Debian Patches

Status for linux/6.11.9-1

Patch Description Author Forwarded Bugs Origin Last update
bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch radeon, amdgpu: Firmware is required for DRM and KMS on R600 onward
radeon requires firmware/microcode for the GPU in all chips, but for
newer chips (apparently R600 'Evergreen' onward) it also expects
firmware for the memory controller and other sub-blocks.

radeon attempts to gracefully fall back and disable some features if
the firmware is not available, but becomes unstable - the framebuffer
and/or system memory may be corrupted, or the display may stay black.

Therefore, perform a basic check for the existence of
/lib/firmware/radeon when a device is probed, and abort if it
is missing, except for the pre-R600 case.

Update 2023-11-08:
In bug 1053764 Mario Limonciello <mario.limonciello@amd.com> states
that the patch isn't needed anymore for amdgpu, so remove that part
of the patch
Ben Hutchings <ben@decadent.org.uk> no debian 2023-11-08
debian/af_802154-Disable-auto-loading-as-mitigation-against.patch [PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits
Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.

The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
not present in the 'lenny' kernel, and seems to receive only sporadic
maintenance. Therefore disable auto-loading.
Ben Hutchings <ben@decadent.org.uk> not-needed 2010-11-19
debian/rds-Disable-auto-loading-as-mitigation-against-local.patch [PATCH 1/3] rds: Disable auto-loading as mitigation against local exploits
Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.

The 'rds' protocol is one such protocol that has been found to be
vulnerable, and which was not present in the 'lenny' kernel.
Therefore disable auto-loading.
Ben Hutchings <ben@decadent.org.uk> not-needed 2010-11-19
debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch dccp: Disable auto-loading as mitigation against local exploits
We can mitigate the effect of vulnerabilities in obscure protocols by
preventing unprivileged users from loading the modules, so that they
are only exploitable on systems where the administrator has chosen to
load the protocol.

The 'dccp' protocol is not actively maintained or widely used.
Therefore disable auto-loading.
Ben Hutchings <ben@decadent.org.uk> not-needed 2017-02-16
debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch hamradio: Disable auto-loading as mitigation against local exploits
We can mitigate the effect of vulnerabilities in obscure protocols by
preventing unprivileged users from loading the modules, so that they
are only exploitable on systems where the administrator has chosen to
load the protocol.

The 'ham' radio protocols (ax25, netrom, rose) are not actively
maintained or widely used. Therefore disable auto-loading.
Ben Hutchings <ben@decadent.org.uk> not-needed 2019-08-05
debian/fs-enable-link-security-restrictions-by-default.patch fs: Enable link security restrictions by default
This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
('VFS: don't do protected {sym,hard}links by default').
Ben Hutchings <ben@decadent.org.uk> not-needed debian 2012-11-02
debian/yama-disable-by-default.patch yama: Disable by default Ben Hutchings <ben@decadent.org.uk> not-needed debian 2013-06-19
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch add sysctl to disallow unprivileged CLONE_NEWUSER by default
add sysctl to disallow unprivileged CLONE_NEWUSER by default

This is a short-term patch. Unprivileged use of CLONE_NEWUSER
is certainly an intended feature of user namespaces. However
for at least saucy we want to make sure that, if any security
issues are found, we have a fail-safe.

[bwh: Remove unneeded binary sysctl bits]
[bwh: Keep this sysctl, but change the default to enabled]
Serge Hallyn <serge.hallyn@canonical.com> no http://kernel.ubuntu.com/git?p=serge%2Fubuntu-saucy.git;a=commit;h=5c847404dcb2e3195ad0057877e1422ae90892b8 2013-05-31
debian/gitignore.patch Tweak gitignore for Debian pkg-kernel using git
[bwh: Tweak further for pure git]
Ian Campbell <ijc@hellion.org.uk> not-needed 2013-01-17
debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch Remove microcode patches for mgsuvd (not enabled in Debian configs)
diff --git a/arch/powerpc/platforms/8xx/Kconfig b/arch/powerpc/platforms/8xx/Kconfig
index 48a920a..81570b6 100644
Ben Hutchings <ben@decadent.org.uk> not-needed 2009-04-13
debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch dvb-usb-af9005: mark as broken Ben Hutchings <ben@decadent.org.uk> not-needed 2009-08-17
debian/dfsg/video-remove-nvidiafb-and-rivafb.patch video: Remove nvidiafb and rivafb
These drivers contain register programming code provided by the
hardware vendor that appears to have been deliberately obfuscated.
This is arguably not the preferred form for modification.

