permission);
int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
{
@@ -1382,6 +1389,7 @@ int security_file_permission(struct file
return fsnotify_perm(file, mask);
}
+EXPORT_SYMBOL_GPL(security_file_permission);
int security_file_alloc(struct file *file)
{

63
debian/patches/features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch vendored
View File

@@ -1,63 +0,0 @@
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Tue, 13 Mar 2018 18:37:59 +0800
Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
Origin: https://lore.kernel.org/patchwork/patch/933173/
The mok can not be trusted when the secure boot is disabled. Which
means that the kernel embedded certificate is the only trusted key.
Due to db/dbx are authenticated variables, they needs manufacturer's
KEK for update. So db/dbx are secure when secureboot disabled.
Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
[bwh: Forward-ported to 5.0: adjust filename]
---
security/integrity/platform_certs/load_uefi.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -173,17 +173,6 @@ static int __init load_uefi_certs(void)
}
}
- rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
- if (rc < 0) {
- pr_info("Couldn't get UEFI MokListRT\n");
- } else if (moksize != 0) {
- rc = parse_efi_signature_list("UEFI:MokListRT",
- mok, moksize, get_handler_for_db);
- if (rc)
- pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
- kfree(mok);
- }
-
rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx);
if (rc < 0) {
pr_info("Couldn't get UEFI dbx list\n");
@@ -196,6 +185,21 @@ static int __init load_uefi_certs(void)
kfree(dbx);
}
+ /* the MOK can not be trusted when secure boot is disabled */
+ if (!efi_enabled(EFI_SECURE_BOOT))
+ return 0;
+
+ rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
+ if (rc < 0) {
+ pr_info("Couldn't get UEFI MokListRT\n");
+ } else if (moksize != 0) {
+ rc = parse_efi_signature_list("UEFI:MokListRT",
+ mok, moksize, get_handler_for_db);
+ if (rc)
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+ kfree(mok);
+ }
+
return rc;
}
late_initcall(load_uefi_certs);

59
debian/patches/features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch vendored
View File

@@ -1,59 +0,0 @@
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Tue, 13 Mar 2018 18:38:01 +0800
Subject: [PATCH 2/4] MODSIGN: load blacklist from MOKx
Origin: https://lore.kernel.org/patchwork/patch/933177/
This patch adds the logic to load the blacklisted hash and
certificates from MOKx which is maintained by shim bootloader.
Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
[bwh: Forward-ported to 5.0: adjust filename]
---
security/integrity/platform_certs/load_uefi.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -149,8 +149,8 @@ static int __init load_uefi_certs(void)
{
efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
- void *db = NULL, *dbx = NULL, *mok = NULL;
- unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+ void *db = NULL, *dbx = NULL, *mok = NULL, *mokx = NULL;
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0, mokxsize = 0;
int rc = 0;
if (!efi.get_variable)
@@ -185,7 +185,7 @@ static int __init load_uefi_certs(void)
kfree(dbx);
}
- /* the MOK can not be trusted when secure boot is disabled */
+ /* the MOK and MOKx can not be trusted when secure boot is disabled */
if (!efi_enabled(EFI_SECURE_BOOT))
return 0;
@@ -200,6 +200,18 @@ static int __init load_uefi_certs(void)
kfree(mok);
}
+ rc = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &mokx);
+ if (rc < 0) {
+ pr_info("MODSIGN: Couldn't get UEFI MokListXRT\n");
+ } else if (mokxsize != 0) {
+ rc = parse_efi_signature_list("UEFI:mokx",
+ mokx, mokxsize,
+ get_handler_for_dbx);
+ if (rc)
+ pr_err("Couldn't parse MokListXRT signatures: %d\n", rc);
+ kfree(mokx);
+ }
+
return rc;
}
late_initcall(load_uefi_certs);

122
debian/patches/features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch vendored
View File

@@ -1,122 +0,0 @@
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Tue, 13 Mar 2018 18:38:02 +0800
Subject: [PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a
kernel module
Origin: https://lore.kernel.org/patchwork/patch/933175/
This patch adds the logic for checking the kernel module's hash
base on blacklist. The hash must be generated by sha256 and enrolled
to dbx/mokx.
For example:
sha256sum sample.ko
mokutil --mokx --import-hash $HASH_RESULT
Whether the signature on ko file is stripped or not, the hash can be
compared by kernel.
Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
---
kernel/module_signing.c | 59 +++++++++++++++++++++++++++++++++++++++--
1 file changed, 57 insertions(+), 2 deletions(-)
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 9d9fc678c91d..0f041a21f418 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -12,15 +12,62 @@
#include <linux/string.h>
#include <linux/verification.h>
#include <crypto/public_key.h>
+#include <crypto/hash.h>
+#include <keys/system_keyring.h>
#include "module-internal.h"
+static int mod_is_hash_blacklisted(const void *mod, size_t verifylen)
+{
+ struct crypto_shash *tfm;
+ struct shash_desc *desc;
+ size_t digest_size, desc_size;
+ u8 *digest;
+ int ret = 0;
+
+ tfm = crypto_alloc_shash("sha256", 0, 0);
+ if (IS_ERR(tfm))
+ goto error_return;
+
+ desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
+ digest_size = crypto_shash_digestsize(tfm);
+ digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
+ if (!digest) {
+ pr_err("digest memory buffer allocate fail\n");
+ ret = -ENOMEM;
+ goto error_digest;
+ }
+ desc = (void *)digest + digest_size;
+ desc->tfm = tfm;
+ ret = crypto_shash_init(desc);
+ if (ret < 0)
+ goto error_shash;
+
+ ret = crypto_shash_finup(desc, mod, verifylen, digest);
+ if (ret < 0)
+ goto error_shash;
+
+ pr_debug("%ld digest: %*phN\n", verifylen, (int) digest_size, digest);
+
+ ret = is_hash_blacklisted(digest, digest_size, "bin");
+ if (ret == -EKEYREJECTED)
+ pr_err("Module hash %*phN is blacklisted\n",
+ (int) digest_size, digest);
+
+error_shash:
+ kfree(digest);
+error_digest:
+ crypto_free_shash(tfm);
+error_return:
+ return ret;
+}
+
/*
* Verify the signature on a module.
*/
int mod_verify_sig(const void *mod, struct load_info *info)
{
struct module_signature ms;
- size_t sig_len, modlen = info->len;
+ size_t sig_len, modlen = info->len, wholelen;
int ret;
pr_devel("==>%s(,%zu)\n", __func__, modlen);
@@ -28,6 +75,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
if (modlen <= sizeof(ms))
return -EBADMSG;
+ wholelen = modlen + sizeof(MODULE_SIG_STRING) - 1;
memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
ret = mod_check_sig(&ms, modlen, info->name);
@@ -38,8 +86,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
modlen -= sig_len + sizeof(ms);
info->len = modlen;
- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
VERIFY_USE_SECONDARY_KEYRING,
VERIFYING_MODULE_SIGNATURE,
NULL, NULL);
+ pr_devel("verify_pkcs7_signature() = %d\n", ret);
+
+ /* checking hash of module is in blacklist */
+ if (!ret)
+ ret = mod_is_hash_blacklisted(mod, wholelen);
+
+ return ret;
}
--
2.23.0

107
debian/patches/features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch vendored
View File

