diff --git a/pkg/debian/kernel/0001-Export-symbols-needed-by-Android-drivers.patch b/pkg/debian/kernel/0001-Export-symbols-needed-by-Android-drivers.patch index 36b12a8a1..d5e93c89a 100644 --- a/pkg/debian/kernel/0001-Export-symbols-needed-by-Android-drivers.patch +++ b/pkg/debian/kernel/0001-Export-symbols-needed-by-Android-drivers.patch @@ -1,4 +1,4 @@ -From be7a0019f698b236692d06f6beff99d44f3802b5 Mon Sep 17 00:00:00 2001 +From 408551029a78a655c5fea864b45a8e370d7d9e8c Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 7 Sep 2020 02:51:53 +0100 Subject: [PATCH 1/2] Export symbols needed by Android drivers @@ -20,10 +20,10 @@ Export the currently un-exported symbols they depend on. 7 files changed, 10 insertions(+) diff --git a/fs/file.c b/fs/file.c -index 7893ea161d77..066f90a4f572 100644 +index 3e4a4dfa38fca..bdded3fcdbd87 100644 --- a/fs/file.c +++ b/fs/file.c -@@ -814,6 +814,7 @@ struct file *close_fd_get_file(unsigned int fd) +@@ -816,6 +816,7 @@ struct file *close_fd_get_file(unsigned int fd) return file; } @@ -32,10 +32,10 @@ index 7893ea161d77..066f90a4f572 100644 void do_close_on_exec(struct files_struct *files) { diff --git a/kernel/sched/core.c b/kernel/sched/core.c -index a68d1276bab0..5e5adf3f4f49 100644 +index 802551e0009bf..2698c78062b2f 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c -@@ -7227,6 +7227,7 @@ static bool is_nice_reduction(const struct task_struct *p, const int nice) +@@ -7253,6 +7253,7 @@ static bool is_nice_reduction(const struct task_struct *p, const int nice) return (nice_rlim <= task_rlimit(p, RLIMIT_NICE)); } @@ -44,10 +44,10 @@ index a68d1276bab0..5e5adf3f4f49 100644 /* * can_nice - check if a task can reduce its nice value diff --git a/kernel/sched/wait.c b/kernel/sched/wait.c -index 133b74730738..a2a3381ede73 100644 +index 802d98cf2de31..8eec46f066d86 100644 --- a/kernel/sched/wait.c 
+++ b/kernel/sched/wait.c -@@ -247,6 +247,7 @@ void __wake_up_pollfree(struct wait_queue_head *wq_head) +@@ -252,6 +252,7 @@ void __wake_up_pollfree(struct wait_queue_head *wq_head) /* POLLFREE must have cleared the queue. */ WARN_ON_ONCE(waitqueue_active(wq_head)); } @@ -56,7 +56,7 @@ index 133b74730738..a2a3381ede73 100644 /* * Note: we use "set_current_state()" _after_ the wait-queue add, diff --git a/kernel/task_work.c b/kernel/task_work.c -index 065e1ef8fc8d..7d06ea82a53e 100644 +index 95a7e1b7f1dab..972c3280337e8 100644 --- a/kernel/task_work.c +++ b/kernel/task_work.c @@ -73,6 +73,7 @@ int task_work_add(struct task_struct *task, struct callback_head *work, @@ -68,22 +68,22 @@ index 065e1ef8fc8d..7d06ea82a53e 100644 /** * task_work_cancel_match - cancel a pending work added by task_work_add() diff --git a/mm/memory.c b/mm/memory.c -index 5ce82a76201d..c20d92584f25 100644 +index 517221f013035..b747095cfea68 100644 --- a/mm/memory.c +++ b/mm/memory.c -@@ -1755,6 +1755,7 @@ void zap_page_range_single(struct vm_area_struct *vma, unsigned long address, - mmu_notifier_invalidate_range_end(&range); +@@ -1770,6 +1770,7 @@ void zap_page_range_single(struct vm_area_struct *vma, unsigned long address, tlb_finish_mmu(&tlb); + hugetlb_zap_end(vma, details); } +EXPORT_SYMBOL_GPL(zap_page_range_single); /** * zap_vma_ptes - remove ptes mapping the vma diff --git a/mm/shmem.c b/mm/shmem.c -index e40a08c5c6d7..3082bd4dfd52 100644 +index 69595d3418829..e155894de651c 100644 --- a/mm/shmem.c +++ b/mm/shmem.c -@@ -4351,6 +4351,7 @@ int shmem_zero_setup(struct vm_area_struct *vma) +@@ -4871,6 +4871,7 @@ int shmem_zero_setup(struct vm_area_struct *vma) return 0; } @@ -92,10 +92,10 @@ index e40a08c5c6d7..3082bd4dfd52 100644 /** * shmem_read_folio_gfp - read into page cache, using specified page allocation flags. diff --git a/security/security.c b/security/security.c -index d5ff7ff45b77..79cc02ff5971 100644 +index 23b129d482a7c..eeb7162a02674 100644 --- a/security/security.c 
+++ b/security/security.c -@@ -798,6 +798,7 @@ int security_binder_set_context_mgr(const struct cred *mgr) +@@ -799,6 +799,7 @@ int security_binder_set_context_mgr(const struct cred *mgr) { return call_int_hook(binder_set_context_mgr, 0, mgr); } @@ -103,7 +103,7 @@ index d5ff7ff45b77..79cc02ff5971 100644 /** * security_binder_transaction() - Check if a binder transaction is allowed -@@ -813,6 +814,7 @@ int security_binder_transaction(const struct cred *from, +@@ -814,6 +815,7 @@ int security_binder_transaction(const struct cred *from, { return call_int_hook(binder_transaction, 0, from, to); } @@ -111,7 +111,7 @@ index d5ff7ff45b77..79cc02ff5971 100644 /** * security_binder_transfer_binder() - Check if a binder transfer is allowed -@@ -828,6 +830,7 @@ int security_binder_transfer_binder(const struct cred *from, +@@ -829,6 +831,7 @@ int security_binder_transfer_binder(const struct cred *from, { return call_int_hook(binder_transfer_binder, 0, from, to); } @@ -119,7 +119,7 @@ index d5ff7ff45b77..79cc02ff5971 100644 /** * security_binder_transfer_file() - Check if a binder file xfer is allowed -@@ -844,6 +847,7 @@ int security_binder_transfer_file(const struct cred *from, +@@ -845,6 +848,7 @@ int security_binder_transfer_file(const struct cred *from, { return call_int_hook(binder_transfer_file, 0, from, to, file); } @@ -128,5 +128,5 @@ index d5ff7ff45b77..79cc02ff5971 100644 /** * security_ptrace_access_check() - Check if tracing is allowed -- -2.41.0 +2.42.1 diff --git a/pkg/debian/kernel/0001-Partially-revert-integrity-Only-use-machine-keyring-.patch b/pkg/debian/kernel/0001-Partially-revert-integrity-Only-use-machine-keyring-.patch new file mode 100644 index 000000000..f80dc3303 --- /dev/null +++ b/pkg/debian/kernel/0001-Partially-revert-integrity-Only-use-machine-keyring-.patch 
@@ -0,0 +1,41 @@
+From fbfaff58fe821fa93ceeb17e034886a6d8447207 Mon Sep 17 00:00:00 2001
+From: Maximilian Luz
+Date: Mon, 20 Nov 2023 22:54:05 +0100
+Subject: [PATCH] Partially revert "integrity: Only use machine keyring when
+ uefi_check_trust_mok_keys is true"
+
+This partially reverts commit 3d6ae1a5d0c2019d274284859f556dcb64aa98a7.
+
+MokListTrustedRT doesn't seem to be set by the Shim version used by
+Ubuntu and Debian. Therefore, these systems don't trust the MOK keys on
+newer kernels. While pre-5.19 kernels silently disregard the untrusted
+keys and (without signature enforcement enabled) still load external
+modules (tainting the kernel), on 5.19 kernels, this breaks module
+loading. Therefore, revert this change.
+---
+ security/integrity/platform_certs/machine_keyring.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
+index a401640a63cd1..a1ad244cbf86d 100644
+--- a/security/integrity/platform_certs/machine_keyring.c
++++ b/security/integrity/platform_certs/machine_keyring.c
+@@ -51,14 +51,7 @@ void __init add_to_machine_keyring(const char *source, const void *data, size_t
+ */
+ static __init bool uefi_check_trust_mok_keys(void)
+ {
+- struct efi_mokvar_table_entry *mokvar_entry;
+-
+- mokvar_entry = efi_mokvar_entry_find("MokListTrustedRT");
+-
+- if (mokvar_entry)
+- return true;
+-
+- return false;
++ return true;
+ }
+
+ static bool __init trust_moklist(void)
+--
+2.42.1
+
diff --git a/pkg/debian/kernel/0001-Revert-integrity-Only-use-machine-keyring-when-uefi_.patch b/pkg/debian/kernel/0001-Revert-integrity-Only-use-machine-keyring-when-uefi_.patch
deleted file mode 100644
index e942a930c..000000000
--- a/pkg/debian/kernel/0001-Revert-integrity-Only-use-machine-keyring-when-uefi_.patch
+++ /dev/null
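Review bot: The new body of `uefi_check_trust_mok_keys()` is an unconditional `return true;`, which means `trust_moklist()` (shown in the removed patch below: it caches this result and `get_handler_for_mok()` routes MOK certificates into the machine keyring when it is true) now trusts every key in MokListRT without shim ever asserting MokListTrustedRT, and neither the code nor the description says so. The removed patch carried a pointer to linux-surface issue 906 that this rewrite dropped; put the rationale back in the description and next to the code so a future rebase does not carry the widened trust forward silently, e.g. `/* Debian/Ubuntu shim does not set MokListTrustedRT; trust MOK keys unconditionally (distro policy, see linux-surface issue 906) */`. With `mokvar_entry` gone, this function no longer references `efi_mokvar_entry_find()` or `struct efi_mokvar_table_entry`, so it is worth checking whether the EFI include at the top of machine_keyring.c is still needed by the rest of the file; the file's include block is outside this hunk. The `trust_moklist()` caller that consumes the result begins after the hunk ends.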
@@ -1,102 +0,0 @@ -From 9564bb04930ddcffa8b859ccf48ca40767ec8da4 Mon Sep 17 00:00:00 2001 -From: Maximilian Luz -Date: Fri, 26 Aug 2022 21:24:36 +0200 -Subject: [PATCH] Revert "integrity: Only use machine keyring when - uefi_check_trust_mok_keys is true" - -This reverts commit 3d6ae1a5d0c2019d274284859f556dcb64aa98a7. - -MokListTrustedRT doesn't seem to be set by the Shim version used by -Ubuntu and Debian. Therefore, these systems don't trust the MOK keys on -newer kernels. While pre-5.19 kernels silently disregard the untrusted -keys and (without signature enforcement enabled) still load external -modules (tainting the kernel), on 5.19 kernels, this breaks module -loading. Therefore, revert this change. - -See https://github.com/linux-surface/linux-surface/issues/906. ---- - security/integrity/digsig.c | 2 +- - security/integrity/integrity.h | 5 ----- - .../integrity/platform_certs/keyring_handler.c | 2 +- - .../integrity/platform_certs/machine_keyring.c | 16 ---------------- - 4 files changed, 2 insertions(+), 23 deletions(-) - -diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c -index 6f31ffe23c48..590cd07b804b 100644 ---- a/security/integrity/digsig.c -+++ b/security/integrity/digsig.c -@@ -113,7 +113,7 @@ static int __init __integrity_init_keyring(const unsigned int id, - } else { - if (id == INTEGRITY_KEYRING_PLATFORM) - set_platform_trusted_keys(keyring[id]); -- if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist()) -+ if (id == INTEGRITY_KEYRING_MACHINE) - set_machine_trusted_keys(keyring[id]); - if (id == INTEGRITY_KEYRING_IMA) - load_module_cert(keyring[id]); -diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h -index 7167a6e99bdc..1dbb494c86c0 100644 ---- a/security/integrity/integrity.h -+++ b/security/integrity/integrity.h -@@ -320,14 +320,9 @@ static inline void __init add_to_platform_keyring(const char *source, - - #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING - void __init add_to_machine_keyring(const char 
*source, const void *data, size_t len); --bool __init trust_moklist(void); - #else - static inline void __init add_to_machine_keyring(const char *source, - const void *data, size_t len) - { - } --static inline bool __init trust_moklist(void) --{ -- return false; --} - #endif -diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c -index 8a1124e4d769..b22e0125a483 100644 ---- a/security/integrity/platform_certs/keyring_handler.c -+++ b/security/integrity/platform_certs/keyring_handler.c -@@ -61,7 +61,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) - __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) - { - if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { -- if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist()) -+ if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING)) - return add_to_machine_keyring; - else - return add_to_platform_keyring; -diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c -index 7aaed7950b6e..09fd8f20c756 100644 ---- a/security/integrity/platform_certs/machine_keyring.c -+++ b/security/integrity/platform_certs/machine_keyring.c -@@ -8,8 +8,6 @@ - #include - #include "../integrity.h" - --static bool trust_mok; -- - static __init int machine_keyring_init(void) - { - int rc; -@@ -61,17 +59,3 @@ static __init bool uefi_check_trust_mok_keys(void) - - return false; - } -- --bool __init trust_moklist(void) --{ -- static bool initialized; -- -- if (!initialized) { -- initialized = true; -- -- if (uefi_check_trust_mok_keys()) -- trust_mok = true; -- } -- -- return trust_mok; --} --- -2.41.0 - diff --git a/pkg/debian/kernel/0001-serial-core-Fix-checks-for-tx-runtime-PM-state.patch b/pkg/debian/kernel/0001-serial-core-Fix-checks-for-tx-runtime-PM-state.patch deleted file mode 100644 index d525a9324..000000000 
--- a/pkg/debian/kernel/0001-serial-core-Fix-checks-for-tx-runtime-PM-state.patch
+++ /dev/null
@@ -1,59 +0,0 @@ -From 8459746f889d72794c164d18423344686267a451 Mon Sep 17 00:00:00 2001 -From: Tony Lindgren -Date: Thu, 5 Oct 2023 10:56:42 +0300 -Subject: [PATCH] serial: core: Fix checks for tx runtime PM state - -commit 81a61051e0ce5fd7e09225c0d5985da08c7954a7 upstream. - -Maximilian reported that surface_serial_hub serdev tx does not work during -system suspend. During system suspend, runtime PM gets disabled in -__device_suspend_late(), and tx is unable to wake-up the serial core port -device that we use to check if tx is safe to start. Johan summarized the -regression noting that serdev tx no longer always works as earlier when the -serdev device is runtime PM active. - -The serdev device and the serial core controller devices are siblings of -the serial port hardware device. The runtime PM usage count from serdev -device does not propagate to the serial core device siblings, it only -propagates to the parent. - -In addition to the tx issue for suspend, testing for the serial core port -device can cause an unnecessary delay in enabling tx while waiting for the -serial core port device to wake-up. The serial core port device wake-up is -only needed to flush pending tx when the serial port hardware device was -in runtime PM suspended state. - -To fix the regression, we need to check the runtime PM state of the parent -serial port hardware device for tx instead of the serial core port device. - -As the serial port device drivers may or may not implement runtime PM, we -need to also add a check for pm_runtime_enabled(). 
- -Reported-by: Maximilian Luz -Cc: stable -Fixes: 84a9582fd203 ("serial: core: Start managing serial controllers to enable runtime PM") -Signed-off-by: Tony Lindgren -Tested-by: Maximilian Luz -Reviewed-by: Andy Shevchenko -Link: https://lore.kernel.org/r/20231005075644.25936-1-tony@atomide.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/serial_core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index bf63a045fdc8..83c419ac78bc 100644 ---- a/drivers/tty/serial/serial_core.c -+++ b/drivers/tty/serial/serial_core.c -@@ -157,7 +157,7 @@ static void __uart_start(struct tty_struct *tty) - * enabled, serial_port_runtime_resume() calls start_tx() again - * after enabling the device. - */ -- if (pm_runtime_active(&port_dev->dev)) -+ if (!pm_runtime_enabled(port->dev) || pm_runtime_active(port->dev)) - port->ops->start_tx(port); - pm_runtime_mark_last_busy(&port_dev->dev); - pm_runtime_put_autosuspend(&port_dev->dev); --- -2.42.0 - diff --git a/pkg/debian/kernel/0002-android-Enable-building-ashmem-and-binder-as-modules.patch b/pkg/debian/kernel/0002-android-Enable-building-ashmem-and-binder-as-modules.patch index b9938a5ea..8b0c70289 100644 --- a/pkg/debian/kernel/0002-android-Enable-building-ashmem-and-binder-as-modules.patch +++ b/pkg/debian/kernel/0002-android-Enable-building-ashmem-and-binder-as-modules.patch @@ -1,4 +1,4 @@ -From 9917ce49cb4e0d91977f11ce5b04b15856a0d82c Mon Sep 17 00:00:00 2001 +From 2802d75f2b216a35c6a976c0064fcc0e20d82e4b Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Fri, 22 Jun 2018 17:27:00 +0100 Subject: [PATCH 2/2] android: Enable building ashmem and binder as modules @@ -26,7 +26,7 @@ Consequently, the ashmem part of this patch has been removed. 3 files changed, 6 insertions(+), 5 deletions(-) 
diff --git a/drivers/android/Kconfig b/drivers/android/Kconfig -index 07aa8ae0a058..94a3a86f9bd4 100644 +index 07aa8ae0a058c..94a3a86f9bd4f 100644 --- a/drivers/android/Kconfig +++ b/drivers/android/Kconfig @@ -2,7 +2,7 @@ @@ -39,7 +39,7 @@ index 07aa8ae0a058..94a3a86f9bd4 100644 default n help diff --git a/drivers/android/Makefile b/drivers/android/Makefile -index c9d3d0c99c25..55411d9a9c2a 100644 +index c9d3d0c99c257..55411d9a9c2a1 100644 --- a/drivers/android/Makefile +++ b/drivers/android/Makefile @@ -1,6 +1,7 @@ @@ -54,7 +54,7 @@ index c9d3d0c99c25..55411d9a9c2a 100644 +binder_linux-$(CONFIG_ANDROID_BINDERFS) += binderfs.o +binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c -index 662a2a2e2e84..98fcbb0c8325 100644 +index e3db8297095a2..eef695eff0025 100644 --- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c @@ -38,7 +38,7 @@ enum { @@ -67,5 +67,5 @@ index 662a2a2e2e84..98fcbb0c8325 100644 #define binder_alloc_debug(mask, x...) \ -- -2.41.0 +2.42.1