These drivers are also largely redundant with nouveau. The RIVA 128
(NV3) is not supported by nouveau but is about 15 years old and
probably discontinued 10 years ago.
Ben Hutchings <ben@decadent.org.uk> no debian 2012-06-02
debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch Documentation: Fix broken link to CIPSO draft
We exclude the CIPSO draft text as its licence is not DFSG compliant.
Link to the IETF's online version instead.
Ben Hutchings <ben@decadent.org.uk> not-needed 2019-08-24
debian/version.patch Include package version along with kernel release in stack traces
For distribution binary packages we assume
$DISTRIBUTION_OFFICIAL_BUILD, $DISTRIBUTOR and $DISTRIBUTION_VERSION
are set.
Ben Hutchings <ben@decadent.org.uk> not-needed 2012-07-24
debian/uname-version-timestamp.patch Make mkcompile_h accept an alternate timestamp string
We want to include the Debian version in the utsname::version string
instead of a full timestamp string. However, we still need to provide
a standard timestamp string for gen_initramfs_list.sh to make the
kernel image reproducible.

Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
$KBUILD_BUILD_TIMESTAMP.

===================================================================
Ben Hutchings <ben@decadent.org.uk> not-needed 2015-05-12
debian/kernelvariables.patch kbuild: Make the toolchain variables easily overwritable
Allow make variables to be overridden for each flavour by a file in
the build tree, .kernelvariables.

We currently use this for ARCH, KERNELRELEASE, CC, and in some cases
also CROSS_COMPILE, KCFLAGS.

This file can only be read after we establish the build tree, and all
use of $(ARCH) needs to be moved after this.

[bwh: Updated for 5.3: include .kernelvariables from current directory
rather than using undefined $(obj).]
Bastian Blank <waldi@debian.org> not-needed 2009-02-22
debian/mips-boston-disable-its.patch Disable uImage generation for mips generic
MIPS generic trys to generate uImage when build, which then ask for
u-boot-tools.

[bwh: Updated for 5.17:
- zload-y is no longer assigned here and appears to default to empty
- Adjust context]
YunQiang Su <syq@debian.org> not-needed 2018-05-14
debian/mips-ieee754-relaxed.patch Use RELAXED ieee754 mode for Loongson-3 as 3A 4000 is 2008-only
There are 2 mode of value of IEEE NaN hardcoded by CPU.
Currently, our mipsel/mips64el port is in so-called lagacy mode.
Loongson 3A 4000 is set as the so-called 2008 mode.

To make Debian workable on Loongson 3A 4000, we need set the kerenl in
RELAXED mode.

https://web.archive.org/web/20180830093617/https://dmz-portal.mips.com/wiki/MIPS_ABI_-_NaN_Interlinking

[bwh: Update for addition of EMULATED mode in 6.11]
YunQiang Su <syq@debian.org> not-needed 2020-11-16
debian/mips-enable-r2-to-r6-emu-by-default.patch Enable R2 to R6 emulator by default
In upstream code, 'mipsr2emu' kernel option is needed
to enable R2 to R6 emulator. Since we need r6 kernel
for our r2 port, let's always enable it.
YunQiang Su <syq@debian.org> not-needed 2018-05-14
debian/arch-sh4-fix-uimage-build.patch [sh4] Fix uImage build
[bwh: This was added without a description, but I think it is done
only to avoid a build-dependency on u-boot-tools.]
Nobuhiro Iwamatsu <iwamatsu@nigauri.org> not-needed debian
debian/tools-perf-perf-read-vdso-in-libexec.patch linux-tools: Install perf-read-vdso{,x}32 in directory under /usr/lib Ben Hutchings <benh@debian.org> no 2015-05-11
debian/tools-perf-install-python-bindings.patch tools: install perf python bindings Adriaan Schmidt <adriaan.schmidt@siemens.com> not-needed debian 2022-04-04
debian/wireless-add-debian-wireless-regdb-certificates.patch wireless: Add Debian wireless-regdb certificates
This hex dump is generated using:

{
for cert in debian/certs/wireless-regdb-*.pem; do
openssl x509 -in $cert -outform der;
done
} | hexdump -v -e '1/1 "0x%.2x," "\n"' > net/wireless/certs/debian.hex
Ben Hutchings <ben@decadent.org.uk> not-needed 2018-04-13
debian/export-symbols-needed-by-android-drivers.patch Export symbols needed by binder
We want to enable use of the Android binder driver to support
Waydroid, but it should not be built-in as that would waste resources
and increase security attack surface on systems that don't need it.