@@ -1,107 +0,0 @@
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Tue, 13 Mar 2018 18:38:03 +0800
Subject: [PATCH 4/4] MODSIGN: check the attributes of db and mok
Origin: https://lore.kernel.org/patchwork/patch/933176/
That's better for checking the attributes of db and mok variables
before loading certificates to kernel keyring.
For db and dbx, both of them are authenticated variables. Which
means that they can only be modified by manufacturer's key. So
the kernel should checks EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
attribute before we trust it.
For mok-rt and mokx-rt, both of them are created by shim boot loader
to forward the mok/mokx content to runtime. They must be runtime-volatile
variables. So kernel should checks that the attributes map did not set
EFI_VARIABLE_NON_VOLATILE bit before we trust it.
Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
[bwh: Forward-ported to 5.0: adjust filename, context]
---
.../platform_certs/load_uefi.c | 35 +++++++++++++++++++++++------------
1 file changed, 23 insertions(+), 12 deletions(-)
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -39,12 +39,14 @@ static __init bool uefi_check_ignore_db(
* Get a certificate list blob from the named EFI variable.
*/
static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid,
- unsigned long *size, void **cert_list)
+ unsigned long *size, void **cert_list,
+ u32 pos_attr, u32 neg_attr)
{
efi_status_t status;
unsigned long lsize = 4;
unsigned long tmpdb[4];
void *db;
+ u32 attr = 0;
status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
if (status == EFI_NOT_FOUND) {
@@ -62,12 +64,19 @@ static __init int get_cert_list(efi_char
if (!db)
return -ENOMEM;
- status = efi.get_variable(name, guid, NULL, &lsize, db);
+ status = efi.get_variable(name, guid, &attr, &lsize, db);
if (status != EFI_SUCCESS) {
kfree(db);
pr_err("Error reading db var: 0x%lx\n", status);
return efi_status_to_err(status);
}
+ /* must have positive attributes and no negative attributes */
+ if ((pos_attr && !(attr & pos_attr)) ||
+ (neg_attr && (attr & neg_attr))) {
+ kfree(db);
+ pr_err("Error reading db var attributes: 0x%016x\n", attr);
+ return -1;
+ }
*size = lsize;
*cert_list = db;
@@ -160,7 +169,8 @@ static int __init load_uefi_certs(void)
* an error if we can't get them.
*/
if (!uefi_check_ignore_db()) {
- rc = get_cert_list(L"db", &secure_var, &dbsize, &db);
+ rc = get_cert_list(L"db", &secure_var, &dbsize, &db,
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, 0);
if (rc < 0) {
pr_err("MODSIGN: Couldn't get UEFI db list\n");
} else if (dbsize != 0) {
@@ -173,7 +183,8 @@ static int __init load_uefi_certs(void)
}
}
- rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx);
+ rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx,
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, 0);
if (rc < 0) {
pr_info("Couldn't get UEFI dbx list\n");
} else if (dbxsize != 0) {
@@ -189,7 +200,8 @@ static int __init load_uefi_certs(void)
if (!efi_enabled(EFI_SECURE_BOOT))
return 0;
- rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
+ rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok,
+ 0, EFI_VARIABLE_NON_VOLATILE);
if (rc < 0) {
pr_info("Couldn't get UEFI MokListRT\n");
} else if (moksize != 0) {
@@ -200,7 +212,8 @@ static int __init load_uefi_certs(void)
kfree(mok);
}
- rc = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &mokx);
+ rc = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &mokx,
+ 0, EFI_VARIABLE_NON_VOLATILE);
if (rc < 0) {
pr_info("MODSIGN: Couldn't get UEFI MokListXRT\n");
} else if (mokxsize != 0) {

103
debian/patches/features/all/db-mok-keyring/0006-Make-get_cert_list-not-complain-about-cert-lists-tha.patch vendored
View File

@@ -1,103 +0,0 @@
From: Peter Jones <pjones@redhat.com>
Date: Mon, 2 Oct 2017 18:25:29 -0400
Subject: [PATCH 6/7] Make get_cert_list() not complain about cert lists that
aren't present.
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=0f4d5c7b49b45e7cf038bb769e33451b78a6445d
Signed-off-by: Peter Jones <pjones@redhat.com>
[bwh: Forward-ported to 5.0: adjust filename, context]
---
.../platform_certs/load_uefi.c | 37 ++++++++++++++++++++++---------------
1 file changed, 22 insertions(+), 15 deletions(-)
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -38,8 +38,8 @@ static __init bool uefi_check_ignore_db(
/*
* Get a certificate list blob from the named EFI variable.
*/
-static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
- unsigned long *size)
+static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+ unsigned long *size, void **cert_list)
{
efi_status_t status;
unsigned long lsize = 4;
@@ -47,24 +47,31 @@ static __init void *get_cert_list(efi_ch
void *db;
status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
+ if (status == EFI_NOT_FOUND) {
+ *size = 0;
+ *cert_list = NULL;
+ return 0;
+ }
+
if (status != EFI_BUFFER_TOO_SMALL) {
pr_err("Couldn't get size: 0x%lx\n", status);
- return NULL;
+ return efi_status_to_err(status);
}
db = kmalloc(lsize, GFP_KERNEL);
if (!db)
- return NULL;
+ return -ENOMEM;
status = efi.get_variable(name, guid, NULL, &lsize, db);
if (status != EFI_SUCCESS) {
kfree(db);
pr_err("Error reading db var: 0x%lx\n", status);
- return NULL;
+ return efi_status_to_err(status);
}
*size = lsize;
- return db;
+ *cert_list = db;
+ return 0;
}
/*
@@ -153,10 +160,10 @@ static int __init load_uefi_certs(void)
* an error if we can't get them.
*/
if (!uefi_check_ignore_db()) {
- db = get_cert_list(L"db", &secure_var, &dbsize);
- if (!db) {
+ rc = get_cert_list(L"db", &secure_var, &dbsize, &db);
+ if (rc < 0) {
pr_err("MODSIGN: Couldn't get UEFI db list\n");
- } else {
+ } else if (dbsize != 0) {
rc = parse_efi_signature_list("UEFI:db",
db, dbsize, get_handler_for_db);
if (rc)
@@ -166,10 +173,10 @@ static int __init load_uefi_certs(void)
}
}
- mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
- if (!mok) {
+ rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
+ if (rc < 0) {
pr_info("Couldn't get UEFI MokListRT\n");
- } else {
+ } else if (moksize != 0) {
rc = parse_efi_signature_list("UEFI:MokListRT",
mok, moksize, get_handler_for_db);
if (rc)
@@ -177,10 +184,10 @@ static int __init load_uefi_certs(void)
kfree(mok);
}
- dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
- if (!dbx) {
+ rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx);
+ if (rc < 0) {
pr_info("Couldn't get UEFI dbx list\n");
- } else {
+ } else if (dbxsize != 0) {
rc = parse_efi_signature_list("UEFI:dbx",
dbx, dbxsize,
get_handler_for_dbx);

37
debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch vendored
View File

@@ -1,37 +0,0 @@
From: Robert Holmes <robeholmes@gmail.com>
Date: Tue, 23 Apr 2019 07:39:29 +0000
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
verify
Bug-Debian: https://bugs.debian.org/935945
Origin: https://src.fedoraproject.org/rpms/kernel/raw/master/f/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") which, while adding the
platform keyring for bzImage verification, neglected to also add
this keyring for module verification.
As such, kernel modules signed with keys from the MokList variable
were not successfully verified.
Signed-off-by: Robert Holmes <robeholmes@gmail.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
kernel/module_signing.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -135,6 +135,13 @@ int mod_verify_sig(const void *mod, stru
VERIFYING_MODULE_SIGNATURE,
NULL, NULL);
pr_devel("verify_pkcs7_signature() = %d\n", ret);
+ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ pr_devel("verify_pkcs7_signature() = %d\n", ret);
+ }
/* checking hash of module is in blacklist */
if (!ret)

28
debian/patches/features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch vendored
View File

@@ -1,28 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 05 May 2019 13:45:06 +0100
Subject: MODSIGN: Make shash allocation failure fatal
mod_is_hash_blacklisted() currently returns 0 (suceess) if
crypto_alloc_shash() fails. This should instead be a fatal error,
so unwrap and pass up the error code.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -51,11 +51,13 @@ static int mod_is_hash_blacklisted(const
struct shash_desc *desc;
size_t digest_size, desc_size;
u8 *digest;
- int ret = 0;
+ int ret;
tfm = crypto_alloc_shash("sha256", 0, 0);
- if (IS_ERR(tfm))
+ if (IS_ERR(tfm)) {
+ ret = PTR_ERR(tfm);
goto error_return;
+ }
desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
digest_size = crypto_shash_digestsize(tfm);

145
debian/patches/features/all/drivers-media-dvb-usb-af9005-request_firmware.patch vendored
View File

