diff --git a/debian/changelog b/debian/changelog index 7d938409e..560f6044c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +linux (4.14~rc2-1~exp1) UNRELEASED; urgency=medium + + * New upstream release candidate + + [ Ben Hutchings ] + * aufs: Update support patchset to aufs4.x-rcN-20171002 + + -- Ben Hutchings Sun, 01 Oct 2017 19:34:09 +0100 + linux (4.13.4-1) unstable; urgency=medium * New upstream stable update: diff --git a/debian/patches/bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch b/debian/patches/bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch deleted file mode 100644 index 040f85b90..000000000 --- a/debian/patches/bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch +++ /dev/null @@ -1,23 +0,0 @@ -From: Ben Hutchings -Date: Sat, 12 Aug 2017 22:27:06 +0100 -Subject: bfq: Re-enable auto-loading when built as a module - -The block core requests modules with the "-iosched" name suffix, but -bfq no longer has that suffix. Add an alias. - -Fixes: ea25da48086d ("block, bfq: split bfq-iosched.c into multiple ...") -Signed-off-by: Ben Hutchings ---- - block/bfq-iosched.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/block/bfq-iosched.c -+++ b/block/bfq-iosched.c -@@ -4974,6 +4974,7 @@ static struct elevator_type iosched_bfq_ - .elevator_name = "bfq", - .elevator_owner = THIS_MODULE, - }; -+MODULE_ALIAS("bfq-iosched"); - - static int __init bfq_init(void) - { diff --git a/debian/patches/bugfix/all/disable-some-marvell-phys.patch b/debian/patches/bugfix/all/disable-some-marvell-phys.patch index 3c40fe103..8a42a6521 100644 --- a/debian/patches/bugfix/all/disable-some-marvell-phys.patch +++ b/debian/patches/bugfix/all/disable-some-marvell-phys.patch @@ -16,25 +16,25 @@ correctness. --- a/drivers/net/phy/marvell.c 
+++ b/drivers/net/phy/marvell.c -@@ -964,6 +964,7 @@ static int m88e1118_config_init(struct p - return phy_write(phydev, MII_BMCR, BMCR_RESET); +@@ -956,6 +956,7 @@ static int m88e1118_config_init(struct p + return genphy_soft_reset(phydev); } +#if 0 static int m88e1149_config_init(struct phy_device *phydev) { int err; -@@ -989,7 +990,9 @@ static int m88e1149_config_init(struct p +@@ -981,7 +982,9 @@ static int m88e1149_config_init(struct p - return phy_write(phydev, MII_BMCR, BMCR_RESET); + return genphy_soft_reset(phydev); } +#endif +#if 0 static int m88e1145_config_init_rgmii(struct phy_device *phydev) { - int err; -@@ -1083,6 +1086,7 @@ static int m88e1145_config_init(struct p + int temp; +@@ -1063,6 +1066,7 @@ static int m88e1145_config_init(struct p return 0; } @@ -42,7 +42,7 @@ correctness. /** * fiber_lpa_to_ethtool_lpa_t -@@ -2079,6 +2083,7 @@ static struct phy_driver marvell_drivers +@@ -2059,6 +2063,7 @@ static struct phy_driver marvell_drivers .get_strings = marvell_get_strings, .get_stats = marvell_get_stats, }, @@ -50,7 +50,7 @@ correctness. { .phy_id = MARVELL_PHY_ID_88E1145, .phy_id_mask = MARVELL_PHY_ID_MASK, -@@ -2097,6 +2102,8 @@ static struct phy_driver marvell_drivers +@@ -2077,6 +2082,8 @@ static struct phy_driver marvell_drivers .get_strings = marvell_get_strings, .get_stats = marvell_get_stats, }, @@ -59,7 +59,7 @@ correctness. { .phy_id = MARVELL_PHY_ID_88E1149R, .phy_id_mask = MARVELL_PHY_ID_MASK, -@@ -2115,6 +2122,8 @@ static struct phy_driver marvell_drivers +@@ -2095,6 +2102,8 @@ static struct phy_driver marvell_drivers .get_strings = marvell_get_strings, .get_stats = marvell_get_stats, }, @@ -68,7 +68,7 @@ correctness. { .phy_id = MARVELL_PHY_ID_88E1240, .phy_id_mask = MARVELL_PHY_ID_MASK, -@@ -2133,6 +2142,7 @@ static struct phy_driver marvell_drivers +@@ -2113,6 +2122,7 @@ static struct phy_driver marvell_drivers .get_strings = marvell_get_strings, .get_stats = marvell_get_stats, }, 
@@ -76,7 +76,7 @@ correctness. { .phy_id = MARVELL_PHY_ID_88E1116R, .phy_id_mask = MARVELL_PHY_ID_MASK, -@@ -2260,9 +2270,9 @@ static struct mdio_device_id __maybe_unu +@@ -2240,9 +2250,9 @@ static struct mdio_device_id __maybe_unu { MARVELL_PHY_ID_88E1111, MARVELL_PHY_ID_MASK }, { MARVELL_PHY_ID_88E1118, MARVELL_PHY_ID_MASK }, { MARVELL_PHY_ID_88E1121R, MARVELL_PHY_ID_MASK }, diff --git a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch b/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch deleted file mode 100644 index 6eab4bd50..000000000 --- a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From: Vladis Dronov -Date: Tue, 12 Sep 2017 22:21:21 +0000 -Subject: nl80211: check for the required netlink attributes presence -Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153 - -nl80211_set_rekey_data() does not check if the required attributes -NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing -NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by -users with CAP_NET_ADMIN privilege and may result in NULL dereference -and a system crash. Add a check for the required attributes presence. -This patch is based on the patch by bo Zhang. - -This fixes CVE-2017-12153. - -References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046 -Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload") -Cc: # v3.1-rc1 -Reported-by: bo Zhang -Signed-off-by: Vladis Dronov ---- - net/wireless/nl80211.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/net/wireless/nl80211.c -+++ b/net/wireless/nl80211.c -@@ -10873,6 +10873,9 @@ static int nl80211_set_rekey_data(struct - if (err) - return err; - -+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] || -+ !tb[NL80211_REKEY_DATA_KCK]) -+ return -EINVAL; - if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) - return -ERANGE; - if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN) diff --git a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch b/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch deleted file mode 100644 index 2d056c326..000000000 --- a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From: Vladis Dronov -Date: Mon, 4 Sep 2017 16:00:50 +0200 -Subject: video: fbdev: aty: do not leak uninitialized padding in clk to - userspace -Origin: https://git.kernel.org/linus/8e75f7a7a00461ef6d91797a60b606367f6e344d -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14156 - -'clk' is copied to a userland with padding byte(s) after 'vclk_post_div' -field unitialized, leaking data from the stack. Fix this ensuring all of -'clk' is initialized to zero. - -References: https://github.com/torvalds/linux/pull/441 -Reported-by: sohu0106 -Signed-off-by: Vladis Dronov -Signed-off-by: Bartlomiej Zolnierkiewicz ---- - drivers/video/fbdev/aty/atyfb_base.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/video/fbdev/aty/atyfb_base.c -+++ b/drivers/video/fbdev/aty/atyfb_base.c -@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i - #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT) - case ATYIO_CLKR: - if (M64_HAS(INTEGRATED)) { -- struct atyclk clk; -+ struct atyclk clk = { 0 }; - union aty_pll *pll = &par->pll; - u32 dsp_config = pll->ct.dsp_config; - u32 dsp_on_off = pll->ct.dsp_on_off; diff --git a/debian/patches/bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch b/debian/patches/bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch deleted file mode 100644 index 7e6e0acf2..000000000 --- a/debian/patches/bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From: Ben Hutchings -Date: Tue, 18 Jul 2017 23:44:25 +0100 -Subject: alpha: Restore symbol versions for symbols exported from assembly -Forwarded: https://marc.info/?l=linux-alpha&m=150042247925108&w=2 - -Add so that genksyms knows the types of -these symbols and can generate CRCs for them. - -Fixes: 00fc0e0dda62 ("alpha: move exports to actual definitions") -Signed-off-by: Ben Hutchings ---- - arch/alpha/include/asm/asm-prototypes.h | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - create mode 100644 arch/alpha/include/asm/asm-prototypes.h - -diff --git a/arch/alpha/include/asm/asm-prototypes.h b/arch/alpha/include/asm/asm-prototypes.h -new file mode 100644 -index 000000000000..d12c68ea340b ---- /dev/null -+++ b/arch/alpha/include/asm/asm-prototypes.h -@@ -0,0 +1,18 @@ -+#include -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+ -+extern void __divl(void); -+extern void __reml(void); -+extern void __divq(void); -+extern void __remq(void); -+extern void __divlu(void); -+extern void __remlu(void); -+extern void __divqu(void); -+extern void __remqu(void); diff --git a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch b/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch deleted file mode 100644 index f82767d69..000000000 --- a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From: Jim Mattson -Date: Tue, 12 Sep 2017 13:02:54 -0700 -Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8 -Origin: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12154 - -If L1 does not specify the "use TPR shadow" VM-execution control in -vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store -exiting" VM-execution controls in vmcs02. Failure to do so will give -the L2 VM unrestricted read/write access to the hardware CR8. - -This fixes CVE-2017-12154. - -Signed-off-by: Jim Mattson -Reviewed-by: David Hildenbrand -Signed-off-by: Paolo Bonzini ---- - arch/x86/kvm/vmx.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -10103,6 +10103,11 @@ static int prepare_vmcs02(struct kvm_vcp - if (exec_control & CPU_BASED_TPR_SHADOW) { - vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull); - vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold); -+ } else { -+#ifdef CONFIG_X86_64 -+ exec_control |= CPU_BASED_CR8_LOAD_EXITING | -+ CPU_BASED_CR8_STORE_EXITING; -+#endif - } - - /* diff --git a/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch b/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch deleted file mode 100644 index 91c990c3f..000000000 --- a/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= -Date: Thu, 7 Sep 2017 19:02:30 +0100 -Subject: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000252 - -The value of the guest_irq argument to vmx_update_pi_irte() is -ultimately coming from a KVM_IRQFD API call. Do not BUG() in -vmx_update_pi_irte() if the value is out-of bounds. (Especially, -since KVM as a whole seems to hang after that.) - -Instead, print a message only once if we find that we don't have a -route for a certain IRQ (which can be out-of-bounds or within the -array). - -This fixes CVE-2017-1000252. - -Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts") -Signed-off-by: Jan H. Schönherr -Signed-off-by: Paolo Bonzini ---- - arch/x86/kvm/vmx.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -11377,7 +11377,7 @@ static int vmx_update_pi_irte(struct kvm - struct kvm_lapic_irq irq; - struct kvm_vcpu *vcpu; - struct vcpu_data vcpu_info; -- int idx, ret = -EINVAL; -+ int idx, ret = 0; - - if (!kvm_arch_has_assigned_device(kvm) || - !irq_remapping_cap(IRQ_POSTING_CAP) || -@@ -11386,7 +11386,12 @@ static int vmx_update_pi_irte(struct kvm - - idx = srcu_read_lock(&kvm->irq_srcu); - irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu); -- BUG_ON(guest_irq >= irq_rt->nr_rt_entries); -+ if (guest_irq >= irq_rt->nr_rt_entries || -+ hlist_empty(&irq_rt->map[guest_irq])) { -+ pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n", -+ guest_irq, irq_rt->nr_rt_entries); -+ goto out; -+ } - - hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) { - if (e->type != KVM_IRQ_ROUTING_MSI) 
diff --git a/debian/patches/bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch b/debian/patches/bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch index 3d511fec6..cfbf98e82 100644 --- a/debian/patches/bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch +++ b/debian/patches/bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch @@ -11,8 +11,8 @@ It broke feature detection that was working just fine for us. --- a/tools/perf/Makefile.config +++ b/tools/perf/Makefile.config -@@ -38,7 +38,7 @@ ifeq ($(ARCH),x86) - LIBUNWIND_LIBS = -lunwind -lunwind-x86_64 +@@ -38,7 +38,7 @@ ifeq ($(SRCARCH),x86) + LIBUNWIND_LIBS = -lunwind-x86_64 -lunwind -llzma $(call detected,CONFIG_X86_64) else - LIBUNWIND_LIBS = -lunwind-x86 -llzma -lunwind diff --git a/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch b/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch index 6cb31f913..6827c94f1 100644 --- a/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch +++ b/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch @@ -13,15 +13,15 @@ other W+X cases. So add a condition to the WARN_ON. --- --- a/arch/x86/mm/dump_pagetables.c +++ b/arch/x86/mm/dump_pagetables.c -@@ -17,6 +17,7 @@ +@@ -18,6 +18,7 @@ #include #include #include +#include - #include #include -@@ -220,7 +221,7 @@ static void note_page(struct seq_file *m + +@@ -231,7 +232,7 @@ static void note_page(struct seq_file *m pgprotval_t pr = pgprot_val(st->current_prot); if (st->check_wx && (pr & _PAGE_RW) && !(pr & _PAGE_NX)) { diff --git a/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch b/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch index 533feafcc..4a1943dbf 100644 --- a/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch 
+++ b/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch @@ -17,8 +17,8 @@ Signed-off-by: Adam Borowski --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c -@@ -3098,6 +3098,15 @@ retry_root_backup: - btrfs_set_opt(fs_info->mount_opt, SSD); +@@ -3060,6 +3060,15 @@ retry_root_backup: + btrfs_set_and_info(fs_info, SSD, "enabling ssd optimizations"); } + if ((fs_info->avail_data_alloc_bits | diff --git a/debian/patches/debian/dfsg/firmware-cleanup.patch b/debian/patches/debian/dfsg/firmware-cleanup.patch deleted file mode 100644 index 760918c1a..000000000 --- a/debian/patches/debian/dfsg/firmware-cleanup.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Ben Hutchings -Date: Tue, 15 Mar 2011 04:48:15 +0000 -Subject: Remove the entire firmware directory -Forwarded: no - -Some of this is DFSG-free, but it has been moved to firmware-free so -we don't need it in linux-2.6 as well. - -diff --git a/Makefile b/Makefile -index d6592b6..9afac11 100644 ---- a/Makefile -+++ b/Makefile -@@ -487,7 +487,7 @@ scripts: scripts_basic include/config/auto.conf include/config/tristate.conf - - # Objects we will link into vmlinux / subdirs we need to visit - init-y := init/ --drivers-y := drivers/ sound/ firmware/ -+drivers-y := drivers/ sound/ - net-y := net/ - libs-y := lib/ - core-y := usr/ -diff --git a/scripts/Makefile.fwinst b/scripts/Makefile.fwinst -index 6bf8e87..2f6db83 100644 ---- a/scripts/Makefile.fwinst -+++ b/scripts/Makefile.fwinst -@@ -13,7 +13,7 @@ src := $(obj) - -include $(objtree)/.config - - include scripts/Kbuild.include --include $(src)/Makefile -+-include $(src)/Makefile - - include scripts/Makefile.host - diff --git a/debian/patches/debian/revert-gpu-host1x-add-iommu-support.patch b/debian/patches/debian/revert-gpu-host1x-add-iommu-support.patch index 8a0efca68..4fbb8dfc0 100644 --- a/debian/patches/debian/revert-gpu-host1x-add-iommu-support.patch +++ b/debian/patches/debian/revert-gpu-host1x-add-iommu-support.patch 
@@ -20,9 +20,10 @@ to avoid when combining the two address mapping APIs. But with XEN enabled and ARM_LPAE not enabled, as in the armmp config, dma_addr_t is 64-bit while phys_addr_t is 32-bit. -It also reverts the commit fea20995976f4b2e8968f852a18e280487d42f0d +It also reverts commit fea20995976f4b2e8968f852a18e280487d42f0d "gpu: host1x: Free the IOMMU domain when there is no device to attach" -which depends on it. +and commit 8b3f5ac6b55f5f3f60723a58f14ec235a5b8cfe +"gpu: host1x: Don't fail on NULL bo physical address" which depend on it. --- --- a/drivers/gpu/host1x/cdma.c @@ -327,7 +328,7 @@ which depends on it. job->num_unpins = 0; -@@ -191,16 +190,12 @@ static unsigned int pin_job(struct host1 +@@ -191,12 +190,12 @@ static unsigned int pin_job(struct host1 dma_addr_t phys_addr; reloc->target.bo = host1x_bo_get(reloc->target.bo); @@ -338,15 +339,12 @@ which depends on it. - } phys_addr = host1x_bo_pin(reloc->target.bo, &sgt); -- if (!phys_addr) { -- err = -EINVAL; + if (!phys_addr) - goto unpin; -- } ++ goto unpin; job->addr_phys[job->num_unpins] = phys_addr; job->unpins[job->num_unpins].bo = reloc->target.bo; -@@ -210,67 +205,28 @@ static unsigned int pin_job(struct host1 +@@ -206,63 +205,28 @@ static unsigned int pin_job(struct host1 for (i = 0; i < job->num_gathers; i++) { struct host1x_job_gather *g = &job->gathers[i]; @@ -366,12 +364,9 @@ which depends on it. - } phys_addr = host1x_bo_pin(g->bo, &sgt); -- if (!phys_addr) { -- err = -EINVAL; + if (!phys_addr) - goto unpin; -- } -- ++ goto unpin; + - if (!IS_ENABLED(CONFIG_TEGRA_HOST1X_FIREWALL) && host->domain) { - for_each_sg(sgt->sgl, sg, sgt->nents, j) - gather_size += sg->length; @@ -402,7 +397,7 @@ which depends on it. - } - - job->gather_addr_phys[i] = job->addr_phys[job->num_unpins]; - +- + job->addr_phys[job->num_unpins] = phys_addr; job->unpins[job->num_unpins].bo = g->bo; job->unpins[job->num_unpins].sgt = sgt; 
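Review bot: The commit id added to the patch description in the first hunk of this file, `8b3f5ac6b55f5f3f60723a58f14ec235a5b8cfe`, is 39 hex digits, whereas the `fea20995976f4b2e8968f852a18e280487d42f0d` reference just above it is a full 40-digit SHA-1. A character appears to have been lost when the id was pasted. It may still resolve as a prefix, but the header should carry the full id as `git rev-parse` prints it, so the second reverted commit can be identified unambiguously when this patch is next refreshed or dropped.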
@@ -419,7 +414,7 @@ which depends on it. } static int do_relocs(struct host1x_job *job, struct host1x_job_gather *g) -@@ -639,8 +595,8 @@ int host1x_job_pin(struct host1x_job *jo +@@ -631,8 +595,8 @@ int host1x_job_pin(struct host1x_job *jo host1x_syncpt_load(host->syncpt + i); /* pin memory */ @@ -430,7 +425,7 @@ which depends on it. goto out; if (IS_ENABLED(CONFIG_TEGRA_HOST1X_FIREWALL)) { -@@ -688,19 +644,11 @@ EXPORT_SYMBOL(host1x_job_pin); +@@ -680,19 +644,11 @@ EXPORT_SYMBOL(host1x_job_pin); void host1x_job_unpin(struct host1x_job *job) { diff --git a/debian/patches/debian/tools-perf-install.patch b/debian/patches/debian/tools-perf-install.patch index 5c5619971..d242c6e59 100644 --- a/debian/patches/debian/tools-perf-install.patch +++ b/debian/patches/debian/tools-perf-install.patch @@ -3,11 +3,11 @@ Date: Fri, 07 Oct 2011 21:37:52 +0100 Subject: Install perf scripts non-executable Forwarded: no -[bwh: Forward-ported to 3.12] +[bwh: Forward-ported to 4.13] --- a/tools/perf/Makefile.perf +++ b/tools/perf/Makefile.perf -@@ -677,8 +677,8 @@ endif +@@ -750,8 +750,8 @@ endif ifndef NO_LIBPERL $(call QUIET_INSTALL, perl-scripts) \ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/Perf-Trace-Util/lib/Perf/Trace'; \ @@ -18,7 +18,7 @@ Forwarded: no $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/bin'; \ $(INSTALL) scripts/perl/bin/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/bin' endif -@@ -686,23 +686,23 @@ ifndef NO_LIBPYTHON +@@ -759,27 +759,27 @@ ifndef NO_LIBPYTHON $(call QUIET_INSTALL, python-scripts) \ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/python/Perf-Trace-Util/lib/Perf/Trace'; \ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/python/bin'; \ 
@@ -43,8 +43,14 @@ Forwarded: no - $(INSTALL) tests/attr.py '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests'; \ + $(INSTALL) -m 644 tests/attr.py '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests'; \ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'; \ -- $(INSTALL) tests/attr/* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr' -+ $(INSTALL) -m 644 tests/attr/* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr' +- $(INSTALL) tests/attr/* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'; \ ++ $(INSTALL) -m 644 tests/attr/* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'; \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell'; \ +- $(INSTALL) tests/shell/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell'; \ ++ $(INSTALL) -m 644 tests/shell/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell'; \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/lib'; \ +- $(INSTALL) tests/shell/lib/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/lib' ++ $(INSTALL) -m 644 tests/shell/lib/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/lib' install-bin: install-tools install-tests install-traceevent-plugins diff --git a/debian/patches/debian/tools-perf-version.patch b/debian/patches/debian/tools-perf-version.patch index cb4bad671..4e99ee492 100644 --- a/debian/patches/debian/tools-perf-version.patch +++ b/debian/patches/debian/tools-perf-version.patch @@ -9,7 +9,7 @@ version-dependent name. And do the same for trace.] --- a/tools/perf/Makefile.perf +++ b/tools/perf/Makefile.perf -@@ -649,23 +649,23 @@ endif +@@ -721,23 +721,23 @@ endif install-tools: all install-gtk $(call QUIET_INSTALL, binaries) \ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(bindir_SQ)'; \ 
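Review bot: The two new install lines for `tests/shell/*.sh` and `tests/shell/lib/*.sh` get `-m 644` like the Perl and Python scripts, but nothing visible in this hunk shows whether perf runs them through an interpreter or by path. If `perf test` executes the installed shell tests directly, mode 644 would make them fail with a permission error, so the invocation should be checked before the execute bit is stripped. If they are executed by path, drop `-m 644` from the `tests/shell/*.sh` line and keep it on `tests/shell/lib/*.sh` only if those files are sourced rather than run. A sentence in the patch header recording which case was verified would help the next forward-port.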
@@ -39,7 +39,7 @@ version-dependent name. And do the same for trace.] $(call QUIET_INSTALL, perf-archive) \ $(INSTALL) $(OUTPUT)perf-archive -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)' $(call QUIET_INSTALL, perf-with-kcore) \ -@@ -692,7 +692,7 @@ ifndef NO_LIBPYTHON +@@ -765,7 +765,7 @@ ifndef NO_LIBPYTHON endif $(call QUIET_INSTALL, perf_completion-script) \ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d'; \ @@ -48,7 +48,7 @@ version-dependent name. And do the same for trace.] $(call QUIET_INSTALL, perf-tip) \ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(tip_instdir_SQ)'; \ $(INSTALL) Documentation/tips.txt -t '$(DESTDIR_SQ)$(tip_instdir_SQ)' -@@ -713,7 +713,7 @@ install-python_ext: +@@ -790,7 +790,7 @@ install-python_ext: # 'make install-doc' should call 'make -C Documentation install' $(INSTALL_DOC_TARGETS): @@ -80,11 +80,11 @@ version-dependent name. And do the same for trace.] -# $(INSTALL) -m 644 $(DOC_MAN7) $(DESTDIR)$(man7dir) + sed -e 's/"PERF\\-/"PERF_$(VERSION)\\-/' -e 's/fBperf-/fBperf_$(VERSION)-/g' $^ > $(DESTDIR)$(man1dir)/perf_$(VERSION)$*.1 - install-man: check-man-tools man + install-man: check-man-tools man do-install-man --- a/tools/perf/util/Build +++ b/tools/perf/util/Build -@@ -162,6 +162,7 @@ CFLAGS_rbtree.o += -Wno-unused-pa +@@ -179,6 +179,7 @@ CFLAGS_libstring.o += -Wno-unused-pa CFLAGS_hweight.o += -Wno-unused-parameter -DETC_PERFCONFIG="BUILD_STR($(ETC_PERFCONFIG_SQ))" CFLAGS_parse-events.o += -Wno-redundant-decls CFLAGS_header.o += -include $(OUTPUT)PERF-VERSION-FILE diff --git a/debian/patches/debian/version.patch b/debian/patches/debian/version.patch index 2c91d7886..9a9f43464 100644 --- a/debian/patches/debian/version.patch +++ b/debian/patches/debian/version.patch @@ -9,7 +9,7 @@ are set. --- a/Makefile +++ b/Makefile -@@ -1038,7 +1038,7 @@ endif +@@ -1055,7 +1055,7 @@ endif prepare2: prepare3 prepare-compiler-check outputmakefile asm-generic prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ 
@@ -18,7 +18,7 @@ are set. $(cmd_crmodverdir) archprepare: archheaders archscripts prepare1 scripts_basic -@@ -1099,6 +1099,16 @@ define filechk_version.h +@@ -1116,6 +1116,16 @@ define filechk_version.h echo '#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))';) endef @@ -35,7 +35,7 @@ are set. $(version_h): $(srctree)/Makefile FORCE $(call filechk,version.h) $(Q)rm -f $(old_version_h) -@@ -1106,6 +1116,9 @@ $(version_h): $(srctree)/Makefile FORCE +@@ -1123,6 +1133,9 @@ $(version_h): $(srctree)/Makefile FORCE include/generated/utsrelease.h: include/config/kernel.release FORCE $(call filechk,utsrelease.h) @@ -99,18 +99,18 @@ are set. #include #include -@@ -1366,8 +1367,9 @@ void show_regs(struct pt_regs * regs) +@@ -1382,8 +1383,9 @@ void show_regs(struct pt_regs * regs) - printk("NIP: "REG" LR: "REG" CTR: "REG"\n", + printk("NIP: "REG" LR: "REG" CTR: "REG"\n", regs->nip, regs->link, regs->ctr); - printk("REGS: %p TRAP: %04lx %s (%s)\n", - regs, regs->trap, print_tainted(), init_utsname()->release); + printk("REGS: %p TRAP: %04lx %s (%s%s)\n", + regs, regs->trap, print_tainted(), init_utsname()->release, + LINUX_PACKAGE_ID); - printk("MSR: "REG" ", regs->msr); + printk("MSR: "REG" ", regs->msr); print_msr_bits(regs->msr); - printk(" CR: %08lx XER: %08lx\n", regs->ccr, regs->xer); + pr_cont(" CR: %08lx XER: %08lx\n", regs->ccr, regs->xer); --- a/kernel/hung_task.c +++ b/kernel/hung_task.c @@ -20,6 +20,7 @@ @@ -121,7 +121,7 @@ are set. /* * The number of tasks checked: -@@ -113,10 +114,11 @@ static void check_hung_task(struct task_ +@@ -114,10 +115,11 @@ static void check_hung_task(struct task_ sysctl_hung_task_warnings--; pr_err("INFO: task %s:%d blocked for more than %ld seconds.\n", t->comm, t->pid, timeout); @@ -145,7 +145,7 @@ are set. #include #include -@@ -3086,11 +3087,12 @@ void __init dump_stack_set_arch_desc(con +@@ -3118,11 +3119,12 @@ void __init dump_stack_set_arch_desc(con */ void dump_stack_print_info(const char *log_lvl) { 
diff --git a/debian/patches/features/all/aufs4/aufs4-base.patch b/debian/patches/features/all/aufs4/aufs4-base.patch index 49b54231a..6c156363b 100644 --- a/debian/patches/features/all/aufs4/aufs4-base.patch +++ b/debian/patches/features/all/aufs4/aufs4-base.patch @@ -1,7 +1,7 @@ From: J. R. Okajima -Date: Fri Aug 25 18:02:16 2017 +0900 +Date: Thu Sep 28 22:42:44 2017 +0900 Subject: aufs4.x-rcN base patch -Origin: https://github.com/sfjro/aufs4-standalone/tree/9aa6b2e732a0ae7057e247cabc7bd6869714e8a3 +Origin: https://github.com/sfjro/aufs4-standalone/tree/2fd397407f9d85de19dd837bc1a48b3872582366 Bug-Debian: https://bugs.debian.org/541828 Patch headers added by debian/patches/features/all/aufs4/gen-patch @@ -9,10 +9,10 @@ Patch headers added by debian/patches/features/all/aufs4/gen-patch aufs4.x-rcN base patch diff --git a/MAINTAINERS b/MAINTAINERS -index 6f7721d..b320f68 100644 +index 6671f37..2cadb88 100644 --- a/MAINTAINERS +++ b/MAINTAINERS -@@ -2392,6 +2392,19 @@ F: include/linux/audit.h +@@ -2465,6 +2465,19 @@ F: include/linux/audit.h F: include/uapi/linux/audit.h F: kernel/audit* @@ -33,10 +33,10 @@ index 6f7721d..b320f68 100644 M: Miguel Ojeda Sandonis W: http://miguelojeda.es/auxdisplay.htm diff --git a/drivers/block/loop.c b/drivers/block/loop.c -index ef83349..4551210 100644 +index 85de673..d44de9d 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c -@@ -707,6 +707,24 @@ static inline int is_loop_device(struct file *file) +@@ -686,6 +686,24 @@ static inline int is_loop_device(struct file *file) return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR; } @@ -75,7 +75,7 @@ index f901413..e3719a5 100644 void (*finish)(void *)) { diff --git a/fs/fcntl.c b/fs/fcntl.c -index 3b01b64..659760e 100644 +index 448a111..f51c2cf 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -31,7 +31,7 @@ @@ -97,10 +97,10 @@ index 3b01b64..659760e 100644 return error; diff --git a/fs/inode.c b/fs/inode.c -index 5037059..73820bf 100644 +index d1e35b5..f7800d6 100644 
--- a/fs/inode.c +++ b/fs/inode.c -@@ -1641,7 +1641,7 @@ EXPORT_SYMBOL(generic_update_time); +@@ -1655,7 +1655,7 @@ EXPORT_SYMBOL(generic_update_time); * This does the actual work of updating an inodes time or version. Must have * had called mnt_want_write() before calling this. */ @@ -109,13 +109,30 @@ index 5037059..73820bf 100644 { int (*update_time)(struct inode *, struct timespec *, int); +diff --git a/fs/namespace.c b/fs/namespace.c +index 54059b1..4f508a1 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -844,6 +844,12 @@ static inline int check_mnt(struct mount *mnt) + return mnt->mnt_ns == current->nsproxy->mnt_ns; + } + ++/* for aufs, CONFIG_AUFS_BR_FUSE */ ++int is_current_mnt_ns(struct vfsmount *mnt) ++{ ++ return check_mnt(real_mount(mnt)); ++} ++ + /* + * vfsmount lock must be held for write + */ diff --git a/fs/read_write.c b/fs/read_write.c -index 0cc7033..6e542f0 100644 +index a2b9a47..cfd7de4 100644 --- a/fs/read_write.c +++ b/fs/read_write.c -@@ -473,6 +473,28 @@ ssize_t __vfs_write(struct file *file, const char __user *p, size_t count, +@@ -483,6 +483,28 @@ ssize_t __vfs_write(struct file *file, const char __user *p, size_t count, + return -EINVAL; } - EXPORT_SYMBOL(__vfs_write); +vfs_readf_t vfs_readf(struct file *file) +{ @@ -139,14 +156,14 @@ index 0cc7033..6e542f0 100644 + return ERR_PTR(-ENOSYS); +} + - ssize_t __kernel_write(struct file *file, const char *buf, size_t count, loff_t *pos) + ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos) { mm_segment_t old_fs; diff --git a/fs/splice.c b/fs/splice.c -index ae41201..9753304 100644 +index f3084cc..eb888c6 100644 --- a/fs/splice.c +++ b/fs/splice.c -@@ -853,8 +853,8 @@ EXPORT_SYMBOL(generic_splice_sendpage); +@@ -837,8 +837,8 @@ EXPORT_SYMBOL(generic_splice_sendpage); /* * Attempt to initiate a splice from pipe to file. */ 
@@ -157,7 +174,7 @@ index ae41201..9753304 100644 { ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int); -@@ -870,9 +870,9 @@ static long do_splice_from(struct pipe_inode_info *pipe, struct file *out, +@@ -854,9 +854,9 @@ static long do_splice_from(struct pipe_inode_info *pipe, struct file *out, /* * Attempt to initiate a splice from a file to a pipe. */ @@ -171,7 +188,7 @@ index ae41201..9753304 100644 ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int); diff --git a/fs/sync.c b/fs/sync.c -index 2a54c1f..7a5fa3f 100644 +index a576aa2..eb61780 100644 --- a/fs/sync.c +++ b/fs/sync.c @@ -27,7 +27,7 @@ @@ -196,10 +213,10 @@ index 61eb82c..e700888 100644 static inline void fput_light(struct file *file, int fput_needed) { diff --git a/include/linux/fs.h b/include/linux/fs.h -index 6e1fd5d..9421ed0 100644 +index 339e737..b024533 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h -@@ -1262,6 +1262,7 @@ extern void fasync_free(struct fasync_struct *); +@@ -1264,6 +1264,7 @@ extern void fasync_free(struct fasync_struct *); /* can be called from interrupts */ extern void kill_fasync(struct fasync_struct **, int, int); @@ -207,7 +224,7 @@ index 6e1fd5d..9421ed0 100644 extern void __f_setown(struct file *filp, struct pid *, enum pid_type, int force); extern int f_setown(struct file *filp, unsigned long arg, int force); extern void f_delown(struct file *filp); -@@ -1683,6 +1684,7 @@ struct file_operations { +@@ -1710,6 +1711,7 @@ struct file_operations { ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int); unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long); int (*check_flags)(int); 
@@ -215,7 +232,7 @@ index 6e1fd5d..9421ed0 100644 int (*flock) (struct file *, int, struct file_lock *); ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int); ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int); -@@ -1753,6 +1755,12 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector, +@@ -1780,6 +1782,12 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector, struct iovec *fast_pointer, struct iovec **ret_pointer); @@ -226,9 +243,9 @@ index 6e1fd5d..9421ed0 100644 +vfs_writef_t vfs_writef(struct file *file); + extern ssize_t __vfs_read(struct file *, char __user *, size_t, loff_t *); - extern ssize_t __vfs_write(struct file *, const char __user *, size_t, loff_t *); extern ssize_t vfs_read(struct file *, char __user *, size_t, loff_t *); -@@ -2157,6 +2165,7 @@ extern int current_umask(void); + extern ssize_t vfs_write(struct file *, const char __user *, size_t, loff_t *); +@@ -2182,6 +2190,7 @@ extern int current_umask(void); extern void ihold(struct inode * inode); extern void iput(struct inode *); extern int generic_update_time(struct inode *, struct timespec *, int); @@ -236,7 +253,7 @@ index 6e1fd5d..9421ed0 100644 /* /sys/fs */ extern struct kobject *fs_kobj; -@@ -2437,6 +2446,7 @@ static inline bool sb_is_blkdev_sb(struct super_block *sb) +@@ -2462,6 +2471,7 @@ static inline bool sb_is_blkdev_sb(struct super_block *sb) return false; } #endif 
@@ -244,6 +261,25 @@ index 6e1fd5d..9421ed0 100644 extern int sync_filesystem(struct super_block *); extern const struct file_operations def_blk_fops; extern const struct file_operations def_chr_fops; +diff --git a/include/linux/mnt_namespace.h b/include/linux/mnt_namespace.h +index 12b2ab5..8b810d1 100644 +--- a/include/linux/mnt_namespace.h ++++ b/include/linux/mnt_namespace.h +@@ -5,11 +5,14 @@ + struct mnt_namespace; + struct fs_struct; + struct user_namespace; ++struct vfsmount; + + extern struct mnt_namespace *copy_mnt_ns(unsigned long, struct mnt_namespace *, + struct user_namespace *, struct fs_struct *); + extern void put_mnt_ns(struct mnt_namespace *ns); + ++extern int is_current_mnt_ns(struct vfsmount *mnt); ++ + extern const struct file_operations proc_mounts_operations; + extern const struct file_operations proc_mountinfo_operations; + extern const struct file_operations proc_mountstats_operations; diff --git a/include/linux/splice.h b/include/linux/splice.h index db42746..12f3a5a 100644 --- a/include/linux/splice.h diff --git a/debian/patches/features/all/aufs4/aufs4-mmap.patch b/debian/patches/features/all/aufs4/aufs4-mmap.patch index 93d5bd778..177ca74e5 100644 --- a/debian/patches/features/all/aufs4/aufs4-mmap.patch +++ b/debian/patches/features/all/aufs4/aufs4-mmap.patch @@ -1,7 +1,7 @@ From: J. R. Okajima -Date: Fri Aug 25 18:02:16 2017 +0900 +Date: Fri Sep 22 11:57:33 2017 +0900 Subject: aufs4.x-rcN mmap patch -Origin: https://github.com/sfjro/aufs4-standalone/tree/9aa6b2e732a0ae7057e247cabc7bd6869714e8a3 +Origin: https://github.com/sfjro/aufs4-standalone/tree/2fd397407f9d85de19dd837bc1a48b3872582366 Bug-Debian: https://bugs.debian.org/541828 Patch headers added by debian/patches/features/all/aufs4/gen-patch @@ -9,10 +9,10 @@ Patch headers added by debian/patches/features/all/aufs4/gen-patch aufs4.x-rcN mmap patch diff --git a/fs/proc/base.c b/fs/proc/base.c -index 719c2e9..a1b7968 100644 +index ad3b076..ad4a50d 100644 --- a/fs/proc/base.c 
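Review bot: The `extern int is_current_mnt_ns(struct vfsmount *mnt);` declaration added to include/linux/mnt_namespace.h has no comment stating its return convention or calling context. Judging from the definition shown in the standalone patch on this page (`return check_mnt(real_mount(mnt));`), it appears to be a yes/no test of whether the mount belongs to the caller's mount namespace. A one-line comment above the declaration, such as `/* nonzero if @mnt is in the calling task's mount namespace */`, would keep module authors from treating the `int` result as an errno. Whether a lock must be held around the call cannot be told from these lines and is worth stating as well.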
+++ b/fs/proc/base.c -@@ -1986,7 +1986,7 @@ static int map_files_get_link(struct dentry *dentry, struct path *path) +@@ -1987,7 +1987,7 @@ static int map_files_get_link(struct dentry *dentry, struct path *path) down_read(&mm->mmap_sem); vma = find_exact_vma(mm, vm_start, vm_end); if (vma && vma->vm_file) { @@ -38,10 +38,10 @@ index 7563437..7c0dc0f 100644 ino = inode->i_ino; } diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index fe8f326..b2f7f1a 100644 +index 5589b4b..f60aea2 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c -@@ -293,7 +293,10 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid) +@@ -309,7 +309,10 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid) const char *name = NULL; if (file) { @@ -53,7 +53,7 @@ index fe8f326..b2f7f1a 100644 dev = inode->i_sb->s_dev; ino = inode->i_ino; pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT; -@@ -1640,7 +1643,7 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) +@@ -1734,7 +1737,7 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) struct proc_maps_private *proc_priv = &numa_priv->proc_maps; struct vm_area_struct *vma = v; struct numa_maps *md = &numa_priv->md; @@ -63,10 +63,10 @@ index fe8f326..b2f7f1a 100644 struct mm_walk walk = { .hugetlb_entry = gather_hugetlb_stats, diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c -index 23266694..58e59b6 100644 +index b00b7660..93e8a86 100644 --- a/fs/proc/task_nommu.c +++ b/fs/proc/task_nommu.c -@@ -157,7 +157,10 @@ static int nommu_vma_show(struct seq_file *m, struct vm_area_struct *vma, +@@ -155,7 +155,10 @@ static int nommu_vma_show(struct seq_file *m, struct vm_area_struct *vma, file = vma->vm_file; if (file) { @@ -79,10 +79,10 @@ index 23266694..58e59b6 100644 ino = inode->i_ino; pgoff = (loff_t)vma->vm_pgoff << PAGE_SHIFT; diff --git a/include/linux/mm.h b/include/linux/mm.h -index 46b9ac5..62ba1c3 100644 +index f8c10d3..7241686 100644 --- a/include/linux/mm.h 
+++ b/include/linux/mm.h -@@ -1306,6 +1306,28 @@ static inline int fixup_user_fault(struct task_struct *tsk, +@@ -1348,6 +1348,28 @@ static inline int fixup_user_fault(struct task_struct *tsk, } #endif @@ -112,10 +112,10 @@ index 46b9ac5..62ba1c3 100644 unsigned int gup_flags); extern int access_remote_vm(struct mm_struct *mm, unsigned long addr, diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index 3cadee0..d0142c1 100644 +index 46f4ecf5..1340df3 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h -@@ -259,6 +259,7 @@ struct vm_region { +@@ -260,6 +260,7 @@ struct vm_region { unsigned long vm_top; /* region allocated to here */ unsigned long vm_pgoff; /* the offset in vm_file corresponding to vm_start */ struct file *vm_file; /* the backing file or NULL */ @@ -123,19 +123,19 @@ index 3cadee0..d0142c1 100644 int vm_usage; /* region usage count (access under nommu_region_sem) */ bool vm_icache_flushed : 1; /* true if the icache has been flushed for -@@ -333,6 +334,7 @@ struct vm_area_struct { +@@ -334,6 +335,7 @@ struct vm_area_struct { unsigned long vm_pgoff; /* Offset (within vm_file) in PAGE_SIZE units */ struct file * vm_file; /* File we map to (can be NULL). */ + struct file *vm_prfile; /* shadow of vm_file */ void * vm_private_data; /* was vm_pte (shared mem) */ - #ifndef CONFIG_MMU + atomic_long_t swap_readahead_info; diff --git a/kernel/fork.c b/kernel/fork.c -index e075b77..af14572 100644 +index 1064618..8937405 100644 --- a/kernel/fork.c +++ b/kernel/fork.c -@@ -663,7 +663,7 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, +@@ -672,7 +672,7 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, struct inode *inode = file_inode(file); struct address_space *mapping = file->f_mapping; @@ -145,7 +145,7 @@ index e075b77..af14572 100644 atomic_dec(&inode->i_writecount); i_mmap_lock_write(mapping); diff --git a/mm/Makefile b/mm/Makefile -index 411bd24..e7de927 100644 +index e3ac3ae..745b26c 100644 
--- a/mm/Makefile +++ b/mm/Makefile @@ -39,7 +39,7 @@ obj-y := filemap.o mempool.o oom_kill.o \ @@ -158,10 +158,10 @@ index 411bd24..e7de927 100644 obj-y += init-mm.o diff --git a/mm/filemap.c b/mm/filemap.c -index a497024..9389040 100644 +index 870971e..045dd0e 100644 --- a/mm/filemap.c +++ b/mm/filemap.c -@@ -2541,7 +2541,7 @@ int filemap_page_mkwrite(struct vm_fault *vmf) +@@ -2582,7 +2582,7 @@ int filemap_page_mkwrite(struct vm_fault *vmf) int ret = VM_FAULT_LOCKED; sb_start_pagefault(inode->i_sb); @@ -171,10 +171,10 @@ index a497024..9389040 100644 if (page->mapping != inode->i_mapping) { unlock_page(page); diff --git a/mm/mmap.c b/mm/mmap.c -index f19efcf..7fdd59e 100644 +index 680506f..081406a 100644 --- a/mm/mmap.c +++ b/mm/mmap.c -@@ -170,7 +170,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) +@@ -171,7 +171,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) if (vma->vm_ops && vma->vm_ops->close) vma->vm_ops->close(vma); if (vma->vm_file) @@ -183,7 +183,7 @@ index f19efcf..7fdd59e 100644 mpol_put(vma_policy(vma)); kmem_cache_free(vm_area_cachep, vma); return next; -@@ -895,7 +895,7 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, +@@ -896,7 +896,7 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, if (remove_next) { if (file) { uprobe_munmap(next, next->vm_start, next->vm_end); @@ -192,7 +192,7 @@ index f19efcf..7fdd59e 100644 } if (next->anon_vma) anon_vma_merge(vma, next); -@@ -1745,8 +1745,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1746,8 +1746,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, return addr; unmap_and_free_vma: 
@@ -202,7 +202,7 @@ index f19efcf..7fdd59e 100644 /* Undo any partial mapping done by a device driver. */ unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); -@@ -2568,7 +2568,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2569,7 +2569,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, goto out_free_mpol; if (new->vm_file) @@ -211,7 +211,7 @@ index f19efcf..7fdd59e 100644 if (new->vm_ops && new->vm_ops->open) new->vm_ops->open(new); -@@ -2587,7 +2587,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2588,7 +2588,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, if (new->vm_ops && new->vm_ops->close) new->vm_ops->close(new); if (new->vm_file) @@ -220,7 +220,7 @@ index f19efcf..7fdd59e 100644 unlink_anon_vmas(new); out_free_mpol: mpol_put(vma_policy(new)); -@@ -2741,7 +2741,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, +@@ -2750,7 +2750,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, struct vm_area_struct *vma; unsigned long populate = 0; unsigned long ret = -EINVAL; @@ -229,7 +229,7 @@ index f19efcf..7fdd59e 100644 pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.\n", current->comm, current->pid); -@@ -2816,10 +2816,27 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, +@@ -2825,10 +2825,27 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, } } @@ -258,7 +258,7 @@ index f19efcf..7fdd59e 100644 out: up_write(&mm->mmap_sem); if (populate) -@@ -3110,7 +3127,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -3136,7 +3153,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, if (anon_vma_clone(new_vma, vma)) goto out_free_mempol; if (new_vma->vm_file) 
@@ -268,7 +268,7 @@ index f19efcf..7fdd59e 100644 new_vma->vm_ops->open(new_vma); vma_link(mm, new_vma, prev, rb_link, rb_parent); diff --git a/mm/nommu.c b/mm/nommu.c -index fc184f5..637ea81 100644 +index 17c00d9..4bcdf94 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -641,7 +641,7 @@ static void __put_nommu_region(struct vm_region *region) @@ -289,7 +289,7 @@ index fc184f5..637ea81 100644 put_nommu_region(vma->vm_region); kmem_cache_free(vm_area_cachep, vma); } -@@ -1326,7 +1326,7 @@ unsigned long do_mmap(struct file *file, +@@ -1321,7 +1321,7 @@ unsigned long do_mmap(struct file *file, goto error_just_free; } } @@ -298,7 +298,7 @@ index fc184f5..637ea81 100644 kmem_cache_free(vm_region_jar, region); region = pregion; result = start; -@@ -1401,10 +1401,10 @@ unsigned long do_mmap(struct file *file, +@@ -1396,10 +1396,10 @@ unsigned long do_mmap(struct file *file, up_write(&nommu_region_sem); error: if (region->vm_file) diff --git a/debian/patches/features/all/aufs4/aufs4-standalone.patch b/debian/patches/features/all/aufs4/aufs4-standalone.patch index 7fe91ea4e..09a6100b6 100644 --- a/debian/patches/features/all/aufs4/aufs4-standalone.patch +++ b/debian/patches/features/all/aufs4/aufs4-standalone.patch @@ -1,7 +1,7 @@ From: J. R. Okajima -Date: Fri Aug 25 18:02:16 2017 +0900 +Date: Thu Sep 28 22:42:44 2017 +0900 Subject: aufs4.x-rcN standalone patch -Origin: https://github.com/sfjro/aufs4-standalone/tree/9aa6b2e732a0ae7057e247cabc7bd6869714e8a3 +Origin: https://github.com/sfjro/aufs4-standalone/tree/2fd397407f9d85de19dd837bc1a48b3872582366 Bug-Debian: https://bugs.debian.org/541828 Patch headers added by debian/patches/features/all/aufs4/gen-patch @@ -29,7 +29,7 @@ index e3719a5..3203470 100644 /** * d_ancestor - search for an ancestor diff --git a/fs/exec.c b/fs/exec.c -index 62175cb..f0b6fdd 100644 +index ac34d97..f42757e 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -109,6 +109,7 @@ bool path_noexec(const struct path *path) 
@@ -41,7 +41,7 @@ index 62175cb..f0b6fdd 100644 #ifdef CONFIG_USELIB /* diff --git a/fs/fcntl.c b/fs/fcntl.c -index 659760e..5c37087 100644 +index f51c2cf..58bf222 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -84,6 +84,7 @@ int setfl(int fd, struct file * filp, unsigned long arg) @@ -53,7 +53,7 @@ index 659760e..5c37087 100644 static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, int force) diff --git a/fs/file_table.c b/fs/file_table.c -index 72e861a..01ae52f 100644 +index 61517f5..c6bab39c 100644 --- a/fs/file_table.c +++ b/fs/file_table.c @@ -148,6 +148,7 @@ struct file *get_empty_filp(void) @@ -64,7 +64,7 @@ index 72e861a..01ae52f 100644 /** * alloc_file - allocate and initialize a 'struct file' -@@ -260,6 +261,7 @@ void flush_delayed_fput(void) +@@ -258,6 +259,7 @@ void flush_delayed_fput(void) { delayed_fput(NULL); } @@ -72,7 +72,7 @@ index 72e861a..01ae52f 100644 static DECLARE_DELAYED_WORK(delayed_fput_work, delayed_fput); -@@ -302,6 +304,7 @@ void __fput_sync(struct file *file) +@@ -300,6 +302,7 @@ void __fput_sync(struct file *file) } EXPORT_SYMBOL(fput); @@ -80,19 +80,19 @@ index 72e861a..01ae52f 100644 void put_filp(struct file *file) { -@@ -310,6 +313,7 @@ void put_filp(struct file *file) +@@ -308,6 +311,7 @@ void put_filp(struct file *file) file_free(file); } } +EXPORT_SYMBOL_GPL(put_filp); void __init files_init(void) - { + { diff --git a/fs/inode.c b/fs/inode.c -index 73820bf..7db829e 100644 +index f7800d6..f31a6c7 100644 --- a/fs/inode.c +++ b/fs/inode.c -@@ -1650,6 +1650,7 @@ int update_time(struct inode *inode, struct timespec *time, int flags) +@@ -1664,6 +1664,7 @@ int update_time(struct inode *inode, struct timespec *time, int flags) return update_time(inode, time, flags); } @@ -101,10 +101,10 @@ index 73820bf..7db829e 100644 /** * touch_atime - update the access time diff --git a/fs/namespace.c b/fs/namespace.c -index f8893dc..c55d949 100644 +index 4f508a1..c872ba2 100644 --- a/fs/namespace.c 
+++ b/fs/namespace.c -@@ -463,6 +463,7 @@ void __mnt_drop_write(struct vfsmount *mnt) +@@ -515,6 +515,7 @@ void __mnt_drop_write(struct vfsmount *mnt) mnt_dec_writers(real_mount(mnt)); preempt_enable(); } @@ -112,7 +112,15 @@ index f8893dc..c55d949 100644 /** * mnt_drop_write - give up write access to a mount -@@ -1823,6 +1824,7 @@ int iterate_mounts(int (*f)(struct vfsmount *, void *), void *arg, +@@ -849,6 +850,7 @@ int is_current_mnt_ns(struct vfsmount *mnt) + { + return check_mnt(real_mount(mnt)); + } ++EXPORT_SYMBOL_GPL(is_current_mnt_ns); + + /* + * vfsmount lock must be held for write +@@ -1885,6 +1887,7 @@ int iterate_mounts(int (*f)(struct vfsmount *, void *), void *arg, } return 0; } @@ -193,7 +201,7 @@ index 9991f88..117042c 100644 /* * Destroy all marks in destroy_list, waits for SRCU period to finish before diff --git a/fs/open.c b/fs/open.c -index 35bb784..92e08c5 100644 +index 7ea1184..6e2e241 100644 --- a/fs/open.c +++ b/fs/open.c @@ -64,6 +64,7 @@ int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs, @@ -213,10 +221,18 @@ index 35bb784..92e08c5 100644 static int do_dentry_open(struct file *f, struct inode *inode, diff --git a/fs/read_write.c b/fs/read_write.c -index 6e542f0..c6fa090 100644 +index cfd7de4..8623bd3 100644 --- a/fs/read_write.c +++ b/fs/read_write.c -@@ -483,6 +483,7 @@ vfs_readf_t vfs_readf(struct file *file) +@@ -453,6 +453,7 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos) + + return ret; + } ++EXPORT_SYMBOL_GPL(vfs_read); + + static ssize_t new_sync_write(struct file *filp, const char __user *buf, size_t len, loff_t *ppos) + { +@@ -493,6 +494,7 @@ vfs_readf_t vfs_readf(struct file *file) return new_sync_read; return ERR_PTR(-ENOSYS); } 
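Review bot: The refreshed aufs4-standalone.patch gains three exports the previous version did not have, and neither the patch header nor the changelog entry explains them: `EXPORT_SYMBOL_GPL(is_current_mnt_ns)` in fs/namespace.c and `EXPORT_SYMBOL_GPL(vfs_read)` in fs/read_write.c here, plus `EXPORT_SYMBOL_GPL(vfs_write)` in the next hunk. `vfs_read` and `vfs_write` take `__user` buffers, so a module calling them on kernel memory has to override the address limit first. Presumably the 4.14 base stopped exporting them for that reason, and re-exporting makes them available to every GPL module, not only aufs. I would add a header line such as `Exports vfs_read/vfs_write/is_current_mnt_ns for aufs only: <reason kernel_read()/kernel_write() do not suffice>` and confirm with the aufs maintainer whether the `kernel_read`/`kernel_write` helpers can be used instead. The bodies of the exported functions lie outside these hunks.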
@@ -224,19 +240,27 @@ index 6e542f0..c6fa090 100644 vfs_writef_t vfs_writef(struct file *file) { -@@ -494,6 +495,7 @@ vfs_writef_t vfs_writef(struct file *file) +@@ -504,6 +506,7 @@ vfs_writef_t vfs_writef(struct file *file) return new_sync_write; return ERR_PTR(-ENOSYS); } +EXPORT_SYMBOL_GPL(vfs_writef); - ssize_t __kernel_write(struct file *file, const char *buf, size_t count, loff_t *pos) + ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos) + { +@@ -573,6 +576,7 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_ + + return ret; + } ++EXPORT_SYMBOL_GPL(vfs_write); + + static inline loff_t file_pos_read(struct file *file) { diff --git a/fs/splice.c b/fs/splice.c -index 9753304..b38e036 100644 +index eb888c6..7ab89d2 100644 --- a/fs/splice.c +++ b/fs/splice.c -@@ -866,6 +866,7 @@ long do_splice_from(struct pipe_inode_info *pipe, struct file *out, +@@ -850,6 +850,7 @@ long do_splice_from(struct pipe_inode_info *pipe, struct file *out, return splice_write(pipe, out, ppos, len, flags); } @@ -244,7 +268,7 @@ index 9753304..b38e036 100644 /* * Attempt to initiate a splice from a file to a pipe. -@@ -895,6 +896,7 @@ long do_splice_to(struct file *in, loff_t *ppos, +@@ -879,6 +880,7 @@ long do_splice_to(struct file *in, loff_t *ppos, return splice_read(in, ppos, pipe, len, flags); } @@ -253,7 +277,7 @@ index 9753304..b38e036 100644 /** * splice_direct_to_actor - splices data directly between two non-pipes diff --git a/fs/sync.c b/fs/sync.c -index 7a5fa3f..c9b9d46 100644 +index eb61780..32c5a05 100644 --- a/fs/sync.c +++ b/fs/sync.c @@ -38,6 +38,7 @@ int __sync_filesystem(struct super_block *sb, int wait) @@ -265,10 +289,10 @@ index 7a5fa3f..c9b9d46 100644 /* * Write out and wait upon all dirty data associated with this diff --git a/fs/xattr.c b/fs/xattr.c -index 464c94b..0234d49 100644 +index 4424f7f..15431ff 100644 --- a/fs/xattr.c 
+++ b/fs/xattr.c -@@ -296,6 +296,7 @@ vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value, +@@ -297,6 +297,7 @@ vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value, *xattr_value = value; return error; } @@ -277,19 +301,19 @@ index 464c94b..0234d49 100644 ssize_t __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name, diff --git a/kernel/task_work.c b/kernel/task_work.c -index d513051..e056d54 100644 +index 836a72a..aa00d49 100644 --- a/kernel/task_work.c +++ b/kernel/task_work.c -@@ -119,3 +119,4 @@ void task_work_run(void) +@@ -115,3 +115,4 @@ void task_work_run(void) } while (work); } } +EXPORT_SYMBOL_GPL(task_work_run); diff --git a/security/commoncap.c b/security/commoncap.c -index 7abebd7..c079ce4 100644 +index c25e0d2..9551659 100644 --- a/security/commoncap.c +++ b/security/commoncap.c -@@ -1062,12 +1062,14 @@ int cap_mmap_addr(unsigned long addr) +@@ -1269,12 +1269,14 @@ int cap_mmap_addr(unsigned long addr) } return ret; } @@ -325,10 +349,10 @@ index 03c1652..f88c84b 100644 int devcgroup_inode_mknod(int mode, dev_t dev) { diff --git a/security/security.c b/security/security.c -index 3013237..342ce8b 100644 +index 4bf0f57..b30d1e1 100644 --- a/security/security.c +++ b/security/security.c -@@ -535,6 +535,7 @@ int security_path_rmdir(const struct path *dir, struct dentry *dentry) +@@ -530,6 +530,7 @@ int security_path_rmdir(const struct path *dir, struct dentry *dentry) return 0; return call_int_hook(path_rmdir, 0, dir, dentry); } @@ -336,7 +360,7 @@ index 3013237..342ce8b 100644 int security_path_unlink(const struct path *dir, struct dentry *dentry) { -@@ -551,6 +552,7 @@ int security_path_symlink(const struct path *dir, struct dentry *dentry, +@@ -546,6 +547,7 @@ int security_path_symlink(const struct path *dir, struct dentry *dentry, return 0; return call_int_hook(path_symlink, 0, dir, dentry, old_name); } 
@@ -344,7 +368,7 @@ index 3013237..342ce8b 100644 int security_path_link(struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry) -@@ -559,6 +561,7 @@ int security_path_link(struct dentry *old_dentry, const struct path *new_dir, +@@ -554,6 +556,7 @@ int security_path_link(struct dentry *old_dentry, const struct path *new_dir, return 0; return call_int_hook(path_link, 0, old_dentry, new_dir, new_dentry); } @@ -352,7 +376,7 @@ index 3013237..342ce8b 100644 int security_path_rename(const struct path *old_dir, struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry, -@@ -586,6 +589,7 @@ int security_path_truncate(const struct path *path) +@@ -581,6 +584,7 @@ int security_path_truncate(const struct path *path) return 0; return call_int_hook(path_truncate, 0, path); } @@ -360,7 +384,7 @@ index 3013237..342ce8b 100644 int security_path_chmod(const struct path *path, umode_t mode) { -@@ -593,6 +597,7 @@ int security_path_chmod(const struct path *path, umode_t mode) +@@ -588,6 +592,7 @@ int security_path_chmod(const struct path *path, umode_t mode) return 0; return call_int_hook(path_chmod, 0, path, mode); } @@ -368,7 +392,7 @@ index 3013237..342ce8b 100644 int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid) { -@@ -600,6 +605,7 @@ int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid) +@@ -595,6 +600,7 @@ int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid) return 0; return call_int_hook(path_chown, 0, path, uid, gid); } @@ -376,7 +400,7 @@ index 3013237..342ce8b 100644 int security_path_chroot(const struct path *path) { -@@ -685,6 +691,7 @@ int security_inode_readlink(struct dentry *dentry) +@@ -680,6 +686,7 @@ int security_inode_readlink(struct dentry *dentry) return 0; return call_int_hook(inode_readlink, 0, dentry); } 
@@ -384,7 +408,7 @@ index 3013237..342ce8b 100644 int security_inode_follow_link(struct dentry *dentry, struct inode *inode, bool rcu) -@@ -700,6 +707,7 @@ int security_inode_permission(struct inode *inode, int mask) +@@ -695,6 +702,7 @@ int security_inode_permission(struct inode *inode, int mask) return 0; return call_int_hook(inode_permission, 0, inode, mask); } @@ -392,7 +416,7 @@ index 3013237..342ce8b 100644 int security_inode_setattr(struct dentry *dentry, struct iattr *attr) { -@@ -871,6 +879,7 @@ int security_file_permission(struct file *file, int mask) +@@ -866,6 +874,7 @@ int security_file_permission(struct file *file, int mask) return fsnotify_perm(file, mask); } @@ -400,7 +424,7 @@ index 3013237..342ce8b 100644 int security_file_alloc(struct file *file) { -@@ -930,6 +939,7 @@ int security_mmap_file(struct file *file, unsigned long prot, +@@ -925,6 +934,7 @@ int security_mmap_file(struct file *file, unsigned long prot, return ret; return ima_file_mmap(file, prot); } diff --git a/debian/patches/features/all/lockdown/0039-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/debian/patches/features/all/lockdown/0039-Add-the-ability-to-lock-down-access-to-the-running-k.patch index ece981a25..7134fd6cf 100644 --- a/debian/patches/features/all/lockdown/0039-Add-the-ability-to-lock-down-access-to-the-running-k.patch +++ b/debian/patches/features/all/lockdown/0039-Add-the-ability-to-lock-down-access-to-the-running-k.patch @@ -20,13 +20,11 @@ Signed-off-by: David Howells 5 files changed, 78 insertions(+) create mode 100644 security/lock_down.c -diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 4c26dc3a8295..b820a80dc949 100644 --- a/include/linux/kernel.h 
+++ b/include/linux/kernel.h -@@ -275,6 +275,15 @@ extern int oops_may_print(void); - void do_exit(long error_code) __noreturn; - void complete_and_exit(struct completion *, long) __noreturn; +@@ -287,6 +287,15 @@ static inline void refcount_error_report + { } + #endif +#ifdef CONFIG_LOCK_DOWN_KERNEL +extern bool kernel_is_locked_down(void); @@ -40,11 +38,9 @@ index 4c26dc3a8295..b820a80dc949 100644 /* Internal, do not use. */ int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); int __must_check _kstrtol(const char *s, unsigned int base, long *res); -diff --git a/include/linux/security.h b/include/linux/security.h -index af675b576645..68bab18ddd57 100644 --- a/include/linux/security.h +++ b/include/linux/security.h -@@ -1698,5 +1698,16 @@ static inline void free_secdata(void *secdata) +@@ -1753,5 +1753,16 @@ static inline void free_secdata(void *se { } #endif /* CONFIG_SECURITY */ @@ -61,11 +57,9 @@ index af675b576645..68bab18ddd57 100644 + #endif /* ! __LINUX_SECURITY_H */ -diff --git a/security/Kconfig b/security/Kconfig -index 3ff1bf91080e..e3830171bdcb 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -198,6 +198,21 @@ config STATIC_USERMODEHELPER_PATH +@@ -214,6 +214,21 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). @@ -87,20 +81,15 @@ index 3ff1bf91080e..e3830171bdcb 100644 source security/selinux/Kconfig source security/smack/Kconfig source security/tomoyo/Kconfig -diff --git a/security/Makefile b/security/Makefile -index f2d71cdb8e19..8c4a43e3d4e0 100644 --- a/security/Makefile 
+++ b/security/Makefile -@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o +@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c # Object integrity file lists subdir-$(CONFIG_INTEGRITY) += integrity obj-$(CONFIG_INTEGRITY) += integrity/ + +# Allow the kernel to be locked down +obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o -diff --git a/security/lock_down.c b/security/lock_down.c -new file mode 100644 -index 000000000000..5788c60ff4e1 --- /dev/null +++ b/security/lock_down.c @@ -0,0 +1,40 @@ diff --git a/debian/patches/features/all/lockdown/0040-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/0040-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch index 7bc8d5a5c..a1ad17b6c 100644 --- a/debian/patches/features/all/lockdown/0040-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch +++ b/debian/patches/features/all/lockdown/0040-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -17,7 +17,7 @@ Signed-off-by: David Howells --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1827,6 +1827,18 @@ config EFI_MIXED +@@ -1886,6 +1886,18 @@ config EFI_MIXED If unsure, say N. @@ -38,15 +38,15 @@ Signed-off-by: David Howells prompt "Enable seccomp to safely compute untrusted bytecode" --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -69,6 +69,7 @@ - #include +@@ -70,6 +70,7 @@ #include #include + #include +#include #include #include