Export the currently un-exported symbols it depends on.
Ben Hutchings <ben@decadent.org.uk> no debian 2024-08-05
debian/android-enable-building-ashmem-and-binder-as-modules.patch android: Enable building ashmem and binder as modules
We want to enable use of the Android ashmem and binder drivers to
support Anbox, but they should not be built-in as that would waste
resources and increase security attack surface on systems that don't
need them.

- Add a MODULE_LICENSE declaration to ashmem
- Change the Makefiles to build each driver as an object with the
"_linux" suffix (which is what Anbox expects)
- Change config symbol types to tristate

Update:
In upstream commit 721412ed3d titled "staging: remove ashmem" the ashmem
driver was removed entirely. Secondary commit message:
"The mainline replacement for ashmem is memfd, so remove the legacy
code from drivers/staging/"
Consequently, the ashmem part of this patch has been removed.
Ben Hutchings <ben@decadent.org.uk> no debian 2018-06-22
debian/documentation-drop-sphinx-version-check.patch [PATCH 1/2] Documentation: Drop sphinx version check Bastian Blank <waldi@debian.org> not-needed 2020-08-04
debian/perf-traceevent-support-asciidoctor-for-documentatio.patch [PATCH 2/2] perf/traceevent: Support asciidoctor for documentation Bastian Blank <waldi@debian.org> not-needed 2020-08-04
debian/kbuild-look-for-module.lds-under-arch-directory-too.patch kbuild: Look for module.lds under arch directory too
The module.lds linker script is now built under the scripts directory,
where previously it was under arch/$(SRCARCH).

However, we package the scripts directory as linux-kbuild, which is
meant to be able to do support native and cross-builds. That means it
shouldn't contain files for a specific target architecture without a
wrapper to select between them, and it doesn't appear that linker
scripts are powerful enough to implement such a wrapper.

Building module.lds in a different location would require relatively
large changes. Moving it in the package build rules can work, but we
need to support custom kernel builds from the same source so we can't
assume it's moved.

Therefore, we move module.lds under the arch build directory in
rules.real and change Makefile.modfinal to look for it in both places.
Ben Hutchings <benh@debian.org> not-needed debian 2020-12-10
debian/kbuild-abort-build-if-subdirs-used.patch kbuild: Abort build if SUBDIRS used
DKMS and module-assistant both build OOT modules as root. If they
build an old OOT module that still use SUBDIRS this causes Kbuild
to try building a full kernel, which obviously fails but not before
deleting files from the installed headers package.

To avoid such mishaps, detect this situation and abort the build.

The error message is based on that used in commit 0126be38d988
"kbuild: announce removal of SUBDIRS if used".
Ben Hutchings <benh@debian.org> not-needed debian 2021-04-26
debian/makefile-make-compiler-version-comparison-optional.patch Makefile: Make compiler version comparison optional
The top-level Makefile warns if the compiler version string changes at
all between the kernel build and an out-of-tree module build.

We expect that major compiler version changes could introduce ABI
changes, and override the CC variable in out-of-tree module builds to
ensure that the same major compiler version is used. But minor
version changes should not make a difference, so this exact version
comparison produces false warnings.

Since custom kernel packages don't have that, don't remove the version
comparison. Instead, skip it if $(DEBIAN_KERNEL_NO_CC_VERSION_CHECK)
is non-empty.
Ben Hutchings <benh@debian.org> not-needed debian 2022-09-15
bugfix/all/revert-tools-build-clean-cflags-and-ldflags-for-fixdep.patch Revert "tools build: Clean CFLAGS and LDFLAGS for fixdep"
This reverts commit 5725dd8fa888b4dcdff58241f9d3d3ac42a048e2. That
was a workaround for the bug fixed by commit 6b3db6f9b970 "tools
Ben Hutchings <benh@debian.org> no 2024-09-16
debian/fixdep-allow-overriding-hostcc-and-hostld.patch fixdep: Allow overriding HOSTCC and HOSTLD
objtool always uses HOSTCC, HOSTLD, and HOSTAR, so we need to override
these on the command line for cross-builds of linux-kbuild. But it
also builds fixdep which still needs to be native in a cross-build.
Add support for REALHOSTCC and REALHOSTLD variables which, if set,
override HOSTCC and HOSTLD for fixdep only.
Ben Hutchings <benh@debian.org> not-needed 2023-05-13
debian/linux-perf-remove-remaining-source-filenames-from-executable.patch linux-perf: Remove remaining source filenames from executable
When we build perf with -ffile-prefix-map, there are still 2
source directory names embedded in the executable:

1. The Documentation subdirectory, used as a fallback from the
installed location.
2. The python subdirectory, used in the Python script test.