@@ -1,145 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 24 Aug 2009 23:19:58 +0100
Subject: af9005: Use request_firmware() to load register init script
Forwarded: no
Read the register init script from the Windows driver. This is sick
but should avoid the potential copyright infringement in distributing
a version of the script which is directly derived from the driver.
---
drivers/media/dvb/dvb-usb/Kconfig | 2 +-
drivers/media/dvb/dvb-usb/af9005-fe.c | 66 ++++++++++++++++++++++++++------
2 files changed, 54 insertions(+), 14 deletions(-)
--- a/drivers/media/usb/dvb-usb/Kconfig
+++ b/drivers/media/usb/dvb-usb/Kconfig
@@ -246,10 +246,10 @@ config DVB_USB_OPERA1
config DVB_USB_AF9005
tristate "Afatech AF9005 DVB-T USB1.1 support"
- depends on BROKEN
depends on DVB_USB
select MEDIA_TUNER_MT2060 if MEDIA_SUBDRV_AUTOSELECT
select MEDIA_TUNER_QT1010 if MEDIA_SUBDRV_AUTOSELECT
+ select FW_LOADER
help
Say Y here to support the Afatech AF9005 based DVB-T USB1.1 receiver
and the TerraTec Cinergy T USB XE (Rev.1)
--- a/drivers/media/usb/dvb-usb/af9005-fe.c
+++ b/drivers/media/usb/dvb-usb/af9005-fe.c
@@ -18,10 +18,26 @@
* see Documentation/media/dvb-drivers/dvb-usb.rst for more information
*/
#include "af9005.h"
-#include "af9005-script.h"
#include "mt2060.h"
#include "qt1010.h"
#include <asm/div64.h>
+#include <linux/firmware.h>
+
+/* Register initialisation script to be extracted from the Windows driver */
+
+typedef struct {
+ __le16 reg;
+ u8 pos;
+ u8 len;
+ u8 val;
+ u8 pad;
+} __packed RegDesc;
+
+#define WIN_DRV_NAME "AF05BDA.sys"
+#define WIN_DRV_VERSION "6.3.2.1"
+#define WIN_DRV_SIZE 133504
+#define WIN_DRV_SCRIPT_OFFSET 88316
+#define WIN_DRV_SCRIPT_SIZE 1110
struct af9005_fe_state {
struct dvb_usb_device *d;
@@ -813,6 +829,8 @@ static int af9005_fe_init(struct dvb_fro
{
struct af9005_fe_state *state = fe->demodulator_priv;
struct dvb_usb_adapter *adap = fe->dvb->priv;
+ const struct firmware *fw;
+ const RegDesc *script;
int ret, i, scriptlen;
u8 temp, temp0 = 0, temp1 = 0, temp2 = 0;
u8 buf[2];
@@ -965,37 +983,55 @@ static int af9005_fe_init(struct dvb_fro
if ((ret = af9005_write_ofdm_register(state->d, 0xaefb, 0x01)))
return ret;
- /* load init script */
- deb_info("load init script\n");
- scriptlen = sizeof(script) / sizeof(RegDesc);
+ /* load and validate init script */
+ deb_info("load init script from Windows driver\n");
+ ret = request_firmware(&fw, WIN_DRV_NAME, &state->d->udev->dev);
+ if (ret)
+ return ret;
+ BUILD_BUG_ON(sizeof(RegDesc) != 6);
+ if (fw->size != WIN_DRV_SIZE ||
+ memcmp(fw->data + WIN_DRV_SCRIPT_OFFSET,
+ "\x80\xa1\x00\x08\x0a\x00", 6) ||
+ memcmp(fw->data + WIN_DRV_SCRIPT_OFFSET + WIN_DRV_SCRIPT_SIZE - 6,
+ "\x49\xa3\x00\x06\x02\x00", 6)) {
+ err("%s is invalid - should be version %s, size %u bytes\n",
+ WIN_DRV_NAME, WIN_DRV_VERSION, WIN_DRV_SIZE);
+ ret = -EINVAL;
+ goto fail_release;
+ }
+
+ script = (const RegDesc *)(fw->data + WIN_DRV_SCRIPT_OFFSET);
+ scriptlen = WIN_DRV_SCRIPT_SIZE / sizeof(RegDesc);
for (i = 0; i < scriptlen; i++) {
+ u16 reg = le16_to_cpu(script[i].reg);
if ((ret =
- af9005_write_register_bits(state->d, script[i].reg,
+ af9005_write_register_bits(state->d, reg,
script[i].pos,
script[i].len, script[i].val)))
- return ret;
+ goto fail_release;
/* save 3 bytes of original fcw */
- if (script[i].reg == 0xae18)
+ if (reg == 0xae18)
temp2 = script[i].val;
- if (script[i].reg == 0xae19)
+ if (reg == 0xae19)
temp1 = script[i].val;
- if (script[i].reg == 0xae1a)
+ if (reg == 0xae1a)
temp0 = script[i].val;
/* save original unplug threshold */
- if (script[i].reg == xd_p_reg_unplug_th)
+ if (reg == xd_p_reg_unplug_th)
state->original_if_unplug_th = script[i].val;
- if (script[i].reg == xd_p_reg_unplug_rf_gain_th)
+ if (reg == xd_p_reg_unplug_rf_gain_th)
state->original_rf_unplug_th = script[i].val;
- if (script[i].reg == xd_p_reg_unplug_dtop_if_gain_th)
+ if (reg == xd_p_reg_unplug_dtop_if_gain_th)
state->original_dtop_if_unplug_th = script[i].val;
- if (script[i].reg == xd_p_reg_unplug_dtop_rf_gain_th)
+ if (reg == xd_p_reg_unplug_dtop_rf_gain_th)
state->original_dtop_rf_unplug_th = script[i].val;
}
state->original_fcw =
((u32) temp2 << 16) + ((u32) temp1 << 8) + (u32) temp0;
+ release_firmware(fw);
/* save original TOPs */
deb_info("save original TOPs\n");
@@ -1075,6 +1111,10 @@ static int af9005_fe_init(struct dvb_fro
deb_info("profit!\n");
return 0;
+
+fail_release:
+ release_firmware(fw);
+ return ret;
}
static int af9005_fe_sleep(struct dvb_frontend *fe)

270
debian/patches/features/all/lockdown/add-a-sysrq-option-to-lift-kernel-lockdown.patch vendored
View File