Remove (1) since it is an unnecessary fallback. Change (2)
to the installed location.
Ben Hutchings <benh@debian.org> no 2023-05-30
features/all/drivers-media-dvb-usb-af9005-request_firmware.patch af9005: Use request_firmware() to load register init script
Read the register init script from the Windows driver. This is sick
but should avoid the potential copyright infringement in distributing
a version of the script which is directly derived from the driver.
Ben Hutchings <ben@decadent.org.uk> no 2009-08-24
debian/iwlwifi-do-not-request-unreleased-firmware.patch iwlwifi: Do not request unreleased firmware for IWL6000
The iwlwifi driver currently supports firmware API versions 4-6 for
these devices. It will request the file for the latest supported
version and then fall back to earlier versions. However, the latest
version that has actually been released is 4, so we expect the
requests for versions 6 and then 5 to fail.

The installer appears to report any failed request, and it is probably
not easy to detect that this particular failure is harmless. So stop
requesting the unreleased firmware.
Ben Hutchings <ben@decadent.org.uk> not-needed debian
debian/firmware_loader-log-direct-loading-failures-as-info-for-d-i.path firmware_loader: Log direct loading failures as info for d-i
On an installed Debian system, firmware packages will normally be
installed automatically based on a mapping of device IDs to firmware.
Within the Debian installer this has not yet happened and we need a
way to detect missing firmware.

Although many/most drivers log firmware loading failures, they do so
using many different formats. This adds a single log message to the
firmware loader, which the installer's hw-detect package will look
for. The log level is set to "info" because some failures are
expected and we do not want to confuse users with bogus error messages
(like in bug #966218).

this with the check-missing-firmware.sh in hw-detect.
Ben Hutchings <benh@debian.org> not-needed 2024-05-30
features/all/security-perf-allow-further-restriction-of-perf_event_open.patch security,perf: Allow further restriction of perf_event_open
When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.

This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.
Ben Hutchings <ben@decadent.org.uk> yes 2016-01-11
features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch intel-iommu: Add option to exclude integrated GPU only
There is still laptop firmware that touches the integrated GPU behind
the operating system's back, and doesn't say so in the RMRR table.
Enabling the IOMMU for all devices causes breakage, but turning it off
for all graphics devices seems like a major weakness.

Add an option, intel_iommu=intgpu_off, to exclude only integrated GPUs
from remapping. This is a narrower exclusion than igfx_off: it only
affects Intel devices on the root bus. Devices attached through an
external port (Thunderbolt or ExpressCard) won't be on the root bus.
Ben Hutchings <ben@decadent.org.uk> no debian 2019-08-21
features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch intel-iommu: Add Kconfig option to exclude iGPU by default
There is still laptop firmware that touches the integrated GPU behind
the operating system's back, and doesn't say so in the RMRR table.
Enabling the IOMMU for all devices causes breakage.

Replace CONFIG_INTEL_IOMMU_DEFAULT_ON with a 3-way choice
corresponding to "on", "off", and "on,intgpu_off".
Ben Hutchings <ben@decadent.org.uk> no debian 2019-08-21
debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch cdc_ncm,cdc_mbim: Use NCM by default
Devices that support both NCM and MBIM modes should be kept in NCM
mode unless there is userland support for MBIM.

Set the default value of cdc_ncm.prefer_mbim to false and leave it to
userland (modem-manager) to override this with a modprobe.conf file
once it's ready to speak MBIM.
Ben Hutchings <ben@decadent.org.uk> not-needed 2013-03-31
debian/snd-pcsp-disable-autoload.patch snd-pcsp: Disable autoload
There are two drivers claiming the platform:pcspkr device:
- pcspkr creates an input(!) device that can only beep
- snd-pcsp creates an equivalent input device plus a PCM device that can
play barely recognisable renditions of sampled sound

snd-pcsp is blacklisted by the alsa-base package, but not everyone
installs that. On PCs where no sound is wanted at all, both drivers
will still be loaded and one or other will complain that it couldn't
claim the relevant I/O range.

In case anyone finds snd-pcsp useful, we continue to build it. But
remove the alias, to ensure it's not loaded where it's not wanted.
Ben Hutchings <ben@decadent.org.uk> not-needed debian 2014-02-05
bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch viafb: Autoload on OLPC XO 1.5 only
It appears that viafb won't work automatically on all the boards for
which it has a PCI device ID match. Currently, it is blacklisted by
udev along with most other framebuffer drivers, so this doesn't matter
much.

However, this driver is required for console support on the XO 1.5.
We need to allow it to be autoloaded on this model only, and then
un-blacklist it in udev.
Ben Hutchings <ben@decadent.org.uk> no debian 2013-04-20
debian/fjes-disable-autoload.patch fjes: Disable auto-loading
fjes matches a generic ACPI device ID, and relies on its probe
function to distinguish whether that really corresponds to a supported
device. Very few system will need the driver and it wastes memory on
all the other systems where the same device ID appears, so disable
auto-loading.
Ben Hutchings <ben@decadent.org.uk> no debian 2017-03-18
debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS
Various free and proprietary AV products use this feature and users
apparently want it. But punting access checks to userland seems like
an easy way to deadlock the system, and there will be nothing we can
do about that. So warn and taint the kernel if this feature is
actually used.
Ben Hutchings <ben@decadent.org.uk> not-needed 2016-07-13
debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch btrfs: warn about RAID5/6 being experimental at mount time
Too many people come complaining about losing their data -- and indeed,
there's no warning outside a wiki and the mailing list tribal knowledge.
Message severity chosen for consistency with XFS -- "alert" makes dmesg
produce nice red background which should get the point across.

[bwh: Also add_taint() so this is flagged in bug reports]
[2023-01-10: still accurate according to btrfs-progs own manpage:
https://git.kernel.org/pub/scm/linux/kernel/git/kdave/btrfs-progs.git/commit/?id=922797e15590b836e377d6dc47b828356cafc2a9]
[2024-03-17: still accurate; manpage is now in Documentation/btrfs-man5.rst
implementation went from disk-io.c to super.c; forwarded the issue]
Adam Borowski <kilobyte@angband.pl> yes debian https://bugs.debian.org/863290#5 2017-03-28
bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch ARM: dts: kirkwood: Fix SATA pinmux-ing for TS419
The old board code for the TS419 assigns MPP pins 15 and 16 as SATA
activity signals (and none as SATA presence signals). Currently the
device tree assigns the SoC's default pinmux groups for SATA, which
conflict with the second Ethernet port.
Ben Hutchings <ben@decadent.org.uk> yes debian 2017-02-17
bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch perf tools: Fix unwind build on i386
EINVAL may not be defined when building unwind-libunwind.c with
REMOTE_UNWIND_LIBUNWIND, resulting in a compiler error in
LIBUNWIND__ARCH_REG_ID(). Its only caller, access_reg(), only checks
for a negative return value and doesn't care what it is. So change
-EINVAL to -1.
Ben Hutchings <ben@decadent.org.uk> no 2017-07-22
bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch sh: Do not use hyphen in exported variable names
arch/sh/Makefile defines and exports ld-bfd to be used by
arch/sh/boot/Makefile and arch/sh/boot/compressed/Makefile. However
some shells, including dash, will not pass through environment
variables whose name includes a hyphen. Usually GNU make does not use
a shell to recurse, but if e.g. $(srctree) contains '~' it will use a
shell here.

Rename the variable to ld_bfd.

(Another instance of this problem was fixed upstream by commit
82977af93a0d "sh: rename suffix-y to suffix_y".)
Ben Hutchings <ben@decadent.org.uk> no 2022-02-07
bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch ARM: mm: Export __sync_icache_dcache() for xen-privcmd
The xen-privcmd driver, which can be modular, calls set_pte_at()
which in turn may call __sync_icache_dcache().

The call to __sync_icache_dcache() may be optimised out because it is
conditional on !pte_special(), and xen-privcmd calls pte_mkspecial().
However, in a non-LPAE configuration there is no "special" bit and the
call is really unconditional.
Ben Hutchings <ben@decadent.org.uk> yes 2018-07-11
bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch powerpc/boot: Fix missing crc32poly.h when building with KERNEL_XZ
After commit faa16bc404d7 ("lib: Use existing define with
polynomial") the lib/xz/xz_crc32.c includes a header from include/linux
directory thus any other user of this code should define proper include
path.