@@ -1,270 +0,0 @@
From: Kyle McMartin <kyle@redhat.com>
Date: Mon, 18 Feb 2019 12:44:57 +0000
Subject: [02/30] Add a SysRq option to lift kernel lockdown
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a420ebff9e6d0153119096706918e3925ea860fc
Make an option to provide a sysrq key that will lift the kernel lockdown,
thereby allowing the running kernel image to be accessed and modified.
On x86 this is triggered with SysRq+x, but this key may not be available on
all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
Since this macro must be defined in an arch to be able to use this facility
for that arch, the Kconfig option is restricted to arches that support it.
Signed-off-by: Kyle McMartin <kyle@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: x86@kernel.org
[bwh: Forward-ported to upstream lockdown:
- Change config dependency to SECURITY_LOCKDOWN_LSM
- Compare kernel_locked_down with LOCKDOWN_NONE instead of treating it
as a bool
- Adjust filenames, context]
---
arch/x86/include/asm/setup.h | 2 +
drivers/input/misc/uinput.c | 1
drivers/tty/sysrq.c | 19 +++++++++++-----
include/linux/input.h | 5 ++++
include/linux/sysrq.h | 8 ++++++-
kernel/debug/kdb/kdb_main.c | 2 -
security/lockdown/Kconfig | 9 +++++++
security/lockdown/lockdown.c | 49 ++++++++++++++++++++++++++++++++++++++++++-
8 files changed, 86 insertions(+), 9 deletions(-)
--- a/arch/x86/include/asm/setup.h
+++ b/arch/x86/include/asm/setup.h
@@ -9,6 +9,8 @@
#include <linux/linkage.h>
#include <asm/page_types.h>
+#define LOCKDOWN_LIFT_KEY 'x'
+
#ifdef __i386__
#include <linux/pfn.h>
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -353,6 +353,7 @@ static int uinput_create_device(struct u
dev->flush = uinput_dev_flush;
}
+ dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
dev->event = uinput_dev_event;
input_set_drvdata(udev->dev, udev);
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -480,6 +480,7 @@ static struct sysrq_key_op *sysrq_key_ta
/* x: May be registered on mips for TLB dump */
/* x: May be registered on ppc/powerpc for xmon */
/* x: May be registered on sparc64 for global PMU dump */
+ /* x: May be registered on x86_64 for disabling secure boot */
NULL, /* x */
/* y: May be registered on sparc64 for global register dump */
NULL, /* y */
@@ -523,7 +524,7 @@ static void __sysrq_put_key_op(int key,
sysrq_key_table[i] = op_p;
}
-void __handle_sysrq(int key, bool check_mask)
+void __handle_sysrq(int key, unsigned int from)
{
struct sysrq_key_op *op_p;
int orig_log_level;
@@ -546,11 +547,15 @@ void __handle_sysrq(int key, bool check_
op_p = __sysrq_get_key_op(key);
if (op_p) {
+ /* Ban synthetic events from some sysrq functionality */
+ if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
+ op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
+ printk("This sysrq operation is disabled from userspace.\n");
/*
* Should we check for enabled operations (/proc/sysrq-trigger
* should not) and is the invoked operation enabled?
*/
- if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
+ if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
pr_info("%s\n", op_p->action_msg);
console_loglevel = orig_log_level;
op_p->handler(key);
@@ -585,7 +590,7 @@ void __handle_sysrq(int key, bool check_
void handle_sysrq(int key)
{
if (sysrq_on())
- __handle_sysrq(key, true);
+ __handle_sysrq(key, SYSRQ_FROM_KERNEL);
}
EXPORT_SYMBOL(handle_sysrq);
@@ -665,7 +670,7 @@ static void sysrq_do_reset(struct timer_
static void sysrq_handle_reset_request(struct sysrq_state *state)
{
if (state->reset_requested)
- __handle_sysrq(sysrq_xlate[KEY_B], false);
+ __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
if (sysrq_reset_downtime_ms)
mod_timer(&state->keyreset_timer,
@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct
default:
if (sysrq->active && value && value != 2) {
+ int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
+ SYSRQ_FROM_SYNTHETIC : 0;
sysrq->need_reinject = false;
- __handle_sysrq(sysrq_xlate[code], true);
+ __handle_sysrq(sysrq_xlate[code], from);
}
break;
}
@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struc
if (get_user(c, buf))
return -EFAULT;
- __handle_sysrq(c, false);
+ __handle_sysrq(c, SYSRQ_FROM_PROC);
}
return count;
--- a/include/linux/input.h
+++ b/include/linux/input.h
@@ -48,6 +48,7 @@ enum input_clock_type {
* @phys: physical path to the device in the system hierarchy
* @uniq: unique identification code for the device (if device has it)
* @id: id of the device (struct input_id)
+ * @flags: input device flags (SYNTHETIC, etc.)
* @propbit: bitmap of device properties and quirks
* @evbit: bitmap of types of events supported by the device (EV_KEY,
* EV_REL, etc.)
@@ -134,6 +135,8 @@ struct input_dev {
const char *uniq;
struct input_id id;
+ unsigned int flags;
+
unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
@@ -204,6 +207,8 @@ struct input_dev {
};
#define to_input_dev(d) container_of(d, struct input_dev, dev)
+#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001
+
/*
* Verify that we are in sync with input_device_id mod_devicetable.h #defines
*/
--- a/include/linux/sysrq.h
+++ b/include/linux/sysrq.h
@@ -29,6 +29,8 @@
#define SYSRQ_ENABLE_BOOT 0x0080
#define SYSRQ_ENABLE_RTNICE 0x0100
+#define SYSRQ_DISABLE_USERSPACE 0x00010000
+
struct sysrq_key_op {
void (*handler)(int);
char *help_msg;
@@ -43,8 +45,12 @@ struct sysrq_key_op {
* are available -- else NULL's).
*/
+#define SYSRQ_FROM_KERNEL 0x0001
+#define SYSRQ_FROM_PROC 0x0002
+#define SYSRQ_FROM_SYNTHETIC 0x0004
+
void handle_sysrq(int key);
-void __handle_sysrq(int key, bool check_mask);
+void __handle_sysrq(int key, unsigned int from);
int register_sysrq_key(int key, struct sysrq_key_op *op);
int unregister_sysrq_key(int key, struct sysrq_key_op *op);
struct sysrq_key_op *__sysrq_get_key_op(int key);
--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -1981,7 +1981,7 @@ static int kdb_sr(int argc, const char *
return KDB_ARGCOUNT;
kdb_trap_printk++;
- __handle_sysrq(*argv[1], check_mask);
+ __handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
kdb_trap_printk--;
return 0;
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -60,3 +60,12 @@ config LOCK_DOWN_IN_EFI_SECURE_BOOT
Enabling this option results in kernel lockdown being
triggered in confidentiality mode if EFI Secure Boot is set.
+
+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
+ bool "Allow the kernel lockdown to be lifted by SysRq"
+ depends on SECURITY_LOCKDOWN_LSM
+ depends on MAGIC_SYSRQ
+ depends on X86
+ help
+ Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
+ combination on a wired keyboard.
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -13,8 +13,14 @@
#include <linux/security.h>
#include <linux/export.h>
#include <linux/lsm_hooks.h>
+#include <linux/sysrq.h>
+#include <asm/setup.h>
-static enum lockdown_reason kernel_locked_down;
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
+static __read_mostly enum lockdown_reason kernel_locked_down;
+#else
+static __ro_after_init enum lockdown_reason kernel_locked_down;
+#endif
static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_NONE] = "none",
@@ -189,3 +195,44 @@ DEFINE_LSM(lockdown) = {
.name = "lockdown",
.init = lockdown_lsm_init,
};
+
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
+
+/*
+ * Take the kernel out of lockdown mode.
+ */
+static void lift_kernel_lockdown(void)
+{
+ pr_notice("Lifting lockdown\n");
+ kernel_locked_down = LOCKDOWN_NONE;
+}
+
+/*
+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
+ * echoing the appropriate letter into the sysrq-trigger file).
+ */
+static void sysrq_handle_lockdown_lift(int key)
+{
+ if (kernel_locked_down != LOCKDOWN_NONE)
+ lift_kernel_lockdown();
+}
+
+static struct sysrq_key_op lockdown_lift_sysrq_op = {
+ .handler = sysrq_handle_lockdown_lift,
+ .help_msg = "unSB(x)",
+ .action_msg = "Disabling Secure Boot restrictions",
+ .enable_mask = SYSRQ_DISABLE_USERSPACE,
+};
+
+static int __init lockdown_lift_sysrq(void)
+{
+ if (kernel_locked_down != LOCKDOWN_NONE) {
+ lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
+ register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
+ }
+ return 0;
+}
+
+late_initcall(lockdown_lift_sysrq);
+
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */

86
debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch vendored
View File

@@ -1,86 +0,0 @@
From: Linn Crosetto <linn@hpe.com>
Date: Tue, 30 Aug 2016 11:54:38 -0600
Subject: arm64: add kernel config option to lock down when in Secure Boot mode
Bug-Debian: https://bugs.debian.org/831827
Forwarded: no
Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.
Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.
Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.15 and lockdown patch set:
- Pass result of efi_get_secureboot() in stub through to
efi_set_secure_boot() in main kernel
- Use lockdown API and naming]
[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
[bwh: Drop call to init_lockdown(), as efi_set_secure_boot() now calls this]
---
drivers/firmware/efi/arm-init.c | 4 ++++
drivers/firmware/efi/efi.c | 3 ++-
drivers/firmware/efi/libstub/fdt.c | 6 ++++++
include/linux/efi.h | 1 +
4 files changed, 13 insertions(+), 1 deletion(-)
--- a/drivers/firmware/efi/arm-init.c
+++ b/drivers/firmware/efi/arm-init.c
@@ -17,6 +17,7 @@
#include <linux/of_fdt.h>
#include <linux/platform_device.h>
#include <linux/screen_info.h>
+#include <linux/security.h>
#include <asm/efi.h>
@@ -253,6 +254,8 @@ void __init efi_init(void)
return;
}
+ efi_set_secure_boot(params.secure_boot);
+
reserve_regions();
efi_esrt_init();
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -688,7 +688,8 @@ static __initdata struct params fdt_para
UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
- UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
+ UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
+ UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
};
static __initdata struct params xen_fdt_params[] = {
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -151,6 +151,12 @@ static efi_status_t update_fdt(efi_syste
}
}
+ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
+ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+ &fdt_val32, sizeof(fdt_val32));
+ if (status)
+ goto fdt_set_fail;
+
/* Shrink the FDT back to its minimum size: */
fdt_pack(fdt);
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -808,6 +808,7 @@ struct efi_fdt_params {
u32 mmap_size;
u32 desc_size;
u32 desc_ver;
+ u32 secure_boot;
};
typedef struct {

145
debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch vendored
View File

@@ -1,145 +0,0 @@
From: David Howells <dhowells@redhat.com>
Date: Mon, 18 Feb 2019 12:45:03 +0000
Subject: [28/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a5d70c55c603233c192b375f72116a395909da28
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.
Move the switch-statement in x86's setup_arch() that inteprets the
secure_boot boot parameter to generic code and set the bit there.
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
---
arch/x86/kernel/setup.c | 14 +----------
drivers/firmware/efi/Makefile | 1 +
drivers/firmware/efi/secureboot.c | 39 +++++++++++++++++++++++++++++++
include/linux/efi.h | 16 ++++++++-----
4 files changed, 51 insertions(+), 19 deletions(-)
create mode 100644 drivers/firmware/efi/secureboot.c
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1179,19 +1179,7 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
- if (efi_enabled(EFI_BOOT)) {
- switch (boot_params.secure_boot) {
- case efi_secureboot_mode_disabled:
- pr_info("Secure boot disabled\n");
- break;
- case efi_secureboot_mode_enabled:
- pr_info("Secure boot enabled\n");
- break;
- default:
- pr_info("Secure boot could not be determined\n");
- break;
- }
- }
+ efi_set_secure_boot(boot_params.secure_boot);
reserve_initrd();
--- a/drivers/firmware/efi/Makefile
+++ b/drivers/firmware/efi/Makefile
@@ -24,6 +24,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_m
obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o
obj-$(CONFIG_EFI_TEST) += test/
obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o
+obj-$(CONFIG_EFI) += secureboot.o
obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o
obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o
--- /dev/null
+++ b/drivers/firmware/efi/secureboot.c
@@ -0,0 +1,39 @@
+
+/* Core kernel secure boot support.
+ *
+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/efi.h>
+#include <linux/kernel.h>
+#include <linux/printk.h>
+
+/*
+ * Decide what to do when UEFI secure boot mode is enabled.
+ */
+void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
+{
+ if (efi_enabled(EFI_BOOT)) {
+ switch (mode) {
+ case efi_secureboot_mode_disabled:
+ pr_info("Secure boot disabled\n");
+ break;
+ case efi_secureboot_mode_enabled:
+ set_bit(EFI_SECURE_BOOT, &efi.flags);
+ pr_info("Secure boot enabled\n");
+ break;
+ default:
+ pr_warning("Secure boot could not be determined (mode %u)\n",
+ mode);
+ break;
+ }
+ }
+}
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1202,6 +1202,14 @@ extern int __init efi_setup_pcdp_console
#define EFI_DBG 8 /* Print additional debug info at runtime */
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
#define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
+#define EFI_SECURE_BOOT 11 /* Are we in Secure Boot mode? */
+
+enum efi_secureboot_mode {
+ efi_secureboot_mode_unset,
+ efi_secureboot_mode_unknown,
+ efi_secureboot_mode_disabled,
+ efi_secureboot_mode_enabled,
+};
#ifdef CONFIG_EFI
/*
@@ -1212,6 +1220,7 @@ static inline bool efi_enabled(int featu
return test_bit(feature, &efi.flags) != 0;
}
extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
#else
static inline bool efi_enabled(int feature)
{
@@ -1225,6 +1234,7 @@ efi_capsule_pending(int *reset_type)
{
return false;
}
+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
#endif
extern int efi_status_to_err(efi_status_t status);
@@ -1616,12 +1626,6 @@ static inline bool efi_runtime_disabled(
extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
extern unsigned long efi_call_virt_save_flags(void);
-enum efi_secureboot_mode {
- efi_secureboot_mode_unset,
- efi_secureboot_mode_unknown,
- efi_secureboot_mode_disabled,
- efi_secureboot_mode_enabled,
-};
enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table);
#ifdef CONFIG_RESET_ATTACK_MITIGATION

115
debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch vendored
View File

@@ -1,115 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 10 Sep 2019 11:54:28 +0100
Subject: efi: Lock down the kernel if booted in secure boot mode
Based on an earlier patch by David Howells, who wrote the following
description:
> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels. Certain use cases may also
> require that all kernel modules also be signed. Add a configuration option
> that to lock down the kernel - which includes requiring validly signed
> modules - if the kernel is secure-booted.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/setup.c | 4 ++--
drivers/firmware/efi/secureboot.c | 3 +++
include/linux/security.h | 6 ++++++
security/lockdown/Kconfig | 15 +++++++++++++++
security/lockdown/lockdown.c | 2 +-
5 files changed, 27 insertions(+), 3 deletions(-)
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1027,6 +1027,8 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
+ efi_set_secure_boot(boot_params.secure_boot);
+
dmi_setup();
/*
@@ -1179,8 +1181,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
- efi_set_secure_boot(boot_params.secure_boot);
-
reserve_initrd();
acpi_table_upgrade();
--- a/drivers/firmware/efi/secureboot.c
+++ b/drivers/firmware/efi/secureboot.c
@@ -15,6 +15,7 @@
#include <linux/efi.h>
#include <linux/kernel.h>
#include <linux/printk.h>
+#include <linux/security.h>
/*
* Decide what to do when UEFI secure boot mode is enabled.
@@ -28,6 +29,8 @@ void __init efi_set_secure_boot(enum efi
break;
case efi_secureboot_mode_enabled:
set_bit(EFI_SECURE_BOOT, &efi.flags);
+ lock_kernel_down("EFI Secure Boot",
+ LOCKDOWN_CONFIDENTIALITY_MAX);
pr_info("Secure boot enabled\n");
break;
default:
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -442,6 +442,7 @@ int security_inode_notifysecctx(struct i
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
+int lock_kernel_down(const char *where, enum lockdown_reason level);
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1263,6 +1264,11 @@ static inline int security_locked_down(e
{
return 0;
}
+static inline int
+lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+ return -EOPNOTSUPP;
+}
#endif /* CONFIG_SECURITY */
#ifdef CONFIG_SECURITY_NETWORK
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI
disabled.
endchoice
+
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode"
+ default n
+ depends on SECURITY_LOCKDOWN_LSM
+ depends on EFI
+ select SECURITY_LOCKDOWN_LSM_EARLY
+ help
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
+ will only load signed bootloaders and kernels. Secure boot mode may
+ be determined from EFI variables provided by the system firmware if
+ not indicated by the boot parameters.
+
+ Enabling this option results in kernel lockdown being
+ triggered in confidentiality mode if EFI Secure Boot is set.
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -47,7 +47,7 @@ static enum lockdown_reason lockdown_lev
/*
* Put the kernel into lock-down mode.
*/
-static int lock_kernel_down(const char *where, enum lockdown_reason level)
+int lock_kernel_down(const char *where, enum lockdown_reason level)
{
if (kernel_locked_down >= level)
return -EPERM;

50
debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch vendored
View File

@@ -1,50 +0,0 @@
From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 12 Jan 2016 12:51:27 -0800
Subject: [18/18] Enable cold boot attack mitigation
Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34
[Lukas Wunner: Forward-ported to 4.11: adjust context]
---
arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 8b4c5e001157..0813490ca6e0 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -371,6 +371,22 @@ void setup_graphics(struct boot_params *boot_params)
}
}
+#define MEMORY_ONLY_RESET_CONTROL_GUID \
+ EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29)
+
+static void enable_reset_attack_mitigation(void)
+{
+ u8 val = 1;
+ efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID;
+
+ /* Ignore the return value here - there's not really a lot we can do */
+ efi_early->call((unsigned long)sys_table->runtime->set_variable,
+ L"MemoryOverwriteRequestControl", &var_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val);
+}
+
/*
* Because the x86 boot code expects to be passed a boot_params we
* need to create one ourselves (usually the bootloader would create
@@ -765,6 +781,12 @@ efi_main(struct efi_config *c, struct boot_params *boot_params)
((u64)boot_params->ext_cmd_line_ptr << 32));
efi_parse_options((char *)cmdline_paddr);
+ /*
+ * Ask the firmware to clear memory if we don't have a clean
+ * shutdown
+ */
+ enable_reset_attack_mitigation();
+
/*
* If the boot loader gave us a value for secure_boot then we use that,
* otherwise we ask the BIOS.

32
debian/patches/features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch vendored
View File

@@ -1,32 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 21 Apr 2019 00:17:13 +0100
Subject: lockdown: Refer to Debian wiki until manual page exists
Forwarded: not-needed
The lockdown denial log message currently refers to a
"kernel_lockdown.7" manual page, which is supposed to document it.
That manual page hasn't been accepted by the man-pages project and
doesn't even seem to have been submitted yet. For now, refer to the
Debian wiki.
---
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -53,7 +53,7 @@ int lock_kernel_down(const char *where,
return -EPERM;
kernel_locked_down = level;
- pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
+ pr_notice("Kernel is locked down from %s; see https://wiki.debian.org/SecureBoot\n",
where);
return 0;
}
@@ -87,7 +87,7 @@ static int lockdown_is_locked_down(enum
if (kernel_locked_down >= what) {
if (lockdown_reasons[what])
- pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
+ pr_notice("Lockdown: %s: %s is restricted; see https://wiki.debian.org/SecureBoot\n",
current->comm, lockdown_reasons[what]);
return -EPERM;
}

75
debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch vendored
View File

@@ -1,75 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 30 Aug 2019 15:54:24 +0100
Subject: mtd: phram,slram: Disable when the kernel is locked down
Forwarded: https://lore.kernel.org/linux-security-module/20190830154720.eekfjt6c4jzvlbfz@decadent.org.uk/
These drivers allow mapping arbitrary memory ranges as MTD devices.
This should be disabled to preserve the kernel's integrity when it is
locked down.
* Add the HWPARAM flag to the module parameters
* When slram is built-in, it uses __setup() to read kernel parameters,
so add an explicit check security_locked_down() check
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Matthew Garrett <mjg59@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Joern Engel <joern@lazybastard.org>
Cc: linux-mtd@lists.infradead.org
---
drivers/mtd/devices/phram.c | 6 +++++-
drivers/mtd/devices/slram.c | 9 ++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
--- a/drivers/mtd/devices/phram.c
+++ b/drivers/mtd/devices/phram.c
@@ -294,7 +294,11 @@ static int phram_param_call(const char *
#endif
}
-module_param_call(phram, phram_param_call, NULL, NULL, 0200);
+static const struct kernel_param_ops phram_param_ops = {
+ .set = phram_param_call
+};
+__module_param_call(MODULE_PARAM_PREFIX, phram, &phram_param_ops, NULL,
+ 0200, -1, KERNEL_PARAM_FL_HWPARAM | hwparam_iomem);
MODULE_PARM_DESC(phram, "Memory region to map. \"phram=<name>,<start>,<length>\"");
--- a/drivers/mtd/devices/slram.c
+++ b/drivers/mtd/devices/slram.c
@@ -43,6 +43,7 @@
#include <linux/ioctl.h>
#include <linux/init.h>
#include <linux/io.h>
+#include <linux/security.h>
#include <linux/mtd/mtd.h>
@@ -65,7 +66,7 @@ typedef struct slram_mtd_list {
#ifdef MODULE
static char *map[SLRAM_MAX_DEVICES_PARAMS];
-module_param_array(map, charp, NULL, 0);
+module_param_hw_array(map, charp, iomem, NULL, 0);
MODULE_PARM_DESC(map, "List of memory regions to map. \"map=<name>, <start>, <length / end>\"");
#else
static char *map;
@@ -281,11 +282,17 @@ static int __init init_slram(void)
#ifndef MODULE
char *devstart;
char *devlength;
+ int ret;
if (!map) {
E("slram: not enough parameters.\n");
return(-EINVAL);
}
+
+ ret = security_locked_down(LOCKDOWN_MODULE_PARAMETERS);
+ if (ret)
+ return ret;
+
while (map) {
devname = devstart = devlength = NULL;