This fixes the build error on powerpc with CONFIG_KERNEL_XZ:

In file included from ../arch/powerpc/boot/../../../lib/decompress_unxz.c:233:0,
from ../arch/powerpc/boot/decompress.c:42:
../arch/powerpc/boot/../../../lib/xz/xz_crc32.c:18:29: fatal error: linux/crc32poly.h: No such file or directory
Krzysztof Kozlowski <krzk@kernel.org> no https://patchwork.ozlabs.org/patch/963258/ 2018-08-29
bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch arm64/acpi: Add fixup for HPE m400 quirks
Adds a new ACPI init routine acpi_fixup_m400_quirks that adds
a work-around for HPE ProLiant m400 APEI firmware problems.

The work-around disables APEI when CONFIG_ACPI_APEI is set and
m400 firmware is detected. Without this fixup m400 systems
experience errors like these on startup:

[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 2
[Hardware Error]: event severity: fatal
[Hardware Error]: Error 0, type: fatal
[Hardware Error]: section_type: memory error
[Hardware Error]: error_status: 0x0000000000001300
[Hardware Error]: error_type: 10, invalid address
Kernel panic - not syncing: Fatal hardware error!

[bwh: Adjust context and indentation to apply to Linux 6.10]
Geoff Levand <geoff@infradead.org> yes 2018-06-13
features/x86/x86-memtest-WARN-if-bad-RAM-found.patch x86: memtest: WARN if bad RAM found
Since this is not a particularly thorough test, if we find any bad
bits of RAM then there is a fair chance that there are other bad bits
we fail to detect.
Ben Hutchings <ben@decadent.org.uk> yes debian 2011-12-05
features/x86/x86-make-x32-syscall-support-conditional.patch x86: Make x32 syscall support conditional on a kernel parameter
Enabling x32 in the standard amd64 kernel would increase its attack
surface while provide no benefit to the vast majority of its users.
No-one seems interested in regularly checking for vulnerabilities
specific to x32 (at least no-one with a white hat).

Still, adding another flavour just to turn on x32 seems wasteful. And
the only differences on syscall entry are a few instructions that mask
out the x32 flag and compare the syscall number.

Use a static key to control whether x32 syscalls are really enabled, a
Kconfig parameter to set its default value and a kernel parameter
"syscall.x32" to change it at boot time.
Ben Hutchings <ben@decadent.org.uk> yes debian 2018-02-12
bugfix/all/disable-some-marvell-phys.patch phy/marvell: disable 4-port phys
The Marvell PHY was originally disabled because it can cause networking
failures on some systems. According to Lennert Buytenhek this is because some
of the variants added did not share the same register layout. Since the known
cases are all 4-ports disable those variants (indicated by a 4 in the
penultimate position of the model name) until they can be audited for
correctness.

[bwh: Also #if-out the init functions for these PHYs to avoid
compiler warnings]
Ian Campbell <ijc@hellion.org.uk> yes debian 2013-11-20
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch fs: Add MODULE_SOFTDEP declarations for hard-coded crypto drivers
This helps initramfs builders and other tools to find the full
dependencies of a module.

[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
Ben Hutchings <ben@decadent.org.uk> yes debian 2016-04-13
bugfix/all/documentation-use-relative-source-paths-in-abi-documentation.patch Documentation: Use relative source filenames in ABI documentation
Currently the ABI documentation files contain absolute source
filenames, which makes them unreproducible if the build directory can
vary.

Remove the source base directory ($srctree) from the source filenames
shown in the documentation.
Ben Hutchings <benh@debian.org> no 2024-09-16
bugfix/all/Revert-mmc-dw_mmc-Fix-IDMAC-operation-with-pages-big.patch [PATCH] Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K"

This reverts commit 8396c793ffdf28bb8aee7cfe0891080f8cab7890.
Aurelien Jarno <aurelien@aurel32.net> no 2024-10-23
features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch [28/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.

Move the switch-statement in x86's setup_arch() that inteprets the
secure_boot boot parameter to generic code and set the bit there.

[rperier: Forward-ported to 5.5:
- Use pr_warn()
- Adjust context]
[bwh: Forward-ported to 5.6: adjust context]
[bwh: Forward-ported to 5.7:
- Use the next available bit in efi.flags
- Adjust context]
David Howells <dhowells@redhat.com> no https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a5d70c55c603233c192b375f72116a395909da28 2019-02-18
features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch efi: Lock down the kernel if booted in secure boot mode
Based on an earlier patch by David Howells, who wrote the following
description:

> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels. Certain use cases may also
> require that all kernel modules also be signed. Add a configuration option
> that to lock down the kernel - which includes requiring validly signed
> modules - if the kernel is secure-booted.