75
debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch vendored
View File

@@ -1,75 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 11 Jan 2016 15:23:55 +0000
Subject: security,perf: Allow further restriction of perf_event_open
Forwarded: https://lkml.org/lkml/2016/1/11/587
When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.
This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1145,6 +1145,11 @@ extern int perf_cpu_time_max_percent_han
int perf_event_max_stack_handler(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos);
+static inline bool perf_paranoid_any(void)
+{
+ return sysctl_perf_event_paranoid > 2;
+}
+
static inline bool perf_paranoid_tracepoint_raw(void)
{
return sysctl_perf_event_paranoid > -1;
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -389,8 +389,13 @@ static struct srcu_struct pmus_srcu;
* 0 - disallow raw tracepoint access for unpriv
* 1 - disallow cpu events for unpriv
* 2 - disallow kernel profiling for unpriv
+ * 3 - disallow all unpriv perf event use
*/
+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
+int sysctl_perf_event_paranoid __read_mostly = 3;
+#else
int sysctl_perf_event_paranoid __read_mostly = 2;
+#endif
/* Minimum for 512 kiB + 1 user control page */
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
@@ -9395,6 +9400,9 @@ SYSCALL_DEFINE5(perf_event_open,
if (flags & ~PERF_FLAG_ALL)
return -EINVAL;
+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
err = perf_copy_attr(attr_uptr, &attr);
if (err)
return err;
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
If you are unsure how to answer this question, answer N.
+config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"
+ depends on PERF_EVENTS
+ help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
config SECURITY
bool "Enable different security models"
depends on SYSFS

57
debian/patches/features/mips/MIPS-Loongson-3-Add-Loongson-LS3A-RS780E-1-way-machi.patch vendored
View File

@@ -1,57 +0,0 @@
From: Aurelien Jarno <aurelien@aurel32.net>
Date: Sun, 20 Jul 2014 19:16:31 +0200
Subject: MIPS: Loongson 3: Add Loongson LS3A RS780E 1-way machine definition
Forwarded: no
Add a Loongson LS3A RS780E 1-way machine definition, which only differs
from other Loongson 3 based machines by the UART base clock speed.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
[bwh: Forward-ported to 4.2]
---
arch/mips/include/asm/bootinfo.h | 1 +
arch/mips/loongson64/common/machtype.c | 1 +
arch/mips/loongson64/common/serial.c | 1 +
arch/mips/loongson64/common/uart_base.c | 1 +
4 files changed, 4 insertions(+)
--- a/arch/mips/include/asm/bootinfo.h
+++ b/arch/mips/include/asm/bootinfo.h
@@ -71,6 +71,7 @@ enum loongson_machine_type {
MACH_LEMOTE_NAS,
MACH_LEMOTE_LL2F,
MACH_LOONGSON_GENERIC,
+ MACH_LOONGSON_3A780E1W,
MACH_LOONGSON_END
};
--- a/arch/mips/loongson64/common/machtype.c
+++ b/arch/mips/loongson64/common/machtype.c
@@ -28,6 +28,7 @@ static const char *system_types[] = {
[MACH_LEMOTE_NAS] = "lemote-nas-2f",
[MACH_LEMOTE_LL2F] = "lemote-lynloong-2f",
[MACH_LOONGSON_GENERIC] = "generic-loongson-machine",
+ [MACH_LOONGSON_3A780E1W] = "loongson-ls3a-rs780e-1w",
[MACH_LOONGSON_END] = NULL,
};
--- a/arch/mips/loongson64/common/serial.c
+++ b/arch/mips/loongson64/common/serial.c
@@ -48,6 +48,7 @@ static struct plat_serial8250_port uart8
[MACH_LEMOTE_NAS] = {PORT_M(3, 3686400), {} },
[MACH_LEMOTE_LL2F] = {PORT(3, 1843200), {} },
[MACH_LOONGSON_GENERIC] = {PORT_M(2, 25000000), {} },
+ [MACH_LOONGSON_3A780E1W] = {PORT_M(2, 33177600), {} },
[MACH_LOONGSON_END] = {},
};
--- a/arch/mips/loongson64/common/uart_base.c
+++ b/arch/mips/loongson64/common/uart_base.c
@@ -25,6 +25,7 @@ void prom_init_loongson_uart_base(void)
{
switch (mips_machtype) {
case MACH_LOONGSON_GENERIC:
+ case MACH_LOONGSON_3A780E1W:
/* The CPU provided serial port (CPU) */
loongson_uart_base[0] = LOONGSON_REG_BASE + 0x1e0;
break;

88
debian/patches/features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch vendored
View File

@@ -1,88 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 21 Aug 2019 00:32:16 +0100
Subject: intel-iommu: Add Kconfig option to exclude iGPU by default
Bug-Debian: https://bugs.debian.org/935270
Bug-Kali: https://bugs.kali.org/view.php?id=5644
There is still laptop firmware that touches the integrated GPU behind
the operating system's back, and doesn't say so in the RMRR table.
Enabling the IOMMU for all devices causes breakage.
Replace CONFIG_INTEL_IOMMU_DEFAULT_ON with a 3-way choice
corresponding to "on", "off", and "on,intgpu_off".
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
Index: debian-kernel/drivers/iommu/Kconfig
===================================================================
--- debian-kernel.orig/drivers/iommu/Kconfig
+++ debian-kernel/drivers/iommu/Kconfig
@@ -213,14 +213,28 @@ config INTEL_IOMMU_SVM
to access DMA resources through process address space by
means of a Process Address Space ID (PASID).
-config INTEL_IOMMU_DEFAULT_ON
- def_bool y
- prompt "Enable Intel DMA Remapping Devices by default"
- depends on INTEL_IOMMU
+if INTEL_IOMMU
+
+choice
+ prompt "Default state of Intel DMA Remapping Devices"
+ default INTEL_IOMMU_DEFAULT_ON
help
- Selecting this option will enable a DMAR device at boot time if
- one is found. If this option is not selected, DMAR support can
- be enabled by passing intel_iommu=on to the kernel.
+ Choose whether Intel DMA Remapping Devices should be enabled
+ by default. This can be overridden at boot time using the
+ intel_iommu= kernel parameter.
+
+config INTEL_IOMMU_DEFAULT_ON
+ bool "Enable"
+
+config INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF
+ bool "Enable, excluding integrated GPU"
+
+config INTEL_IOMMU_DEFAULT_OFF
+ bool "Disable"
+
+endchoice
+
+endif
config INTEL_IOMMU_BROKEN_GFX_WA
bool "Workaround broken graphics drivers (going away soon)"
Index: debian-kernel/drivers/iommu/intel-iommu.c
===================================================================
--- debian-kernel.orig/drivers/iommu/intel-iommu.c
+++ debian-kernel/drivers/iommu/intel-iommu.c
@@ -354,18 +354,14 @@ static int intel_iommu_attach_device(str
static phys_addr_t intel_iommu_iova_to_phys(struct iommu_domain *domain,
dma_addr_t iova);
-#ifdef CONFIG_INTEL_IOMMU_DEFAULT_ON
-int dmar_disabled = 0;
-#else
-int dmar_disabled = 1;
-#endif /*CONFIG_INTEL_IOMMU_DEFAULT_ON*/
+int dmar_disabled = IS_ENABLED(CONFIG_INTEL_IOMMU_DEFAULT_OFF);
int intel_iommu_sm;
int intel_iommu_enabled = 0;
EXPORT_SYMBOL_GPL(intel_iommu_enabled);
static int dmar_map_gfx = 1;
-static int dmar_map_intgpu = 1;
+static int dmar_map_intgpu = IS_ENABLED(CONFIG_INTEL_IOMMU_DEFAULT_ON);
static int dmar_forcedac;
static int intel_iommu_strict;
static int intel_iommu_superpage = 1;
@@ -446,6 +442,7 @@ static int __init intel_iommu_setup(char
while (*str) {
if (!strncmp(str, "on", 2)) {
dmar_disabled = 0;
+ dmar_map_intgpu = 1;
pr_info("IOMMU enabled\n");
} else if (!strncmp(str, "off", 3)) {
dmar_disabled = 1;