[Salvatore Bonaccorso: After fixing https://bugs.debian.org/956197 the
help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that
lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)]
Ben Hutchings <ben@decadent.org.uk> no 2019-09-10
features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch mtd: phram,slram: Disable when the kernel is locked down
These drivers allow mapping arbitrary memory ranges as MTD devices.
This should be disabled to preserve the kernel's integrity when it is
locked down.

* Add the HWPARAM flag to the module parameters
* When slram is built-in, it uses __setup() to read kernel parameters,
so add an explicit check security_locked_down() check
Ben Hutchings <ben@decadent.org.uk> yes 2019-08-30
features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch arm64: add kernel config option to lock down when in Secure Boot mode
Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.

Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.

[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.15 and lockdown patch set:
- Pass result of efi_get_secureboot() in stub through to
efi_set_secure_boot() in main kernel
- Use lockdown API and naming]
[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
[bwh: Drop call to init_lockdown(), as efi_set_secure_boot() now calls this]
[bwh: Forward-ported to 5.6: efi_get_secureboot() no longer takes a
sys_table parameter]
[bwh: Forward-ported to 5.7: EFI initialisation from FDT was rewritten, so:
- Add Secure Boot mode to the parameter enumeration in fdtparams.c
- Add a parameter to efi_get_fdt_params() to return the Secure Boot mode
- Since Xen does not have a property name defined for Secure Boot mode,
change efi_get_fdt_prop() to handle a missing property name by clearing
the output variable]
[Salvatore Bonaccorso: Forward-ported to 5.10: f30f242fb131 ("efi: Rename
arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]
Linn Crosetto <linn@hpe.com> no debian 2016-08-30
features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch [PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a kernel module

This patch adds the logic for checking the kernel module's hash
base on blacklist. The hash must be generated by sha256 and enrolled
to dbx/mokx.

For example:
sha256sum sample.ko
mokutil --mokx --import-hash $HASH_RESULT

Whether the signature on ko file is stripped or not, the hash can be
compared by kernel.

[Rebased by Luca Boccassi]
[bwh: Forward-ported to 5.19:
- The type parameter to is_hash_blacklisted() is now an enumeration
rather than a string
- Adjust filename, context]
"Lee, Chun-Yi" <joeyli.kernel@gmail.com> no https://lore.kernel.org/patchwork/patch/933175/ 2018-03-13
features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch [PATCH] KEYS: Make use of platform keyring for module signature verify

This allows a cert in DB to be used to sign modules,
in addition to certs in the MoK and built-in keyrings.

[bwh: Forward-ported to 5.19: adjust filename]
[наб: reinstate for 6.1, re-write description]
Robert Holmes <robeholmes@gmail.com> yes debian https://src.fedoraproject.org/rpms/kernel/raw/master/f/KEYS-Make-use-of-platform-keyring-for-module-signature.patch 2019-04-23
features/all/db-mok-keyring/trust-machine-keyring-by-default.patch [PATCH] trust machine keyring (MoK) by default
Debian always trusted keys in MoK by default. Upstream made it
conditional on a new EFI variable being set.
To keep backward compatibility skip this check.
Luca Boccassi <bluca@debian.org> not-needed 2022-10-14
bugfix/all/module-disable-matching-missing-version-crc.patch module: Disable matching missing version CRC
This partly reverts commit cd3caefb4663e3811d37cc2afad3cce642d60061.
We want to fail closed if a symbol version CRC is missing, as the
alternative may allow subverting module signing.
Ben Hutchings <ben@decadent.org.uk> not-needed 2016-12-02
bugfix/all/usbip-document-tcp-wrappers.patch usbip: Document TCP wrappers
Add references to TCP wrappers configuration in the manual page.
Ben Hutchings <ben@decadent.org.uk> no 2012-06-24
bugfix/all/kbuild-fix-recordmcount-dependency.patch kbuild: Fix recordmcount dependency for OOT modules
We never rebuild anything in-tree when building an out-of-tree
modules, so external modules should not depend on the recordmcount
sources.
Ben Hutchings <ben@decadent.org.uk> no 2014-09-08
bugfix/all/tools-perf-remove-shebangs.patch tools/perf: Remove shebang lines from perf scripts
perf scripts need to be invoked through perf, not directly through
perl (or other language interpreter). So including shebang lines in
them is useless and possibly misleading.
Ben Hutchings <ben@decadent.org.uk> no 2015-09-25
bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch Revert "perf build: Fix libunwind feature detection on 32-bit x86"
This reverts commit 05b41775e2edd69a83f592e3534930c934d4038e.
It broke feature detection that was working just fine for us.
Ben Hutchings <ben@decadent.org.uk> no 2015-09-25
bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch tools/build: Remove bpf() run-time check at build time
It is not correct to test that a syscall works on the build system's
kernel. We might be building on an earlier kernel version or with
security restrictions that block bpf().
Ben Hutchings <ben@decadent.org.uk> no 2016-02-21
bugfix/all/cpupower-fix-checks-for-cpu-existence.patch cpupower: Fix checks for CPU existence
Calls to cpufreq_cpu_exists(cpu) were converted to
cpupower_is_cpu_online(cpu) when libcpupower was introduced and the
former function was deleted. However, cpupower_is_cpu_online() does
not distinguish physically absent and offline CPUs, and does not set
errno.

cpufreq-set has already been fixed (commit c25badc9ceb6).

In cpufreq-bench, which prints an error message for offline CPUs,
properly distinguish and report the zero and negative cases.

[carnil: Update/Refresh patch for 4.14.17: The issue with the
incorrect check has been fixed with upstream commit 53d1cd6b125f.
Keep in the patch the distinction and report for the zero and
negative cases.]
Ben Hutchings <ben@decadent.org.uk> yes 2016-11-03
bugfix/all/libapi-define-_fortify_source-as-2-not-empty.patch libapi: Define _FORTIFY_SOURCE as 2, not empty Ben Hutchings <benh@debian.org> yes 2022-01-15
bugfix/all/tools-perf-fix-missing-ldflags-for-some-programs.patch tools/perf: Fix missing LDFLAGS for some programs Ben Hutchings <benh@debian.org> no 2022-01-15
bugfix/all/tools_lib_symbol_use_d_fortify_source_2_for_non_debug_builds.patch tools lib symbol: Use -D_FORTIFY_SOURCE=2 for non-debug builds
Commit 160be157eaba ("tool lib symbol: Add Makefile/Build") failed to
define _FORTIFY_SOURCE to 2, probabaly this was cut&pasted from other
Makefiles with the same problem.
Uwe Kleine-König <ukleinek@debian.org> yes 2023-04-24
bugfix/all/perf-tools-support-extra-cxxflags.patch perf tools: Support EXTRA_CXXFLAGS
Add support for an EXTRA_CXXFLAGS variable, used similarly to
EXTRA_CFLAGS.
Ben Hutchings <benh@debian.org> no 2023-05-15
bugfix/all/perf-tools-pass-extra_cflags-through-to-libbpf-build-again.patch perf tools: Pass EXTRA_CFLAGS through to libbpf build again
When perf was statically linked to libbpf, any definition of
EXTRA_CFLAGS passed to Makefile.perf propagated to the sub-make of
libbpf. Since commit 9dabf4003423 ("perf python: Switch module to
linking libraries from building source"), EXTRA_CFLAGS is overridden
to "-fPIC" for the sub-make.

Change to include any user-provided EXTRA_CFLAGS before the "-fPIC"
option.
Ben Hutchings <benh@debian.org> no 2024-08-16
bugfix/all/kbuild-bpf-fix-btf-reproducibility.patch kbuild, bpf: Fix BTF reproducibility
pahole 1.22 introduced the -j option for parallel processing, and
kbuild uses it, but this makes its output unreproducible.

pahole 1.27 introduced --btf_features=+reproducible_build which makes
the output reproducible even when -j is used.

Assume that if KBUILD_BUILD_TIMESTAMP is set then a reproducible build
is required, and use both options if available or neither if not.
Ben Hutchings <benh@debian.org> no 2024-09-16
bugfix/powerpc/fbdev-offb-Update-expected-device-name.patch fbdev/offb: Update expected device name
Since commit 241d2fb56a18 ("of: Make OF framebuffer device names unique"),
as spotted by Frédéric Bonnard, the historical "of-display" device is
"of-display.N" as required.

This means that offb no longer finds the expected device, which prevents
the Debian Installer from setting up its interface, at least on ppc64el.

It might be better to iterate on all possible nodes, but updating the
hardcoded device from "of-display" to "of-display.0" is confirmed to fix
the Debian Installer at the very least.
Cyril Brulebois <cyril@debamax.com> no https://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev.git/commit?id=27c74ea74be805ccba1bc1a0a03cc79c51dca6ea 2023-04-12

All known versions for source package 'linux'

Links