87
debian/patches/features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch vendored
View File

@@ -1,87 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 21 Aug 2019 00:05:30 +0100
Subject: intel-iommu: Add option to exclude integrated GPU only
Bug-Debian: https://bugs.debian.org/935270
Bug-Kali: https://bugs.kali.org/view.php?id=5644
There is still laptop firmware that touches the integrated GPU behind
the operating system's back, and doesn't say so in the RMRR table.
Enabling the IOMMU for all devices causes breakage, but turning it off
for all graphics devices seems like a major weakness.
Add an option, intel_iommu=igpu_off, to exclude only integrated GPUs
from remapping. This is a narrower exclusion than igfx_off: it only
affects Intel devices on the root bus. Devices attached through an
external port (Thunderbolt or ExpressCard) won't be on the root bus.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -52,6 +52,9 @@
#define CONTEXT_SIZE VTD_PAGE_SIZE
#define IS_GFX_DEVICE(pdev) ((pdev->class >> 16) == PCI_BASE_CLASS_DISPLAY)
+#define IS_INTGPU_DEVICE(pdev) (IS_GFX_DEVICE(pdev) && \
+ (pdev)->vendor == 0x8086 && \
+ pci_is_root_bus((pdev)->bus))
#define IS_USB_DEVICE(pdev) ((pdev->class >> 8) == PCI_CLASS_SERIAL_USB)
#define IS_ISA_DEVICE(pdev) ((pdev->class >> 8) == PCI_CLASS_BRIDGE_ISA)
#define IS_AZALIA(pdev) ((pdev)->vendor == 0x8086 && (pdev)->device == 0x3a3e)
@@ -356,6 +359,7 @@ int intel_iommu_enabled = 0;
EXPORT_SYMBOL_GPL(intel_iommu_enabled);
static int dmar_map_gfx = 1;
+static int dmar_map_intgpu = 1;
static int dmar_forcedac;
static int intel_iommu_strict;
static int intel_iommu_superpage = 1;
@@ -364,6 +368,7 @@ static int iommu_identity_mapping;
#define IDENTMAP_ALL 1
#define IDENTMAP_GFX 2
#define IDENTMAP_AZALIA 4
+#define IDENTMAP_INTGPU 8
int intel_iommu_gfx_mapped;
EXPORT_SYMBOL_GPL(intel_iommu_gfx_mapped);
@@ -439,6 +444,9 @@ static int __init intel_iommu_setup(char
} else if (!strncmp(str, "igfx_off", 8)) {
dmar_map_gfx = 0;
pr_info("Disable GFX device mapping\n");
+ } else if (!strncmp(str, "intgpu_off", 8)) {
+ dmar_map_intgpu = 0;
+ pr_info("Disable integrated GPU device mapping\n");
} else if (!strncmp(str, "forcedac", 8)) {
pr_info("Forcing DAC for PCI devices\n");
dmar_forcedac = 1;
@@ -2890,6 +2898,9 @@ static int device_def_domain_type(struct
if ((iommu_identity_mapping & IDENTMAP_GFX) && IS_GFX_DEVICE(pdev))
return IOMMU_DOMAIN_IDENTITY;
+ if ((iommu_identity_mapping & IDENTMAP_INTGPU) && IS_INTGPU_DEVICE(pdev))
+ return IOMMU_DOMAIN_IDENTITY;
+
/*
* We want to start off with all devices in the 1:1 domain, and
* take them out later if we find they can't access all of memory.
@@ -3277,6 +3288,9 @@ static int __init init_dmars(void)
if (!dmar_map_gfx)
iommu_identity_mapping |= IDENTMAP_GFX;
+ if (!dmar_map_intgpu)
+ iommu_identity_mapping |= IDENTMAP_INTGPU;
+
check_tylersburg_isoch();
ret = si_domain_init(hw_pass_through);
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1703,6 +1703,8 @@
bypassed by not enabling DMAR with this option. In
this case, gfx device will use physical address for
DMA.
+ intgpu_off [Default Off]
+ Bypass the DMAR unit for an integrated GPU only.
forcedac [x86_64]
With this option iommu will not optimize to look
for io virtual address below 32-bit forcing dual

180
debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch vendored
View File

@@ -1,180 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 12 Feb 2018 23:59:26 +0000
Subject: x86: Make x32 syscall support conditional on a kernel parameter
Bug-Debian: https://bugs.debian.org/708070
Forwarded: https://lore.kernel.org/lkml/1415245982.3398.53.camel@decadent.org.uk/T/#u
Enabling x32 in the standard amd64 kernel would increase its attack
surface while provide no benefit to the vast majority of its users.
No-one seems interested in regularly checking for vulnerabilities
specific to x32 (at least no-one with a white hat).
Still, adding another flavour just to turn on x32 seems wasteful. And
the only differences on syscall entry are a few instructions that mask
out the x32 flag and compare the syscall number.
Use a static key to control whether x32 syscalls are really enabled, a
Kconfig parameter to set its default value and a kernel parameter
"syscall.x32" to change it at boot time.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
Documentation/admin-guide/kernel-parameters.txt | 4 ++
arch/x86/Kconfig | 8 ++++
arch/x86/entry/common.c | 3 +
arch/x86/entry/syscall_64.c | 46 ++++++++++++++++++++++++
arch/x86/include/asm/elf.h | 4 +-
arch/x86/include/asm/syscall.h | 13 ++++++
6 files changed, 76 insertions(+), 2 deletions(-)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4678,6 +4678,10 @@
switches= [HW,M68k]
+ syscall.x32= [KNL,x86_64] Enable/disable use of x32 syscalls on
+ an x86_64 kernel where CONFIG_X86_X32 is enabled.
+ Default depends on CONFIG_X86_X32_DISABLED.
+
sysfs.deprecated=0|1 [KNL]
Enable/disable old style sysfs layout for old udev
on older distributions. When this option is enabled
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2901,6 +2901,14 @@ config COMPAT_32
select HAVE_UID16
select OLD_SIGSUSPEND3
+config X86_X32_DISABLED
+ bool "x32 ABI disabled by default"
+ depends on X86_X32
+ default n
+ help
+ Disable the x32 ABI unless explicitly enabled using the
+ kernel paramter "syscall.x32=y".
+
config COMPAT
def_bool y
depends on IA32_EMULATION || X86_X32
--- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
@@ -289,7 +289,8 @@ __visible void do_syscall_64(unsigned lo
nr = array_index_nospec(nr, NR_syscalls);
regs->ax = sys_call_table[nr](regs);
#ifdef CONFIG_X86_X32_ABI
- } else if (likely((nr & __X32_SYSCALL_BIT) &&
+ } else if (x32_enabled &&
+ likely((nr & __X32_SYSCALL_BIT) &&
(nr & ~__X32_SYSCALL_BIT) < X32_NR_syscalls)) {
nr = array_index_nospec(nr & ~__X32_SYSCALL_BIT,
X32_NR_syscalls);
--- a/arch/x86/entry/syscall_64.c
+++ b/arch/x86/entry/syscall_64.c
@@ -4,6 +4,9 @@
#include <linux/linkage.h>
#include <linux/sys.h>
#include <linux/cache.h>
+#include <linux/moduleparam.h>
+#undef MODULE_PARAM_PREFIX
+#define MODULE_PARAM_PREFIX "syscall."
#include <asm/asm-offsets.h>
#include <asm/syscall.h>
@@ -47,4 +50,47 @@ asmlinkage const sys_call_ptr_t x32_sys_
#undef __SYSCALL_64
#undef __SYSCALL_X32
+/* Maybe enable x32 syscalls */
+
+#if defined(CONFIG_X86_X32_DISABLED)
+DEFINE_STATIC_KEY_FALSE(x32_enabled_skey);
+#else
+DEFINE_STATIC_KEY_TRUE(x32_enabled_skey);
+#endif
+
+static int __init x32_param_set(const char *val, const struct kernel_param *p)
+{
+ bool enabled;
+ int ret;
+
+ ret = kstrtobool(val, &enabled);
+ if (ret)
+ return ret;
+ if (IS_ENABLED(CONFIG_X86_X32_DISABLED)) {
+ if (enabled) {
+ static_key_enable(&x32_enabled_skey.key);
+ pr_info("Enabled x32 syscalls\n");
+ }
+ } else {
+ if (!enabled) {
+ static_key_disable(&x32_enabled_skey.key);
+ pr_info("Disabled x32 syscalls\n");
+ }
+ }
+ return 0;
+}
+
+static int x32_param_get(char *buffer, const struct kernel_param *p)
+{
+ return sprintf(buffer, "%c\n",
+ static_key_enabled(&x32_enabled_skey) ? 'Y' : 'N');
+}
+
+static const struct kernel_param_ops x32_param_ops = {
+ .set = x32_param_set,
+ .get = x32_param_get,
+};
+
+arch_param_cb(x32, &x32_param_ops, NULL, 0444);
+
#endif
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -11,6 +11,7 @@
#include <asm/user.h>
#include <asm/auxvec.h>
#include <asm/fsgsbase.h>
+#include <asm/syscall.h>
typedef unsigned long elf_greg_t;
@@ -163,7 +164,8 @@ do { \
#define compat_elf_check_arch(x) \
(elf_check_arch_ia32(x) || \
- (IS_ENABLED(CONFIG_X86_X32_ABI) && (x)->e_machine == EM_X86_64))
+ (IS_ENABLED(CONFIG_X86_X32_ABI) && x32_enabled && \
+ (x)->e_machine == EM_X86_64))
#if __USER32_DS != __USER_DS
# error "The following code assumes __USER32_DS == __USER_DS"
--- a/arch/x86/include/asm/syscall.h
+++ b/arch/x86/include/asm/syscall.h
@@ -13,6 +13,7 @@
#include <uapi/linux/audit.h>
#include <linux/sched.h>
#include <linux/err.h>
+#include <linux/jump_label.h>
#include <asm/asm-offsets.h> /* For NR_syscalls */
#include <asm/thread_info.h> /* for TS_COMPAT */
#include <asm/unistd.h>
@@ -40,6 +41,18 @@ extern const sys_call_ptr_t ia32_sys_cal
extern const sys_call_ptr_t x32_sys_call_table[];
#endif
+#if defined(CONFIG_X86_X32_ABI)
+#if defined(CONFIG_X86_X32_DISABLED)
+DECLARE_STATIC_KEY_FALSE(x32_enabled_skey);
+#define x32_enabled static_branch_unlikely(&x32_enabled_skey)
+#else
+DECLARE_STATIC_KEY_TRUE(x32_enabled_skey);
+#define x32_enabled static_branch_likely(&x32_enabled_skey)
+#endif
+#else
+#define x32_enabled 0
+#endif
+
/*
* Only the low 32 bits of orig_ax are meaningful, so we return int.
* This importantly ignores the high bits on 64-bit, so comparisons

28
debian/patches/features/x86/x86-memtest-WARN-if-bad-RAM-found.patch vendored
View File

@@ -1,28 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 5 Dec 2011 04:00:58 +0000
Subject: x86: memtest: WARN if bad RAM found
Bug-Debian: https://bugs.debian.org/613321
Forwarded: http://thread.gmane.org/gmane.linux.kernel/1286471
Since this is not a particularly thorough test, if we find any bad
bits of RAM then there is a fair chance that there are other bad bits
we fail to detect.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/memtest.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
--- a/mm/memtest.c
+++ b/mm/memtest.c
@@ -26,6 +26,10 @@ static u64 patterns[] __initdata = {
static void __init reserve_bad_mem(u64 pattern, phys_addr_t start_bad, phys_addr_t end_bad)
{
+#ifdef CONFIG_X86
+ WARN_ONCE(1, "Bad RAM detected. Use memtest86+ to perform a thorough test\n"
+ "and the memmap= parameter to reserve the bad areas.");
+#endif
pr_info(" %016llx bad mem addr %pa - %pa reserved\n",
cpu_to_be64(pattern), &start_bad, &end_bad);
memblock_reserve(start_bad, end_bad - start_bad);

137
debian/patches/series vendored
View File

@@ -1,137 +0,0 @@
debian/gitignore.patch
# Disable features broken by exclusion of upstream files
debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch
debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch
debian/dfsg/vs6624-disable.patch
debian/dfsg/drivers-net-appletalk-cops.patch
debian/dfsg/video-remove-nvidiafb-and-rivafb.patch
debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch
# Changes to support package build system
debian/version.patch
debian/uname-version-timestamp.patch
debian/kernelvariables.patch
debian/ia64-hardcode-arch-script-output.patch
debian/mips-disable-werror.patch
debian/mips-boston-disable-its.patch
debian/arch-sh4-fix-uimage-build.patch
debian/tools-perf-version.patch
debian/tools-perf-install.patch
debian/wireless-add-debian-wireless-regdb-certificates.patch
debian/export-symbols-needed-by-android-drivers.patch
debian/android-enable-building-ashmem-and-binder-as-modules.patch
# Fixes/improvements to firmware loading
features/all/drivers-media-dvb-usb-af9005-request_firmware.patch
debian/iwlwifi-do-not-request-unreleased-firmware.patch
bugfix/all/firmware_class-log-every-success-and-failure.patch
bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
debian/firmware_class-refer-to-debian-wiki-firmware-page.patch
# Patches from aufs5 repository, imported with debian/bin/genpatch-aufs.
# These are only the changes needed to allow aufs to be built out-of-tree.
features/all/aufs5/aufs5-base.patch
features/all/aufs5/aufs5-mmap.patch
features/all/aufs5/aufs5-standalone.patch
# Change some defaults for security reasons
debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch
debian/fs-enable-link-security-restrictions-by-default.patch
# Set various features runtime-disabled by default
debian/sched-autogroup-disabled.patch
debian/yama-disable-by-default.patch
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch
features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch
# Disable autoloading/probing of various drivers by default
debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
debian/snd-pcsp-disable-autoload.patch
bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
debian/fjes-disable-autoload.patch
# Taint if dangerous features are used
debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch
# Arch bug fixes
bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch
bugfix/arm64/dts-rockchip-correct-voltage-selector-firefly-RK3399.patch
bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch
bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch
bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch
bugfix/ppc64el/libbpf-fix-readelf-output-parsing-on-powerpc-with-re.patch
# Arch features
features/mips/MIPS-Loongson-3-Add-Loongson-LS3A-RS780E-1-way-machi.patch
features/x86/x86-memtest-WARN-if-bad-RAM-found.patch
features/x86/x86-make-x32-syscall-support-conditional.patch
# Miscellaneous bug fixes
bugfix/all/disable-some-marvell-phys.patch
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch
# Miscellaneous features
# Lockdown missing pieces
features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
features/all/lockdown/add-a-sysrq-option-to-lift-kernel-lockdown.patch
features/all/lockdown/enable-cold-boot-attack-mitigation.patch
features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# until the "kernel_lockdown.7" manual page exists
features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch
# Improve integrity platform keyring for kernel modules verification
features/all/db-mok-keyring/0006-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch
features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch
features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch
features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/ntfs-mark-it-as-broken.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
# Tools bug fixes
bugfix/all/usbip-document-tcp-wrappers.patch
bugfix/all/kbuild-fix-recordmcount-dependency.patch
bugfix/all/tools-perf-man-date.patch
bugfix/all/tools-perf-remove-shebangs.patch
bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch
bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
bugfix/all/cpupower-bump-soname-version.patch
bugfix/all/libcpupower-hide-private-function.patch
bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
bugfix/all/tools-lib-api-fs-fs.c-fix-misuse-of-strncpy.patch
bugfix/all/usbip-fix-misuse-of-strncpy.patch
bugfix/all/usbip-network-fix-unaligned-member-access.patch
bugfix/all/tools-perf-pmu-events-fix-reproducibility.patch
# wireless: Disable regulatory.db direct loading (until we sort out signing)
debian/wireless-disable-regulatory.db-direct-loading.patch
# overlay: allow mounting in user namespaces
debian/overlayfs-permit-mounts-in-userns.patch
# ABI maintenance

2
debian/rules.real vendored
View File

@@ -151,9 +151,11 @@ $(BUILD_DIR)/linux-patch-$(UPSTREAMVERSION)-%.patch.xz: $(STAMPS_DIR)/source_non
(rm -f $@; exit 1)
$(STAMPS_DIR)/source:
ifeq ($(DO_APPLY_PATCHES),True)
test -d .pc
set +e; QUILT_PC=.pc quilt unapplied --quiltrc - >/dev/null && echo 'Patch series not fully applied'; test $$? -eq 1
@$(stamp)
endif
$(STAMPS_DIR)/source_%: SOURCE_DIR=$(BUILD_DIR)/source
$(STAMPS_DIR)/source_%: DIR=$(BUILD_DIR)/source_$*